Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe
Analysis ID:	1428965
MD5:	98978c705e7a64b2d3fffa565892ddab
SHA1:	b6985aaf3ac01a8742f2d0dcf3d8c0db12752e3f
SHA256:	40cd90feea9b35d138b78aa98c39e86d6aed424ad90963f6ee02749de63432c3
Tags:	exe
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Contains functionality to register a low level keyboard hook

Installs a global keyboard hook

Machine Learning detection for sample

Sample or dropped binary is a compiled AutoHotkey binary

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Installs a global mouse hook

JA3 SSL client fingerprint seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

OS version to string mapping found (often used in BOTs)

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Use Short Name Path in Command Line

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe (PID: 6680 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe" MD5: 98978C705E7A64B2D3FFFA565892DDAB)

Haims_ESC.exe (PID: 6996 cmdline: Haims_ESC.exe MD5: 0A32B7F8B8662394FDB3F6F6034A106B)

taskkill.exe (PID: 2212 cmdline: Taskkill /f /im iexplore.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

iexplore.exe (PID: 4476 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding MD5: CFE2E6942AC1B72981B3105E22D3224E)

iexplore.exe (PID: 7140 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4476 CREDAT:17410 /prefetch:2 MD5: 6F0F06D6AB125A99E43335427066A4A1)

ssvagent.exe (PID: 7052 cmdline: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new MD5: F9A898A606E7F5A1CD7CFFA8079253A0)

cleanup

Sigma Signatures

System Summary

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, CommandLine: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, CommandLine|base64offset|contains: w, Image: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, NewProcessName: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, OriginalFileName: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, ParentCommandLine: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4476 CREDAT:17410 /prefetch:2, ParentImage: C:\Program Files (x86)\Internet Explorer\iexplore.exe, ParentProcessId: 7140, ParentProcessName: iexplore.exe, ProcessCommandLine: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, ProcessId: 7052, ProcessName: ssvagent.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Program Files\Internet Explorer\iexplore.exe, ProcessId: 4476, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Desktop\Haims_ESC.exe

ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

ReversingLabs: Detection: 23%

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: C:\Users\user\Desktop\Haims_ESC.exe	File created: C:\Users\user\Desktop\readme.txt			Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	File created: C:\Users\user\Desktop\VNDCD_memo\readme.txt			Jump to behavior

Source: unknown	HTTPS traffic detected: 112.175.184.42:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 112.175.184.42:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 112.175.184.42:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 112.175.184.42:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 112.175.184.42:443 -> 192.168.2.4:49739 version: TLS 1.2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_004804F0 FindFirstFileW,FindClose,GetFileAttributesW,	0_2_004804F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00480580 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,	0_2_00480580
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0045E1A0 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,	0_2_0045E1A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0044D4F0 FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,GetLastError,FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__swprintf,FindNextFileW,FindClose,	0_2_0044D4F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0044D7F0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,	0_2_0044D7F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00437AD0 FindFirstFileW,FindNextFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindClose,	0_2_00437AD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0047BAE0 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle,	0_2_0047BAE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0044DB30 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,	0_2_0044DB30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0045EE20 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,_wcsrchr,_wcsrchr,_wcsncpy,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,FindNextFileW,FindClose,	0_2_0045EE20
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_004804F0 FindFirstFileW,FindClose,GetFileAttributesW,	2_2_004804F0
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00480580 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,	2_2_00480580
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0047BAE0 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle,	2_2_0047BAE0
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0045E1A0 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,	2_2_0045E1A0
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0044D4F0 FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,GetLastError,FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__swprintf,FindNextFileW,FindClose,	2_2_0044D4F0
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0044D7F0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,	2_2_0044D7F0
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00437AD0 FindFirstFileW,FindNextFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindClose,	2_2_00437AD0
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0044DB30 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,	2_2_0044DB30
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0045EE20 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,_wcsrchr,_wcsrchr,_wcsncpy,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,FindNextFileW,FindClose,	2_2_0045EE20

Source: Joe Sandbox View	JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Code function: 0_2_0049C396 InternetReadFileExA,__flush,__write,__flsbuf,

0_2_0049C396

Source: global traffic	HTTP traffic detected: GET /haims_esc/Haims_ESC.exe HTTP/1.1User-Agent: AutoHotkeyHost: runuo.krCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /haims_esc/ver.txt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: runuo.kr
Source: global traffic	HTTP traffic detected: GET /haims_esc/notice.txt HTTP/1.1User-Agent: AutoHotkeyHost: runuo.krCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /haims_esc/haims_localconnect.php HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-CHUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: runuo.krConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wlog/piwik.js HTTP/1.1Accept: application/javascript, /;q=0.8Referer: https://runuo.kr/haims_esc/haims_localconnect.phpAccept-Language: en-CHUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: runuo.krConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wlog/piwik.php?action_name=&idsite=1&rec=1&r=643131&h=23&m=25&s=22&url=https%3A%2F%2Frunuo.kr%2Fhaims_esc%2Fhaims_localconnect.php&_id=1aa1c3094c7d4b5f&_idts=1713561923&_idvc=1&_idn=1&_refts=0&_viewts=1713561923&cs=windows-1252&java=1&cookie=1&res=1280x1024&gt_ms=0 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /;q=0.5Referer: https://runuo.kr/haims_esc/haims_localconnect.phpAccept-Language: en-CHUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: runuo.krConnection: Keep-AliveCookie: _pk_id.1.041b=1aa1c3094c7d4b5f.1713561923.1.1713561923.1713561923.; _pk_ses.1.041b=
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: runuo.krConnection: Keep-AliveCookie: _pk_id.1.041b=1aa1c3094c7d4b5f.1713561923.1.1713561923.1713561923.; _pk_ses.1.041b=*
Source: global traffic	HTTP traffic detected: GET /haims_esc/nosearch/Haims_CompanyCode_check.php?CompanyCode=0 HTTP/1.1User-Agent: AutoHotkeyHost: runuo.krCache-Control: no-cacheCookie: _pk_ses.1.041b=*; _pk_id.1.041b=1aa1c3094c7d4b5f.1713561923.1.1713561923.1713561923.

Source: unknown

DNS traffic detected: queries for: runuo.kr

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 19 Apr 2024 21:25:24 GMTServer: Apache/2.2.15 (CentOS)Content-Length: 209Connection: closeContent-Type: text/html; charset=iso-8859-1

Source: piwik[1].js.6.dr	String found in binary or memory: http://piwik.org
Source: piwik[1].js.6.dr	String found in binary or memory: http://piwik.org/free-software/bsd/
Source: SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000002.1821601052.0000000002C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://runuo.co.kr/haims_esc/Haims_ESC.exe
Source: SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000002.1821601052.0000000002C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://runuo.co.kr/haims_esc/Haims_ESC.exe$
Source: haims_localconnect[1].htm.6.dr	String found in binary or memory: http://runuo.kr/wlog/piwik.php?idsite=1
Source: Haims_ESC.exe, Haims_ESC.exe, 00000002.00000002.2975355981.0000000000401000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: https://autohotkey.com
Source: SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Haims_ESC.exe, 00000002.00000002.2975355981.0000000000401000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: https://autohotkey.comCould
Source: piwik[1].js.6.dr	String found in binary or memory: https://github.com/piwik/piwik/blob/master/js/piwik.js
Source: SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000002.1821601052.0000000002C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://office.runuo.kr/haims_esc/Haims_ESC.exe
Source: Haims_ESC.exe, 00000002.00000002.2976395327.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000002.2975355981.00000000004E3000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: https://office.runuo.kr:5001/sharing/cx22ddLq1
Source: SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000003.1820569878.0000000000AC3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000002.1821271566.0000000000AC3000.00000004.00000020.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000002.2978092664.0000000006880000.00000004.00000020.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000002.2975923731.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://runuo.kr/
Source: Haims_ESC.exe, 00000002.00000002.2975923731.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://runuo.kr/O
Source: Haims_ESC.exe, 00000002.00000002.2975355981.00000000004E3000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: https://runuo.kr/gnu/Haims_ESC/2
Source: Haims_ESC.exe, 00000002.00000002.2976395327.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://runuo.kr/gnu/Haims_ESC/2=
Source: Haims_ESC.exe	String found in binary or memory: https://runuo.kr/hai
Source: Haims_ESC.exe, 00000002.00000002.2976395327.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000002.2975355981.00000000004E3000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: https://runuo.kr/haims_esc
Source: Haims_ESC.exe, 00000002.00000002.2977100207.0000000003150000.00000004.00000020.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1933080599.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931229919.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1925136818.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932090189.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932134417.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932826201.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931843025.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1930888894.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932231043.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932179913.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1930939772.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931152410.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1933030660.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931436456.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1924489741.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1923754529.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1924897219.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931289757.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931094457.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1924950407.0000000006980000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://runuo.kr/haims_esc/
Source: Haims_ESC.exe, 00000002.00000002.2975355981.00000000004E3000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: https://runuo.kr/haims_esc/#Function_key_user_config
Source: Haims_ESC.exe, 00000002.00000002.2976395327.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://runuo.kr/haims_esc/#Function_key_user_config=
Source: Haims_ESC.exe, 00000002.00000002.2976395327.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://runuo.kr/haims_esc/=
Source: SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000002.1821601052.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000003.1820569878.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, Haims_ESC.exe, Haims_ESC.exe, 00000002.00000002.2976395327.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000002.2975355981.00000000004E3000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: https://runuo.kr/haims_esc/Haims_ESC.exe
Source: SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000003.1820569878.0000000000AC3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000002.1821271566.0000000000AC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://runuo.kr/haims_esc/Haims_ESC.exe32
Source: SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000003.1820569878.0000000000AC3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000002.1821271566.0000000000AC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://runuo.kr/haims_esc/Haims_ESC.exeP
Source: SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000003.1820569878.0000000000AC3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000002.1821271566.0000000000AC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://runuo.kr/haims_esc/Haims_ESC.exeoY
Source: Haims_ESC.exe, 00000002.00000002.2975355981.00000000004E3000.00000040.00000001.01000000.00000007.sdmp, ~DF79F3A13EFF4F3D66.TMP.5.dr, {500D0D6F-FE93-11EE-8C2C-ECF4BBEA1588}.dat.5.dr	String found in binary or memory: https://runuo.kr/haims_esc/haims_localconnect.php
Source: Haims_ESC.exe, 00000002.00000002.2977100207.0000000003150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://runuo.kr/haims_esc/haims_localconnect.php0ahk_exe
Source: Haims_ESC.exe, 00000002.00000002.2976395327.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://runuo.kr/haims_esc/haims_localconnect.phpmin
Source: Haims_ESC.exe, 00000002.00000002.2975923731.0000000000A45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://runuo.kr/haims_esc/haims_localconnect.phptCookies
Source: Haims_ESC.exe	String found in binary or memory: https://runuo.kr/haims_esc/nosearch/HV41_NoSearch_Inv
Source: Haims_ESC.exe, 00000002.00000002.2975355981.00000000004E3000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: https://runuo.kr/haims_esc/nosearch/HV41_NoSearch_Invoke.php?CompanyCode=%getCode%&PartNo=%getPtno%
Source: Haims_ESC.exe, 00000002.00000002.2976395327.0000000002C14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://runuo.kr/haims_esc/nosearch/HV41_NoSearch_Invoke.php?CompanyCode=%getCode%&PartNo=%getPtno%R
Source: Haims_ESC.exe	String found in binary or memory: https://runuo.kr/haims_esc/nosearch/Hai
Source: Haims_ESC.exe, Haims_ESC.exe, 00000002.00000002.2976395327.0000000002C14000.00000004.00000020.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000002.2975355981.00000000004E3000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: https://runuo.kr/haims_esc/nosearch/HaimsNoSearch.php?CompanyCode=%strCompanyCode%&PartNo=%UIA_HV41_
Source: Haims_ESC.exe, 00000002.00000002.2976395327.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000002.2975355981.00000000004E3000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: https://runuo.kr/haims_esc/nosearch/Haims_CompanyCode_check.php?CompanyCode=%cCode%
Source: Haims_ESC.exe, 00000002.00000002.2975923731.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000002.2975923731.0000000000AB1000.00000004.00000020.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000002.2975923731.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://runuo.kr/haims_esc/nosearch/Haims_CompanyCode_check.php?CompanyCode=0
Source: Haims_ESC.exe, 00000002.00000002.2975923731.0000000000AB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://runuo.kr/haims_esc/nosearch/Haims_CompanyCode_check.php?CompanyCode=0eenKey_Use=1
Source: Haims_ESC.exe, Haims_ESC.exe, 00000002.00000002.2975923731.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000002.2975355981.00000000004E3000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: https://runuo.kr/haims_esc/notice.txt
Source: Haims_ESC.exe, 00000002.00000002.2976395327.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://runuo.kr/haims_esc/notice.txtnotice.txt?
Source: Haims_ESC.exe, 00000002.00000002.2975355981.00000000004E3000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: https://runuo.kr/haims_esc/updater.exe
Source: Haims_ESC.exe, 00000002.00000002.2976395327.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://runuo.kr/haims_esc/updater.exeupdater.exe?
Source: Haims_ESC.exe, 00000002.00000002.2975923731.00000000009FB000.00000004.00000020.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000002.2976395327.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000002.2975355981.00000000004E3000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: https://runuo.kr/haims_esc/ver.txt
Source: Haims_ESC.exe, 00000002.00000002.2975923731.00000000009FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://runuo.kr/haims_esc/ver.txtl)
Source: Haims_ESC.exe, 00000002.00000002.2975923731.00000000009FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://runuo.kr/haims_esc/ver.txtr(
Source: Haims_ESC.exe, 00000002.00000002.2975923731.00000000009FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://runuo.kr/r)
Source: Haims_ESC.exe, 00000002.00000002.2975923731.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://runuo.kr:443/haims_esc/ver.txtXJ
Source: Haims_ESC.exe, Haims_ESC.exe, 00000002.00000003.1930994998.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932980145.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931481058.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932642347.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932881382.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000002.2977100207.0000000003150000.00000004.00000020.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1933080599.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931229919.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1925136818.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932090189.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932134417.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932826201.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931843025.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1930888894.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932231043.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932179913.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1930939772.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931152410.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1933030660.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931436456.0000000006980000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.daum.net/
Source: Haims_ESC.exe, 00000002.00000002.2977100207.0000000003150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.daum.net/$
Source: Haims_ESC.exe, Haims_ESC.exe, 00000002.00000002.2976395327.0000000002C14000.00000004.00000020.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000002.2975355981.00000000004E3000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: https://www.haims.co.kr/Haims
Source: Haims_ESC.exe, 00000002.00000002.2977100207.0000000003150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.haims.co.kr/HaimsHYUNDAI
Source: Haims_ESC.exe, Haims_ESC.exe, 00000002.00000003.1930994998.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932980145.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931481058.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932642347.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932881382.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1933080599.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931229919.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1925136818.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932090189.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932134417.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932826201.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931843025.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1930888894.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932231043.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932179913.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1930939772.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931152410.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1933030660.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931436456.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1924489741.0000000006980000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.naver.com/
Source: Haims_ESC.exe, 00000002.00000002.2977100207.0000000003150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.naver.com/1110C:
Source: Haims_ESC.exe, 00000002.00000002.2977100207.0000000003150000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.naver.com/x

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 112.175.184.42:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 112.175.184.42:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 112.175.184.42:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 112.175.184.42:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 112.175.184.42:443 -> 192.168.2.4:49739 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Code function: 0_2_0040E7E0 SetWindowsHookExW 0000000D,Function_00009E00,MZ@,00000000

0_2_0040E7E0

Installs a global keyboard hook

Source: C:\Users\user\Desktop\Haims_ESC.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Haims_ESC.exe			Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Windows user hook set: 0 mouse low level C:\Users\user\Desktop\Haims_ESC.exe			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Code function: 0_2_00405390 GetTickCount,IsClipboardFormatAvailable,GetTickCount,OpenClipboard,OpenClipboard,GetTickCount,OpenClipboard,

0_2_00405390

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_004050C0 EmptyClipboard,GlobalUnWire,CloseClipboard,GlobalUnWire,GlobalUnWire,GlobalFree,GlobalUnWire,CloseClipboard,SetClipboardData,GlobalUnWire,CloseClipboard,	0_2_004050C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00482940 EmptyClipboard,GlobalUnWire,CloseClipboard,GlobalAlloc,GlobalFix,GlobalUnWire,SetClipboardData,GlobalUnWire,CloseClipboard,GlobalFree,GlobalUnWire,CloseClipboard,	0_2_00482940
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_004050C0 EmptyClipboard,GlobalUnWire,CloseClipboard,GlobalUnWire,GlobalUnWire,GlobalFree,GlobalUnWire,CloseClipboard,SetClipboardData,GlobalUnWire,CloseClipboard,	2_2_004050C0
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00482940 EmptyClipboard,GlobalUnWire,CloseClipboard,GlobalAlloc,GlobalFix,GlobalUnWire,SetClipboardData,GlobalUnWire,CloseClipboard,GlobalFree,GlobalUnWire,CloseClipboard,	2_2_00482940

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Code function: 0_2_00405290 GetClipboardFormatNameW,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,GetClipboardData,

0_2_00405290

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Code function: 0_2_00444260 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,_wcsrchr,__wcsicoll,__wcsicoll,__wcsicoll,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,__wcsnicmp,__fassign,__wcsnicmp,_wcsncpy,__fassign,__fassign,__fassign,__fassign,GetDC,DestroyCursor,DeleteObject,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,_free,_free,_free,

0_2_00444260

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Code function: 0_2_004160A0 GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,

0_2_004160A0

Source: C:\Users\user\Desktop\Haims_ESC.exe

Windows user hook set: 0 mouse low level C:\Users\user\Desktop\Haims_ESC.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_004014E4 GlobalUnWire,CloseClipboard,SetTimer,GetTickCount,GetTickCount,KiUserCallbackDispatcher,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,IsWindowEnabled,GetKeyState,GetKeyState,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,IsDialogMessageW,ShowWindow,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,KillTimer,DragQueryFileW,DragFinish,GetTickCount,DragFinish,DragFinish,_wcsncpy,_wcsncpy,GetTickCount,_wcsncpy,GetTickCount,IsDialogMessageW,SetCurrentDirectoryW,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,	0_2_004014E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_004181B0 GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetKeyState,	0_2_004181B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00414920 __wcsnicmp,__wcsnicmp,GetWindowThreadProcessId,AttachThreadInput,GetKeyboardLayout,GetTickCount,GetCurrentThreadId,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetTickCount,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,__wcsnicmp,_wcschr,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsicoll,PostMessageW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__wcsnicmp,__wcsnicmp,__fassign,PostMessageW,PostMessageW,PostMessageW,__itow,PostMessageW,_free,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetForegroundWindow,GetWindowThreadProcessId,	0_2_00414920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00414B96 GetKeyboardLayout,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,	0_2_00414B96
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00414D66 GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,	0_2_00414D66
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_004014E4 GlobalUnWire,CloseClipboard,SetTimer,GetTickCount,GetTickCount,KiUserCallbackDispatcher,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,IsWindowEnabled,GetKeyState,GetKeyState,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,IsDialogMessageW,ShowWindow,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,KillTimer,DragQueryFileW,DragFinish,GetTickCount,DragFinish,DragFinish,_wcsncpy,_wcsncpy,GetTickCount,_wcsncpy,GetTickCount,IsDialogMessageW,SetCurrentDirectoryW,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,	2_2_004014E4
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_004181B0 GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetKeyState,	2_2_004181B0
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00414920 __wcsnicmp,__wcsnicmp,GetWindowThreadProcessId,AttachThreadInput,GetKeyboardLayout,GetTickCount,GetCurrentThreadId,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetTickCount,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,__wcsnicmp,_wcschr,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsicoll,PostMessageW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__wcsnicmp,__wcsnicmp,__fassign,PostMessageW,PostMessageW,PostMessageW,__itow,PostMessageW,_free,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetForegroundWindow,GetWindowThreadProcessId,	2_2_00414920
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00414B96 GetKeyboardLayout,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,	2_2_00414B96
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00414D66 GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,	2_2_00414D66

System Summary

Sample or dropped binary is a compiled AutoHotkey binary

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Window found: window name: AutoHotkey			Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Window found: window name: AutoHotkey			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00444D60 RegisterClipboardFormatW,SetFocus,ShowWindow,ShowWindow,MoveWindow,GetSysColor,SetBkColor,SetTextColor,GetSysColorBrush,CreateCompatibleDC,SelectObject,BitBlt,SelectObject,DeleteDC,DrawIconEx,ExcludeClipRect,CreateRectRgn,GetClipRgn,GetSysColorBrush,FillRgn,DeleteObject,GetClipBox,FillRect,GetClientRect,MoveWindow,MoveWindow,MoveWindow,InvalidateRect,GetMenu,CheckMenuItem,Shell_NotifyIconW,Shell_NotifyIconW,Shell_NotifyIconW,RegisterClipboardFormatW,inet_ntoa,__itow,NtdllDefWindowProc_W,SendMessageTimeoutW,PostMessageW,SendMessageTimeoutW,PostMessageW,GlobalUnWire,CloseClipboard,GetCurrentProcessId,EnumWindows,SetTimer,PostMessageW,PostMessageW,IsWindow,GetWindowTextW,GetCurrentProcessId,	0_2_00444D60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00471450 GetDlgCtrlID,SetTextColor,GetSysColor,SetTextColor,SetBkMode,GetStockObject,GetSysColor,SetBkColor,GetSysColorBrush,GetSysColor,SetBkColor,GetSysColorBrush,SetBkColor,SetBkColor,GetSysColor,SetBkColor,GetSysColorBrush,GetSysColor,SetBkColor,GetSysColorBrush,_memset,DragQueryPoint,ClientToScreen,EnumChildWindows,GetDlgCtrlID,PostMessageW,DragFinish,PostMessageW,NtdllDialogWndProc_W,	0_2_00471450
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0046F4D0 SetWindowTextW,IsZoomed,IsIconic,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,GetForegroundWindow,NtdllDialogWndProc_W,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus,	0_2_0046F4D0
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00471450 GetDlgCtrlID,SetTextColor,GetSysColor,SetTextColor,SetBkMode,GetStockObject,GetSysColor,SetBkColor,GetSysColorBrush,GetSysColor,SetBkColor,GetSysColorBrush,SetBkColor,SetBkColor,GetSysColor,SetBkColor,GetSysColorBrush,GetSysColor,SetBkColor,GetSysColorBrush,_memset,DragQueryPoint,ClientToScreen,EnumChildWindows,GetDlgCtrlID,PostMessageW,DragFinish,PostMessageW,NtdllDialogWndProc_W,	2_2_00471450
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0046F4D0 SetWindowTextW,IsZoomed,IsIconic,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,GetForegroundWindow,NtdllDialogWndProc_W,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus,	2_2_0046F4D0
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00444D60 RegisterClipboardFormatW,SetFocus,ShowWindow,ShowWindow,MoveWindow,GetSysColor,SetBkColor,SetTextColor,GetSysColorBrush,CreateCompatibleDC,SelectObject,BitBlt,SelectObject,DeleteDC,DrawIconEx,ExcludeClipRect,CreateRectRgn,GetClipRgn,GetSysColorBrush,FillRgn,DeleteObject,GetClipBox,FillRect,GetClientRect,MoveWindow,MoveWindow,MoveWindow,InvalidateRect,GetMenu,CheckMenuItem,Shell_NotifyIconW,Shell_NotifyIconW,Shell_NotifyIconW,RegisterClipboardFormatW,inet_ntoa,__itow,NtdllDefWindowProc_W,SendMessageTimeoutW,PostMessageW,SendMessageTimeoutW,PostMessageW,GlobalUnWire,CloseClipboard,GetCurrentProcessId,EnumWindows,SetTimer,PostMessageW,PostMessageW,IsWindow,GetWindowTextW,GetCurrentProcessId,	2_2_00444D60
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_004714F6 SendMessageW,PostMessageW,NtdllDialogWndProc_W,	2_2_004714F6
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00471558 NtdllDialogWndProc_W,	2_2_00471558
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_004715C3 NtdllDialogWndProc_W,	2_2_004715C3
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00471CA7 NtdllDialogWndProc_W,	2_2_00471CA7
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00471D5B NtdllDialogWndProc_W,	2_2_00471D5B
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00471D12 GetClipBox,FillRect,NtdllDialogWndProc_W,	2_2_00471D12
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00471D9F FillRect,SetBkColor,GetClassLongW,FillRect,SetTextColor,SendMessageW,SendMessageW,SendMessageW,DrawTextW,SetTextColor,NtdllDialogWndProc_W,	2_2_00471D9F
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00471EEE NtdllDialogWndProc_W,	2_2_00471EEE
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00471F16 _memset,ScreenToClient,EnumChildWindows,GetDlgCtrlID,PostMessageW,NtdllDialogWndProc_W,	2_2_00471F16
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00471FE5 NtdllDialogWndProc_W,	2_2_00471FE5

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Code function: 0_2_00449AF0: __swprintf,CreateFileW,DeviceIoControl,CloseHandle,

0_2_00449AF0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0045F390 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_0045F390
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0045F390 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		2_2_0045F390

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_004014E4	0_2_004014E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00426070	0_2_00426070
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_004A22CD	0_2_004A22CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0042A340	0_2_0042A340
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0040D3B0	0_2_0040D3B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0042B4E0	0_2_0042B4E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_004A6509	0_2_004A6509
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_004A95EE	0_2_004A95EE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00411640	0_2_00411640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0049C648	0_2_0049C648
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_004A7655	0_2_004A7655
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0040D680	0_2_0040D680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00451760	0_2_00451760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_004A1776	0_2_004A1776
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0041F7E4	0_2_0041F7E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00429780	0_2_00429780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00414920	0_2_00414920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00443A50	0_2_00443A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00438A90	0_2_00438A90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00411C80	0_2_00411C80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0048DE10	0_2_0048DE10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00426070	0_2_00426070
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00401EF4	0_2_00401EF4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00419EA1	0_2_00419EA1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00419EA0	0_2_00419EA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0043BF60	0_2_0043BF60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00412F30	0_2_00412F30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0047EFC0	0_2_0047EFC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_004A5FB8	0_2_004A5FB8
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_004014E4	2_2_004014E4
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0040D680	2_2_0040D680
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00451760	2_2_00451760
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00468E60	2_2_00468E60
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0043BF60	2_2_0043BF60
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00426070	2_2_00426070
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_004A22CD	2_2_004A22CD
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0042A340	2_2_0042A340
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0040D3B0	2_2_0040D3B0
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0042B4E0	2_2_0042B4E0
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_004A6509	2_2_004A6509
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_004A95EE	2_2_004A95EE
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00411640	2_2_00411640
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0049C648	2_2_0049C648
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_004A7655	2_2_004A7655
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_004A1776	2_2_004A1776
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0041F7E4	2_2_0041F7E4
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00429780	2_2_00429780
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00414920	2_2_00414920
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00443A50	2_2_00443A50
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00438A90	2_2_00438A90
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00497AA0	2_2_00497AA0
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00411C80	2_2_00411C80
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0048DE10	2_2_0048DE10
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00426070	2_2_00426070
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00401EF4	2_2_00401EF4
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00419EA1	2_2_00419EA1
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00419EA0	2_2_00419EA0
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00412F30	2_2_00412F30
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0047EFC0	2_2_0047EFC0
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_004A5FB8	2_2_004A5FB8

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: String function: 0047F770 appears 64 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: String function: 0047F810 appears 53 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: String function: 00499409 appears 383 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: String function: 0043A0A0 appears 73 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: String function: 0043A380 appears 231 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: String function: 00499B8A appears 55 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: String function: 00408FA4 appears 36 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: String function: 0049A399 appears 35 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: String function: 004A7840 appears 47 times
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: String function: 0047F770 appears 66 times
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: String function: 0047F810 appears 53 times
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: String function: 00499409 appears 383 times
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: String function: 0043A0A0 appears 80 times
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: String function: 0043A380 appears 252 times
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: String function: 00499B8A appears 55 times
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: String function: 00408FA4 appears 36 times
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: String function: 0049A399 appears 34 times
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: String function: 004A7840 appears 47 times

Source: SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Static PE information: invalid certificate

Source: SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Static PE information: Section: .MPRESS1 ZLIB complexity 1.0003240610986548
Source: Haims_ESC.exe.0.dr	Static PE information: Section: .MPRESS1 ZLIB complexity 1.000320916077258

Source: classification engine

Classification label: mal60.spyw.evad.winEXE@11/20@1/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Code function: 0_2_0043B080 GetFileAttributesW,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,_memset,__swprintf,CreateProcessW,CloseHandle,CloseHandle,GetLastError,_memset,__wcsicoll,_wcschr,SetCurrentDirectoryW,_wcschr,_wcschr,GetFileAttributesW,_wcschr,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW,

0_2_0043B080

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0045F390 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_0045F390
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0045F390 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		2_2_0045F390

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Code function: 0_2_00449790 _wcsncpy,GetDiskFreeSpaceExW,

0_2_00449790

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Code function: 0_2_0045F5A0 CreateToolhelp32Snapshot,Process32FirstW,__wcstoi64,Process32NextW,__wsplitpath,__wcsicoll,Process32NextW,CloseHandle,CloseHandle,CloseHandle,

0_2_0045F5A0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Code function: 0_2_0041F3CB _wcsncpy,CharUpperW,lstrcmpiW,lstrcmpiW,FindResourceW,LoadResource,LockResource,SizeofResource,FindResourceW,

0_2_0041F3CB

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

File created: C:\Users\user\Desktop\Haims_ESC.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5592:120:WilError_03
Source: C:\Users\user\Desktop\Haims_ESC.exe	Mutant created: \Sessions\1\BaseNamedObjects\AHK Mouse
Source: C:\Users\user\Desktop\Haims_ESC.exe	Mutant created: \Sessions\1\BaseNamedObjects\AHK Keybd

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF1D0A298AAD15511E.TMP

Jump to behavior

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "iexplore.exe")

Source: C:\Users\user\Desktop\Haims_ESC.exe

File read: C:\Users\user\Desktop\config.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

ReversingLabs: Detection: 23%

Source: Haims_ESC.exe

String found in binary or memory: nt while (!cEl.CurrentValue && (A_TickCount-startTime < timeOut)) Sleep, 20 } } } return cEl } ActivateChromiumAccessibility(hwnd:="A", cacheRequest:=0, timeOut:=500) { static activatedHwnds := {} if hwnd is not integer hwnd := WinExist(hwnd) if activatedHwnds

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Process created: C:\Users\user\Desktop\Haims_ESC.exe Haims_ESC.exe
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4476 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new
Source: C:\Users\user\Desktop\Haims_ESC.exe	Process created: C:\Windows\SysWOW64\taskkill.exe Taskkill /f /im iexplore.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Process created: C:\Users\user\Desktop\Haims_ESC.exe Haims_ESC.exe	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Process created: C:\Windows\SysWOW64\taskkill.exe Taskkill /f /im iexplore.exe	Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4476 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Haims_ESC.exe

File written: C:\Users\user\Desktop\config.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Unpacked PE file: 0.2.SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\Haims_ESC.exe	Unpacked PE file: 2.2.Haims_ESC.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Code function: 0_2_00473130 LoadLibraryW,GetProcAddress,FreeLibrary,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetSysColor,SendMessageW,

0_2_00473130

Source: initial sample

Static PE information: section where entry point is pointing to: .MPRESS2

Source: SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Static PE information: section name: .MPRESS1
Source: SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Static PE information: section name: .MPRESS2
Source: Haims_ESC.exe.0.dr	Static PE information: section name: .MPRESS1
Source: Haims_ESC.exe.0.dr	Static PE information: section name: .MPRESS2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0049EB75 push ecx; ret	0_2_0049EB88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_004AAD28 push eax; ret	0_2_004AAD46
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0049EB75 push ecx; ret	2_2_0049EB88
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_004AAD28 push eax; ret	2_2_004AAD46

Source: SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Static PE information: section name: .MPRESS1 entropy: 7.999527045952774
Source: Haims_ESC.exe.0.dr	Static PE information: section name: .MPRESS1 entropy: 7.999499195300892

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

File created: C:\Users\user\Desktop\Haims_ESC.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Haims_ESC.exe	File created: C:\Users\user\Desktop\readme.txt			Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	File created: C:\Users\user\Desktop\VNDCD_memo\readme.txt			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00483940 GetWindowThreadProcessId,GetWindowThreadProcessId,GetForegroundWindow,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,SetForegroundWindow,SetForegroundWindow,GetForegroundWindow,GetWindow,AttachThreadInput,AttachThreadInput,BringWindowToTop,	0_2_00483940
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0046C100 GetWindowLongW,GetWindowLongW,GetWindowLongW,__wcsnicmp,__wcsnicmp,__wcsicoll,SetWindowPos,__wcsicoll,__wcsicoll,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,EnableWindow,__wcsnicmp,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,__wcsnicmp,MulDiv,MulDiv,__wcsnicmp,MulDiv,MulDiv,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcstoi64,IsWindow,SetParent,SetWindowLongW,SetParent,IsWindowVisible,IsIconic,SetWindowLongW,SetWindowLongW,SetWindowPos,InvalidateRect,	0_2_0046C100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00444260 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,_wcsrchr,__wcsicoll,__wcsicoll,__wcsicoll,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,__wcsnicmp,__fassign,__wcsnicmp,_wcsncpy,__fassign,__fassign,__fassign,__fassign,GetDC,DestroyCursor,DeleteObject,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,_free,_free,_free,	0_2_00444260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00473350 SendMessageW,SendMessageW,SendMessageW,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,GetPropW,ShowWindow,GetUpdateRect,SendMessageW,GetWindowLongW,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,PtInRect,SetFocus,SendMessageW,SendMessageW,ShowWindow,SetFocus,InvalidateRect,InvalidateRect,InvalidateRect,MapWindowPoints,InvalidateRect,	0_2_00473350
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0045C320 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,CreateDCW,GetDC,GetPixel,DeleteDC,ReleaseDC,__swprintf,	0_2_0045C320
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0046F4D0 SetWindowTextW,IsZoomed,IsIconic,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,GetForegroundWindow,NtdllDialogWndProc_W,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus,	0_2_0046F4D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0046F4D0 SetWindowTextW,IsZoomed,IsIconic,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,GetForegroundWindow,NtdllDialogWndProc_W,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus,	0_2_0046F4D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00442760 GetForegroundWindow,IsWindowVisible,GetWindowThreadProcessId,IsZoomed,IsIconic,GetWindowLongW,__swprintf,GetModuleHandleW,GetProcAddress,__swprintf,	0_2_00442760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00483810 GetForegroundWindow,IsWindowVisible,IsIconic,ShowWindow,	0_2_00483810
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00443A50 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,__swprintf,ReleaseDC,SelectObject,DeleteDC,DeleteObject,_free,GetPixel,ReleaseDC,	0_2_00443A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00446B40 GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,WindowFromPoint,EnumChildWindows,_memset,EnumChildWindows,GetClassNameW,EnumChildWindows,	0_2_00446B40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00480B70 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,	0_2_00480B70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00480BD0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,	0_2_00480BD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00445CB0 SendMessageW,SendMessageW,SendMessageW,IsWindowVisible,ShowWindow,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageW,	0_2_00445CB0
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0046F4D0 SetWindowTextW,IsZoomed,IsIconic,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,GetForegroundWindow,NtdllDialogWndProc_W,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus,	2_2_0046F4D0
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0046F4D0 SetWindowTextW,IsZoomed,IsIconic,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,GetForegroundWindow,NtdllDialogWndProc_W,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus,	2_2_0046F4D0
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00442760 GetForegroundWindow,IsWindowVisible,GetWindowThreadProcessId,IsZoomed,IsIconic,GetWindowLongW,__swprintf,GetModuleHandleW,GetProcAddress,__swprintf,	2_2_00442760
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00483940 GetWindowThreadProcessId,GetWindowThreadProcessId,GetForegroundWindow,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,SetForegroundWindow,SetForegroundWindow,GetForegroundWindow,GetWindow,AttachThreadInput,AttachThreadInput,BringWindowToTop,	2_2_00483940
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00468E60 MulDiv,MulDiv,MulDiv,_wcschr,__wcsicoll,MulDiv,MulDiv,MulDiv,ReadConsoleOutputAttribute,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,_wcschr,DrawTextW,DrawTextW,GetCharABCWidthsW,MulDiv,GetSystemMetrics,GetSystemMetrics,MulDiv,MulDiv,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetWindowLongW,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,CreateWindowExW,CreateWindowExW,CreateWindowExW,CreateWindowExW,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,CreateWindowExW,SendMessageW,CreateWindowExW,SendMessageW,SendMessageW,MulDiv,MulDiv,MulDiv,MoveWindow,SelectObject,ReleaseDC,SendMessageW,SendMessageW,GetClientRect,SetWindowLongW,SendMessageW,SetWindowLongW,MoveWindow,GetWindowRect,SendMessageW,SetWindowPos,GetWindowRect,MapWindowPoints,InvalidateRect,SetWindowPos,SetWindowPos,MapWindowPoints,	2_2_00468E60
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0046C100 GetWindowLongW,GetWindowLongW,GetWindowLongW,__wcsnicmp,__wcsnicmp,__wcsicoll,SetWindowPos,__wcsicoll,__wcsicoll,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,EnableWindow,__wcsnicmp,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,__wcsnicmp,MulDiv,MulDiv,__wcsnicmp,MulDiv,MulDiv,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcstoi64,IsWindow,SetParent,SetWindowLongW,SetParent,IsWindowVisible,IsIconic,SetWindowLongW,SetWindowLongW,SetWindowPos,InvalidateRect,	2_2_0046C100
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00444260 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,_wcsrchr,__wcsicoll,__wcsicoll,__wcsicoll,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,__wcsnicmp,__fassign,__wcsnicmp,_wcsncpy,__fassign,__fassign,__fassign,__fassign,GetDC,DestroyCursor,DeleteObject,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,_free,_free,_free,	2_2_00444260
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00473350 SendMessageW,SendMessageW,SendMessageW,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,GetPropW,ShowWindow,GetUpdateRect,SendMessageW,GetWindowLongW,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,PtInRect,SetFocus,SendMessageW,SendMessageW,ShowWindow,SetFocus,InvalidateRect,InvalidateRect,InvalidateRect,MapWindowPoints,InvalidateRect,	2_2_00473350
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0045C320 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,CreateDCW,GetDC,GetPixel,DeleteDC,ReleaseDC,__swprintf,	2_2_0045C320
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00483810 GetForegroundWindow,IsWindowVisible,IsIconic,ShowWindow,	2_2_00483810
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00443A50 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,__swprintf,ReleaseDC,SelectObject,DeleteDC,DeleteObject,_free,GetPixel,ReleaseDC,	2_2_00443A50
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00446B40 GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,WindowFromPoint,EnumChildWindows,_memset,EnumChildWindows,GetClassNameW,EnumChildWindows,	2_2_00446B40
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00480B70 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,	2_2_00480B70
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00480BD0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,	2_2_00480BD0
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00445CB0 SendMessageW,SendMessageW,SendMessageW,IsWindowVisible,ShowWindow,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageW,	2_2_00445CB0

Source: C:\Users\user\Desktop\Haims_ESC.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Haims_ESC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Haims_ESC.exe

Window / User API: foregroundWindowGot 526

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	API coverage: 4.1 %
Source: C:\Users\user\Desktop\Haims_ESC.exe	API coverage: 6.0 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0040C260 GetKeyboardLayout followed by cmp: cmp dword ptr [004db3c4h], edi and CTI: je 0040C434h	0_2_0040C260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00419230 GetKeyboardLayout followed by cmp: cmp cl, 00000019h and CTI: ja 0041932Ch country: Russian (ru)	0_2_00419230
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0040C260 GetKeyboardLayout followed by cmp: cmp dword ptr [004db3c4h], edi and CTI: je 0040C434h	2_2_0040C260
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00419230 GetKeyboardLayout followed by cmp: cmp cl, 00000019h and CTI: ja 0041932Ch country: Russian (ru)	2_2_00419230

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_004804F0 FindFirstFileW,FindClose,GetFileAttributesW,	0_2_004804F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00480580 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,	0_2_00480580
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0045E1A0 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,	0_2_0045E1A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0044D4F0 FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,GetLastError,FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__swprintf,FindNextFileW,FindClose,	0_2_0044D4F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0044D7F0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,	0_2_0044D7F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_00437AD0 FindFirstFileW,FindNextFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindClose,	0_2_00437AD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0047BAE0 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle,	0_2_0047BAE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0044DB30 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,	0_2_0044DB30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0045EE20 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,_wcsrchr,_wcsrchr,_wcsncpy,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,FindNextFileW,FindClose,	0_2_0045EE20
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_004804F0 FindFirstFileW,FindClose,GetFileAttributesW,	2_2_004804F0
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00480580 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,	2_2_00480580
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0047BAE0 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle,	2_2_0047BAE0
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0045E1A0 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,	2_2_0045E1A0
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0044D4F0 FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,GetLastError,FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__swprintf,FindNextFileW,FindClose,	2_2_0044D4F0
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0044D7F0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,	2_2_0044D7F0
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_00437AD0 FindFirstFileW,FindNextFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindClose,	2_2_00437AD0
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0044DB30 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,	2_2_0044DB30
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0045EE20 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,_wcsrchr,_wcsrchr,_wcsncpy,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,FindNextFileW,FindClose,	2_2_0045EE20

Source: Haims_ESC.exe, 00000002.00000002.2975923731.0000000000A45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWz
Source: SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000003.1820569878.0000000000AC3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000002.1821271566.0000000000AC3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWpg
Source: SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000003.1820569878.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000002.1821271566.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000002.2975923731.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000002.2975923731.00000000009FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Code function: 0_2_004164C0 GetCurrentThreadId,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,BlockInput,GetForegroundWindow,GetAsyncKeyState,keybd_event,keybd_event,GetAsyncKeyState,keybd_event,GetAsyncKeyState,BlockInput,

0_2_004164C0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Code function: 0_2_004A1767 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_004A1767

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Code function: 0_2_00473130 LoadLibraryW,GetProcAddress,FreeLibrary,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetSysColor,SendMessageW,

0_2_00473130

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Code function: 0_2_004A8CEE __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_004A8CEE

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_004A1767 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_004A1767
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0049DD65 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0049DD65
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_004A1767 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_004A1767
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0049DD65 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0049DD65

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

0_2_0043B080

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Code function: 0_2_00418090 keybd_event,GetTickCount,GetForegroundWindow,GetWindowTextW,

0_2_00418090

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Code function: 0_2_00417360 GetAsyncKeyState,GetSystemMetrics,GetSystemMetrics,GetCursorPos,WindowFromPoint,GetWindowThreadProcessId,SendMessageW,mouse_event,mouse_event,

0_2_00417360

Source: C:\Users\user\Desktop\Haims_ESC.exe

Process created: C:\Windows\SysWOW64\taskkill.exe Taskkill /f /im iexplore.exe

Jump to behavior

Source: SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, Haims_ESC.exe	Binary or memory string: Program Manager
Source: SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, Haims_ESC.exe	Binary or memory string: Shell_TrayWnd
Source: Haims_ESC.exe	Binary or memory string: IN_JUMP } ie.Visible := false ie.Navigate(url) While ie.ReadyState != 4 \|\| ie.Busy Sleep, 100 WinHide, ahk_class IEFrame WinActivate, ahk_class Shell_TrayWnd SetTimer, CloseIE, 500 MAIN_JUMP: GroupAdd GroupA, ahk_exe chrome.exe GroupAdd GroupA, ahk_exe whale.e
Source: Haims_ESC.exe, 00000002.00000002.2975355981.00000000004E3000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: WinActivate, ahk_class Shell_TrayWnd
Source: Haims_ESC.exe, 00000002.00000002.2976395327.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ahk_class Shell_TrayWndw
Source: Haims_ESC.exe, 00000002.00000002.2975644201.0000000000996000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: IEFrameShell_TrayWnd <=
Source: SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Haims_ESC.exe, 00000002.00000002.2975355981.0000000000401000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Gp6A08ATextLEFTLRIGHTRMIDDLEMX1X2WUWDWLWR{Blind}{ClickLl{}^+!#{}RawTempASC U+ ,LWin RWin LShift RShift LCtrl RCtrl LAlt RAlt SYSTEM\CurrentControlSet\Control\Keyboard Layouts\Layout FileKbdLayerDescriptorsc%03Xvk%02XSCALTDOWNALTUPSHIFTDOWNSHIFTUPCTRLDOWNCONTROLDOWNCTRLUPCONTROLUPLWINDOWNLWINUPRWINDOWNRWINUPRtlGetVersionntdll.dll%u.%u.%uStdOutAllUnreachableClassOverwriteUseEnvLocalSameAsGlobalUseUnsetGlobalUseUnsetLocalYYYYYWeekYearYDayWorkingDirWinDirWinDelayWDayUserNameTitleMatchModeSpeedTitleMatchModeTimeSinceThisHotkeyTimeSincePriorHotkeyTimeIdlePhysicalTimeIdleMouseTimeIdleKeyboardTimeIdleTickCountThisMenuItemPosThisMenuItemThisMenuThisLabelThisHotkeyThisFuncStoreCapslockModeStartupCommonStartupStartMenuCommonStartMenuSecScriptNameScriptHwndScriptFullPathScriptDirScreenWidthScreenHeightScreenDPIRegViewPtrSizeProgramsCommonProgramsPriorKeyPriorHotkeyOSVersionOSTypeNumBatchLinesNowUTCNowMyDocumentsMSecMouseDelayPlayMouseDelayMonMMMMMMMMMMinMDayLoopRegTypeLoopRegTimeModifiedLoopRegSubKeyLoopRegNameLoopRegKeyLoopReadLineLoopFileTimeModifiedLoopFileTimeCreatedLoopFileTimeAccessedLoopFileSizeMBLoopFileSizeKBLoopFileSizeLoopFileShortPathLoopFileShortNameLoopFilePathLoopFileNameLoopFileLongPathLoopFileFullPathLoopFileExtLoopFileDirLoopFileAttribLoopFieldLineNumberLineFileLastErrorLanguageKeyDurationPlayKeyDurationKeyDelayPlayKeyDelayIsUnicodeIsSuspendedIsPausedIsCriticalIsCompiledIsAdminIs64bitOSIPAddress4IPAddress3IPAddress2IPAddress1InitialWorkingDirIndexIconTipIconNumberIconHiddenIconFileHourGuiYGuiXGuiWidthGuiHeightGuiEventGuiControlEventFormatIntegerFormatFloatExitReasonEventInfoEndCharDesktopCommonDesktopDefaultTreeViewDefaultMouseSpeedDefaultListViewDefaultGuiDDDDDDDDDCursorCoordModeToolTipCoordModePixelCoordModeMouseCoordModeMenuCoordModeCaretControlDelayComputerNameCaretYCaretXBatchLinesAppDataCommonAppDataAhkVersionAhkPathTrueProgramFilesFalseComSpecClipboardAll...%s[%Iu of %Iu]: %-1.60s%sPropertyRegExMatch\:\:REG_SZREG_EXPAND_SZREG_MULTI_SZREG_DWORDREG_BINARYDefault3264MasterSpeakersHeadphonesDigitalLineMicrophoneSynthCDTelephonePCSpeakerWaveAuxAnalogVolVolumeOnOffMuteMonoLoudnessStereoEnhBassBoostPanQSoundPanBassTrebleEqualizerRegExFASTSLOWMonitorCountMonitorPrimaryMonitorMonitorWorkAreaMonitorNameAscChrDerefHTMLModPowExpSqrtLogLnRoundCeilFloorAbsSinCosTanASinACosATanBitAndBitOrBitXOrBitNotBitShiftLeftBitShiftRightShowAddRenameCheckUncheckToggleCheckEnableDisableToggleEnableStandardNoStandardColorNoDefaultDeleteAllTipIconNoIconMainWindowNoMainWindowSubmitCancelHideMinimizeMaximizeRestoreDestroyMarginFontListViewTreeViewFlashNewMoveMoveDrawFocusChooseChooseStringPosFocusVEnabledVisibleHwndNameButtonCheckboxRadioDDLDropDownListComboBoxListBoxUpDownSliderTab2Tab3GroupBoxPicPictureDateTimeMonthCalStatusBarActiveXLinkCustomPriorityInterruptNoTimersCloseWaitCloseStyleExStyleShowDropDownHideDropDownTabLeftTabRightEditPasteCheckedFindStringChoiceListLineCountCurrentLineCurrentColSelectedEjectLockUnlockLabelFileSystemFSSetLabel:SerialTypeStatusSt
Source: Haims_ESC.exe, 00000002.00000002.2975355981.00000000004C0000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowDwmGetWindowAttributedwmapi.dllahk_idpidgroup%s%uProgram ManagerProgmanWorkerWError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Code function: 0_2_0044E100 __wcsicoll,GetTickCount,GetLocalTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,

0_2_0044E100

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Code function: 0_2_0044F3D0 GetComputerNameW,GetUserNameW,

0_2_0044F3D0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Code function: 0_2_0041A04E RtlGetVersion,__snwprintf,

0_2_0041A04E

Source: Haims_ESC.exe	Binary or memory string: WIN_XP
Source: Haims_ESC.exe, 00000002.00000002.2976720110.000000000301B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ((A_OSVersion="WIN_XP" \|\| A_OSVersion="WIN_7" \|\| A_OSVersion="WIN_2000" \|\| A_OSVersion="WIN_2003") && flags=2)
Source: Haims_ESC.exe, 00000002.00000002.2975355981.0000000000401000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: ?A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowLogoffSingleWIN32_NTWIN_8.1WIN_8WIN_7WIN_VISTAWIN_XPWIN_2003WIN_2000%04hX0x%IxpPIntStrPtrShortInt64DoubleAStrWStrgdi32comctl32kernel32W-3-4CDecl-2This DllCall requires a prior VarSetCapacity.Pos%sLen%sPos%dLen%dLenMarkCountarraypcre_calloutCompile error %d at offset %d: %hs-+0 #diouxXeEfgGaAcCpULlTt%0.*fCallbackCcFfSelectVisCenterUniDescLogicalNoSortAutoHdrFirstBoldExpandGDI+JoyJoyXJoyYJoyZJoyRJoyUJoyVJoyPOVJoyNameJoyButtonsJoyAxesJoyInfoGetProcessImageFileNameWpsapi
Source: Haims_ESC.exe	Binary or memory string: hdc, Flags:=2) { If ((A_OSVersion="WIN_XP" \|\| A_OSVersion="WIN_7" \|\| A_OSVersion="WIN_2000" \|\| A_OSVersion="WIN_2003") && flags=2) flags := 0 return DllCall("PrintWindow", "UPtr", hwnd, "UPtr", hdc, "uint", Flags) } DestroyIcon(hIcon) { return DllCall("Destroy
Source: Haims_ESC.exe	Binary or memory string: WIN_VISTA
Source: Haims_ESC.exe	Binary or memory string: WIN_7
Source: Haims_ESC.exe, 00000002.00000002.2977100207.0000000003150000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ADWIN_XPWIN_7WIN_2000WIN_20032
Source: Haims_ESC.exe	Binary or memory string: WIN_8
Source: Haims_ESC.exe, 00000002.00000002.2975355981.00000000004E3000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: If ((A_OSVersion="WIN_XP" \|\| A_OSVersion="WIN_7" \|\| A_OSVersion="WIN_2000" \|\| A_OSVersion="WIN_2003") && flags=2)
Source: Haims_ESC.exe	Binary or memory string: WIN_8.1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0041D920 Shell_NotifyIconW,DeleteObject,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DestroyCursor,DeleteObject,DestroyCursor,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyCursor,DestroyCursor,IsWindow,DestroyWindow,DeleteObject,RemoveClipboardFormatListener,ChangeClipboardChain,mciSendStringW,mciSendStringW,mciSendStringW,RtlDeleteCriticalSection,OleUninitialize,_free,_free,_free,	0_2_0041D920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Code function: 0_2_0041E370 AddClipboardFormatListener,PostMessageW,SetClipboardViewer,RemoveClipboardFormatListener,ChangeClipboardChain,	0_2_0041E370
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0041E370 AddClipboardFormatListener,PostMessageW,SetClipboardViewer,RemoveClipboardFormatListener,ChangeClipboardChain,	2_2_0041E370
Source: C:\Users\user\Desktop\Haims_ESC.exe	Code function: 2_2_0041D920 Shell_NotifyIconW,DeleteObject,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DestroyCursor,DeleteObject,DestroyCursor,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyCursor,DestroyCursor,IsWindow,DestroyWindow,DeleteObject,RemoveClipboardFormatListener,ChangeClipboardChain,mciSendStringW,mciSendStringW,mciSendStringW,RtlDeleteCriticalSection,OleUninitialize,_free,_free,_free,	2_2_0041D920

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	231 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	1 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	231 Input Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Process Injection	12 Software Packing	NTDS	15 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	121 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	24%	ReversingLabs
SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\Haims_ESC.exe	34%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://autohotkey.comCould	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
runuo.kr	112.175.184.42	true	false		unknown

Contacted URLs

Name	Malicious	Reputation
https://runuo.kr/haims_esc/nosearch/Haims_CompanyCode_check.php?CompanyCode=0	false	unknown
https://runuo.kr/haims_esc/Haims_ESC.exe	false	unknown
https://runuo.kr/wlog/piwik.php?action_name=&idsite=1&rec=1&r=643131&h=23&m=25&s=22&url=https%3A%2F%2Frunuo.kr%2Fhaims_esc%2Fhaims_localconnect.php&_id=1aa1c3094c7d4b5f&_idts=1713561923&_idvc=1&_idn=1&_refts=0&_viewts=1713561923&cs=windows-1252&java=1&cookie=1&res=1280x1024&gt_ms=0	false	unknown
https://runuo.kr/haims_esc/ver.txt	false	unknown
https://runuo.kr/wlog/piwik.js	false	unknown
https://runuo.kr/favicon.ico	false	unknown
https://runuo.kr/haims_esc/notice.txt	false	unknown
https://runuo.kr/haims_esc/haims_localconnect.php	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://runuo.kr/haims_esc/nosearch/Hai	Haims_ESC.exe	false		unknown
https://office.runuo.kr/haims_esc/Haims_ESC.exe	SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000002.1821601052.0000000002C30000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://runuo.kr/haims_esc/Haims_ESC.exeoY	SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000003.1820569878.0000000000AC3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000002.1821271566.0000000000AC3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://autohotkey.com	Haims_ESC.exe, Haims_ESC.exe, 00000002.00000002.2975355981.0000000000401000.00000040.00000001.01000000.00000007.sdmp	false		high
https://runuo.kr/haims_esc/haims_localconnect.phptCookies	Haims_ESC.exe, 00000002.00000002.2975923731.0000000000A45000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://runuo.kr/haims_esc	Haims_ESC.exe, 00000002.00000002.2976395327.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000002.2975355981.00000000004E3000.00000040.00000001.01000000.00000007.sdmp	false		unknown
https://www.daum.net/$	Haims_ESC.exe, 00000002.00000002.2977100207.0000000003150000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.haims.co.kr/Haims	Haims_ESC.exe, Haims_ESC.exe, 00000002.00000002.2976395327.0000000002C14000.00000004.00000020.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000002.2975355981.00000000004E3000.00000040.00000001.01000000.00000007.sdmp	false		unknown
https://www.naver.com/	Haims_ESC.exe, Haims_ESC.exe, 00000002.00000003.1930994998.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932980145.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931481058.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932642347.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932881382.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1933080599.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931229919.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1925136818.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932090189.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932134417.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932826201.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931843025.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1930888894.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932231043.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932179913.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1930939772.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931152410.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1933030660.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931436456.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1924489741.0000000006980000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.haims.co.kr/HaimsHYUNDAI	Haims_ESC.exe, 00000002.00000002.2977100207.0000000003150000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://runuo.kr/haims_esc/#Function_key_user_config	Haims_ESC.exe, 00000002.00000002.2975355981.00000000004E3000.00000040.00000001.01000000.00000007.sdmp	false		unknown
https://runuo.kr/r)	Haims_ESC.exe, 00000002.00000002.2975923731.00000000009FB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://runuo.kr:443/haims_esc/ver.txtXJ	Haims_ESC.exe, 00000002.00000002.2975923731.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://runuo.kr/haims_esc/Haims_ESC.exe32	SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000003.1820569878.0000000000AC3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000002.1821271566.0000000000AC3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://runuo.kr/haims_esc/ver.txtr(	Haims_ESC.exe, 00000002.00000002.2975923731.00000000009FB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://runuo.kr/haims_esc/nosearch/HV41_NoSearch_Inv	Haims_ESC.exe	false		unknown
https://office.runuo.kr:5001/sharing/cx22ddLq1	Haims_ESC.exe, 00000002.00000002.2976395327.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000002.2975355981.00000000004E3000.00000040.00000001.01000000.00000007.sdmp	false		unknown
https://runuo.kr/hai	Haims_ESC.exe	false		unknown
https://www.naver.com/1110C:	Haims_ESC.exe, 00000002.00000002.2977100207.0000000003150000.00000004.00000020.00020000.00000000.sdmp	false		high
https://autohotkey.comCould	SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Haims_ESC.exe, 00000002.00000002.2975355981.0000000000401000.00000040.00000001.01000000.00000007.sdmp	false	URL Reputation: safe	unknown
https://runuo.kr/haims_esc/nosearch/Haims_CompanyCode_check.php?CompanyCode=0eenKey_Use=1	Haims_ESC.exe, 00000002.00000002.2975923731.0000000000AB1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://runuo.kr/haims_esc/#Function_key_user_config=	Haims_ESC.exe, 00000002.00000002.2976395327.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://runuo.kr/O	Haims_ESC.exe, 00000002.00000002.2975923731.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://runuo.kr/haims_esc/	Haims_ESC.exe, 00000002.00000002.2977100207.0000000003150000.00000004.00000020.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1933080599.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931229919.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1925136818.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932090189.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932134417.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932826201.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931843025.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1930888894.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932231043.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932179913.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1930939772.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931152410.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1933030660.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931436456.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1924489741.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1923754529.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1924897219.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931289757.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931094457.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1924950407.0000000006980000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://runuo.kr/haims_esc/nosearch/HaimsNoSearch.php?CompanyCode=%strCompanyCode%&PartNo=%UIA_HV41_	Haims_ESC.exe, Haims_ESC.exe, 00000002.00000002.2976395327.0000000002C14000.00000004.00000020.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000002.2975355981.00000000004E3000.00000040.00000001.01000000.00000007.sdmp	false		unknown
http://runuo.co.kr/haims_esc/Haims_ESC.exe$	SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000002.1821601052.0000000002C30000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://runuo.kr/haims_esc/haims_localconnect.php0ahk_exe	Haims_ESC.exe, 00000002.00000002.2977100207.0000000003150000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://runuo.kr/haims_esc/=	Haims_ESC.exe, 00000002.00000002.2976395327.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://runuo.kr/haims_esc/notice.txtnotice.txt?	Haims_ESC.exe, 00000002.00000002.2976395327.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://piwik.org	piwik[1].js.6.dr	false		high
https://runuo.kr/haims_esc/nosearch/Haims_CompanyCode_check.php?CompanyCode=%cCode%	Haims_ESC.exe, 00000002.00000002.2976395327.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000002.2975355981.00000000004E3000.00000040.00000001.01000000.00000007.sdmp	false		unknown
http://piwik.org/free-software/bsd/	piwik[1].js.6.dr	false		high
https://runuo.kr/gnu/Haims_ESC/2	Haims_ESC.exe, 00000002.00000002.2975355981.00000000004E3000.00000040.00000001.01000000.00000007.sdmp	false		unknown
https://github.com/piwik/piwik/blob/master/js/piwik.js	piwik[1].js.6.dr	false		high
https://runuo.kr/haims_esc/ver.txtl)	Haims_ESC.exe, 00000002.00000002.2975923731.00000000009FB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://runuo.co.kr/haims_esc/Haims_ESC.exe	SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000002.1821601052.0000000002C30000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://runuo.kr/haims_esc/updater.exeupdater.exe?	Haims_ESC.exe, 00000002.00000002.2976395327.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://runuo.kr/haims_esc/nosearch/HV41_NoSearch_Invoke.php?CompanyCode=%getCode%&PartNo=%getPtno%	Haims_ESC.exe, 00000002.00000002.2975355981.00000000004E3000.00000040.00000001.01000000.00000007.sdmp	false		unknown
https://runuo.kr/haims_esc/updater.exe	Haims_ESC.exe, 00000002.00000002.2975355981.00000000004E3000.00000040.00000001.01000000.00000007.sdmp	false		unknown
https://runuo.kr/haims_esc/haims_localconnect.phpmin	Haims_ESC.exe, 00000002.00000002.2976395327.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://runuo.kr/wlog/piwik.php?idsite=1	haims_localconnect[1].htm.6.dr	false		unknown
https://runuo.kr/haims_esc/Haims_ESC.exeP	SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000003.1820569878.0000000000AC3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000002.1821271566.0000000000AC3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.naver.com/x	Haims_ESC.exe, 00000002.00000002.2977100207.0000000003150000.00000004.00000020.00020000.00000000.sdmp	false		high
https://runuo.kr/gnu/Haims_ESC/2=	Haims_ESC.exe, 00000002.00000002.2976395327.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://runuo.kr/	SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000003.1820569878.0000000000AC3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe, 00000000.00000002.1821271566.0000000000AC3000.00000004.00000020.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000002.2978092664.0000000006880000.00000004.00000020.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000002.2975923731.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://runuo.kr/haims_esc/nosearch/HV41_NoSearch_Invoke.php?CompanyCode=%getCode%&PartNo=%getPtno%R	Haims_ESC.exe, 00000002.00000002.2976395327.0000000002C14000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.daum.net/	Haims_ESC.exe, Haims_ESC.exe, 00000002.00000003.1930994998.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932980145.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931481058.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932642347.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932881382.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000002.2977100207.0000000003150000.00000004.00000020.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1933080599.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931229919.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1925136818.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932090189.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932134417.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932826201.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931843025.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1930888894.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932231043.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1932179913.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1930939772.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931152410.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1933030660.0000000006980000.00000004.00000800.00020000.00000000.sdmp, Haims_ESC.exe, 00000002.00000003.1931436456.0000000006980000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
112.175.184.42	runuo.kr	Korea Republic of		4766	KIXS-AS-KRKoreaTelecomKR	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428965
Start date and time:	2024-04-19 23:24:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe
Detection:	MAL
Classification:	mal60.spyw.evad.winEXE@11/20@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 48 Number of non-executed functions: 226
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, ielowutil.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.63.205.212
Excluded domains from analysis (whitelisted): e11290.dspg.akamaiedge.net, go.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, go.microsoft.com.edgekey.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetValueKey calls found.
VT rate limit hit for: SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Simulations

Behavior and APIs

Time	Type	Description
23:24:55	API Interceptor	1x Sleep call for process: SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe modified
23:25:13	API Interceptor	1x Sleep call for process: Haims_ESC.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
KIXS-AS-KRKoreaTelecomKR	JdnjRc1VGX.elf	Get hash	malicious	Mirai	Browse	211.222.190.56
	order.exe	Get hash	malicious	Unknown	Browse	168.126.63.1
	H6ccnU1094.elf	Get hash	malicious	Mirai, Okiru	Browse	183.109.40.161
	SecuriteInfo.com.Trojan.DownLoader40.42214.8350.4072.exe	Get hash	malicious	Unknown	Browse	112.175.61.157
	SecuriteInfo.com.Trojan.DownLoader40.42214.8350.4072.exe	Get hash	malicious	Unknown	Browse	112.175.61.157
	czEunnbk7b.elf	Get hash	malicious	Mirai	Browse	14.38.74.4
	9IseFevRH6.elf	Get hash	malicious	Mirai	Browse	175.200.190.191
	BzmhHwFpCV.elf	Get hash	malicious	Mirai	Browse	175.202.96.253
	dPFRrhKTeG.elf	Get hash	malicious	Unknown	Browse	14.78.152.197
	Gq7FlDf6cE.elf	Get hash	malicious	Mirai	Browse	119.204.19.204

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
6271f898ce5be7dd52b0fc260d0662b3	https://docx-nok.online/	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	112.175.184.42
	http://www.pdfconvertercompare.com	Get hash	malicious	Unknown	Browse	112.175.184.42
	http://www.sushi-idea.com	Get hash	malicious	Unknown	Browse	112.175.184.42
	Cheater Pro 1.6.0.msi	Get hash	malicious	Unknown	Browse	112.175.184.42
	https://wechatunsuscribe.secure.force.com/	Get hash	malicious	Unknown	Browse	112.175.184.42
	https://assets-gbr.mkt.dynamics.com/63445ada-d6fc-ee11-9046-002248c656ac/digitalassets/standaloneforms/4f16ddf0-7afd-ee11-a1fe-000d3ad499fa	Get hash	malicious	HTMLPhisher	Browse	112.175.184.42
	https://www.gourmetgirlsglutenfree.com/?utm_source=google&utm_medium=organic&utm_campaign=gmb	Get hash	malicious	Unknown	Browse	112.175.184.42
	product1122.html	Get hash	malicious	Unknown	Browse	112.175.184.42
	https://tracker.club-os.com/campaign/click?msgId=f8ea317d963149a518aa35e03e5541f797badf3c&target=splendidanimations.com%2F%40%2FQuantexa/IpoXF42991IpoXF42991IpoXF/bWFzc2ltb2JvcnJlbGxpQHF1YW50ZXhhLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	112.175.184.42
	https://www.canva.com/design/DAGClbxS4CM/0aRj8j8Ev9jwS9CNHsAlbw/view?utm_content=DAGClbxS4CM&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	112.175.184.42
a0e9f5d64349fb13191bc781f81f42e1	FFE Order details - Cincy v41720.xlsx	Get hash	malicious	Unknown	Browse	112.175.184.42
	z47Danfe-Pedido17042024.msi	Get hash	malicious	MicroClip	Browse	112.175.184.42
	SecuriteInfo.com.Trojan.Siggen28.27399.23329.29047.exe	Get hash	malicious	Remcos, DBatLoader	Browse	112.175.184.42
	Gantt_Excel_Pro_Daily_Free1.xlsm	Get hash	malicious	Unknown	Browse	112.175.184.42
	s2dwlCsA95.exe	Get hash	malicious	RisePro Stealer	Browse	112.175.184.42
	SecuriteInfo.com.Trojan.PWS.Steam.37210.2413.24955.exe	Get hash	malicious	LummaC	Browse	112.175.184.42
	avp.msi	Get hash	malicious	Unknown	Browse	112.175.184.42
	13w4NM6mPa.exe	Get hash	malicious	LummaC	Browse	112.175.184.42
	SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe	Get hash	malicious	Amadey, RedLine, RisePro Stealer	Browse	112.175.184.42
	SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe	Get hash	malicious	Unknown	Browse	112.175.184.42
37f463bf4616ecd445d4a1937da06e19	z42MNA2024000000041-KWINTMADI-11310Y_K.exe	Get hash	malicious	GuLoader, Remcos	Browse	112.175.184.42
	z14Novospedidosdecompra_Profil_4903.exe	Get hash	malicious	GuLoader, Remcos	Browse	112.175.184.42
	file.exe	Get hash	malicious	Vidar	Browse	112.175.184.42
	Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	112.175.184.42
	eOU2MVDmTd.exe	Get hash	malicious	CredGrabber, Meduza Stealer, PureLog Stealer, zgRAT	Browse	112.175.184.42
	SecuriteInfo.com.Win64.Malware-gen.14921.4629.exe	Get hash	malicious	CobaltStrike	Browse	112.175.184.42
	UMMAN #U0130HRACAT AFR5641 910-1714 1633.exe	Get hash	malicious	GuLoader, Remcos	Browse	112.175.184.42
	SecuriteInfo.com.Trojan.DownLoader40.42214.8350.4072.exe	Get hash	malicious	Unknown	Browse	112.175.184.42
	SecuriteInfo.com.Trojan.DownLoader40.42214.8350.4072.exe	Get hash	malicious	Unknown	Browse	112.175.184.42
	POTWIERDZENIE_TRANSAKCJI_20240418145856.exe	Get hash	malicious	GuLoader	Browse	112.175.184.42

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{500D0D6D-FE93-11EE-8C2C-ECF4BBEA1588}.dat

Download File

Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	2.043209386871311
Encrypted:	false
SSDEEP:	48:r4GWYHzGo4kHgIDH0H58p5Lc0j8p5LQg0:NHkkHBH0H58f8
MD5:	17F5FE1552363CE3EFF8A04D6D6AED8E
SHA1:	09FE73D834194F651A84E6FB5FF6847A9B0FEEEF
SHA-256:	6F7846AE0BC37436EF1F1863ED8F049EFBF87A8B620860E71FF201E72812951D
SHA-512:	479903472EDAAF49306CFD3A75C86B4CAA3FDE0769CB32D491287DF6314FDAAC6BCF92DF8A8A0E3E08B98A4C88F67FCADD88BA402AEEAA6158026E895FA468E3
Malicious:	false
Reputation:	low
Preview:	......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.........................................................................................`.....................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8...............................................................F.r.a.m.e.L.i.s.t.......................................................................................................0.......O._.T.S.b.g.0.N.U.J.P.+.7.h.G.M.L.O.z.0.u.+.o.V.i.A.=.=.........:.......................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{500D0D6F-FE93-11EE-8C2C-ECF4BBEA1588}.dat

Download File

Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	1.7892001586567305
Encrypted:	false
SSDEEP:	12:rl0oXGF3rEgmf0x7KFCxrEgmfd7qg9lLahw0tZMjh9liNatQ0tzMeDHD/mkd9k:r8G8LxGx9l/8ZMjh9li18zMkjb0
MD5:	477F768605C7AEF6E4565FF66CE24663
SHA1:	AE80F8811CC75A2B42185F6163499F4E210CB154
SHA-256:	D211C622FDC70D6CFA2A3D41DA5694592213CD0A8680EC7317FA10D849FCD571
SHA-512:	9A2E83DAF7BD2A3BB819B4AF9DF0C3EE023B3FF26083D51160069E94812E18E58E9E043838EC5B328797C2209ED170AF1F77504A9001448EEF11670874E15A53
Malicious:	false
Reputation:	low
Preview:	......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.........................................................................................0Y....................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................8.......T.r.a.v.e.l.L.o.g.......................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\haims_localconnect[1].htm

Download File

Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	681
Entropy (8bit):	5.263037086582387
Encrypted:	false
SSDEEP:	12:oMqJmeXeFWULV9NoULV9A1GWfjHCRxj+M0VqbLV9AzWEmbLV9S2FV3VXRWUkEJ9o:WfRULV9OULV98fjCX+M0VOV9oWBV9FFq
MD5:	D5A887F17A04120D7A509E7681E4BEBB
SHA1:	27507B367EE20AFAE0950A99489B4A6BB69D23C5
SHA-256:	2BAB625AB6EB8FEF89BA1AFAB2DB87FA0EFBC214F36F165B2F774B051FEEACA8
SHA-512:	33B6DEA030FE26F5A250B7C50BC1A79889FDDF10C16C3226FBE66A341C48F7738B1DB19AD9E7836A0F77FFB874D93F64706194C0A0D2C19A13991D3383B9B70C
Malicious:	false
Reputation:	low
Preview:	Piwik -->.<script type="text/javascript"> . var _paq = _paq \|\| [];. _paq.push(['trackPageView']);. _paq.push(['enableLinkTracking']);. (function() {. var u=(("https:" == document.location.protocol) ? "https" : "http") + "://runuo.kr/wlog/";. _paq.push(['setTrackerUrl', u+'piwik.php']);. _paq.push(['setSiteId', 1]);. var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0]; g.type='text/javascript';. g.defer=true; g.async=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);. })();.</script>.<noscript><p><img src="http://runuo.kr/wlog/piwik.php?idsite=1" style="border:0" alt="" /></p></noscript>. End Piwik Code -->.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\piwik[1].js

Download File

Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines (1661)
Category:	dropped
Size (bytes):	22157
Entropy (8bit):	5.592352751926467
Encrypted:	false
SSDEEP:	384:XIgJV0f5Ji+BDOMNPa0q28JXHBMM0n3DQq61KFv8811smlNS/fQ0MDbiAS86y7:tJV63xOvhcDQq61KFvgmn+I0zASjy7
MD5:	AB81C375BB10B2245DCDB8ED3BA933C0
SHA1:	391A4F1278E1941B780CC6062C918AE1289CC733
SHA-256:	82AEC59CBFDF9AB5A8CE91CB7807DD24C82A8BF66900D917E919395BF491AC90
SHA-512:	337614EE73C824029F8C1C62A21FBD7809513E4DBFEC538DC03C4F5ADB9F882AA68AEC3DFA9E47FE9F7700A7BF1D85DF657F8C1888B4F792D499645B3F9F9DD2
Malicious:	false
Reputation:	low
Preview:	/!. Piwik - Web Analytics. . JavaScript tracking client. . @link http://piwik.org. * @source https://github.com/piwik/piwik/blob/master/js/piwik.js. * @license http://piwik.org/free-software/bsd/ Simplified BSD (also in js/LICENSE.txt). */.if(typeof JSON2!=="object"){JSON2={}}(function(){function d(f){return f<10?"0"+f:f}function l(n,m){var f=Object.prototype.toString.apply(n);if(f==="[object Date]"){return isFinite(n.valueOf())?n.getUTCFullYear()+"-"+d(n.getUTCMonth()+1)+"-"+d(n.getUTCDate())+"T"+d(n.getUTCHours())+":"+d(n.getUTCMinutes())+":"+d(n.getUTCSeconds())+"Z":null}if(f==="[object String]"\|\|f==="[object Number]"\|\|f==="[object Boolean]"){return n.valueOf()}if(f!=="[object Array]"&&typeof n.toJSON==="function"){return n.toJSON(m)}return n}var c=new RegExp("[\u0000\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]","g"),e='\\\\\\"\x00-\x1f\x7f-\x9f\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\uf

C:\Users\user\AppData\Local\Temp\~DF1D0A298AAD15511E.TMP

Download File

Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08160234104249947
Encrypted:	false
SSDEEP:	3:ZhJRvlmJR+Fc/glclllv/nt+lybltll1lRsltFll2/lsllc/JRBorbAJRll:DJ7mJQFc4UFAl3+ts0JoYJ
MD5:	A6FF9965D1BEA5E20856230AA0B32F7C
SHA1:	4DD5050F118AA535A2213A6E297965064A85866C
SHA-256:	A5A57F734EFBF220577AC80C8CD799362B58287E806EEBC3B377AD9E19B922FC
SHA-512:	A78E1F2DCB01F26D88B35523597427495940A93F816BA06752F3A7F02635C1579EC6EE41D872CC3F02E6B5A052AD6055BA49EDF76DCF27C136FFD3F9380CEF07
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF79F3A13EFF4F3D66.TMP

Download File

Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.09983402840466445
Encrypted:	false
SSDEEP:	6:a/vllWlNalyPSQl3+tsMta31gyYHDS61Ex3U+4/AL:i9liNatQ0tzMeDHD/m3U9k
MD5:	3D78C4C57F280C106E06F99C54E555BA
SHA1:	B3B85B2CB19D82AB098EF54F6C610DE2B48D0653
SHA-256:	1F0F46B07009C0E2DD19156CD9A24E76224F8DF74331C64AB9CBEA48E9763831
SHA-512:	4C079CFE7F81DF50461FCC97CFD8B7A67509813FBFD7E1FEA15135864617EEB284B6456F04F6BD0B7732B88A1F83C335F3F6E7293E7CFD39E7FEB3285707F889
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\FileCompanyCode.txt

Download File

Process:	C:\Users\user\Desktop\Haims_ESC.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.5275182662886326
Encrypted:	false
SSDEEP:	3:LQzLgS1yy:UHX13
MD5:	EF774AE81724D5F54A30CEA429B47EBA
SHA1:	A3DD54CAD1A335EF5F96D95E2358B718B1A66978
SHA-256:	1FB0B96EE1C3E6DF877D1D29120C7042EAEB2D777FC5EC093434C8B936D3CD62
SHA-512:	2632F69D4C51E31A4F1873132F3EFF790829A740D2443EBAFCAF47E5D93EB9DAA8B794C096801D7A2AA70D94259A6B2B2CE208AEB948A745E992218653BA0EBD
Malicious:	false
Reputation:	low
Preview:	CFCD208495D565EF66E7DFF9F98764DA

C:\Users\user\Desktop\HE_hotstring.ini

Download File

Process:	C:\Users\user\Desktop\Haims_ESC.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	107
Entropy (8bit):	4.689470134409913
Encrypted:	false
SSDEEP:	3:ZsXKRWKx4yUZyQV0FQVJFwyyhFIFV9YOlFQVVM4vn:ZTxaH8AJFwyMIFV6OlFAVMin
MD5:	6DC9DDB47A42808762469E1D4B6FBEC1
SHA1:	B38DFE498E48CE499246F51C8FA2EB32D3E8E308
SHA-256:	499BB0AB8C604CC234D66E4C6AA82995DF83D91FD16EC83A3D5A8264B0418E12
SHA-512:	EDF6C5DF395C67A8FAC442D9F591737C534EAE3E5C360B573A4B3CBBDB356626978FF831130658E394C02765B85CBECDD4DD9AD2DCDFF8E3C981C1F4C0D1CA92
Malicious:	false
Reputation:	low
Preview:	[Haims_ESC Hotstrings]..Test1=......QQQ = 08007AQ016 = H..WWW = 0800710016K = K..EEE = 0800710016MB = H..

C:\Users\user\Desktop\Haims_ESC.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	500856
Entropy (8bit):	7.963225387479419
Encrypted:	false
SSDEEP:	12288:X06vflkMUMg+ieAbwFKbUv6dGZep9vtprX1tQK4N3:ECflkM0DxwFidx/prXbCN3
MD5:	0A32B7F8B8662394FDB3F6F6034A106B
SHA1:	E3AFAE0909E80DCF755B0DBB37EE56048F25A0FC
SHA-256:	57748A6F3E451B4D5B2DC7D2E8C16A78EDE8E80112112E0230AB49D4EF54CF7F
SHA-512:	BC686C31718F2201CFB712AF664D8F736CAF0F38226CA35AC51DE109562A374B26979ADBAD67BE633F88173255EE3C8A8CFB1B303C71922A8BD6794257A6E68A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 34%
Reputation:	low
Preview:	MZ@.....................................!..L.!Win32 .EXE...$@...PE..L....q.c.....................\|....................@..........................@................@.........................................._..............x...........................................................,...p............................MPRESS1.................................MPRESS2.............0...................rsrc...._.......`...@..............@..............................................................................v2.19...,.. ....M(...R... ........R.....o.;.~..v....&.Al..oq...g...`...m0...T6.j.i.........C.+.$u...A.h.....g.FG{\....6.</[e-=.....w..xm7..M.cC.i.9..UD\r.....T......;q.9b......<...S#tt....H.....7l.4Y,.t..=1.!......L.Z..QF.Q......}.$.g.K.e. >..=....-.Z.(..#...0.TL.drl=...#.2h.D.".i.605.DS..s.Q.`.....<....3sm....Z..?i.`......G...y.8...r..L5....F....O3....e...B.D.#.. j.).s...W..LZ.{.'.1.V..9.?.%...%SU....,"..C.F.1..=...]f...{&R. k..~;H.du.@...rYm....4..`.T..V...

C:\Users\user\Desktop\VNDCD_memo\readme.txt

Download File

Process:	C:\Users\user\Desktop\Haims_ESC.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1080
Entropy (8bit):	5.922629829631171
Encrypted:	false
SSDEEP:	24:48LoTCNVyvn9PCKjyyO5a53+htuLOYTCzaLOFTO:rtXyv9ljYM0Md
MD5:	A345C3C0713DC9CE131A817C7995FDDB
SHA1:	5F6137972EE8612ABBD3BD30EA4189688BC1FE54
SHA-256:	0002D675BBECA785084C6A6991EBDC2ABAE3930C344323F96DB615EF392F6FF2
SHA-512:	C0C3DA31322FD29C05C460229D4DCE855A6299640722D75801E1FA7DC32DF6E3B25CC766F7685DE5F73DBFD7940DF834FFC1F2ED09F902BDD0100B8FBFD55FE7
Malicious:	false
Reputation:	low
Preview:	[HT01] ... ... ...., ........ ......., ......(.... ......) ...., .... ... ...... ...... ........ ...... ..................... ...... ...... ....... ................ ...... ..... ..... ........ ...... ............, ... .... .... ......... ........... ... ...... ...... ....... (...... ... ...... .... ....... ...... ..... ..........)....txt..... .... .... .... .... ..... ... ................##### ..... ...... ..., .... ... ........ #####........, ..... .............. [HT01] ...... .... ...(....) ...., ...(ON).. ........ (.. OFF ....)....Haims_ESC.exe ...... ... VNDCD_MEMO ...... txt ........ .. ...... .................... ......(....... .......).. ..................., 9999 00000.txt .. .... ...... .... ... [HT01]..... ...... .... txt.... ...... ................P.S .... ..... ...... ...... ..... ....... ........ ................. > ... ....... .... > .... ..... ANSI .... >

C:\Users\user\Desktop\config.ini

Download File

Process:	C:\Users\user\Desktop\Haims_ESC.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	4488
Entropy (8bit):	3.938888739394845
Encrypted:	false
SSDEEP:	48:rsqXy3UB+Ofla4dm1VC1d3dYpcTc5UD7Wr0UnKT7k2cl/VjFXEQtjO7ZMj7ig:rsHCPla4dmneKQc5UD7qk4pa6
MD5:	B0A7F5C2895AF7A065773BA033E6BE18
SHA1:	74F9273EAA51C1343D9312735A2C1C1A56C0038C
SHA-256:	2B85DA049878AA1F10360A1BBB5E4175D39EBC60C6BBCD3DB6E07E4292FC34BB
SHA-512:	A62DFAE24283CACA82FC4BEC508BF863B413F63D814E96D49AED8C46A97071BD629134CB996BEF3CE6CCCA39E82FC84CF1F9090D76176883063D9E47680B58E3
Malicious:	false
Preview:	..[.S.e.t.t.i.n.g.s.].....h.h.s.t.r.F.1.=.[.p..]....T......h.h.s.t.r.F.2.=.[...%.]....T......h.h.s.t.r.F.3.=.[...%.]...t..m.....h.h.s.t.r.F.4.=.....l.,. .T.E.X.T... .\...\. ...%. ... ...%.).........h.h.s.t.r.F.5.=.H...<.\. .P...t. ...X... .. . .0...D. .i.........h.h.s.t.r.F.6.=.H.P.2.1.....h.h.s.t.r.F.7.=.H.T.0.1.....h.h.s.t.r.F.8.=.H.V.4.2.....H.T.0.1.d.i.s.p.l.a.y.V.i.e.w.=.0.....H.T.0.1.d.i.s.p.l.a.y.D.e.l.a.y.=.1.0.0.0.....H.T.0.1.d.i.s.p.l.a.y.T.o.p.X.=.0.....H.T.0.1.d.i.s.p.l.a.y.T.o.p.Y.=.0.....H.T.0.1.d.i.s.p.l.a.y.B.o.t.t.o.m.X.=.0.....H.T.0.1.d.i.s.p.l.a.y.B.o.t.t.o.m.Y.=.0.....I.n.p.u.t._.A.c.t.w.i.n._.X.=.0.....I.n.p.u.t._.A.c.t.w.i.n._.Y.=.0.....I.n.p.u.t._.A.c.t.w.i.n._.w.i.d.t.h.=.1.3.0.0.....I.n.p.u.t._.A.c.t.w.i.n._.h.e.i.g.h.t.=.1.0.4.0.....H.a.i.m.s._.S.t.a.r.t._.A.u.t.o.S.i.z.e.=.0.....H.T.0.1._.H.a.n.E.n.g._.C.h.e.c.k._.I.n.p.u.t.=.1.....H.T.0.1._.H.a.n.E.n.g._.C.h.e.c.k._.D.e.l.a.y.=.1.0.0.0.....H.T.0.1._.H.a.n.E.n.g._.C.h.e.c.k._.D.i.s.p.l.a.y.=.1.....

C:\Users\user\Desktop\images\esc.ico

Download File

Process:	C:\Users\user\Desktop\Haims_ESC.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.962807238836026
Encrypted:	false
SSDEEP:	24:NVe/dM8UActS0Qio5BSQgy524G5123dNuRjt:NM+DftS0Qiecy5fG51yuRjt
MD5:	BA9EF4B307F552D6364BAC4DE98EB631
SHA1:	02B8865FDDDF040694CD8DB21C6958836ED65A65
SHA-256:	75C112FA3C2C5518A715FF00A899D17979F5895B34003FA9CEE117FAC59B0695
SHA-512:	39F2F2430C586233BB7EE44188B482D72808208E2585502432E7276DD7F6326374DAA75154CDC72FDD52F9CB8778ABFFCF3195FAA4DF47ADA6D3996DF14B78A4
Malicious:	false
Preview:	............ .h.......(....... ..... ....................................h7Zj.Eq..Dq..Dq..Eq..<n..)h..(h..(h.."Tk....k................5Wg.}...................}...l...k...k...l...6Zj.................Bm.....................................y...2Sa.................Bm.........Q...4Wf.7[k.7[k.7[k.7[k.8\l.,HU....ICn..............Bm.........:`q.... ............................................Bm.........:`p....(............................................Bm.........V...<ct.?gy.8ey.%_y.#\u..4B.........................Bm.....................\|...g...f...S.....$s(BM.................Bm.................................b.....$s'AL.................Bm.........U...;ar.=ew.=ew.=ew.<bt."7A.........................Bl.........:`q....'............................................Fn.........:`q....!............................................kz.........R...5Xg.8]m.5\m.#Vm. Um. Um..CV....J6u..............t\|.....................~...i...d...d...c...0Rb.................`dg..............................

C:\Users\user\Desktop\images\myEng_Arrow.cur

Download File

Process:	C:\Users\user\Desktop\Haims_ESC.exe
File Type:	MS Windows cursor resource - 1 icon, 32x32, hotspot @0x0
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	1.4846412417223942
Encrypted:	false
SSDEEP:	24:DgN/gKHA/lDYglup/lGmjSaVVcEAIwcgg5l7:aTQ/uFlxjSaVVcptBc7
MD5:	F66B60FB1529C235E499D0C69858DC54
SHA1:	A6D3DEB0297F45FE2C15BC2AB92750431E3975C3
SHA-256:	FE41CAD5ABE23A0A0CBAADFBD8700AD100D9FAFA6A0B27E963DF85596F42F2BE
SHA-512:	41C92FB63A0B1C854F69860274F6592FD4393B96FC17EBCD4AC3EE0C3C6D3BC0448C7FA4B343781DAB294CD95300939F8863582D9339C46186FF34212F49124D
Malicious:	false
Preview:	...... ..............(... ...@..... ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\images\myEng_ArrowB.cur

Download File

Process:	C:\Users\user\Desktop\Haims_ESC.exe
File Type:	MS Windows cursor resource - 1 icon, 32x32, hotspot @0x0
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	1.5445741506793325
Encrypted:	false
SSDEEP:	24:DYGN/r4nQ/lDpQlu8glGmFSh5M2VVcEAIwcgg5TW5VD:LEAQuVlx8a2VVcptBz5VD
MD5:	D0E162B5B1BDE5240A7172B0F66CF6ED
SHA1:	B65D3DED5D9D0531A31B6CB757BD38A1E7E7D742
SHA-256:	68F4A95F4FFD5FCA5C38888174D3924601021BFC8B5632BA6BAF8295D957B8F5
SHA-512:	F0CE5F10F4E3CD11FD26AF3ED6EBFCBA45BB6A595891F8A22CD6E646A66F8A7B5B20A7EA43A9578681EB58A1BDC6C11D938A724426ACF018CA6373C49BCB14C6
Malicious:	false
Preview:	...... ..............(... ...@..... ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\images\myEng_Ibeam.cur

Download File

Process:	C:\Users\user\Desktop\Haims_ESC.exe
File Type:	MS Windows cursor resource - 1 icon, 32x32, hotspot @15x15
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	1.113196596382923
Encrypted:	false
SSDEEP:	24:75iQk9dhOZzhmJu/pKIYSlPXXr2EYSAsp/s6rmtvj9pmZq:Ny9otrP3mZtPmZq
MD5:	69349544C5128A8DE8B94CB4E2E64A44
SHA1:	CD0A70C2FEF58833DEEE25EF42A07C83DE2C2FA4
SHA-256:	CF3040A4ED69FBE8FB5AE7042C2293D2072C2A0C481353514FB4DDBF4FE778DF
SHA-512:	2A70BFBA692A1D6FAECCC1F285BD996356C5CF241058D265B46304040033E9C031F6C0BAB3D19AFA2BD602CCA3B4C0E4D98BECB5420AA679BADABFF6ED712F5B
Malicious:	false
Preview:	...... ..............(... ...@..... ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................S...]...[...............[...]..............................................................................................

C:\Users\user\Desktop\images\myEng_IbeamB.cur

Download File

Process:	C:\Users\user\Desktop\Haims_ESC.exe
File Type:	MS Windows cursor resource - 1 icon, 32x32, hotspot @15x15
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	1.1633746613881057
Encrypted:	false
SSDEEP:	24:7IGvbAk4txOZjhaczS/p6bfYS5PXXr2EYSAsp/s6rmtvj9p1y4q:p94bG/P3mZtP1y4q
MD5:	7BFEE1AB1AF03C0ADFA7F4B6BD356480
SHA1:	5BBE5D08E8C0501E6ACA63122B38B4644C22E63A
SHA-256:	2E625004750D7AD98AD21686850585BBA425ACF89D1C83D5FDB09DBF7544035A
SHA-512:	8C9C07B8D2E8B6526AC5BD0D82F5D7DB317AB714A1E4B47E7BACF76E1D0D947C32D73E759F5FB92C7034A90CDCDA7826D011C0BDE2913E89056473E454B2A1E8
Malicious:	false
Preview:	...... ..............(... ...@..... ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................S...]...[...............[...]..............................................................................................

C:\Users\user\Desktop\images\myHan_Arrow.cur

Download File

Process:	C:\Users\user\Desktop\Haims_ESC.exe
File Type:	MS Windows cursor resource - 1 icon, 32x32, hotspot @2x2
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	1.0884382040299165
Encrypted:	false
SSDEEP:	24:TtTmHPm8WcbtpjHaGvdmjZpoDxedIt499kkL6Od:CntFVOLjd
MD5:	A96CC1F3A01FFD97B429DD8CF2381945
SHA1:	A0C0614CAF818B2F82E06857D28703D3D3F79096
SHA-256:	5D15702F95E5DD649A9D6CA67B62B0D4EA0FD6862D0923FADF2FC6441D3ACA6F
SHA-512:	2D4AE5AEF22D0842B8427D4115E78470E199C06971B5670095695F34F82F07A439E09816F69EA916AF3424A7D6080F5D00A99F13BFA25B4F620645E1A5AEC32C
Malicious:	false
Preview:	...... ..............(... ...@..... ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\images\myHan_Ibeam.cur

Download File

Process:	C:\Users\user\Desktop\Haims_ESC.exe
File Type:	MS Windows cursor resource - 1 icon, 32x32, hotspot @15x15
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	1.2052047110367083
Encrypted:	false
SSDEEP:	24:7N8+ckxudBONWThP8Tj/pr9pvYSDmMvr2EYSAsp/s6rmtvj9pOaasjYq:KC0sLh73mZtP5Yq
MD5:	A6D36421DEB79D894424616E30FDFF37
SHA1:	65944D80E2C7DCB06A3DF0B91BB9158E5F61D15D
SHA-256:	15DD0968BC9A0692035721FFC98AD462DE1D79F2CDFE8C6CCAC6D052F63D3054
SHA-512:	C7AB86129BF63C6C3869D6379B4F738493345B7761DF2309D44EBCD9C00188007217073BC88235D8A2047DD15DDCEA66656B0BEE61A8A3D3951CC1427C6E3C23
Malicious:	false
Preview:	...... ..............(... ...@..... ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................S...]...[...............[...]..............................................................................................

C:\Users\user\Desktop\notice.txt

Download File

Process:	C:\Users\user\Desktop\Haims_ESC.exe
File Type:	ISO-8859 text
Category:	dropped
Size (bytes):	1596
Entropy (8bit):	5.428223120538426
Encrypted:	false
SSDEEP:	24:5sZrh3ggb0uzozA9+3OdwzUvkio6bBaaoeXxaBSVD:5sZrh3jb0us936AUDo6daaoexaBSVD
MD5:	CEC2724434EBE56EADB1E7193753D598
SHA1:	57A6D3D954A30239CA324F23BDBA4185E9D1A55C
SHA-256:	D75609265331F198AA6FDA77723F624E3A1BC8F8D32A53276C9ADE03C9D65D2F
SHA-512:	29D6F065AEEE1BEDD5EAA5FE37C856D7A74F3A204BAEBAB9A7CE3BEC1C330DBA656E4DD8BF61020C208E0FFFA9DF83F87C820BAC8A82AF7815D59A27470EB4FB
Malicious:	false
Preview:	[ ....... .. ]..(...) .... ...... .... ..., .........(FreeBoard).. .......... .......... ................ ...... ......... Haims_ESC.exe ...... ......... ...... ........MSI(Microsoft Security Intelligence).. ..../... ..... ....... .............. ...... ......... ....... ................. ....... FREEBOARD(.........).. .. ...... .........============================================================================......... 20240415.3..(....) ...... ....., ... ...... ... .... ...........============================================================================......... 20240412..(....) ....(EXCEL) .... .. ...., ..... .... .... .... ... ...... ......... ... .........(...) .............. Haims_ESC .......... ...... .....? ........ .... ...... ... ...... ............ ............ .... ....... .... ...... ..........., ................ .... ... ..... ......... ..... V3, ... .... .... .... ..... .........===

C:\Users\user\Desktop\readme.txt

Download File

Process:	C:\Users\user\Desktop\Haims_ESC.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1906
Entropy (8bit):	6.128156859845731
Encrypted:	false
SSDEEP:	48:mPxm+4XQXdHZD/oxhJG9JS1BJcQ8cX1zVn:mP4QtN/oxX6S7lB
MD5:	4F8779F1ADAAF5348380BB907C2F3389
SHA1:	3BF75955D94D5AA2D98E019FB80E44026AB82439
SHA-256:	AA218EB2CC0607031F9DF76C2B675296B90BC6A7F8AEC466C6F05332ECDDA6E7
SHA-512:	9493DF85B6CD7D77DC6049E1EEC361010536A55082A2C953639337AF5EA6A8B6624E1993C30CC79EACCF79571B110889587954A8FC2BB268D8D74B7074C0CC5E
Malicious:	false
Preview:	Haims_ESC .... ............ ...... .... HAIMS.... ESC(....).. ...... ........... HAIMS ........ ...... ESC... ...... ...... ......... .... ... HT01.... .... ... ... ........ ...... ......... ...... ESC ....... ...... ....... ......!. .... ...(....), [HT01]......... .... ... ... .. LEP H,K .... ................ ....... ........ ...... ... ..., ...... .... ... .......... ........... ESC ... ...... ...... ........ ... ...... ................., ... ...... ....... ESC. ....... ... .................ESC . .. ....... ....... F1~F8. ..... ... .. ...... ......, HT01 ..../.... .../...... - .... ...... ... .../..., ...... ......, [HT01] .... .. .... ....... [HT01] ... ... .... . ... ... .. ...... ...... ... .... Display.... [HT01] ... ... .... ........ ...... ...... ...... ../.. .... ...... ........ ... ............ [HT01] ........ ...... .....

Static File Info

General

File type:	MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Entropy (8bit):	7.943717303141386
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe
File size:	371'848 bytes
MD5:	98978c705e7a64b2d3fffa565892ddab
SHA1:	b6985aaf3ac01a8742f2d0dcf3d8c0db12752e3f
SHA256:	40cd90feea9b35d138b78aa98c39e86d6aed424ad90963f6ee02749de63432c3
SHA512:	87984a0d2b3a5e31b00e590928aafcbb9721d3a5a820fbb936673ad753e960d64e05a09c7db9fbd62bceea3dcf1c6b8eb95456c6005db75af4eb2e1dccafa92a
SSDEEP:	6144:YjSQqWg/8GzhvLKjotsaGc3vIQEup/ZQUi6i3yRmljf82Q7diEeB:YjSQ9g8GzhvuMJIQPpS/vyBb7LeB
TLSH:	8A8412C567D2D016E2B5563E00767D051620ED936E24CAF37296382F2DF3DAC3A8A46F
File Content Preview:	MZ@.....................................!..L.!Win32 .EXE...$@...PE..L....q.c.............................S............@..................................,........@..p...........................P.......`..tZ.................................................

File Icon


Icon Hash:	d0761e262e06c6dd

Static PE Info

General

Entrypoint:	0x4e5316
Entrypoint Section:	.MPRESS2
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x639071AF [Wed Dec 7 10:57:51 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	1343ca50d234527bf272645d6db0664b

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Haims_ESC GangPung CA
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	27/03/2023 02:12:47 31/12/2039 23:59:59
Subject Chain	CN=Haims_ESC GangPung CA
Version:	3
Thumbprint MD5:	5B2F01174BC284B3E7F34ADF6EBA8A22
Thumbprint SHA-1:	0289755BE1331BA9E5F9653BFA1ABA8DC53AC60E
Thumbprint SHA-256:	EDBE02CBF1DA318A8387C064A7A635BF2D8DD8E832A2A7B0290C03C0B6BA95F4
Serial:	3C27303A6D1F01B14C28104AB91C12E8

Entrypoint Preview

Instruction
pushad
call 00007FD601786125h
pop eax
add eax, 00000B5Ah
mov esi, dword ptr [eax]
add esi, eax
sub eax, eax
mov edi, esi
lodsw
shl eax, 0Ch
mov ecx, eax
push eax
lodsd
sub ecx, eax
add esi, ecx
mov ecx, eax
push edi
push ecx
dec ecx
mov al, byte ptr [ecx+edi+06h]
mov byte ptr [ecx+esi], al
jne 00007FD601786118h
sub eax, eax
lodsb
mov ecx, eax
and cl, FFFFFFF0h
and al, 0Fh
shl ecx, 0Ch
mov ch, al
lodsb
or ecx, eax
push ecx
add cl, ch
mov ebp, FFFFFD00h
shl ebp, cl
pop ecx
pop eax
mov ebx, esp
lea esp, dword ptr [esp+ebp*2-00000E70h]
push ecx
sub ecx, ecx
push ecx
push ecx
mov ecx, esp
push ecx
mov dx, word ptr [edi]
shl edx, 0Ch
push edx
push edi
add ecx, 04h
push ecx
push eax
add ecx, 04h
push esi
push ecx
call 00007FD601786183h
mov esp, ebx
pop esi
pop edx
sub eax, eax
mov dword ptr [edx+esi], eax
mov ah, 10h
sub edx, eax
sub ecx, ecx
cmp ecx, edx
jnc 00007FD601786148h
mov ebx, ecx
lodsb
inc ecx
and al, FEh
cmp al, E8h
jne 00007FD601786114h
inc ebx
add ecx, 04h
lodsd
or eax, eax
js 00007FD601786128h
cmp eax, edx
jnc 00007FD601786107h
jmp 00007FD601786128h
add eax, ebx
js 00007FD601786101h
add eax, edx
sub eax, ebx
mov dword ptr [esi-04h], eax
jmp 00007FD6017860F8h
call 00007FD601786125h
pop edi
add edi, FFFFFF4Dh
mov al, E9h
stosb
mov eax, 00000B56h
stosd
call 00007FD601786125h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe5000	0x318	.MPRESS2
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe6000	0x5a74	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5a800	0x488	.MPRESS1
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe512c	0x70	.MPRESS2
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.MPRESS1	0x1000	0xe4000	0x53a00	ec7b4fdc81806de5d3928881def8e024	False	1.0003240610986548	data	7.999527045952774	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.MPRESS2	0xe5000	0xe80	0x1000	67db63e74c68d484ce8a47518aff60c3	False	0.52099609375	data	5.668777835612214	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xe6000	0x5a74	0x5c00	f37af518d3ad9ea66065ec804d25d7e2	False	0.28103770380434784	data	5.288669112748265	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xe60c8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3779 x 3779 px/m	English	United States	0.499113475177305
RT_ICON	0xe6558	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6941489361702128
RT_ICON	0xe69e8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6622340425531915
RT_ICON	0xe6e78	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6453900709219859
RT_ICON	0xe7308	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.22396810506566603
RT_ICON	0xe83d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.15228215767634853
RT_ICON	0xea9a8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.40425531914893614
RT_ICON	0xeae38	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.43548387096774194
RT_MENU	0xe33a0	0x2c8	empty	English	United States	0
RT_DIALOG	0xe3668	0xe8	empty	English	United States	0
RT_ACCELERATOR	0xe3750	0x48	empty	English	United States	0
RT_RCDATA	0xe3798	0x559	empty	English	United States	0
RT_GROUP_ICON	0xeb280	0x14	data	English	United States	1.1
RT_GROUP_ICON	0xeb2bc	0x3e	data	English	United States	0.8870967741935484
RT_GROUP_ICON	0xeb324	0x14	data	English	United States	1.25
RT_GROUP_ICON	0xeb360	0x14	data	English	United States	1.25
RT_GROUP_ICON	0xeb39c	0x14	data	English	United States	1.25
RT_VERSION	0xeb3f0	0x150	data	English	United States	0.5744047619047619
RT_MANIFEST	0xeb580	0x4f4	ASCII text, with very long lines (1268), with no line terminators	English	United States	0.4755520504731861

Imports

DLL	Import
KERNEL32.DLL	GetModuleHandleA, GetProcAddress
WSOCK32.dll	WSACleanup
WINMM.dll	mixerOpen
VERSION.dll	VerQueryValueW
COMCTL32.dll	ImageList_Create
PSAPI.DLL	GetModuleBaseNameW
WININET.dll	InternetOpenW
USER32.dll	GetDC
GDI32.dll	BitBlt
COMDLG32.dll	GetOpenFileNameW
ADVAPI32.dll	RegCloseKey
SHELL32.dll	DragFinish
ole32.dll	CoGetObject
OLEAUT32.dll	OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 23:25:05.009349108 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:05.009438992 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:05.009572029 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:05.021815062 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:05.021851063 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:05.896605968 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:05.896719933 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:05.941936016 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:05.941984892 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:05.942698002 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:05.942778111 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:05.946989059 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:05.992111921 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:06.237728119 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:06.237828970 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:06.519711971 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:06.519742966 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:06.519954920 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:06.519979954 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:06.520041943 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:06.520159006 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:06.520159006 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:06.801341057 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:06.801374912 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:06.801423073 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:06.801605940 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:06.801605940 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:06.801673889 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:06.801721096 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:06.801769018 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:06.801831961 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.083906889 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.083971024 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.084034920 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.084074974 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.084183931 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.084223032 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.084244013 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.084286928 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.084300041 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.084300041 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.084320068 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.084340096 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.084342003 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.084364891 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.084377050 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.084405899 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.084405899 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.084434032 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.366463900 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.366518974 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.366723061 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.366723061 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.366786957 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.366826057 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.366859913 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.366878033 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.366884947 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.366910934 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.366961956 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.367093086 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.367130995 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.367175102 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.367192984 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.367218018 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.367244959 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.367264986 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.367309093 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.367335081 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.367346048 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.367373943 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.367398977 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.367438078 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.367480993 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.367506981 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.367516994 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.367547035 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.367564917 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.649612904 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.649672031 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.649724007 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.649789095 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.649825096 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.649847984 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.649876118 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.649923086 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.649954081 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.649966955 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.649995089 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.650015116 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.650078058 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.650151014 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.650155067 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.650177956 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.650223970 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.650224924 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.650357962 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.650399923 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.650428057 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.650439024 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.650497913 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.650499105 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.650499105 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.650562048 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.650604010 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.650634050 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.650645018 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.650672913 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.650691986 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.650782108 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.650821924 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.650851011 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.650861025 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.650891066 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.650911093 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.651041031 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.651087046 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.651119947 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.651129961 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.651155949 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.651175022 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.651278973 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.651325941 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.651365995 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.651376963 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.651402950 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.651418924 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.651550055 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.651592016 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.651638031 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.651653051 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.651679039 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.651704073 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.651901960 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.651947021 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.651979923 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.651989937 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.652014971 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.652038097 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.652224064 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.652272940 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.652291059 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.652302027 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.652334929 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.652354956 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.934267998 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.934298992 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.934366941 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.934609890 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.934680939 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.934720039 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.934734106 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.934798956 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.934823036 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.934859991 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.934874058 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.934906006 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.934928894 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.934928894 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.934948921 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.934978962 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.935008049 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.935086966 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.935137987 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.935195923 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.935206890 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.935236931 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.935260057 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.935415983 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.935456991 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.935497046 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.935508966 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.935538054 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.935554981 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.935731888 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.935774088 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.935807943 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.935817957 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.935906887 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.935930967 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.935993910 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.936041117 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.936089039 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.936120033 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.936147928 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.936182022 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.936314106 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.936356068 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.936398029 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.936408997 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.936438084 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.936463118 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.936503887 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.936582088 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.936593056 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.936654091 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.936666965 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:07.936728954 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.936770916 CEST	49730	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:07.936800957 CEST	443	49730	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:14.083800077 CEST	49731	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:14.083847046 CEST	443	49731	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:14.083910942 CEST	49731	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:14.086249113 CEST	49731	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:14.086261034 CEST	443	49731	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:14.959302902 CEST	443	49731	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:14.959788084 CEST	49731	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:14.960854053 CEST	49731	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:14.960861921 CEST	443	49731	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:14.961183071 CEST	443	49731	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:15.011903048 CEST	49731	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:15.052146912 CEST	443	49731	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:15.298990011 CEST	443	49731	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:15.299223900 CEST	443	49731	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:15.299592972 CEST	49731	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:15.304253101 CEST	49731	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:15.304253101 CEST	49731	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:15.304270029 CEST	443	49731	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:15.304281950 CEST	443	49731	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:15.541555882 CEST	49735	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:15.541667938 CEST	443	49735	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:15.541791916 CEST	49735	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:15.542568922 CEST	49735	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:15.542639017 CEST	443	49735	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:16.426187038 CEST	443	49735	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:16.426424980 CEST	49735	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:16.437820911 CEST	49735	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:16.437896013 CEST	443	49735	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:16.438215017 CEST	443	49735	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:16.438417912 CEST	49735	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:16.438729048 CEST	49735	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:16.484162092 CEST	443	49735	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:16.728203058 CEST	443	49735	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:16.728307962 CEST	49735	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:16.728337049 CEST	443	49735	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:16.728363991 CEST	443	49735	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:16.728399038 CEST	49735	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:16.728455067 CEST	49735	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:16.728483915 CEST	443	49735	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:16.728519917 CEST	443	49735	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:16.728601933 CEST	49735	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:16.729156017 CEST	49735	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:16.729186058 CEST	443	49735	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:21.628698111 CEST	49738	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:21.628756046 CEST	443	49738	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:21.628849983 CEST	49738	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:21.629039049 CEST	49739	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:21.629065037 CEST	443	49739	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:21.629431009 CEST	49739	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:21.631746054 CEST	49738	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:21.631767988 CEST	443	49738	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:21.631906986 CEST	49739	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:21.631918907 CEST	443	49739	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:22.493684053 CEST	443	49738	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:22.493779898 CEST	49738	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:22.500674009 CEST	49738	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:22.500708103 CEST	443	49738	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:22.500900984 CEST	49738	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:22.500917912 CEST	443	49738	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:22.500972033 CEST	443	49738	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:22.501034975 CEST	49738	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:22.504021883 CEST	443	49739	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:22.504093885 CEST	49739	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:22.506622076 CEST	49739	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:22.506628990 CEST	443	49739	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:22.507388115 CEST	443	49739	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:22.507469893 CEST	49739	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:22.784995079 CEST	443	49738	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:22.785098076 CEST	443	49738	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:22.785218954 CEST	49738	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:22.785218954 CEST	49738	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:22.786746979 CEST	49738	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:22.786782026 CEST	443	49738	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:22.959861040 CEST	49739	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:23.000197887 CEST	443	49739	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:23.247375011 CEST	443	49739	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:23.247498035 CEST	49739	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:23.532797098 CEST	443	49739	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:23.532816887 CEST	443	49739	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:23.532883883 CEST	443	49739	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:23.532890081 CEST	49739	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:23.532919884 CEST	443	49739	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:23.532959938 CEST	49739	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:23.532959938 CEST	49739	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:23.532970905 CEST	443	49739	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:23.533010960 CEST	49739	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:23.533010960 CEST	49739	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:23.533013105 CEST	443	49739	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:23.533076048 CEST	49739	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:23.537604094 CEST	49739	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:23.537616968 CEST	443	49739	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:23.613507032 CEST	49740	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:23.613571882 CEST	443	49740	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:23.613672972 CEST	49740	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:23.614105940 CEST	49741	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:23.614185095 CEST	443	49741	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:23.614254951 CEST	49741	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:23.632405043 CEST	49740	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:23.632438898 CEST	443	49740	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:23.632662058 CEST	49741	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:23.632703066 CEST	443	49741	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:24.480168104 CEST	443	49741	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:24.480274916 CEST	49741	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:24.493273973 CEST	443	49740	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:24.493376017 CEST	49740	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:24.508194923 CEST	49741	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:24.508244991 CEST	443	49741	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:24.508512974 CEST	49741	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:24.508527040 CEST	443	49741	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:24.512876034 CEST	49740	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:24.512926102 CEST	443	49740	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:24.513356924 CEST	49740	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:24.513372898 CEST	443	49740	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:24.796535015 CEST	443	49740	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:24.796654940 CEST	49740	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:24.796717882 CEST	443	49740	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:24.796817064 CEST	49740	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:24.796832085 CEST	443	49740	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:24.796859026 CEST	443	49740	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:24.796928883 CEST	49740	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:24.805581093 CEST	49740	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:24.805870056 CEST	49741	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:25.054640055 CEST	49742	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:25.054723978 CEST	443	49742	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:25.054982901 CEST	49742	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:25.055327892 CEST	49742	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:25.055362940 CEST	443	49742	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:25.923542023 CEST	443	49742	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:25.924057961 CEST	49742	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:25.924694061 CEST	49742	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:25.924694061 CEST	49742	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:25.924745083 CEST	443	49742	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:25.924808025 CEST	443	49742	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:26.212320089 CEST	443	49742	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:26.212573051 CEST	443	49742	112.175.184.42	192.168.2.4
Apr 19, 2024 23:25:26.212661028 CEST	49742	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:26.212723970 CEST	49742	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:26.213300943 CEST	49742	443	192.168.2.4	112.175.184.42
Apr 19, 2024 23:25:26.213340044 CEST	443	49742	112.175.184.42	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 23:25:04.282605886 CEST	59100	53	192.168.2.4	1.1.1.1
Apr 19, 2024 23:25:05.003845930 CEST	53	59100	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 19, 2024 23:25:04.282605886 CEST	192.168.2.4	1.1.1.1	0xa977	Standard query (0)	runuo.kr	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 19, 2024 23:25:05.003845930 CEST	1.1.1.1	192.168.2.4	0xa977	No error (0)	runuo.kr		112.175.184.42	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

runuo.kr

https:

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	112.175.184.42	443	6680	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-19 21:25:05 UTC	106	OUT	GET /haims_esc/Haims_ESC.exe HTTP/1.1 User-Agent: AutoHotkey Host: runuo.kr Cache-Control: no-cache
2024-04-19 21:25:06 UTC	276	IN	HTTP/1.1 200 OK Date: Fri, 19 Apr 2024 21:25:05 GMT Server: Apache/2.2.15 (CentOS) Last-Modified: Mon, 15 Apr 2024 11:05:47 GMT ETag: "18816b8-7a478-616209a899b46" Accept-Ranges: bytes Content-Length: 500856 Connection: close Content-Type: application/octet-stream
2024-04-19 21:25:06 UTC	16384	IN	Data Raw: 4d 5a 40 00 01 00 00 00 02 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 57 69 6e 33 32 20 2e 45 58 45 2e 0d 0a 24 40 00 00 00 50 45 00 00 4c 01 03 00 af 71 90 63 00 00 00 00 00 00 00 00 e0 00 03 03 0b 01 0a 00 00 ba 0a 00 00 7c 0e 00 00 00 00 00 16 d3 19 00 00 10 00 00 00 d0 0a 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 40 1a 00 00 02 00 00 81 ec 07 00 02 00 00 00 00 00 40 00 00 d0 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 d0 19 00 18 03 00 00 00 e0 19 00 b4 5f 00 00 00 00 00 00 00 00 00 00 00 a0 07 00 78 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!Win32 .EXE.$@PELqc\|@@@_x
2024-04-19 21:25:06 UTC	16384	IN	Data Raw: ec fb c8 93 0a 0c 43 6d 2d 17 ff f0 87 3f d5 f5 ab b6 c2 a0 ee 66 16 98 8a 15 d7 5f f1 52 11 63 06 48 f9 c3 73 c0 b9 44 82 5b 26 c8 19 e8 31 a0 89 42 c5 96 e8 bb 36 a2 e7 fc 0d 92 5b f5 d8 40 93 cb 9d 65 d6 59 60 c9 e6 c1 de ed 86 d4 d7 7f ed 3f 19 3a ba d5 e6 91 72 6a 29 f4 9f 28 14 73 64 f8 8c f7 94 65 d3 c5 56 4e 84 44 2d c1 d8 35 65 cf ae cd d0 a2 35 71 b2 c6 e1 fd 7d 2c b9 ff a2 8d d4 bd 0d 70 f7 8e 8c 17 6c 80 01 cd d9 90 11 fc af 4c 78 45 48 6b 12 80 d5 96 f7 15 ea 15 d8 c3 69 4b ce 9e da aa 97 36 84 5a 72 ef 6f ba e3 54 76 ab 76 9e fa e6 82 d5 05 c0 b1 fe 2e 66 54 69 a6 7a 07 ab c4 4d 35 84 d8 51 0c a8 7e 9e 00 4e 4f d8 5e 0c a1 6a f5 60 5f fd f7 17 0f 1b a7 73 c3 a4 84 49 de 3e 75 bc 31 64 35 fa 40 51 db 4c 50 a4 cf 7b 8b e0 dc 7c d2 fb ff e8 38 Data Ascii: Cm-?f_RcHsD[&1B6[@eY`?:rj)(sdeVND-5e5q},plLxEHkiK6ZroTvv.fTizM5Q~NO^j`_sI>u1d5@QLP{\|8
2024-04-19 21:25:06 UTC	16384	IN	Data Raw: 64 64 14 07 65 ae eb 67 6b e3 c6 b2 f8 53 b9 ac f5 ac 1a 42 50 f2 db ab 14 c2 63 b7 a6 df 54 cb 12 52 85 e8 98 e6 6a 95 f5 ff 7e 87 ed 3d d6 60 3b ce bd 36 71 d9 4c fc 7a e3 02 10 01 c7 43 92 d1 c1 19 46 e7 71 5d 73 9f fe 0c 75 7c 0f 11 fd 7d 88 44 5b af 0b ef 09 ec ed 01 9a 01 2f 16 6e 22 da 92 b8 c8 6d f1 78 4b ef c0 e5 3f 97 e5 c2 52 80 b4 ca a6 43 e8 ac da 9b bb fa 67 08 4a 8d fa 7a 0c b2 f8 db 47 a1 87 3b 46 4f b4 37 19 dd 60 a4 00 1e b5 ff 26 b6 a9 c6 af 74 09 cd 31 f0 7b 66 d1 c0 da 36 9c 9c 11 1e a2 ef 6b 34 d7 1e a5 ba 6a 07 29 a7 ed 27 c0 d0 8e e2 99 91 dd 5b 62 17 da 09 5b 68 bf 92 73 e8 c0 77 89 21 78 05 85 7b 4f bf ac 9c 5d fc 5e d0 e2 d0 b2 dc 42 22 65 86 1c 88 63 80 cc 78 d2 ea 1f 90 9c 68 5e c9 a8 fd 72 f4 5e 83 7c 04 5a 89 09 f6 45 8f 5e Data Ascii: ddegkSBPcTRj~=`;6qLzCFq]su\|}D[/n"mxK?RCgJzG;FO7`&t1{f6k4j)'[b[hsw!x{O]^B"ecxh^r^\|ZE^
2024-04-19 21:25:07 UTC	16384	IN	Data Raw: 72 91 e2 c4 c3 cb ab ea e2 4f c0 8f f6 c7 f1 7d d7 0a 8a ca 1d 18 a1 dc d0 7a 83 26 78 15 17 88 6b f2 0d 0c 5c 57 35 0d c1 b1 5d de 18 92 61 cc 65 1c 38 0c be 9d 9d 11 5c eb 51 64 78 c5 fe ec eb 0e 69 3c 8d 53 61 9e eb 05 31 03 eb 6c 03 dc 78 0c c0 9d 84 d5 88 3c 15 55 b7 55 52 4f 5d 32 02 3f 21 b1 4a f0 06 dc 86 b3 f9 fc fb 62 d8 55 5c be c3 9d b8 76 8a a8 c7 87 26 62 8b 6b ea fa d7 e8 1c 1d 81 ec 78 b2 57 49 e9 6c 8a 7e 21 88 18 ef 57 07 6b b4 6d da c1 3b 2c f2 29 fb 93 4f 6f fe 15 d4 8e 85 5c 41 e7 fd e9 58 2d 6f d2 63 43 2c 56 33 c3 b6 ea e8 04 19 bf 76 d8 c1 23 dc 4f ab 89 7d 58 b4 71 ed fe ce 1b 80 ae 2f 60 1f b9 c0 f4 92 53 50 3e 2a 4e ef 08 15 4c 82 cc 33 0b 5a c9 69 09 49 2a 69 d4 fb 03 73 16 21 d7 e4 ab f8 c6 bd 11 c1 bc 86 e6 04 56 7f e0 f9 c8 Data Ascii: rO}z&xk\W5]ae8\Qdxi<Sa1lx<UURO]2?!JbU\v&bkxWIl~!Wkm;,)Oo\AX-ocC,V3v#O}Xq/`SP>NL3ZiIis!V
2024-04-19 21:25:07 UTC	16384	IN	Data Raw: 79 8a fe be 21 c3 9e 65 1b fe 20 94 c9 b1 f7 17 f8 6b 29 2c 3b aa 60 54 f6 46 90 5c cd ee 2a 7f 79 32 9a 97 8d 5c 53 d6 9e 5d 52 a5 38 83 17 63 37 b5 92 b1 09 f5 ec 95 d7 5f 9d 51 d8 99 78 88 c2 a6 5c a1 ea d3 27 82 3c 9b 9e c7 5b fb 3b 39 20 b6 14 54 77 46 c6 35 44 d7 37 94 47 dd 49 87 04 60 d2 e1 6c ea b6 92 95 60 a5 cf 00 ba c2 05 a5 c0 0f 5d bc fc 59 16 f9 76 36 d3 90 14 b2 d3 c1 38 14 33 57 11 98 d0 0e 86 57 8c 83 77 03 79 c4 7b 47 28 1c d2 49 d9 03 bd 20 26 23 cd 79 63 b6 51 97 8f 37 b0 dd db 4a 88 86 86 e1 c3 32 92 5e 6c 47 fe 83 a9 70 bb 37 27 17 1e 81 f0 e0 c6 cb e7 a5 4e 6b 56 fc d2 ef ac 09 c9 3d 16 45 1a 22 dd bd 10 07 91 73 41 6f 2e 88 f2 15 cc aa 59 fb 53 83 22 9d 78 f8 70 70 3a 49 a6 6c 2e 1d a6 a0 57 e9 6b cf 44 13 42 2f 62 79 a1 3b 91 e5 Data Ascii: y!e k),;`TF\*y2\S]R8c7_Qx\'<[;9 TwF5D7GI`l`]Yv683WWwy{G(I &#ycQ7J2^lGp7'NkV=E"sAo.YS"xpp:Il.WkDB/by;
2024-04-19 21:25:07 UTC	16384	IN	Data Raw: ac f9 33 ab f3 5b 2d 72 f1 28 ad 31 39 bd f5 2a 1d 48 9e 3a 73 a9 ba ae dc 50 10 bf b5 ea e0 4c c1 bc f7 f7 cd c0 4f 26 e8 27 1f ae 84 68 a7 d6 f4 b3 51 97 68 81 ef 2c 98 8f fd 12 f5 fa 83 60 34 81 c2 20 18 60 a6 d7 9b 3b 24 ac 4c 41 2d 93 e1 c8 30 00 b4 9e c1 b4 69 9a ae cb 8b 06 a6 7f 95 48 64 3d 2e 0c 59 3b ec cc 73 c6 dd b6 fe 31 97 91 67 38 ec 1e 07 6f a9 46 2a 23 af f3 f9 eb 72 d9 38 e1 02 7e 49 c3 3d f5 81 36 26 81 4d 76 d8 c1 5a d8 0b de a1 a2 a0 ee 25 19 7c 71 6f 19 87 e8 13 2a a7 af a8 49 cc 5f 24 4d 50 ec 71 e4 af 77 0b 51 c6 81 19 84 bd 4d e6 ae 7d fe 0e d0 31 f7 4c 29 df 7a 10 35 32 a4 8e ac 68 55 44 44 6e 84 0f 21 a9 5e f4 8c 20 91 7c 19 5f 3b 6a 98 91 51 ae 8f 8e 56 e8 5a 6d 21 c8 9d 97 42 8e 44 24 c3 14 90 76 8e d4 53 b9 08 84 5b 57 18 fb Data Ascii: 3[-r(19H:sPLO&'hQh,`4 `;$LA-0iHd=.Y;s1g8oF#r8~I=6&MvZ%\|qo*I_$MPqwQM}1L)z52hUDDn!^ \|_;jQVZm!BD$vS[W
2024-04-19 21:25:07 UTC	16384	IN	Data Raw: 82 e0 04 20 e6 aa 98 55 04 e1 2c d9 02 b0 69 97 0f b4 11 49 52 28 41 cb 2e fe 18 2a 97 dd 15 ac 64 56 67 ee 82 e6 1b ce c7 fb fc 2e 91 d2 e7 60 a9 3b 1d b0 d7 91 f7 07 05 cf 0d 74 5c 7f 4b 7f 11 e7 73 8e 6e d4 fb 29 32 4f a8 43 c2 12 ba 08 24 92 c1 e4 78 62 21 d9 06 32 6b ee 82 0f 41 7e 8f fa 4a 23 2a e5 50 40 b3 44 15 ca b3 d9 fc f5 9a d3 b9 11 ab 6e 6d 54 24 b7 53 3d 43 6f 29 ab f7 e0 86 7d 94 db a9 53 61 6a d5 79 5b 24 2f 2f 73 fd 63 87 95 38 4f b2 4c 2f e4 ce 61 d1 d8 a4 59 9c 9b 06 9c b5 05 97 bb 87 9d 93 50 e6 9e 86 e6 b4 52 07 2d 3f 90 d8 59 a4 be 29 c3 29 16 d9 11 9f 72 6b c3 47 73 55 b2 af cb 58 a3 84 09 2f 75 63 02 5e 7e 81 62 70 22 94 5a 43 fa dd d0 65 bf dd 16 3b ba df f4 78 90 39 57 96 f2 8d 03 af 85 56 d0 5b 23 aa 7c 02 98 89 78 18 6b c8 bc Data Ascii: U,iIR(A.dVg.`;t\Ksn)2OC$xb!2kA~J#P@DnmT$S=Co)}Sajy[$//sc8OL/aYPR-?Y))rkGsUX/uc^~bp"ZCe;x9WV[#\|xk
2024-04-19 21:25:07 UTC	16384	IN	Data Raw: 28 0d a2 24 cc 11 57 f5 01 fd b6 55 d2 74 c3 0d 78 b7 05 f4 f9 7a 50 f0 39 19 fd 97 81 48 3a fb c2 22 6d bd 6b ec 88 ad 44 82 0c e3 d3 d7 d4 6d 7d a8 b0 10 fd e3 f7 74 15 5f 86 f5 18 b9 33 01 78 cd e2 c4 96 71 5e 55 6e aa 3f 93 67 bf 6c ea 18 82 96 d3 e8 55 83 12 cf e5 a5 5e d0 51 11 d7 79 9e f3 dd d8 2d 80 c7 66 e9 63 40 3f 91 69 74 a4 78 d8 b8 6a b1 b6 d7 cc 46 ec 8e 72 6b 85 a0 17 66 92 99 38 d1 ca 00 6a 08 a0 d0 39 ce 37 37 a6 03 57 df 79 f6 b9 4d b6 0e ca 98 e3 4b ff b5 77 11 62 08 78 59 d1 44 62 b1 aa e4 6c e7 86 76 3f 62 9f 14 a9 01 01 d9 b4 f1 89 f7 ae f9 9d e5 27 00 be 39 00 42 51 26 33 7b 4f f9 45 cb c3 bb 5e 86 66 91 3b f9 e8 6f ca 86 f9 b9 05 d0 54 f7 db 40 03 93 47 31 67 81 34 c5 64 7f 41 66 4e 94 04 18 23 3a 31 40 61 e8 3d 2b 7a d4 71 18 69 Data Ascii: ($WUtxzP9H:"mkDm}t_3xq^Un?glU^Qy-fc@?itxjFrkf8j977WyMKwbxYDblv?b'9BQ&3{OE^f;oT@G1g4dAfN#:1@a=+zqi
2024-04-19 21:25:07 UTC	16384	IN	Data Raw: 82 28 9c 2a 5f 54 4c 46 2f 58 4b 2d 4c 49 7b eb d1 80 ce d4 15 26 ec ee 13 aa 6b 1f cd 0b a6 c5 8f 3d 81 30 ea 73 78 e3 70 7e ca 7c 70 94 cd 27 4d 05 72 4c 6a 71 16 1b 88 3b 6b 5f 91 c7 ba 27 b6 c1 b5 e6 31 c9 b5 18 70 58 89 1a d5 82 7c c0 15 52 d9 e4 1a f4 3c d4 eb fe 4c 23 1c ae d5 38 79 46 dc 23 bf e9 a2 17 ea 90 d2 02 5b cc 01 05 83 af 18 37 d6 15 de 9a a1 5a 13 6e 9a 7c 96 17 ea 37 ab 54 df 33 bd d2 62 08 4a c6 d1 8d 1b 8e 9e 29 c1 48 d2 10 7e 4c b4 16 1d 4e 44 2e fb 38 98 64 5b e2 d4 97 23 a7 28 a8 85 10 75 73 5b 01 6e b3 25 e5 29 c2 f0 11 a4 34 33 22 b4 4d f3 cc 4a 43 c5 b4 d0 01 be db f0 f6 d2 2a f5 ec f2 bd df 42 54 70 b6 b5 2e ae b7 2b d1 ea e1 43 74 1f c1 ca de be fe ad fa 2b 8c 55 b0 90 18 88 44 09 03 b1 32 67 2e 5b 05 d5 f4 b2 d1 53 f5 86 4d Data Ascii: (_TLF/XK-LI{&k=0sxp~\|p'MrLjq;k_'1pX\|R<L#8yF#[7Zn\|7T3bJ)H~LND.8d[#(us[n%)43"MJCBTp.+Ct+UD2g.[SM
2024-04-19 21:25:07 UTC	16384	IN	Data Raw: 82 9b ce d4 a2 24 c2 b5 d9 e2 cb 71 e1 35 42 51 c6 63 ac b3 c8 64 75 46 56 bd 37 82 08 23 61 e9 1d 8e bc 97 ec 91 10 17 33 5c 38 9d 5c 6e eb a0 b8 17 98 0c d0 58 3a b1 3f 29 15 ab 95 80 20 80 8e 9c 5f 77 39 a7 8f 48 7b f8 bb 3f 15 ee 70 22 d2 1e f0 ff b7 75 ff 7a f1 26 ef 6f 3f f5 34 ab c0 36 c5 d4 9d 5e f1 29 31 35 ba 55 e8 bf 4a be 7d 09 4c 18 ac 7c 6e 24 d0 7e 10 25 15 40 b9 92 a6 8d d5 3b e5 e6 e5 04 fd 3a 15 21 5f a8 e2 ba 5e 3b b7 4f 25 e0 4e c4 a0 e3 20 2e 93 09 84 a3 7e 41 ea 7e 14 ba 81 fa bb 8d dc 4f 74 6d c2 d8 ee 83 fe c5 a2 03 dc a0 02 cc 5f a0 6f 6b 6b 10 e6 93 30 5e e4 4b 22 b3 49 dc 4a 3f ba 94 8d 30 e8 de 2e 71 86 6c 36 35 3b 9c 20 ee 56 bb ee 1f 48 5d ab e8 cf 88 26 50 72 9d bd fd 88 7d 23 d3 15 c6 d9 9f 78 a5 b9 54 d7 11 55 d2 fa ac b0 Data Ascii: $q5BQcduFV7#a3\8\nX:?) _w9H{?p"uz&o?46^)15UJ}L\|n$~%@;:!_^;O%N .~A~Otm_okk0^K"IJ?0.ql65; VH]&Pr}#xTU

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	112.175.184.42	443	6996	C:\Users\user\Desktop\Haims_ESC.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-19 21:25:15 UTC	159	OUT	GET /haims_esc/ver.txt HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: runuo.kr
2024-04-19 21:25:15 UTC	254	IN	HTTP/1.1 200 OK Date: Fri, 19 Apr 2024 21:25:14 GMT Server: Apache/2.2.15 (CentOS) Last-Modified: Mon, 15 Apr 2024 11:05:48 GMT ETag: "1881688-a-616209a8e5a1e" Accept-Ranges: bytes Content-Length: 10 Connection: close Content-Type: text/plain
2024-04-19 21:25:15 UTC	10	IN	Data Raw: 32 30 32 34 30 34 31 35 2e 33 Data Ascii: 20240415.3

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49735	112.175.184.42	443	6996	C:\Users\user\Desktop\Haims_ESC.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-19 21:25:16 UTC	103	OUT	GET /haims_esc/notice.txt HTTP/1.1 User-Agent: AutoHotkey Host: runuo.kr Cache-Control: no-cache
2024-04-19 21:25:16 UTC	258	IN	HTTP/1.1 200 OK Date: Fri, 19 Apr 2024 21:25:16 GMT Server: Apache/2.2.15 (CentOS) Last-Modified: Wed, 17 Apr 2024 08:12:20 GMT ETag: "1881300-63c-6164669e859da" Accept-Ranges: bytes Content-Length: 1596 Connection: close Content-Type: text/plain
2024-04-19 21:25:16 UTC	1596	IN	Data Raw: 5b 20 be cb b7 c1 b5 e5 b8 ae b4 c2 20 b1 db 20 5d 0a 0a 28 c1 df bf e4 29 20 ba b8 be c8 20 c7 c1 b7 ce b1 d7 b7 a5 20 b0 fc b7 c3 20 c0 cc bd b4 2c 20 c0 da c0 af b0 d4 bd c3 c6 c7 28 46 72 65 65 42 6f 61 72 64 29 bf a1 20 b1 db c0 db bc ba c7 d5 b4 cf b4 d9 2e 20 c2 fc b0 ed c7 d8 c1 d6 bd c3 b1 e2 20 b9 d9 b6 f8 b4 cf b4 d9 2e 0a bf e4 b8 e7 c4 a5 b5 bf be c8 20 c0 a9 b5 b5 bf ec 20 b5 f0 c6 e6 b4 f5 bf a1 bc ad 20 48 61 69 6d 73 5f 45 53 43 2e 65 78 65 20 c6 c4 c0 cf c0 bb 20 b9 d9 c0 cc b7 af bd ba b7 ce 20 c5 bd c1 f6 c7 cf b0 ed 20 c0 d6 bd c0 b4 cf b4 d9 2e 0a 4d 53 49 28 4d 69 63 72 6f 73 6f 66 74 20 53 65 63 75 72 69 74 79 20 49 6e 74 65 6c 6c 69 67 65 6e 63 65 29 bf a1 20 b9 ae c0 c7 2f bd c5 b0 ed 20 b0 e1 b0 fa b4 c2 20 bf c0 c5 bd c1 f6 b7 Data Ascii: [ ]() , (FreeBoard) . . Haims_ESC.exe .MSI(Microsoft Security Intelligence) /

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49738	112.175.184.42	443	7140	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-19 21:25:22 UTC	287	OUT	GET /haims_esc/haims_localconnect.php HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: runuo.kr Connection: Keep-Alive
2024-04-19 21:25:22 UTC	153	IN	HTTP/1.1 200 OK Date: Fri, 19 Apr 2024 21:25:22 GMT Server: Apache/2.2.15 (CentOS) Content-Length: 681 Connection: close Content-Type: text/html
2024-04-19 21:25:22 UTC	681	IN	Data Raw: 3c 21 2d 2d 20 50 69 77 69 6b 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 0a 20 20 76 61 72 20 5f 70 61 71 20 3d 20 5f 70 61 71 20 7c 7c 20 5b 5d 3b 0a 20 20 5f 70 61 71 2e 70 75 73 68 28 5b 27 74 72 61 63 6b 50 61 67 65 56 69 65 77 27 5d 29 3b 0a 20 20 5f 70 61 71 2e 70 75 73 68 28 5b 27 65 6e 61 62 6c 65 4c 69 6e 6b 54 72 61 63 6b 69 6e 67 27 5d 29 3b 0a 20 20 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 20 20 76 61 72 20 75 3d 28 28 22 68 74 74 70 73 3a 22 20 3d 3d 20 64 6f 63 75 6d 65 6e 74 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 29 20 3f 20 22 68 74 74 70 73 22 20 3a 20 22 68 74 74 70 22 29 20 2b 20 22 3a 2f 2f 72 75 6e 75 6f 2e 6b 72 2f 77 6c 6f 67 2f 22 3b 0a 20 20 Data Ascii: ... Piwik --><script type="text/javascript"> var _paq = _paq \|\| []; _paq.push(['trackPageView']); _paq.push(['enableLinkTracking']); (function() { var u=(("https:" == document.location.protocol) ? "https" : "http") + "://runuo.kr/wlog/";

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49739	112.175.184.42	443	7140	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-19 21:25:22 UTC	313	OUT	GET /wlog/piwik.js HTTP/1.1 Accept: application/javascript, /;q=0.8 Referer: https://runuo.kr/haims_esc/haims_localconnect.php Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: runuo.kr Connection: Keep-Alive
2024-04-19 21:25:23 UTC	265	IN	HTTP/1.1 200 OK Date: Fri, 19 Apr 2024 21:25:22 GMT Server: Apache/2.2.15 (CentOS) Last-Modified: Tue, 16 Sep 2014 11:02:46 GMT ETag: "1961ea4-568d-5032cb0f76180" Accept-Ranges: bytes Content-Length: 22157 Connection: close Content-Type: text/javascript
2024-04-19 21:25:23 UTC	16384	IN	Data Raw: 2f 2a 21 0a 20 2a 20 50 69 77 69 6b 20 2d 20 57 65 62 20 41 6e 61 6c 79 74 69 63 73 0a 20 2a 0a 20 2a 20 4a 61 76 61 53 63 72 69 70 74 20 74 72 61 63 6b 69 6e 67 20 63 6c 69 65 6e 74 0a 20 2a 0a 20 2a 20 40 6c 69 6e 6b 20 68 74 74 70 3a 2f 2f 70 69 77 69 6b 2e 6f 72 67 0a 20 2a 20 40 73 6f 75 72 63 65 20 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 70 69 77 69 6b 2f 70 69 77 69 6b 2f 62 6c 6f 62 2f 6d 61 73 74 65 72 2f 6a 73 2f 70 69 77 69 6b 2e 6a 73 0a 20 2a 20 40 6c 69 63 65 6e 73 65 20 68 74 74 70 3a 2f 2f 70 69 77 69 6b 2e 6f 72 67 2f 66 72 65 65 2d 73 6f 66 74 77 61 72 65 2f 62 73 64 2f 20 53 69 6d 70 6c 69 66 69 65 64 20 42 53 44 20 28 61 6c 73 6f 20 69 6e 20 6a 73 2f 4c 49 43 45 4e 53 45 2e 74 78 74 29 0a 20 2a 2f 0a 69 66 28 74 79 70 Data Ascii: /! Piwik - Web Analytics * * JavaScript tracking client * * @link http://piwik.org * @source https://github.com/piwik/piwik/blob/master/js/piwik.js * @license http://piwik.org/free-software/bsd/ Simplified BSD (also in js/LICENSE.txt) */if(typ
2024-04-19 21:25:23 UTC	5773	IN	Data Raw: 28 62 6d 2e 74 79 70 65 3d 3d 3d 22 6d 6f 75 73 65 75 70 22 29 7b 69 66 28 62 6e 3d 3d 3d 61 49 26 26 62 6f 3d 3d 3d 61 64 29 7b 61 58 28 62 6f 29 7d 61 49 3d 61 64 3d 6e 75 6c 6c 7d 7d 7d 7d 66 75 6e 63 74 69 6f 6e 20 61 57 28 62 6e 2c 62 6d 29 7b 69 66 28 62 6d 29 7b 4e 28 62 6e 2c 22 6d 6f 75 73 65 75 70 22 2c 62 6b 2c 66 61 6c 73 65 29 3b 4e 28 62 6e 2c 22 6d 6f 75 73 65 64 6f 77 6e 22 2c 62 6b 2c 66 61 6c 73 65 29 7d 65 6c 73 65 7b 4e 28 62 6e 2c 22 63 6c 69 63 6b 22 2c 62 6b 2c 66 61 6c 73 65 29 7d 7d 66 75 6e 63 74 69 6f 6e 20 61 45 28 62 6e 29 7b 69 66 28 21 61 56 29 7b 61 56 3d 74 72 75 65 3b 76 61 72 20 62 6f 2c 62 6d 3d 61 6d 28 57 2c 22 69 67 6e 6f 72 65 22 29 2c 62 70 3d 71 2e 6c 69 6e 6b 73 3b 69 66 28 62 70 29 7b 66 6f 72 28 62 6f 3d 30 3b Data Ascii: (bm.type==="mouseup"){if(bn===aI&&bo===ad){aX(bo)}aI=ad=null}}}}function aW(bn,bm){if(bm){N(bn,"mouseup",bk,false);N(bn,"mousedown",bk,false)}else{N(bn,"click",bk,false)}}function aE(bn){if(!aV){aV=true;var bo,bm=am(W,"ignore"),bp=q.links;if(bp){for(bo=0;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	112.175.184.42	443	7140	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-19 21:25:24 UTC	687	OUT	GET /wlog/piwik.php?action_name=&idsite=1&rec=1&r=643131&h=23&m=25&s=22&url=https%3A%2F%2Frunuo.kr%2Fhaims_esc%2Fhaims_localconnect.php&_id=1aa1c3094c7d4b5f&_idts=1713561923&_idvc=1&_idn=1&_refts=0&_viewts=1713561923&cs=windows-1252&java=1&cookie=1&res=1280x1024&gt_ms=0 HTTP/1.1 Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /;q=0.5 Referer: https://runuo.kr/haims_esc/haims_localconnect.php Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: runuo.kr Connection: Keep-Alive Cookie: _pk_id.1.041b=1aa1c3094c7d4b5f.1713561923.1.1713561923.1713561923.; _pk_ses.1.041b=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49740	112.175.184.42	443	7140	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-19 21:25:24 UTC	291	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: runuo.kr Connection: Keep-Alive Cookie: _pk_id.1.041b=1aa1c3094c7d4b5f.1713561923.1.1713561923.1713561923.; _pk_ses.1.041b=*
2024-04-19 21:25:24 UTC	180	IN	HTTP/1.1 404 Not Found Date: Fri, 19 Apr 2024 21:25:24 GMT Server: Apache/2.2.15 (CentOS) Content-Length: 209 Connection: close Content-Type: text/html; charset=iso-8859-1
2024-04-19 21:25:24 UTC	209	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /favicon.ico was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49742	112.175.184.42	443	6996	C:\Users\user\Desktop\Haims_ESC.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-19 21:25:25 UTC	237	OUT	GET /haims_esc/nosearch/Haims_CompanyCode_check.php?CompanyCode=0 HTTP/1.1 User-Agent: AutoHotkey Host: runuo.kr Cache-Control: no-cache Cookie: _pk_ses.1.041b=*; _pk_id.1.041b=1aa1c3094c7d4b5f.1713561923.1.1713561923.1713561923.
2024-04-19 21:25:26 UTC	152	IN	HTTP/1.1 200 OK Date: Fri, 19 Apr 2024 21:25:25 GMT Server: Apache/2.2.15 (CentOS) Content-Length: 32 Connection: close Content-Type: text/html
2024-04-19 21:25:26 UTC	32	IN	Data Raw: 43 46 43 44 32 30 38 34 39 35 44 35 36 35 45 46 36 36 45 37 44 46 46 39 46 39 38 37 36 34 44 41 Data Ascii: CFCD208495D565EF66E7DFF9F98764DA

Target ID:	0
Start time:	23:24:55
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe"
Imagebase:	0x400000
File size:	371'848 bytes
MD5 hash:	98978C705E7A64B2D3FFFA565892DDAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:25:12
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\Haims_ESC.exe
Wow64 process (32bit):	true
Commandline:	Haims_ESC.exe
Imagebase:	0x400000
File size:	500'856 bytes
MD5 hash:	0A32B7F8B8662394FDB3F6F6034A106B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 34%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	23:25:16
Start date:	19/04/2024
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Imagebase:	0x7ff7bab40000
File size:	834'512 bytes
MD5 hash:	CFE2E6942AC1B72981B3105E22D3224E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	23:25:16
Start date:	19/04/2024
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4476 CREDAT:17410 /prefetch:2
Imagebase:	0x2b0000
File size:	828'368 bytes
MD5 hash:	6F0F06D6AB125A99E43335427066A4A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	23:25:17
Start date:	19/04/2024
Path:	C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Wow64 process (32bit):	true
Commandline:	"C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new
Imagebase:	0xd80000
File size:	85'632 bytes
MD5 hash:	F9A898A606E7F5A1CD7CFFA8079253A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	23:25:23
Start date:	19/04/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	Taskkill /f /im iexplore.exe
Imagebase:	0x2a0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	23:25:23
Start date:	19/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.1%
Total number of Nodes:	1504
Total number of Limit Nodes:	89

Executed Functions

Function 00444D60 Relevance: 95.4, APIs: 50, Strings: 4, Instructions: 941registrynativeclipboardCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00444D81
NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00445513

Strings

9000, xrefs: 00445485
localhost, xrefs: 0044546E
AHK_ATTACH_DEBUGGER, xrefs: 0044543D
TaskbarCreated, xrefs: 00444D7C

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClipboardFormatNtdllProc_RegisterWindow
String ID: 9000$AHK_ATTACH_DEBUGGER$TaskbarCreated$localhost
API String ID: 1648117791-182697789
Opcode ID: cb7544afc279605b2f7e71d5848703d4d221190eb803ef6b3a26814f3b69685b
Instruction ID: 5b26b025531e639d4603431bda0b32276ca779ae649421882833c68e9c4d690d
Opcode Fuzzy Hash: cb7544afc279605b2f7e71d5848703d4d221190eb803ef6b3a26814f3b69685b
Instruction Fuzzy Hash: D762E272600604AFEB20DF68EC84A6B77A5EB85711F00493BF946D7792D739DC10CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0043B080 Relevance: 88.1, APIs: 32, Strings: 18, Instructions: 610processlibraryloaderCOMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0043B0E7
__wcsicoll.LIBCMT ref: 0043B0F9
__wcsicoll.LIBCMT ref: 0043B10B
__wcsicoll.LIBCMT ref: 0043B11D
__wcsicoll.LIBCMT ref: 0043B12F
__wcsicoll.LIBCMT ref: 0043B141
_memset.LIBCMT ref: 0043B2E8
__swprintf.LIBCMT ref: 0043B36A
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000044,?), ref: 0043B403
CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,?,00000044,?), ref: 0043B415
CloseHandle.KERNEL32(?), ref: 0043B456
_memset.LIBCMT ref: 0043B493
__wcsicoll.LIBCMT ref: 0043B4DF
_wcschr.LIBCMT ref: 0043B52B
ShellExecuteExW.SHELL32(0000003C), ref: 0043B636
GetModuleHandleW.KERNEL32(kernel32.dll,GetProcessId), ref: 0043B65A
GetProcAddress.KERNEL32(00000000), ref: 0043B661

Strings

edit, xrefs: 0043B117, 0043B1D9
print, xrefs: 0043B129, 0043B1EB
explore, xrefs: 0043B0F3, 0043B1B5
System verbs unsupported with RunAs., xrefs: 0043B26E
find, xrefs: 0043B0E1, 0043B1A3
Launch Error (possibly related to RunAs):, xrefs: 0043B76A
kernel32.dll, xrefs: 0043B655
String too long., xrefs: 0043B2B7
..., xrefs: 0043B739, 0043B755, 0043B77F
properties, xrefs: 0043B13B, 0043B1FD, 0043B4D6
open, xrefs: 0043B105, 0043B1C7
"%s" %s, xrefs: 0043B364
Verb: <%s>, xrefs: 0043B6EA
Failed attempt to launch program or document:, xrefs: 0043B771, 0043B781
GetProcessId, xrefs: 0043B650
.exe.bat.com.cmd.hta, xrefs: 0043B5C5
%sAction: <%-0.400s%s>%sParams: <%-0.400s%s>, xrefs: 0043B782
\/., xrefs: 0043B594

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll$Handle$Close_memset$AddressCreateExecuteModuleProcProcessShell__swprintf_wcschr
String ID: Verb: <%s>$"%s" %s$%sAction: <%-0.400s%s>%sParams: <%-0.400s%s>$...$.exe.bat.com.cmd.hta$Failed attempt to launch program or document:$GetProcessId$Launch Error (possibly related to RunAs):$String too long.$System verbs unsupported with RunAs.$\/.$edit$explore$find$kernel32.dll$open$print$properties
API String ID: 3691946165-2616667029
Opcode ID: 60352d2862462ec6d69d3979fdbed61ef14b53b38e96c089fdf58ffe046d2a67
Instruction ID: 749d80ff5dfd462ae6f12ffa27d563702a54a983c1c9c4622f36685a36bcbddc
Opcode Fuzzy Hash: 60352d2862462ec6d69d3979fdbed61ef14b53b38e96c089fdf58ffe046d2a67
Instruction Fuzzy Hash: B722AE71A002059BDF20DF65CC86BAF77A4EF98304F04916BEA05A7341E7789945CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004014E4 Relevance: 74.6, APIs: 40, Strings: 2, Instructions: 1091timewindowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnWire.KERNEL32(00000000), ref: 0040150F
CloseClipboard.USER32 ref: 0040151B
SetTimer.USER32(00010424,00000009,0000000A), ref: 004015C4
GetTickCount.KERNEL32 ref: 004015E9
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,-00000311), ref: 00401630
GetTickCount.KERNEL32 ref: 0040163B
GetFocus.USER32 ref: 004016D4

Strings

#32770, xrefs: 00401DD0
(&, xrefs: 00401613

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTick$CallbackClipboardCloseDispatcherFocusGlobalTimerUserWire
String ID: #32770$(&
API String ID: 3046383785-2511465892
Opcode ID: b7154e88ced562639ceab82bf40a49c15f8b900ecc9ab0ba3c6c9623e38ef1c0
Instruction ID: 8efcaa11bda21fb41c0711c83df5939c906220ec3daa44cf4f5dacab51e27cd2
Opcode Fuzzy Hash: b7154e88ced562639ceab82bf40a49c15f8b900ecc9ab0ba3c6c9623e38ef1c0
Instruction Fuzzy Hash: 9D9290709083419BDB24DF24C98876B7BE1BB85304F58457BE885AB3E1D7B8DC41CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041D920 Relevance: 51.0, APIs: 27, Strings: 2, Instructions: 264
comwindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040E4B0: CreateThread.KERNEL32(00000000,00002000,0040E7E0,00000000,00000000,004D85A0), ref: 0040E50A
Part of subcall function 0040E4B0: SetThreadPriority.KERNEL32(00000000,0000000F,?,00408CE2,?,00408938,An internal error has occurred in the debugger engine.Continue running the script without the debugger?,?,?,004062BD,?), ref: 0040E520
Part of subcall function 0040E4B0: PostThreadMessageW.USER32(00000000,00000417,004062BD,00000000), ref: 0040E544
Part of subcall function 0040E4B0: Sleep.KERNEL32(0000000A,?,00408CE2,?,00408938,An internal error has occurred in the debugger engine.Continue running the script without the debugger?,?,?,004062BD,?), ref: 0040E550
Part of subcall function 0040E4B0: GetTickCount.KERNEL32 ref: 0040E567
Part of subcall function 0040E4B0: PeekMessageW.USER32(?,00000000,00000417,00000417,00000001), ref: 0040E58A

Shell_NotifyIconW.SHELL32(00000002,004DA93A), ref: 0041D969
IsWindow.USER32(00000000), ref: 0041D987
DestroyWindow.USER32(00000000,?,?,?,00000000,00000000), ref: 0041D994
DeleteObject.GDI32(00000000), ref: 0041D9A2
DeleteObject.GDI32(00000000), ref: 0041D9AC
DeleteObject.GDI32(00000000), ref: 0041D9B6
DeleteObject.GDI32(00000000), ref: 0041D9DD
DestroyCursor.USER32(00000000), ref: 0041D9E1
IsWindow.USER32(00000000), ref: 0041D9EB
DestroyWindow.USER32(00000000,?,?,?,?,00000000,00000000), ref: 0041D9F9
DeleteObject.GDI32(00000000), ref: 0041DA07
DeleteObject.GDI32(00000000), ref: 0041DA11
DeleteObject.GDI32(00000000), ref: 0041DA1B
DeleteObject.GDI32(?), ref: 0041DA72
DestroyCursor.USER32(00000000), ref: 0041DA8D
DestroyCursor.USER32(00000000), ref: 0041DA96
IsWindow.USER32(00000000), ref: 0041DAC7
DestroyWindow.USER32(00000000,?,?,?,00000000,00000000), ref: 0041DAD4
DeleteObject.GDI32(00000000), ref: 0041DAEF
ChangeClipboardChain.USER32(00010424,00000000), ref: 0041DB36
mciSendStringW.WINMM(status AHK_PlayMe mode,?,00000208,00000000), ref: 0041DB63
mciSendStringW.WINMM(close AHK_PlayMe,00000000,00000000,00000000), ref: 0041DB78
RtlDeleteCriticalSection.NTDLL(004D8588), ref: 0041DB7F
OleUninitialize.OLE32(?,?,?,00000000,00000000), ref: 0041DB85
_free.LIBCMT ref: 0041DBBB
_free.LIBCMT ref: 0041DBF7

Part of subcall function 0049996D: HeapFree.KERNEL32(00000000,00000000,?,0049D9E3,00000000,?,0049F73B,?,0047F78E), ref: 00499983
Part of subcall function 0049996D: GetLastError.KERNEL32(00000000,?,0049D9E3,00000000,?,0049F73B,?,0047F78E), ref: 00499995

_free.LIBCMT ref: 0041DC36

Strings

close AHK_PlayMe, xrefs: 0041DB73
status AHK_PlayMe mode, xrefs: 0041DB5E

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Delete$Object$DestroyWindow$CursorThread_free$MessageSendString$ChainChangeClipboardCountCreateCriticalErrorFreeHeapIconLastNotifyPeekPostPrioritySectionShell_SleepTickUninitialize
String ID: close AHK_PlayMe$status AHK_PlayMe mode
API String ID: 2053152309-1474590089
Opcode ID: 43dbf4e48762742fef1c2bc3ea25bc63398a652a321cc9a88617ff32132107d1
Instruction ID: c16290384eefa07a878c0c2939a52c9d199cf07a1a4ec102613a24c0f1cf8a08
Opcode Fuzzy Hash: 43dbf4e48762742fef1c2bc3ea25bc63398a652a321cc9a88617ff32132107d1
Instruction Fuzzy Hash: 399159F1E042019BDB20DF69DC54BAB77E8AB05744F09052BA846D7390DB78E880CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 00401EF4 Relevance: 28.5, APIs: 14, Strings: 2, Instructions: 525threadwindowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004015E9
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,-00000311), ref: 00401630
GetTickCount.KERNEL32 ref: 0040163B
GetForegroundWindow.USER32 ref: 00401D9A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00401DAD
GetClassNameW.USER32(00000000,?,00000020), ref: 00401DCA
IsDialogMessageW.USER32(00000000,?), ref: 0040315C
SetCurrentDirectoryW.KERNEL32(004AF9BC), ref: 00403184

Strings

#32770, xrefs: 00401DD0
(&, xrefs: 00401613

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTickWindow$CallbackClassCurrentDialogDirectoryDispatcherForegroundMessageNameProcessThreadUser
String ID: #32770$(&
API String ID: 2062716809-2511465892
Opcode ID: c458dfc60e4137a53c38c12445efd280584aa3bcb8fca7e6b072092b8870d4d7
Instruction ID: 21372fadce2f9c2c49e305777284a7a0a2bda8a71c8e5db11bf07930ff598f1a
Opcode Fuzzy Hash: c458dfc60e4137a53c38c12445efd280584aa3bcb8fca7e6b072092b8870d4d7
Instruction Fuzzy Hash: 7812A2719043529BDB258F28C98476BB7E1BB85304F59457FE885AB3E0D378DC42CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 0041F3CB Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 211
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

*#2, xrefs: 0041F655
Too many includes., xrefs: 0041F3DF
Out of memory., xrefs: 0041F438
*, xrefs: 0041F460

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: *$*#2$Out of memory.$Too many includes.
API String ID: 0-744658508
Opcode ID: 78604e5a44b7f2934b41466ae364e3cb1411b8314b3251e9401cf4890cc07294
Instruction ID: cebd737840011d0a7ed4ae4f31cf641042e15227ad5008ef3c7bf29de8d98328
Opcode Fuzzy Hash: 78604e5a44b7f2934b41466ae364e3cb1411b8314b3251e9401cf4890cc07294
Instruction Fuzzy Hash: BC61B671700301ABE7209F24E841BA77795AF95714F14053BE949CB392EB3DD84AC7AE

Uniqueness

Uniqueness Score: -1.00%

Function 00483940 Relevance: 19.7, APIs: 13, Instructions: 170
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0048395A

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProcessThreadWindow
String ID:
API String ID: 1653199695-0
Opcode ID: 640a2d6f9e7d29815fbe85e67c769789653ff849aa96f63ceae80de5fa9ef58e
Instruction ID: 09f6db9bfc3c21d03fcca0c09fe130dab533411e0639ebdd37bbf4c27118845f
Opcode Fuzzy Hash: 640a2d6f9e7d29815fbe85e67c769789653ff849aa96f63ceae80de5fa9ef58e
Instruction Fuzzy Hash: 78515BB17043006FE720BF68AC45B6F7BD89B84F09F440C2AF58196392E7B9D904875E

Uniqueness

Uniqueness Score: -1.00%

Function 00480580 Relevance: 12.2, APIs: 8, Instructions: 164fileCOMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 0048064A
FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,0040468E,?,004DA6C0), ref: 00480672
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,0040468E,?,004DA6C0), ref: 0048068A
_wcschr.LIBCMT ref: 004806DD
FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,0040468E,?,004DA6C0), ref: 00480702
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,0040468E,?,004DA6C0), ref: 00480712

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$CloseFileFirst_wcschr
String ID:
API String ID: 1717823228-0
Opcode ID: cfc661adc62f4a664a7de936f81ba0ba435efa7efdb94d626c25a0ce4c116b76
Instruction ID: dfaa348b6580a408bfe2c43741ce18e000110445171fc820590134c92dd95946
Opcode Fuzzy Hash: cfc661adc62f4a664a7de936f81ba0ba435efa7efdb94d626c25a0ce4c116b76
Instruction Fuzzy Hash: E8512C72510301ABC710EB60CC85EAF7768EF84315F45893AEC459B291F778E90D8BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004804F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,?), ref: 0048052E
FindClose.KERNEL32(00000000,?,?,?), ref: 0048053A
GetFileAttributesW.KERNEL32(00000000,?,?,?), ref: 00480555

Strings

\\?\, xrefs: 00480503

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID: \\?\
API String ID: 48322524-4282027825
Opcode ID: c3fc4c152e5982e28bd70fe5cf2296377dfebde9111d1f6d4ac0afef8e8b75e0
Instruction ID: 6308ded1558d9aaad8a4f93d5b288044f3a3d3d6c0c683a1baaa1712dd309081
Opcode Fuzzy Hash: c3fc4c152e5982e28bd70fe5cf2296377dfebde9111d1f6d4ac0afef8e8b75e0
Instruction Fuzzy Hash: 4101F739900A016BD761FA28DC897AF37549F80320F544A36EC24D23C0E77C894D5B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0049C396 Relevance: 4.6, APIs: 3, Instructions: 130COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 0049C44F
__write.LIBCMT ref: 0049C476
__flsbuf.LIBCMT ref: 0049C4A1

Part of subcall function 0049DF32: __getptd_noexit.LIBCMT ref: 0049DF32

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write
String ID:
API String ID: 3115901604-0
Opcode ID: aa0ce2da80148cfc0ed893735abf5d9ad2b72076688f837931c3715b8f2b565a
Instruction ID: b7e99e1910aeb7041d20f3f228ab8831a8c6e8b823391c1c040a9263a5ff0729
Opcode Fuzzy Hash: aa0ce2da80148cfc0ed893735abf5d9ad2b72076688f837931c3715b8f2b565a
Instruction Fuzzy Hash: FA41B071B00604ABDF24DF6988D46AFBFB5AF80320F24853FE81597280D778EE418B48

Uniqueness

Uniqueness Score: -1.00%

Function 00404290 Relevance: 79.3, APIs: 27, Strings: 18, Instructions: 518
sleepwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitializeCriticalSection.NTDLL(004D8588), ref: 004042A9
SetErrorMode.KERNEL32(00000001), ref: 004042B1

Part of subcall function 0044B870: GetCurrentDirectoryW.KERNEL32(00008000,?,?,004042BE), ref: 0044B887

FindResourceW.KERNEL32 ref: 00404351
__wcsicoll.LIBCMT ref: 00404383
__wcsicoll.LIBCMT ref: 00404399
__wcsicoll.LIBCMT ref: 004043AF
__wcsicoll.LIBCMT ref: 004043C5
__wcsnicmp.LIBCMT ref: 004043DD
__wcsicoll.LIBCMT ref: 00404415
__wcsicoll.LIBCMT ref: 0040443B
__wcsicoll.LIBCMT ref: 00404471
__wcsnicmp.LIBCMT ref: 004044DA
__wcsnicmp.LIBCMT ref: 0040450D
_wcsrchr.LIBCMT ref: 0040453A
FindWindowW.USER32(AutoHotkey,02C302B0), ref: 00404751
FindWindowW.USER32(AutoHotkey,02C302B0), ref: 004047BB
PostMessageW.USER32(00000000,00000044,00000406,00000000), ref: 004047D2
Sleep.KERNEL32(00000014), ref: 004047E2
IsWindow.USER32(00000000), ref: 004047E5
Sleep.KERNEL32(00000014), ref: 0040481E
IsWindow.USER32(00000000), ref: 00404821
Sleep.KERNEL32(00000064), ref: 0040482D
SystemParametersInfoW.USER32(00002000,00000000,004D81D4,00000000), ref: 00404843
SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040485D
_setvbuf.LIBCMT ref: 00404881
_malloc.LIBCMT ref: 0040489A
_memset.LIBCMT ref: 004048AF

Strings

/include, xrefs: 00404435
An older instance of this script is already running. Replace it with this instance?Note: To avoid this message, see #SingleInsta, xrefs: 00404787
A_Args, xrefs: 00404603, 00404631
$mM, xrefs: 0040455E
/restart, xrefs: 00404393
localhost, xrefs: 00404593
/ErrorStdOut, xrefs: 004043D7
/script, xrefs: 0040440F
Could not close the previous instance of this script. Keep waiting?, xrefs: 00404803
/force, xrefs: 004043BF
AutoHotkey, xrefs: 0040474C, 004047B6
*#1, xrefs: 0040435B
/iLib, xrefs: 0040446B
9000, xrefs: 00404582, 004045A2
/Debug, xrefs: 00404507
Clipboard, xrefs: 0040492F
Out of memory., xrefs: 00404307
/CP, xrefs: 004044D4

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll$Window$FindSleep__wcsnicmp$InfoParametersSystem$CriticalCurrentDirectoryErrorInitializeMessageModePostResourceSection_malloc_memset_setvbuf_wcsrchr
String ID: $mM$*#1$/CP$/Debug$/ErrorStdOut$/force$/iLib$/include$/restart$/script$9000$A_Args$An older instance of this script is already running. Replace it with this instance?Note: To avoid this message, see #SingleInsta$AutoHotkey$Clipboard$Could not close the previous instance of this script. Keep waiting?$Out of memory.$localhost
API String ID: 1442251356-776061993
Opcode ID: 0f33e5f75049e0f1379862a92f8fa95a18f327c97ef91bafaa9be28a13da8f4a
Instruction ID: 5b431fe97f201099b494706444d3f0a2dfa8c005fa9ced425c77ebfff6bf694d
Opcode Fuzzy Hash: 0f33e5f75049e0f1379862a92f8fa95a18f327c97ef91bafaa9be28a13da8f4a
Instruction Fuzzy Hash: 73F104B1A05201ABDB20AB65AC42B6B3794ABD1705F14453FFF05A73D1EB7CDC0186AE

Uniqueness

Uniqueness Score: -1.00%

Function 0041E010 Relevance: 59.8, APIs: 24, Strings: 10, Instructions: 253
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0041E042

Part of subcall function 00481680: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,75C04BD0,?,004DA6C0,00000000,FFFFFF61,00000000,00000000,00000000,75C04BD0,?,004DA6C0), ref: 00481699
Part of subcall function 00481680: FindResourceW.KERNEL32(00400000,00400000,0000000E), ref: 004816FF
Part of subcall function 00481680: LoadResource.KERNEL32(00400000,00000000), ref: 0048170F
Part of subcall function 00481680: LockResource.KERNEL32(00000000), ref: 0048171E
Part of subcall function 00481680: GetSystemMetrics.USER32(0000000B), ref: 00481746
Part of subcall function 00481680: FindResourceW.KERNEL32(00400000,?,00000003), ref: 004817A6
Part of subcall function 00481680: LoadResource.KERNEL32(00400000,00000000), ref: 004817B4
Part of subcall function 00481680: LockResource.KERNEL32(00000000), ref: 004817BF

GetSystemMetrics.USER32(00000031), ref: 0041E08C

Part of subcall function 00481680: EnumResourceNamesW.KERNEL32 ref: 004816E6
Part of subcall function 00481680: SizeofResource.KERNEL32(00400000,00000000,00000001,00030000,00000000,00000000,00000000), ref: 004817DA
Part of subcall function 00481680: CreateIconFromResourceEx.USER32(00000000,00000000), ref: 004817E2
Part of subcall function 00481680: ExtractIconW.SHELL32(00000000,?,?), ref: 00481822

LoadCursorW.USER32(00000000,00007F00), ref: 0041E0BC
RegisterClassExW.USER32 ref: 0041E0E1
RegisterClassExW.USER32(?), ref: 0041E12A
GetForegroundWindow.USER32 ref: 0041E131
GetClassNameW.USER32(00000000,?,00000040), ref: 0041E143
__wcsicoll.LIBCMT ref: 0041E157
CreateWindowExW.USER32(00000000,AutoHotkey,?,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00400000,00000000), ref: 0041E1AE
GetMenu.USER32(00000000), ref: 0041E1DE
EnableMenuItem.USER32(00000000,0000FF79,00000003), ref: 0041E1EE
CreateWindowExW.USER32(00000000,edit,00000000,50A00804,00000000,00000000,00000000,00000000,00000000,00000001,00400000,00000000), ref: 0041E235
GetDC.USER32(00000000), ref: 0041E245
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041E27E
MulDiv.KERNEL32(0000000A,00000000), ref: 0041E287
CreateFontW.GDI32(00000000), ref: 0041E290
ReleaseDC.USER32(00010428,00000000), ref: 0041E2A3
SendMessageW.USER32(00010428,00000030,650A0D66,00000000), ref: 0041E2C0
SendMessageW.USER32(00010428,000000C5,00000000,00000000), ref: 0041E2D2
ShowWindow.USER32(00010424,00000000), ref: 0041E2E2
ShowWindow.USER32(00010424,00000000), ref: 0041E2ED
ShowWindow.USER32(00010424,00000006), ref: 0041E2FC
SetWindowLongW.USER32(00010424,000000EC,00000000), ref: 0041E308
LoadAcceleratorsW.USER32(00400000,000000D4), ref: 0041E31A

Part of subcall function 0041E450: _memset.LIBCMT ref: 0041E460
Part of subcall function 0041E450: _wcsncpy.LIBCMT ref: 0041E4D2
Part of subcall function 0041E450: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0041E4E5

Strings

CreateWindow, xrefs: 0041E1CA
edit, xrefs: 0041E22E
Shell_TrayWnd, xrefs: 0041E151
AutoHotkey, xrefs: 0041E065, 0041E1A3
Consolas, xrefs: 0041E254
RegClass, xrefs: 0041E0F9
AutoHotkey2, xrefs: 0041E11A
Lucida Console, xrefs: 0041E25B, 0041E260
fe, xrefs: 0041E29E, 0041E2A9
0, xrefs: 0041E05D

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Resource$Window$Load$Create$ClassIconShow$FindLockMenuMessageMetricsRegisterSendSystem_memset$AcceleratorsCapsCursorDeviceEnableEnumExtractFontForegroundFromItemLibraryLongNameNamesNotifyReleaseShell_Sizeof__wcsicoll_wcsncpy
String ID: 0$AutoHotkey$AutoHotkey2$Consolas$CreateWindow$Lucida Console$RegClass$Shell_TrayWnd$edit$fe
API String ID: 2663150501-4085925049
Opcode ID: 27695deff8b8e19a3f4e35cd14154023138713e620d633747618fa860ddefe17
Instruction ID: 441e70ead37ee4330271e54fc4a76f266eb80d233ad2c8c4d28c4210b5f82463
Opcode Fuzzy Hash: 27695deff8b8e19a3f4e35cd14154023138713e620d633747618fa860ddefe17
Instruction Fuzzy Hash: 8581D875B45300BBE7209B61DC45FA73BA8EB45B04F14052BFA05AB2D0D7B9A844CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00402607 Relevance: 40.9, APIs: 20, Strings: 3, Instructions: 697windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004015E9
SendMessageW.USER32(?,0000110A,00000009,?), ref: 004026D4
ScreenToClient.USER32(?,?), ref: 00402701
SendMessageW.USER32(00000000,00001111,00000000,?), ref: 00402719
GetWindowLongW.USER32(?,000000EC), ref: 00402848
SetWindowLongW.USER32(?,000000EC,00000000), ref: 0040285C
MulDiv.KERNEL32(?,00000060,00000060), ref: 004028F9
MulDiv.KERNEL32(?,00000060,00000060), ref: 00402941
_memset.LIBCMT ref: 00402B61
SendMessageW.USER32 ref: 00402B96
DragFinish.SHELL32(?), ref: 00402DAE
GetWindowLongW.USER32(00000000,000000EC), ref: 00402DC1
SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 00402DD1

Part of subcall function 00401060: IsClipboardFormatAvailable.USER32(0000000D), ref: 00401072
Part of subcall function 00401060: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040107A

Strings

(&, xrefs: 00401613
I, xrefs: 00402AE8
Gui, xrefs: 00402D25

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: LongWindow$MessageSend$AvailableClipboardFormat$ClientCountDragFinishScreenTick_memset
String ID: Gui$I$(&
API String ID: 2313988943-3917846355
Opcode ID: 139abdacb5128bdf9b2c62a26f0f2a330e702b069820a5931b63f31f8916751c
Instruction ID: 976f84cc3d787988f0ebed0f778409e2265b81f612b390d725eece04fcb87179
Opcode Fuzzy Hash: 139abdacb5128bdf9b2c62a26f0f2a330e702b069820a5931b63f31f8916751c
Instruction Fuzzy Hash: D95291706083009FD725DF18C984B9BB7E5BF88304F14896EE589A73E1D7B8E845CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0045DB10 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 279
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wcstoi64.LIBCMT ref: 0045DB4C
InternetOpenW.WININET(AutoHotkey,00000004,00000000,00000000,00000000), ref: 0045DB92

Part of subcall function 004998B8: __wcstoi64.LIBCMT ref: 004998C4

Strings

AutoHotkey, xrefs: 0045DB8D
(, xrefs: 0045DCAF

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcstoi64$InternetOpen
String ID: ($AutoHotkey
API String ID: 469112803-2766205875
Opcode ID: 2265a2156d5291020e89cdb63bf7186018e6d1350cbf802bc0a1cf46af99e315
Instruction ID: 53fc6d40da4b1f6fef5fdd053395f4985d7ed9a5cdabd0dd5427008260780ef6
Opcode Fuzzy Hash: 2265a2156d5291020e89cdb63bf7186018e6d1350cbf802bc0a1cf46af99e315
Instruction Fuzzy Hash: 6191B772A443006BD330EB259C81F6B77E4AF95715F10052BFA449B2D2D6B9AC48C7AE

Uniqueness

Uniqueness Score: -1.00%

Function 004316D5 Relevance: 27.0, APIs: 11, Strings: 4, Instructions: 702windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnWire.KERNEL32(00000000), ref: 004309CC
CloseClipboard.USER32 ref: 004309DC
GetTickCount.KERNEL32 ref: 004309EE
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00430A1A
GetTickCount.KERNEL32 ref: 00430A30
GetTickCount.KERNEL32 ref: 00430AF4
_free.LIBCMT ref: 004319B7
_free.LIBCMT ref: 004319F5
_wcschr.LIBCMT ref: 00431C32

Strings

D, xrefs: 004317FF
v1j, xrefs: 00430A08
MZ@, xrefs: 004319BF, 004319FD
SMHD, xrefs: 00431C2D

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTick$_free$ClipboardCloseGlobalMessagePeekWire_wcschr
String ID: D$MZ@$SMHD$v1j
API String ID: 2216821484-722006676
Opcode ID: 3ac5fde0385bd2c17cf40b807939d134bfce3a3cc1f2d6b8deb14a7fc5ad4987
Instruction ID: e0a876c0feb26252890c6b63f0e44e233e6c81559f4ac884dc4db58093329221
Opcode Fuzzy Hash: 3ac5fde0385bd2c17cf40b807939d134bfce3a3cc1f2d6b8deb14a7fc5ad4987
Instruction Fuzzy Hash: 2E42E170608300DFD724DF14D891B6BB7E1AB89314F145A2FE8869B3A1D778EC85CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00430F95 Relevance: 25.1, APIs: 9, Strings: 5, Instructions: 575windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnWire.KERNEL32(00000000), ref: 004309CC
CloseClipboard.USER32 ref: 004309DC
GetTickCount.KERNEL32 ref: 004309EE
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00430A1A
__wcsicoll.LIBCMT ref: 00431267

Part of subcall function 00438590: _wcsncpy.LIBCMT ref: 00438643
Part of subcall function 00438590: _wcschr.LIBCMT ref: 0043868A
Part of subcall function 00438590: _memmove.LIBCMT ref: 004386D6
Part of subcall function 00438590: _wcschr.LIBCMT ref: 004386E3

GetTickCount.KERNEL32 ref: 00430A30

Part of subcall function 0041AFE0: __wcsicoll.LIBCMT ref: 0041B0EC
Part of subcall function 0041AFE0: __wcsicoll.LIBCMT ref: 0041B104

Part of subcall function 0041CEB0: __fassign.LIBCMT ref: 0041CEC0

__wcsicoll.LIBCMT ref: 00431005

Strings

CSV, xrefs: 00431261
Read, xrefs: 00430FFF
v1j, xrefs: 00430A08
Parameter #2 invalid., xrefs: 004350A8
Parameter #3 invalid., xrefs: 004350D2

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll$CountTick_wcschr$ClipboardCloseGlobalMessagePeekWire__fassign_memmove_wcsncpy
String ID: CSV$Parameter #2 invalid.$Parameter #3 invalid.$Read$v1j
API String ID: 194727873-2063208240
Opcode ID: 97d8d28fe4db50c42ad0c3092935d269c80c865a760d0c5925d072cb407fd48a
Instruction ID: 0447225378f8a9a999642c4047eadc4727601436632f26a11834652e19def5e1
Opcode Fuzzy Hash: 97d8d28fe4db50c42ad0c3092935d269c80c865a760d0c5925d072cb407fd48a
Instruction Fuzzy Hash: 5422BD716083409FD724DF14D890BABB7E5AB88314F149A2FF4458B3A1D778EC45CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0043475A Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 253
windowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalUnWire.KERNEL32(00000000), ref: 004309CC
CloseClipboard.USER32 ref: 004309DC
GetTickCount.KERNEL32 ref: 004309EE
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00430A1A
GetTickCount.KERNEL32 ref: 00430A30
GetTickCount.KERNEL32 ref: 00430AF4
__wcsnicmp.LIBCMT ref: 00434768
_wcschr.LIBCMT ref: 0043479E
__swprintf.LIBCMT ref: 0043482E

Part of subcall function 00404040: __wcstoi64.LIBCMT ref: 00404050

__wcsnicmp.LIBCMT ref: 0043484D

Strings

Integer, xrefs: 00434847
v1j, xrefs: 00430A08
%%%s%s%s, xrefs: 00434828
Float, xrefs: 00434762

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTick$__wcsnicmp$ClipboardCloseGlobalMessagePeekWire__swprintf__wcstoi64_wcschr
String ID: %%%s%s%s$Float$Integer$v1j
API String ID: 2868021218-2641105242
Opcode ID: 94e04a534ef4aa59ed96f4234b79f439152b8c34e2358e63bccc53abc2dd77ff
Instruction ID: a795a7c27c1cfb6a6991a9997a0675f614bdf05a03f198ba6d36b679fd26eefe
Opcode Fuzzy Hash: 94e04a534ef4aa59ed96f4234b79f439152b8c34e2358e63bccc53abc2dd77ff
Instruction Fuzzy Hash: CAA15571A043009BDB24DB24ECA576A37A1AB99318F18173FE4558B3E1D77C9C41CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00481680 Relevance: 21.2, APIs: 14, Instructions: 174
windowlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,75C04BD0,?,004DA6C0,00000000,FFFFFF61,00000000,00000000,00000000,75C04BD0,?,004DA6C0), ref: 00481699
EnumResourceNamesW.KERNEL32 ref: 004816E6
FindResourceW.KERNEL32(00400000,00400000,0000000E), ref: 004816FF
LoadResource.KERNEL32(00400000,00000000), ref: 0048170F
LockResource.KERNEL32(00000000), ref: 0048171E
GetSystemMetrics.USER32(0000000B), ref: 00481746
FindResourceW.KERNEL32(00400000,?,00000003), ref: 004817A6
LoadResource.KERNEL32(00400000,00000000), ref: 004817B4
LockResource.KERNEL32(00000000), ref: 004817BF
SizeofResource.KERNEL32(00400000,00000000,00000001,00030000,00000000,00000000,00000000), ref: 004817DA
CreateIconFromResourceEx.USER32(00000000,00000000), ref: 004817E2
FreeLibrary.KERNEL32(00400000), ref: 0048180D
ExtractIconW.SHELL32(00000000,?,?), ref: 00481822
ExtractIconW.SHELL32(00000000,?,-00000001), ref: 0048183F

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Resource$IconLoad$ExtractFindLibraryLock$CreateEnumFreeFromMetricsNamesSizeofSystem
String ID:
API String ID: 2349713634-0
Opcode ID: 08ac8f00e448fbdf342f32d71c7537f2804a7e9b3184fe5ff9c2f73d14adf3dc
Instruction ID: 13f58265a7cc48dcbbfd2008fb6ef1652058c1a787efe3a169d90be1eb2d3334
Opcode Fuzzy Hash: 08ac8f00e448fbdf342f32d71c7537f2804a7e9b3184fe5ff9c2f73d14adf3dc
Instruction Fuzzy Hash: 3C51E775A04311ABD3206F649C44B6FBBDCEB85B51F440D2FFC46E62A0D778D8428769

Uniqueness

Uniqueness Score: -1.00%

Function 00434DA2 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 238
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalUnWire.KERNEL32(00000000), ref: 004309CC
CloseClipboard.USER32 ref: 004309DC
GetTickCount.KERNEL32 ref: 004309EE
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00430A1A
GetTickCount.KERNEL32 ref: 00430A30
__wcsicoll.LIBCMT ref: 00434E5F

Part of subcall function 0047F770: _vswprintf_s.LIBCMT ref: 0047F789

RegCloseKey.ADVAPI32(00000000), ref: 00434E93

Strings

ahk_default, xrefs: 00434E59
v1j, xrefs: 00430A08
%s\%s, xrefs: 00434DC3

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCountTick$ClipboardGlobalMessagePeekWire__wcsicoll_vswprintf_s
String ID: %s\%s$ahk_default$v1j
API String ID: 2178406390-383174103
Opcode ID: f41fed269c13e1c531b3a78dd1393c1af379c7157ca6a4dfa369efb79886065a
Instruction ID: 9887da5d58284bcdf2c8f68fe6e99a6d53167ff3cf302bca706516ed05503a36
Opcode Fuzzy Hash: f41fed269c13e1c531b3a78dd1393c1af379c7157ca6a4dfa369efb79886065a
Instruction Fuzzy Hash: 14912471505300DBD724DF24ECA476A77A1AB99318F28172FE4458B3E1D778AC81CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 0043149B Relevance: 17.9, APIs: 7, Strings: 3, Instructions: 353windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnWire.KERNEL32(00000000), ref: 004309CC
CloseClipboard.USER32 ref: 004309DC
GetTickCount.KERNEL32 ref: 004309EE
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00430A1A
_free.LIBCMT ref: 0043163F

Strings

Jumps cannot exit a FINALLY block., xrefs: 00435127
v1j, xrefs: 00430A08
MZ@, xrefs: 00431647

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClipboardCloseCountGlobalMessagePeekTickWire_free
String ID: Jumps cannot exit a FINALLY block.$MZ@$v1j
API String ID: 4211446141-1725973380
Opcode ID: 3722be40e6e03c0c75be3a37fff355d4b0f1249521ac4982c7a2aa737fc42953
Instruction ID: b10ae604a6f53770bc07aaa228f7014b05558723bc55e12b17cd8c63af1bd1b5
Opcode Fuzzy Hash: 3722be40e6e03c0c75be3a37fff355d4b0f1249521ac4982c7a2aa737fc42953
Instruction Fuzzy Hash: 95E1F171A08340DFDB24CF14E8A076AB7E1EB9C314F14666FE8858B3A1D7799C41CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA4 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 211clipboardCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004015E9
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,-00000311), ref: 00401630
GetTickCount.KERNEL32 ref: 0040163B
CountClipboardFormats.USER32 ref: 00402EA4
IsClipboardFormatAvailable.USER32(0000000D), ref: 00402EB6
IsClipboardFormatAvailable.USER32(0000000F), ref: 00402EBE

Strings

(&, xrefs: 00401613
OnClipboardChange, xrefs: 00402F40

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClipboardCount$AvailableFormatTick$CallbackDispatcherFormatsUser
String ID: OnClipboardChange$(&
API String ID: 2843769501-2620337273
Opcode ID: 4977c89f7e9ea8aac4a8f901465e91c453f5c90d6ce02c7d3e33746f38e0a391
Instruction ID: 6e4e40baf0cdc87e82bfc454d5e42e59812c2aaf20469dc92335d07aff22e9f3
Opcode Fuzzy Hash: 4977c89f7e9ea8aac4a8f901465e91c453f5c90d6ce02c7d3e33746f38e0a391
Instruction Fuzzy Hash: 3671B071A053419BDB24DF28C884B6B77E4AB85704F04453BF445A73E1D7B8EC85CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00432D78 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 205
windowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0043B080: __wcsicoll.LIBCMT ref: 0043B0E7
Part of subcall function 0043B080: __wcsicoll.LIBCMT ref: 0043B0F9
Part of subcall function 0043B080: __wcsicoll.LIBCMT ref: 0043B10B
Part of subcall function 0043B080: __wcsicoll.LIBCMT ref: 0043B11D
Part of subcall function 0043B080: __wcsicoll.LIBCMT ref: 0043B12F
Part of subcall function 0043B080: __wcsicoll.LIBCMT ref: 0043B141

GlobalUnWire.KERNEL32(00000000), ref: 004309CC
CloseClipboard.USER32 ref: 004309DC
GetTickCount.KERNEL32 ref: 004309EE
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00430A1A
GetTickCount.KERNEL32 ref: 00430A30
GetTickCount.KERNEL32 ref: 00430AF4

Strings

UseErrorLevel, xrefs: 00432D7E
ERROR, xrefs: 00432DE8
v1j, xrefs: 00430A08

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll$CountTick$ClipboardCloseGlobalMessagePeekWire
String ID: ERROR$UseErrorLevel$v1j
API String ID: 1562844557-790589029
Opcode ID: 9c473f46002c9b12cc547dbfdeab9b254bf0322007617df6bbf66cdb47582879
Instruction ID: 92fe76ff4d71dde7f44baf92dee590f1034169f8aaa6f9f2b6d127454efab720
Opcode Fuzzy Hash: 9c473f46002c9b12cc547dbfdeab9b254bf0322007617df6bbf66cdb47582879
Instruction Fuzzy Hash: 888133306013409BDB24DF24ECA4B6A77A1AB49318F28172FE4558B3E1D7789C80CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401979 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 176windowsleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004015E9
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,-00000311), ref: 00401630
GetTickCount.KERNEL32 ref: 0040163B
GetFocus.USER32 ref: 004016D4
PeekMessageW.USER32(?,00000000,00000000,-00000311,00000001), ref: 004019E4
GetTickCount.KERNEL32 ref: 004019F2
Sleep.KERNEL32(00000000), ref: 00401A13

Strings

(&, xrefs: 00401613

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTick$CallbackDispatcherFocusMessagePeekSleepUser
String ID: (&
API String ID: 1365517912-1801568203
Opcode ID: de625936c1fde2b95e7e73644099b19d404a513d7ed77d9d5aa0eed0ee614fbb
Instruction ID: cc666404116d261e2182305376ccd9d335a3044d87037505ff4fa53c344f67b9
Opcode Fuzzy Hash: de625936c1fde2b95e7e73644099b19d404a513d7ed77d9d5aa0eed0ee614fbb
Instruction Fuzzy Hash: D8519F71A043409FDB219B28C884BAF76E5AB86704F05463BF446A73F1D778DC81C75A

Uniqueness

Uniqueness Score: -1.00%

Function 0041ED69 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsWindow.USER32(00010424), ref: 0041EEB0
DestroyWindow.USER32(00010424), ref: 0041EEC8

Strings

<response command="%s" status="%s" reason="%s" transaction_id="%e"/>, xrefs: 0041EE84
step_into, xrefs: 0041EE47
stopped, xrefs: 0041EE7E
step_out, xrefs: 0041EE55
step_over, xrefs: 0041EE4E
run, xrefs: 0041EE5C, 0041EE83
error, xrefs: 0041EE29, 0041EE7D

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Destroy
String ID: <response command="%s" status="%s" reason="%s" transaction_id="%e"/>$error$run$step_into$step_out$step_over$stopped
API String ID: 3707531092-3398089490
Opcode ID: a1a179f60c7415f12871abf5571e1b96ff6cb74d034b7fcf99c7a91d52f40a18
Instruction ID: ee491ed2a9d921c495d898865484dae82e290bef11b4f00e56e9d4207e2d4513
Opcode Fuzzy Hash: a1a179f60c7415f12871abf5571e1b96ff6cb74d034b7fcf99c7a91d52f40a18
Instruction Fuzzy Hash: 8D41B3786043418FD315DF6AD445BA777A5EF8A304F04856FE8868B3A1C738EC86CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00434C59 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 207
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalUnWire.KERNEL32(00000000), ref: 004309CC
CloseClipboard.USER32 ref: 004309DC
GetTickCount.KERNEL32 ref: 004309EE
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00430A1A
GetTickCount.KERNEL32 ref: 00430A30
RegCloseKey.ADVAPI32(00000000), ref: 00434CDD

Strings

v1j, xrefs: 00430A08

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCountTick$ClipboardGlobalMessagePeekWire
String ID: v1j
API String ID: 1928398982-3288809988
Opcode ID: 45bd53e7efb79136fe5827670c90fabd2754109394bd710ab7737e39dfee985d
Instruction ID: 4c55386819adf07ad37bcd78b24463b7a7458e5d367eba618a1a1760f49b81bd
Opcode Fuzzy Hash: 45bd53e7efb79136fe5827670c90fabd2754109394bd710ab7737e39dfee985d
Instruction Fuzzy Hash: 66812470505340DBD724DF24ECA4B6A77A1AB4D318F14272FE4558B3E1D778A881CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 0041E600 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 165
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 0041E613

Part of subcall function 004998CE: __FF_MSGBANNER.LIBCMT ref: 004998E7
Part of subcall function 004998CE: __NMSG_WRITE.LIBCMT ref: 004998EE
Part of subcall function 004998CE: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 00499913

SetTimer.USER32(00010424,0000000E,04EF6D80,00403EA0), ref: 0041E656
_free.LIBCMT ref: 0041E7B6

Strings

Auto-execute, xrefs: 0041E717

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocateHeapTimer_free_malloc
String ID: Auto-execute
API String ID: 92111083-593629425
Opcode ID: da7634f41a9beaf7d98b4374d7dc467207cfe3bbd3cf920ee384d564115dec6b
Instruction ID: f79becd74e2b295e4b926f143f395e20fcb1a5bbc00015b257527efc8ef6efbe
Opcode Fuzzy Hash: da7634f41a9beaf7d98b4374d7dc467207cfe3bbd3cf920ee384d564115dec6b
Instruction Fuzzy Hash: A0617EB4602240DFEB10EF26EC84B963BE5EB45304F08413BE9459B3A1D7B99C85CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004659BA Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 105
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 004659D7
_malloc.LIBCMT ref: 004659F1
_free.LIBCMT ref: 00465C90
GetTickCount.KERNEL32 ref: 00465CC9
SetTimer.USER32(00010424,0000000D,00002710,00446B30), ref: 00465CFF

Strings

u(h0kD, xrefs: 00465CE6
MZ@, xrefs: 004659DF, 00465A28, 00465C98, 00465CBD
Out of memory., xrefs: 00465A08

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _free$CountTickTimer_malloc
String ID: MZ@$Out of memory.$u(h0kD
API String ID: 1890322348-3338892045
Opcode ID: 006d3bb29ef393ec29dfa3ead46a227bd5cf9b54a9b5c321624afd0354ce7436
Instruction ID: 8c66ec05fd57397063369624bcccc09c25e51e66d53ac575e6139c66bf761825
Opcode Fuzzy Hash: 006d3bb29ef393ec29dfa3ead46a227bd5cf9b54a9b5c321624afd0354ce7436
Instruction Fuzzy Hash: 064187B1A067019FDB109F68B85076A3BA0AB94314F04413FE855C23A0FB399969DB8E

Uniqueness

Uniqueness Score: -1.00%

Function 00430982 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 357
windowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalUnWire.KERNEL32(00000000), ref: 004309CC
CloseClipboard.USER32 ref: 004309DC
GetTickCount.KERNEL32 ref: 004309EE
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00430A1A
GetTickCount.KERNEL32 ref: 00430A30
GetTickCount.KERNEL32 ref: 00430AF4

Strings

v1j, xrefs: 00430A08

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekWire
String ID: v1j
API String ID: 849950280-3288809988
Opcode ID: 8d84b0c484119f58726120bf3deec1e97c2e3a324013856afa4a75a574bb4a1b
Instruction ID: 1b3b778ba695a2ef6fc9946a229e7b2dfb37f4b6f4d61c6766116c17233f068e
Opcode Fuzzy Hash: 8d84b0c484119f58726120bf3deec1e97c2e3a324013856afa4a75a574bb4a1b
Instruction Fuzzy Hash: C6E1CD71A08341CFD724CF14D8A0B6AB7E1EB89314F14576FE8458B3A1D779AC81CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00431A79 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 198windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnWire.KERNEL32(00000000), ref: 004309CC
CloseClipboard.USER32 ref: 004309DC
GetTickCount.KERNEL32 ref: 004309EE
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00430A1A
GetTickCount.KERNEL32 ref: 00430A30

Strings

v1j, xrefs: 00430A08

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekWire
String ID: v1j
API String ID: 849950280-3288809988
Opcode ID: 1a979fffb2cce1b5d7d61877b221a6b33cdd669be11686523deb177f1b54e48a
Instruction ID: e32e9ef17cd93fcafff804dc69225b1fa5162dbd225d64bd7f8b959097e47c98
Opcode Fuzzy Hash: 1a979fffb2cce1b5d7d61877b221a6b33cdd669be11686523deb177f1b54e48a
Instruction Fuzzy Hash: 2871F231604340CBD724DF24E8A476A77A1AB4D314F24276FE4568B3E1D3789C81CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 00402DE5 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 182COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004015E9
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,-00000311), ref: 00401630
GetTickCount.KERNEL32 ref: 0040163B

Strings

(&, xrefs: 00401613
Menu, xrefs: 00402E39

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTick$CallbackDispatcherUser
String ID: Menu$(&
API String ID: 1502404630-3564462718
Opcode ID: 7ce952dceac7028ee9cc1f1ed98d164fa3740c36c46e059b7a20ec08d4cde1a9
Instruction ID: 5142cbedb4c1340b55baf82c6c2c6dd690e2fdc335b8df1bc3b133ddb19d100e
Opcode Fuzzy Hash: 7ce952dceac7028ee9cc1f1ed98d164fa3740c36c46e059b7a20ec08d4cde1a9
Instruction Fuzzy Hash: 7261AF71A093009BDB259F28C8847AFB6E4AB85704F04492FF485A73E1D778ED45CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00402FD6 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 174windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00403B70: _free.LIBCMT ref: 00403BA4
Part of subcall function 00403B70: _free.LIBCMT ref: 00403BDA
Part of subcall function 00403B70: _free.LIBCMT ref: 00403BFD

GetTickCount.KERNEL32 ref: 004015E9
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,-00000311), ref: 00401630
GetTickCount.KERNEL32 ref: 0040163B
GetFocus.USER32 ref: 004016D4
TranslateAcceleratorW.USER32(00000000,?,?), ref: 0040171A

Part of subcall function 004033A0: GetTickCount.KERNEL32 ref: 004033A0

Strings

(&, xrefs: 00401613
InputHook, xrefs: 0040301B

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTick_free$AcceleratorCallbackDispatcherFocusTranslateUser
String ID: InputHook$(&
API String ID: 2275687776-3679040146
Opcode ID: d2d0f5ef84cf40c13b24c9f15257bf44ea18dcf8204aeddddd375d139eba48f9
Instruction ID: 5aab2760a701c34d965efc7752229629f1a09febf6bec8b09e6b49643d196ce6
Opcode Fuzzy Hash: d2d0f5ef84cf40c13b24c9f15257bf44ea18dcf8204aeddddd375d139eba48f9
Instruction Fuzzy Hash: 3C519071909340ABDB249F28C884BAFB6E4AB85704F04493FF585A73E1D378ED45CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040304D Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 170windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00403B70: _free.LIBCMT ref: 00403BA4
Part of subcall function 00403B70: _free.LIBCMT ref: 00403BDA
Part of subcall function 00403B70: _free.LIBCMT ref: 00403BFD

GetTickCount.KERNEL32 ref: 004015E9
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,-00000311), ref: 00401630
GetTickCount.KERNEL32 ref: 0040163B
GetFocus.USER32 ref: 004016D4
TranslateAcceleratorW.USER32(00000000,?,?), ref: 0040171A

Part of subcall function 004033A0: GetTickCount.KERNEL32 ref: 004033A0

Strings

(&, xrefs: 00401613
InputHook, xrefs: 0040308F

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTick_free$AcceleratorCallbackDispatcherFocusTranslateUser
String ID: InputHook$(&
API String ID: 2275687776-3679040146
Opcode ID: df8df3e3bf723a771e92e4328485573c86ee51d35dd2461919cf0982e948a640
Instruction ID: 8b970fc61506066c9ea0accfb51a20151b72b0dc749918c262fa9e1638dfffbe
Opcode Fuzzy Hash: df8df3e3bf723a771e92e4328485573c86ee51d35dd2461919cf0982e948a640
Instruction Fuzzy Hash: 3D518E719083409BDB24DB28C884BAFB6E4AB85704F04492FF589A73E1D778ED45C75B

Uniqueness

Uniqueness Score: -1.00%

Function 00402F92 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 166windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00403B70: _free.LIBCMT ref: 00403BA4
Part of subcall function 00403B70: _free.LIBCMT ref: 00403BDA
Part of subcall function 00403B70: _free.LIBCMT ref: 00403BFD

GetTickCount.KERNEL32 ref: 004015E9
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,-00000311), ref: 00401630
GetTickCount.KERNEL32 ref: 0040163B
GetFocus.USER32 ref: 004016D4
TranslateAcceleratorW.USER32(00000000,?,?), ref: 0040171A

Part of subcall function 004033A0: GetTickCount.KERNEL32 ref: 004033A0

Strings

(&, xrefs: 00401613
InputHook, xrefs: 00402FA5

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTick_free$AcceleratorCallbackDispatcherFocusTranslateUser
String ID: InputHook$(&
API String ID: 2275687776-3679040146
Opcode ID: 0c697dbecc378b0f983b38bb74cc8274199dcde36867fe9bcdc50d0902d8241e
Instruction ID: 5d92972ea7083f3361a6856aeb557a0a0538144525ab856d548a405d23312803
Opcode Fuzzy Hash: 0c697dbecc378b0f983b38bb74cc8274199dcde36867fe9bcdc50d0902d8241e
Instruction Fuzzy Hash: 02519F71A08300ABDB249B28C884BAF77E4AB85704F04492FF546A73E0D779ED45C75A

Uniqueness

Uniqueness Score: -1.00%

Function 0040155B Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 162windowtimeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(00010424,00000009,0000000A), ref: 004015C4
GetTickCount.KERNEL32 ref: 004015E9
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,-00000311), ref: 00401630
GetTickCount.KERNEL32 ref: 0040163B
GetFocus.USER32 ref: 004016D4

Part of subcall function 00403610: joyGetPosEx.WINMM ref: 0040363F

TranslateAcceleratorW.USER32(00000000,?,?), ref: 0040171A
IsDialogMessageW.USER32(?,?), ref: 00401CC7

Part of subcall function 00473960: SendMessageW.USER32(00000000,00001304,00000000,00000000), ref: 0047397A

Strings

(&, xrefs: 00401613

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountMessageTick$AcceleratorCallbackDialogDispatcherFocusSendTimerTranslateUser
String ID: (&
API String ID: 125437232-1801568203
Opcode ID: 9898ad49d0aa553f3aa91e8597851dd6cb572a70bed85a4c53127895d76081a8
Instruction ID: fdef66c3691e2a560f374b91998badb968f22f6f3cbdc9f7de635d54b17f8530
Opcode Fuzzy Hash: 9898ad49d0aa553f3aa91e8597851dd6cb572a70bed85a4c53127895d76081a8
Instruction Fuzzy Hash: 5A519F71A083409BDB219B28C88476F7BE4AB96704F04093FF486A73F1D7789D85C75A

Uniqueness

Uniqueness Score: -1.00%

Function 004316C9 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnWire.KERNEL32(00000000), ref: 004309CC
CloseClipboard.USER32 ref: 004309DC
GetTickCount.KERNEL32 ref: 004309EE
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00430A1A
GetTickCount.KERNEL32 ref: 00430A30
GetTickCount.KERNEL32 ref: 00430AF4

Strings

v1j, xrefs: 00430A08

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekWire
String ID: v1j
API String ID: 849950280-3288809988
Opcode ID: 94bb569b39159071f0937dd3053aa46086dae3b39f2c1909ce57deffe7c019fe
Instruction ID: 976a08794c494d7c5564301efb597b32ae1a89cc08c08e8fcb2dc43fef6daacb
Opcode Fuzzy Hash: 94bb569b39159071f0937dd3053aa46086dae3b39f2c1909ce57deffe7c019fe
Instruction Fuzzy Hash: FE510430505340DBD728DF24E8B476A7BA1AB49318F24276FE4518A3E1D7789881CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00430AB8 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 159clipboardCOMMON

Download Yara Rule

APIs

GlobalUnWire.KERNEL32(00000000), ref: 004309CC
CloseClipboard.USER32 ref: 004309DC
GetTickCount.KERNEL32 ref: 004309EE
GetTickCount.KERNEL32 ref: 00430AF4

Strings

v1j, xrefs: 00430A08

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalWire
String ID: v1j
API String ID: 2559963729-3288809988
Opcode ID: 9c68425db1b6a97c64ef699e9b9030ac6ef55d28a0d17debbdfb22225810e107
Instruction ID: e7b80274e8a3e15cb632acd92b52b00805bf098c064ce36d04c5ab4b6a80f2c4
Opcode Fuzzy Hash: 9c68425db1b6a97c64ef699e9b9030ac6ef55d28a0d17debbdfb22225810e107
Instruction Fuzzy Hash: 1E510330905340DFDB28DF24E8B476A7BA1AB49318F24276FE4558A3E1D7789881CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 0046346C Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 563COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004634A8
_malloc.LIBCMT ref: 004637E0

Part of subcall function 004998CE: __FF_MSGBANNER.LIBCMT ref: 004998E7
Part of subcall function 004998CE: __NMSG_WRITE.LIBCMT ref: 004998EE
Part of subcall function 004998CE: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 00499913

_free.LIBCMT ref: 004650A9

Strings

@oM, xrefs: 004634E3
Out of memory., xrefs: 00464D6B, 00464D97

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocateHeap_free_malloc_memmove
String ID: @oM$Out of memory.
API String ID: 1897403436-1868094666
Opcode ID: dd3ff00cc9978eaed3393c438aa5fa60bbc80f393571d42cc639f98c99dc284b
Instruction ID: cac0884b6acbaccd3638116c5a08ee067a50bc5e4c55b3245cb511caba6555f9
Opcode Fuzzy Hash: dd3ff00cc9978eaed3393c438aa5fa60bbc80f393571d42cc639f98c99dc284b
Instruction Fuzzy Hash: 9022B1B0A00214DFDF24DF94C880BAAB7B5AF85715F24815BE8059B385E778ED41CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 00402E83 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 155windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00403B70: _free.LIBCMT ref: 00403BA4
Part of subcall function 00403B70: _free.LIBCMT ref: 00403BDA
Part of subcall function 00403B70: _free.LIBCMT ref: 00403BFD

GetTickCount.KERNEL32 ref: 004015E9
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,-00000311), ref: 00401630
GetTickCount.KERNEL32 ref: 0040163B
GetFocus.USER32 ref: 004016D4
TranslateAcceleratorW.USER32(00000000,?,?), ref: 0040171A

Part of subcall function 004033A0: GetTickCount.KERNEL32 ref: 004033A0

Strings

(&, xrefs: 00401613

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTick_free$AcceleratorCallbackDispatcherFocusTranslateUser
String ID: (&
API String ID: 2275687776-1801568203
Opcode ID: bfc0a99861b17d30e13b196887250a4e592a9dd16f56e874f7d39db1176dab7c
Instruction ID: 37570eba18e7cdfca8d454d9ca2a2f4a5a2c6fa2c1b4ca00b32bc71a833e0020
Opcode Fuzzy Hash: bfc0a99861b17d30e13b196887250a4e592a9dd16f56e874f7d39db1176dab7c
Instruction Fuzzy Hash: DF519371908340ABDB259B28C88476F77E4AB85704F04493FF486A73E1D778ED45C75A

Uniqueness

Uniqueness Score: -1.00%

Function 0041D660 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 134comCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041D8AA
OleInitialize.OLE32(00000000), ref: 0041D8F4

Strings

Tray, xrefs: 0041D8B7
No tray mem, xrefs: 0041D8D1

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Initialize_memset
String ID: No tray mem$Tray
API String ID: 2068092829-3325046031
Opcode ID: ea0649acda6fdf5e0b2b225122c4c7b0e4a2f096217ea4000cc8d8e2ffa0d8d1
Instruction ID: bd1cbd455a58ce2ebad4239875577231f32ed096459b0e04762bf3c33dfe75bb
Opcode Fuzzy Hash: ea0649acda6fdf5e0b2b225122c4c7b0e4a2f096217ea4000cc8d8e2ffa0d8d1
Instruction Fuzzy Hash: 2D6153B1907391DAC700CF1AADA5649BBA4F71AB94B9A857FD09883371C7784050CF9E

Uniqueness

Uniqueness Score: -1.00%

Function 0041E450 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041E460
_wcsncpy.LIBCMT ref: 0041E4D2
Shell_NotifyIconW.SHELL32(00000000,?), ref: 0041E4E5

Strings

AutoHotkey, xrefs: 0041E4C3, 0041E4CA

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: IconNotifyShell__memset_wcsncpy
String ID: AutoHotkey
API String ID: 1481257660-348589305
Opcode ID: ecd1b069303c88d3f1ea25889ce45ecf1cd6f4269b6201538435dd49830af13c
Instruction ID: c686445f2512367dc9ce89e0d941c16e9b78dc41647ae29c272231039a59f7ed
Opcode Fuzzy Hash: ecd1b069303c88d3f1ea25889ce45ecf1cd6f4269b6201538435dd49830af13c
Instruction Fuzzy Hash: F21161B46007019BEB60CF79D848B97B7E8EB49304F00482EE95EC7240EB78B944C769

Uniqueness

Uniqueness Score: -1.00%

Function 0040FB90 Relevance: 4.6, APIs: 3, Instructions: 66windowCOMMON

Download Yara Rule

APIs

PostQuitMessage.USER32(00000000), ref: 0040FB95

Part of subcall function 0040E4B0: CreateThread.KERNEL32(00000000,00002000,0040E7E0,00000000,00000000,004D85A0), ref: 0040E50A
Part of subcall function 0040E4B0: SetThreadPriority.KERNEL32(00000000,0000000F,?,00408CE2,?,00408938,An internal error has occurred in the debugger engine.Continue running the script without the debugger?,?,?,004062BD,?), ref: 0040E520
Part of subcall function 0040E4B0: PostThreadMessageW.USER32(00000000,00000417,004062BD,00000000), ref: 0040E544
Part of subcall function 0040E4B0: Sleep.KERNEL32(0000000A,?,00408CE2,?,00408938,An internal error has occurred in the debugger engine.Continue running the script without the debugger?,?,?,004062BD,?), ref: 0040E550
Part of subcall function 0040E4B0: GetTickCount.KERNEL32 ref: 0040E567
Part of subcall function 0040E4B0: PeekMessageW.USER32(?,00000000,00000417,00000417,00000001), ref: 0040E58A

UnhookWindowsHookEx.USER32(00000000), ref: 0040FBB1
UnregisterHotKey.USER32(00010424,00A62F48,004DA638,004DA638,?,00000000), ref: 0040FBFE

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageThread$Post$CountCreateHookPeekPriorityQuitSleepTickUnhookUnregisterWindows
String ID:
API String ID: 3108639398-0
Opcode ID: 3ae8de7abbf6b2396597ed3184ffb937bd3e09e1e7e12ff09fd90381ffb38f2e
Instruction ID: f678b03adc8496d394007a846388aa6c25f6f1e203ca55a098b88dc200e8b8ea
Opcode Fuzzy Hash: 3ae8de7abbf6b2396597ed3184ffb937bd3e09e1e7e12ff09fd90381ffb38f2e
Instruction Fuzzy Hash: B0210532601201ABCB24CF29EC90A23B7B5BB81704F18863FE905977A1D734EC81CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0049C5D4 Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 0049DF32: __getptd_noexit.LIBCMT ref: 0049DF32

__lock_file.LIBCMT ref: 0049C61B

Part of subcall function 0049A1DD: __lock.LIBCMT ref: 0049A202

__fclose_nolock.LIBCMT ref: 0049C626

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: b351c8998f988ce5f9f4cee330e901733a9144a01e3c6234aad0cfc110fc2945
Instruction ID: 755a7160d2f5cfdea35b10bed85c1ec3d686fc5e539e4fc9ee9352951e7b92a6
Opcode Fuzzy Hash: b351c8998f988ce5f9f4cee330e901733a9144a01e3c6234aad0cfc110fc2945
Instruction Fuzzy Hash: 49F090318117159ADF10EB76C846B6E7EA06F013B9F20822EE431AA1D1C77C9E019FAD

Uniqueness

Uniqueness Score: -1.00%

Function 00499C53 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 00499C5B

Part of subcall function 00499C28: GetModuleHandleW.KERNEL32(mscoree.dll,?,00499C60,00401234,?,004998FD,000000FF,0000001E,00000001,00000000,00000000,?,0049EF67,00401234,00000001,00401234), ref: 00499C32
Part of subcall function 00499C28: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00499C42

ExitProcess.KERNEL32 ref: 00499C64

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 0421b0f6985088203354d7304d323f15193487efa1ea1addf572502a8f722d9b
Instruction ID: 5590524d49bf4f990dd4fcb4c8ba04263fd2375fb5636a45117137aeae6aa19c
Opcode Fuzzy Hash: 0421b0f6985088203354d7304d323f15193487efa1ea1addf572502a8f722d9b
Instruction Fuzzy Hash: D7B0923200010CBBDF052F16DD0A88E7F6AEB813A0B504479F80909071DF72ED92DA88

Uniqueness

Uniqueness Score: -1.00%

Function 0049C4ED Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 0049C52C

Part of subcall function 0049DF32: __getptd_noexit.LIBCMT ref: 0049DF32

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: bc389e7a3ceee2bcea020f6fb599f9db7e2dcebc527de428830911177c57e51c
Instruction ID: da7ef058ccdae3fe4b7a8945d4db44cc92a1cd3705e2d0ed0cf15e99c9bbe8a7
Opcode Fuzzy Hash: bc389e7a3ceee2bcea020f6fb599f9db7e2dcebc527de428830911177c57e51c
Instruction Fuzzy Hash: C9F04F31801229EBCF11EFA1C94299F7EB1AF04760F05843BF8249A151D73D9D60EB99

Uniqueness

Uniqueness Score: -1.00%

Function 0047CE90 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0047CE9D

Part of subcall function 004998CE: __FF_MSGBANNER.LIBCMT ref: 004998E7
Part of subcall function 004998CE: __NMSG_WRITE.LIBCMT ref: 004998EE
Part of subcall function 004998CE: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 00499913

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 3c8f9f6f6d62d1f3fde778ff52c0c458229448fda74028d4e07b7d6302b86e85
Instruction ID: e0ff38a37aae9c5da36a39944d6c6bbf2fc43273aaa001a4590c473d3afc1fd1
Opcode Fuzzy Hash: 3c8f9f6f6d62d1f3fde778ff52c0c458229448fda74028d4e07b7d6302b86e85
Instruction Fuzzy Hash: A0F05E716006028FEB60CB29D8D0B3BB3E6BBD0310B14852EE44E83B45E734E845CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0047C7F0 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00499F62: _malloc.LIBCMT ref: 00499F7C

_malloc.LIBCMT ref: 0047C80D

Part of subcall function 004998CE: __FF_MSGBANNER.LIBCMT ref: 004998E7
Part of subcall function 004998CE: __NMSG_WRITE.LIBCMT ref: 004998EE
Part of subcall function 004998CE: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 00499913

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _malloc$AllocateHeap
String ID:
API String ID: 680241177-0
Opcode ID: 4d9829b255e766318dbf7f9cdad7c2dd47de7ce1eca084a6aef08ba39aa5b808
Instruction ID: 60f2fd2570567d015b206eb534049d340f51144caf1b3675b57728f96f651861
Opcode Fuzzy Hash: 4d9829b255e766318dbf7f9cdad7c2dd47de7ce1eca084a6aef08ba39aa5b808
Instruction Fuzzy Hash: 9BE065B19016114AD750AB15B8153977AD49B14755F01843FF889D6305E678D8848BC6

Uniqueness

Uniqueness Score: -1.00%

Function 0049C37F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 0049C38C

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
Instruction ID: 012a7aea82c8b6227345a7228b963214de8326d77443396aa62ca2ab6dd0e759
Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
Instruction Fuzzy Hash: 78C09B7744010C77CF111A83DC03E453F1997C0764F444061FB1C19161A577D5619589

Uniqueness

Uniqueness Score: -1.00%

Function 00499EAB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

_doexit.LIBCMT ref: 00499EB7

Part of subcall function 00499D6B: __lock.LIBCMT ref: 00499D79

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __lock_doexit
String ID:
API String ID: 368792745-0
Opcode ID: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
Instruction ID: 99c31e5998016d6f27103a6cdbf36e4da01be5af98a3ac658741d2cbdf203ba4
Opcode Fuzzy Hash: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
Instruction Fuzzy Hash: A1B0923258460873DA212546AC03F463E0D87C0B64E280025BA0C191A5A9A6A9618089

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0042B4E0 Relevance: 451.3, APIs: 137, Strings: 120, Instructions: 1502COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0042B536
__wcsicoll.LIBCMT ref: 0042B572
__wcsnicmp.LIBCMT ref: 0042B5AC
__wcsicoll.LIBCMT ref: 0042B5C6
__wcsicoll.LIBCMT ref: 0042B5FB
__wcsicoll.LIBCMT ref: 0042B61D
_wcsncpy.LIBCMT ref: 0042C7AA
_memmove.LIBCMT ref: 0042C8F9

Strings

RegisterCallback, xrefs: 0042C054
BindMethod, xrefs: 0042C33A
Add, xrefs: 0042B63D, 0042B778, 0042B95A
ASin, xrefs: 0042BF1B
OnMessage, xrefs: 0042BFDD
RegExReplace, xrefs: 0042BAD1
WinExist, xrefs: 0042BDB8
Mod, xrefs: 0042BE40
MaxIndex, xrefs: 0042C246
Value, xrefs: 0042C544
InStr, xrefs: 0042BA85
SetImageList, xrefs: 0042B738, 0042B8B0
IsFunc, xrefs: 0042BD10
GetKey, xrefs: 0042BB42
NumGet, xrefs: 0042BC87
SB_SetIcon, xrefs: 0042B9CE
MinIndex, xrefs: 0042C226
Hotstring, xrefs: 0042C673
Min, xrefs: 0042BE67
IsObject, xrefs: 0042C077
FileExist, xrefs: 0042BD98
Flags, xrefs: 0042C564
d, xrefs: 0042C886
StrReplace, xrefs: 0042BAF7
IsSet, xrefs: 0042C6BB
Connect, xrefs: 0042C4E2
SetBase, xrefs: 0042C404
VerCompare, xrefs: 0042C6D8
State, xrefs: 0042BB58
StrPut, xrefs: 0042BC64
GetParent, xrefs: 0042B7E0
Modify, xrefs: 0042B689, 0042B79B
Create, xrefs: 0042B915, 0042C4A2
Out of memory., xrefs: 0042C859, 0042C8B7
Length, xrefs: 0042C206
Type, xrefs: 0042C524
ATan, xrefs: 0042BF4F
Sin, xrefs: 0042BEBB
Floor, xrefs: 0042BE0C
ACos, xrefs: 0042BF35
DllCall, xrefs: 0042BD50
NewEnum, xrefs: 0042C2FA
Error, xrefs: 0042C502
MenuGetHandle, xrefs: 0042C61C
Abs, xrefs: 0042BE9B
OnExit, xrefs: 0042C006
LTrim, xrefs: 0042BA51
Ceil, xrefs: 0042BE26
SB_SetParts, xrefs: 0042B9A7
Count, xrefs: 0042C1E6
InsertAt, xrefs: 0042C107
Exp, xrefs: 0042BF6F
InputHook, xrefs: 0042C696
Obj, xrefs: 0042C09E
MenuGetName, xrefs: 0042C636
Array, xrefs: 0042C439, 0042C587
Tan, xrefs: 0042BEFB
GetBase, xrefs: 0042C3E4
GetAddress, xrefs: 0042C2D3
Asc, xrefs: 0042BBE2
IL_, xrefs: 0042B8FF
InsertCol, xrefs: 0042B6D0
Trim, xrefs: 0042BA37
IsByRef, xrefs: 0042BD30
GetSelection, xrefs: 0042B848
Ord, xrefs: 0042BBC8
Destroy, xrefs: 0042B93A
Insert, xrefs: 0042B664, 0042C0DF
Release, xrefs: 0042C37C
ModifyCol, xrefs: 0042B6F3
FileOpen, xrefs: 0042C460
Exception, xrefs: 0042C5F9
Function name too long., xrefs: 0042C783
GetCount, xrefs: 0042B5F5, 0042B82E
GetText, xrefs: 0042B617, 0042B89A
HasKey, xrefs: 0042C266
LV_, xrefs: 0042B59F
OnClipboardChange, xrefs: 0042C020
Log, xrefs: 0042BFA9
AddRef, xrefs: 0042C362
StrLen, xrefs: 0042B9F1
Max, xrefs: 0042BE81
SB_SetText, xrefs: 0042B984
Remove, xrefs: 0042C17D
RegExMatch, xrefs: 0042BAAB
RTrim, xrefs: 0042BA6B
Pop, xrefs: 0042C1C6
Delete, xrefs: 0042B6AE, 0042B7BE, 0042C157
Name, xrefs: 0042BB78
NumPut, xrefs: 0042BCAA
Sqrt, xrefs: 0042BF8F
DeleteCol, xrefs: 0042B718
SubStr, xrefs: 0042BA11
Round, xrefs: 0042BDEC
OnError, xrefs: 0042C03A
GetCapacity, xrefs: 0042C28D
RawSet, xrefs: 0042C396
GetPrev, xrefs: 0042B814
VarSetCapacity, xrefs: 0042BD75
StrGet, xrefs: 0042BC41
ComObj, xrefs: 0042C488
TV_, xrefs: 0042B75E
Get, xrefs: 0042B884, 0042C4C2
ect, xrefs: 0042C0B8
LoadPicture, xrefs: 0042C650
RemoveAt, xrefs: 0042C1A0
IsLabel, xrefs: 0042BCD0
WinActive, xrefs: 0042BDD2
RawGet, xrefs: 0042C3BD
Func, xrefs: 0042BCF0
StrSplit, xrefs: 0042BB1D
Clone, xrefs: 0042C31A
Cos, xrefs: 0042BEDB
GetChild, xrefs: 0042B7FA
GetNext, xrefs: 0042B5C0, 0042B862
Format, xrefs: 0042BC1C
Push, xrefs: 0042C12F
Query, xrefs: 0042C5AD
SetCapacity, xrefs: 0042C2AD
Chr, xrefs: 0042BBFC

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll$_wcsncpy$__wcsnicmp_memmove
String ID: ACos$ASin$ATan$Abs$Add$AddRef$Array$Asc$BindMethod$Ceil$Chr$Clone$ComObj$Connect$Cos$Count$Create$Delete$DeleteCol$Destroy$DllCall$Error$Exception$Exp$FileExist$FileOpen$Flags$Floor$Format$Func$Function name too long.$Get$GetAddress$GetBase$GetCapacity$GetChild$GetCount$GetKey$GetNext$GetParent$GetPrev$GetSelection$GetText$HasKey$Hotstring$IL_$InStr$InputHook$Insert$InsertAt$InsertCol$IsByRef$IsFunc$IsLabel$IsObject$IsSet$LTrim$LV_$Length$LoadPicture$Log$Max$MaxIndex$MenuGetHandle$MenuGetName$Min$MinIndex$Mod$Modify$ModifyCol$Name$NewEnum$NumGet$NumPut$Obj$OnClipboardChange$OnError$OnExit$OnMessage$Ord$Out of memory.$Pop$Push$Query$RTrim$RawGet$RawSet$RegExMatch$RegExReplace$RegisterCallback$Release$Remove$RemoveAt$Round$SB_SetIcon$SB_SetParts$SB_SetText$SetBase$SetCapacity$SetImageList$Sin$Sqrt$State$StrGet$StrLen$StrPut$StrReplace$StrSplit$SubStr$TV_$Tan$Trim$Type$Value$VarSetCapacity$VerCompare$WinActive$WinExist$d$ect
API String ID: 3867594672-75078419
Opcode ID: 78dc1d7d097d09ae15feca79cdcebcf3695cf65ad7862e5e8b10cc6faccdd74e
Instruction ID: 97684d11d6f9231503d311fa771f68fb3032c94a8f007bc9b456bea239ad184a
Opcode Fuzzy Hash: 78dc1d7d097d09ae15feca79cdcebcf3695cf65ad7862e5e8b10cc6faccdd74e
Instruction Fuzzy Hash: 96B2DDB2A0435157CF10D7659C81A6B72986ED430AF95493FFC08D7242F76CEE0AC6AE

Uniqueness

Uniqueness Score: -1.00%

Function 0041F7E4 Relevance: 161.9, APIs: 45, Strings: 46, Instructions: 2690COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0041F86F
_memmove.LIBCMT ref: 0041F918
_memmove.LIBCMT ref: 0041FA47
_wcschr.LIBCMT ref: 0041FC05
_wcschr.LIBCMT ref: 0041FC6F
__wcsnicmp.LIBCMT ref: 0041FD88
_wcschr.LIBCMT ref: 0041FDCB
__wcsnicmp.LIBCMT ref: 0041FE9E
_wcsncpy.LIBCMT ref: 0041FEBC
_memmove.LIBCMT ref: 0041FFB6
__wcsnicmp.LIBCMT ref: 0041FFCD
__wcsnicmp.LIBCMT ref: 0041FFEC
_memmove.LIBCMT ref: 00420435
_free.LIBCMT ref: 00420494
_wcsrchr.LIBCMT ref: 004204D8
__wcsnicmp.LIBCMT ref: 00420569
__wcsnicmp.LIBCMT ref: 0042057D
_wcschr.LIBCMT ref: 004205F9

Part of subcall function 00429780: _wcschr.LIBCMT ref: 0042979F
Part of subcall function 00429780: __snwprintf.LIBCMT ref: 004297D2

Strings

?*- , xrefs: 0041FC6A
Duplicate label., xrefs: 0042143F
Return, xrefs: 00420F52
AltTabMenuDismiss, xrefs: 0042115E
Hotkeys/hotstrings are not allowed inside functions., xrefs: 00421A87
This hotstring is missing its abbreviation., xrefs: 00421AC5
Not a valid method, class or property definition., xrefs: 004219FB, 00421A08, 00421A62
%s up::, xrefs: 004218A4
Missing "{", xrefs: 004219D4, 004219F4
Static, xrefs: 004207D2
Duplicate hotkey., xrefs: 00421B06
AltTab, xrefs: 004210F4
This line does not contain a recognized action., xrefs: 00421B4F
{LCtrl up}, xrefs: 0042184D
Not a valid property getter/setter., xrefs: 00421A4A
<>=/|^,:.+-*&!?~, xrefs: 0041FC00
{RCtrl up}, xrefs: 00421846, 00421862
Get, xrefs: 00420563
LTrim, xrefs: 0041FFC7
Join, xrefs: 0041FE90
@, xrefs: 00420D68
IfWin should be #IfWin., xrefs: 00421AAB
Missing ")", xrefs: 00421B72
Invalid single-line hotkey/hotstring., xrefs: 004210A0, 00421AE4
Note: The hotkey %s will not be active because it does not exist in the current keyboard layout., xrefs: 00421292
<>=/|^,:, xrefs: 0041FDC6
%s::, xrefs: 004217A2
Functions cannot contain functions., xrefs: 00421A25
@, xrefs: 00420C32
OnClipboardChange, xrefs: 00421660
Continuation section too long., xrefs: 004219B5
AltTabAndMenu, xrefs: 00421145
hDeK, xrefs: 0041F81C
if not GetKeyState("%s"), xrefs: 004217FE
%s%s%s, xrefs: 00420E66
& , xrefs: 0041FCBB, 00420DAD
#CommentFlag, xrefs: 0041F85B
{Blind}%s%s{%s DownR}, xrefs: 00421863
{Blind}{%s Up}, xrefs: 00421939
Default, xrefs: 00421343
Set, xrefs: 00420577
AltTabMenu, xrefs: 0042112C
RTrim, xrefs: 0041FFE6
Out of memory., xrefs: 00421473, 00421693, 00421B2E
and, xrefs: 0041FD82
ShiftAltTab, xrefs: 00421110

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsnicmp$_wcschr$_memmove$__snwprintf_free_wcsncpy_wcsrchr
String ID: & $#CommentFlag$%s up::$%s%s%s$%s::$<>=/|^,:$<>=/|^,:.+-*&!?~$?*- $@$@$AltTab$AltTabAndMenu$AltTabMenu$AltTabMenuDismiss$Continuation section too long.$Default$Duplicate hotkey.$Duplicate label.$Functions cannot contain functions.$Get$Hotkeys/hotstrings are not allowed inside functions.$IfWin should be #IfWin.$Invalid single-line hotkey/hotstring.$Join$LTrim$Missing ")"$Missing "{"$Not a valid method, class or property definition.$Not a valid property getter/setter.$Note: The hotkey %s will not be active because it does not exist in the current keyboard layout.$OnClipboardChange$Out of memory.$RTrim$Return$Set$ShiftAltTab$Static$This hotstring is missing its abbreviation.$This line does not contain a recognized action.$and$hDeK$if not GetKeyState("%s")${Blind}%s%s{%s DownR}${Blind}{%s Up}${LCtrl up}${RCtrl up}
API String ID: 2467999715-1699900947
Opcode ID: 58eb8bf25cde025b8a2fde775da8fdf7a3d892075c315318f5a03861fb7ce9c0
Instruction ID: d76c29f547aafbae01cdbdfffb27ede8f0bdad8749e0f57c73626aff5462de51
Opcode Fuzzy Hash: 58eb8bf25cde025b8a2fde775da8fdf7a3d892075c315318f5a03861fb7ce9c0
Instruction Fuzzy Hash: 821327717043609ADB309B24A8417BBB3E0AF95304F94452FE8898B392E77D9D85C79F

Uniqueness

Uniqueness Score: -1.00%

Function 0046C100 Relevance: 114.5, APIs: 41, Strings: 24, Instructions: 704windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 0046C11F
GetWindowLongW.USER32(?,000000EC), ref: 0046C12A
__wcsnicmp.LIBCMT ref: 0046C1E9
__wcsnicmp.LIBCMT ref: 0046C20A
__wcsicoll.LIBCMT ref: 0046C220
SetWindowPos.USER32(?,-000000FE,00000000,00000000,00000000,00000000,00000013,?,?,?,?,?,00000000,00000000,00000000), ref: 0046C24B
__wcsicoll.LIBCMT ref: 0046C28C
__wcsicoll.LIBCMT ref: 0046C2BC
IsWindowVisible.USER32(?), ref: 0046C9A0
IsIconic.USER32(?), ref: 0046C9AE
SetWindowLongW.USER32(?,000000F0,?), ref: 0046C9D2
SetWindowLongW.USER32(?,000000EC,?), ref: 0046C9E8
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0046CA05
InvalidateRect.USER32(?,00000000,00000001), ref: 0046CA13

Strings

MinimizeBox, xrefs: 0046C462
Space, xrefs: 0046C31D
Caption, xrefs: 0046C2B6
MinSize, xrefs: 0046C494
Resize, xrefs: 0046C69D
SysMenu, xrefs: 0046C6CD
Label, xrefs: 0046C3E6
Border, xrefs: 0046C286
OwnDialogs, xrefs: 0046C678
Invalid option., xrefs: 0046CA29
DPIScale, xrefs: 0046C74B
Hwnd, xrefs: 0046C3B6
Delimiter, xrefs: 0046C2E8
Tab, xrefs: 0046C2FD
Owner, xrefs: 0046C1DC
Disabled, xrefs: 0046C354
LastFound, xrefs: 0046C414
Invalid or nonexistent owner or parent window., xrefs: 0046CA43
ToolWindow, xrefs: 0046C71B
Parent, xrefs: 0046C204
MaximizeBox, xrefs: 0046C432
AlwaysOnTop, xrefs: 0046C21A
Theme, xrefs: 0046C6FD
MaxSize, xrefs: 0046C586

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Long$__wcsicoll$__wcsnicmp$IconicInvalidateRectVisible
String ID: AlwaysOnTop$Border$Caption$DPIScale$Delimiter$Disabled$Hwnd$Invalid option.$Invalid or nonexistent owner or parent window.$Label$LastFound$MaxSize$MaximizeBox$MinSize$MinimizeBox$OwnDialogs$Owner$Parent$Resize$Space$SysMenu$Tab$Theme$ToolWindow
API String ID: 2729535577-994823521
Opcode ID: 5752d24ceeccbde05bd884313f1c286b1aa8afa0b221bc06c02ec99eba3eefd5
Instruction ID: f97e498eb5c675b6e2babeaa17694e848fd0e8a3ad054b9971d71be422db1bec
Opcode Fuzzy Hash: 5752d24ceeccbde05bd884313f1c286b1aa8afa0b221bc06c02ec99eba3eefd5
Instruction Fuzzy Hash: 7D32E3B1A04340ABDB609F258CC17777B94AB41319F18856FF8869A282F76CD845CB6F

Uniqueness

Uniqueness Score: -1.00%

Function 0046F4D0 Relevance: 102.2, APIs: 50, Strings: 8, Instructions: 743windowCOMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,?), ref: 0046F4FD
IsZoomed.USER32 ref: 0046F521
IsIconic.USER32(?), ref: 0046F531

Strings

Maximize, xrefs: 0046F633
AutoSize, xrefs: 0046F5B7
Minimize, xrefs: 0046F60D
Center, xrefs: 0046F5DE, 0046F6DA
NoActivate, xrefs: 0046F683
Restore, xrefs: 0046F6AD
Invalid option., xrefs: 0046F989
Hide, xrefs: 0046F721

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: IconicTextWindowZoomed
String ID: AutoSize$Center$Hide$Invalid option.$Maximize$Minimize$NoActivate$Restore
API String ID: 3288056585-1419224897
Opcode ID: 5bcb01ea36ee1d6dd2731120d31b7dbf0a7936758aff00f63028e2fa99bc3dc7
Instruction ID: 9e955fc03cba1bc5989b91a93e67ca38d74a868a43011eb31221a3e6c421501b
Opcode Fuzzy Hash: 5bcb01ea36ee1d6dd2731120d31b7dbf0a7936758aff00f63028e2fa99bc3dc7
Instruction Fuzzy Hash: 08528F71908301AFD710DF64E884B5BBBE4BB55304F144A2EF8DA93251E778E948CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 00444260 Relevance: 72.6, APIs: 36, Strings: 5, Instructions: 885windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004442C7
IsIconic.USER32(00000000), ref: 004442D8
GetWindowRect.USER32(?,?), ref: 004442F0
ClientToScreen.USER32(?,?), ref: 00444312
_wcsrchr.LIBCMT ref: 0044435B
__wcsicoll.LIBCMT ref: 00444372
__wcsicoll.LIBCMT ref: 00444384
__wcsicoll.LIBCMT ref: 00444396
GetSystemMetrics.USER32(00000031), ref: 004443AA
GetSystemMetrics.USER32(00000032), ref: 004443B2
__wcsnicmp.LIBCMT ref: 00444409
__fassign.LIBCMT ref: 00444428

Part of subcall function 0049BA2D: wcstoxl.LIBCMT ref: 0049BA3D

__wcsnicmp.LIBCMT ref: 00444450
_wcsncpy.LIBCMT ref: 0044446E
__fassign.LIBCMT ref: 004444B2
__fassign.LIBCMT ref: 00444591

Strings

ico, xrefs: 0044436C
Icon, xrefs: 00444403
dll, xrefs: 00444390
exe, xrefs: 0044437E
Trans, xrefs: 0044444A

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __fassign__wcsicoll$MetricsSystemWindow__wcsnicmp$ClientForegroundIconicRectScreen_wcsncpy_wcsrchrwcstoxl
String ID: Icon$Trans$dll$exe$ico
API String ID: 1615180671-2549557054
Opcode ID: 47663b9206726d60053b58c0180aa47e17e1d2185d0ec114b4e4995b333748b2
Instruction ID: 953d35cb7651e20cf304447bfe9d3b135df43bd3450c6eae182fedd3850abcba
Opcode Fuzzy Hash: 47663b9206726d60053b58c0180aa47e17e1d2185d0ec114b4e4995b333748b2
Instruction Fuzzy Hash: 6262E171A083419FE724DF298880B6BBBE4AFC5704F14492FF58597381E778D845CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00426070 Relevance: 62.5, APIs: 13, Strings: 22, Instructions: 1239COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0042621D

Strings

Not allowed as an output variable., xrefs: 00426BF5
=, xrefs: 0042658E
+, xrefs: 0042636C
Missing close-quote, xrefs: 00426C16
Parse, xrefs: 00426217
<>=/|^,:*&~!()[]{}", xrefs: 00426358
A label must not point to an ELSE or UNTIL or CATCH., xrefs: 004291F0
'\;`, xrefs: 004267C6
Too many var/func refs., xrefs: 00426C92
Divide by zero, xrefs: 00426EAC
Quote marks are required around this key., xrefs: 00426644
Ambiguous or invalid use of ".", xrefs: 00426C54, 00426C73
<>=/|^,:*&~!()[]{}+-?, xrefs: 004264D7, 0042653E, 0042655B
Parameter #2 required, xrefs: 004280A9
<>=/|^,:*&~!()[]{}+-?., xrefs: 00426756, 00426770, 00426789, 00426A64
(, xrefs: 004268F1
The leftmost character above is illegal in an expression., xrefs: 00426C35
Out of memory., xrefs: 004261A5, 00426CB5, 0042914F
Parameter #2 invalid., xrefs: 00426DFE
Parameter #3 invalid., xrefs: 00426DA5
SMHD, xrefs: 00426D8C
Unexpected %, xrefs: 00426BDD

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll
String ID: <>=/|^,:*&~!()[]{}"$ <>=/|^,:*&~!()[]{}+-?$ <>=/|^,:*&~!()[]{}+-?.$ =$'\;`$($+$A label must not point to an ELSE or UNTIL or CATCH.$Ambiguous or invalid use of "."$Divide by zero$Missing close-quote$Not allowed as an output variable.$Out of memory.$Parameter #2 invalid.$Parameter #2 required$Parameter #3 invalid.$Parse$Quote marks are required around this key.$SMHD$The leftmost character above is illegal in an expression.$Too many var/func refs.$Unexpected %
API String ID: 3832890014-3913940891
Opcode ID: 20138aa46cf560a44c8153c94111f2306ffcfb8a68c83492a78e4fa00d24684a
Instruction ID: 678817ad220626c220030b37ef8e228867ae8b211a91ea3dcaed813c2b5849fe
Opcode Fuzzy Hash: 20138aa46cf560a44c8153c94111f2306ffcfb8a68c83492a78e4fa00d24684a
Instruction Fuzzy Hash: E9A203717043618ADB209F15E8817BBB7A1AF91314F96442FE8848B381E77CDC95C7AE

Uniqueness

Uniqueness Score: -1.00%

Function 00429780 Relevance: 56.9, APIs: 8, Strings: 24, Instructions: 900COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 0042979F
__snwprintf.LIBCMT ref: 004297D2

Strings

Unsupported parameter default., xrefs: 0042A2A0
, =), xrefs: 00429E62
Missing close-quote, xrefs: 0042A27A
Missing ")", xrefs: 00429B85, 00429C4C, 0042A068
this, xrefs: 00429A9C
Too many params., xrefs: 0042A000
Parameters of hotkey functions must be optional., xrefs: 0042A221
Parameter default required., xrefs: 0042A2BB
Duplicate parameter., xrefs: 0042A03E
Duplicate declaration., xrefs: 0042981A
Duplicate function definition., xrefs: 0042989D
Expected ":=", xrefs: 0042A259
Blank parameter, xrefs: 0042A026, 0042A2E3
A label must not point to a function., xrefs: 0042A1F8
Function name too long., xrefs: 00429903
Missing comma, xrefs: 00429FB0
ByRef, xrefs: 00429BC1
Invalid function declaration., xrefs: 0042A09B
Out of memory., xrefs: 004299C0, 00429A10, 0042A0DD
value, xrefs: 00429AEA
, :=*), xrefs: 00429B53, 00429C13
false, xrefs: 00429EA8
true, xrefs: 00429EE1
%s.%s, xrefs: 004297BD

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __snwprintf_wcschr
String ID: %s.%s$, :=*)$, =)$A label must not point to a function.$Blank parameter$ByRef$Duplicate declaration.$Duplicate function definition.$Duplicate parameter.$Expected ":="$Function name too long.$Invalid function declaration.$Missing ")"$Missing close-quote$Missing comma$Out of memory.$Parameter default required.$Parameters of hotkey functions must be optional.$Too many params.$Unsupported parameter default.$false$this$true$value
API String ID: 1333472643-1825772190
Opcode ID: 65141d0833f818b936480aa1e5b0c54aa1434efa3ca9c245032277474ce24503
Instruction ID: 1c9b2a67bfb85d18724c98cf25bd425d91e1196ad192b8b12c260e754d2e3607
Opcode Fuzzy Hash: 65141d0833f818b936480aa1e5b0c54aa1434efa3ca9c245032277474ce24503
Instruction Fuzzy Hash: F0621431700221ABC720DF15E881ABBB3A4EF94314F54856FE8458B392EB3DDD55C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 00473350 Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 276windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047336D
GetWindowLongW.USER32(?,000000F0), ref: 00473379
IsWindowVisible.USER32(?), ref: 0047339A
IsIconic.USER32(?), ref: 004733AD
GetFocus.USER32 ref: 004733E1
GetWindowRect.USER32(?,?), ref: 00473411
GetPropW.USER32(?,ahk_dlg), ref: 00473420
ShowWindow.USER32(00000000,00000000,?,ahk_dlg,?,?), ref: 00473434
GetUpdateRect.USER32(?,?,00000000), ref: 0047345C
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 0047346A
GetWindowLongW.USER32(?,000000F0), ref: 004734DD
ShowWindow.USER32(00000000,?,?,ahk_dlg,?,?), ref: 0047350D
EnableWindow.USER32(00000000,00000000), ref: 00473524
GetWindowRect.USER32(00000000,?), ref: 00473538
PtInRect.USER32(?,?,?), ref: 00473553
PtInRect.USER32(?,?,?), ref: 00473568
SetFocus.USER32(00000000,?,ahk_dlg,?,?), ref: 004735AA
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 004735E5
ShowWindow.USER32(00000000,00000005,?,ahk_dlg,?,?), ref: 004735F5
SetFocus.USER32(?,?,ahk_dlg,?,?), ref: 00473609
InvalidateRect.USER32(?,00000000,00000001,?,ahk_dlg,?,?), ref: 00473625
InvalidateRect.USER32(?,?,00000001,?,ahk_dlg,?,?), ref: 0047364F
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0047365E
InvalidateRect.USER32(?,?,00000001,?,ahk_dlg,?,?), ref: 0047366F

Strings

ahk_dlg, xrefs: 0047341A

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Rect$FocusInvalidateMessageSendShow$Long$EnableIconicPointsPropUpdateVisible
String ID: ahk_dlg
API String ID: 1662922230-2093416220
Opcode ID: 5652faa813781b0b649733104dbef4c8067b368c947f3a27687875be09f9f30c
Instruction ID: a859e8082bb668224de5d24321cbf382ec91396cea25e0006669855d4740d452
Opcode Fuzzy Hash: 5652faa813781b0b649733104dbef4c8067b368c947f3a27687875be09f9f30c
Instruction Fuzzy Hash: 79A18270508380AFD715CF648844BABBFE4AB89305F08C95EF5C947381C779EA48DB56

Uniqueness

Uniqueness Score: -1.00%

Function 00471450 Relevance: 43.9, APIs: 29, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c819cf528b87361c9009871fefec2e418584694d79a18b88dd01a49ff2febabc
Instruction ID: c418dee636523a824421918fb10bdfb1826edc2758b6bdd120931515686bcf98
Opcode Fuzzy Hash: c819cf528b87361c9009871fefec2e418584694d79a18b88dd01a49ff2febabc
Instruction Fuzzy Hash: 6CD142326002059BD720DF69EE48BEB77A8FB85311F04852BFA4DD7291D7B89C11C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C260 Relevance: 33.7, APIs: 17, Strings: 2, Instructions: 452threadkeyboardwindowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(00010424,0000041E,00000000,?), ref: 0040C321
GetForegroundWindow.USER32 ref: 0040C39C
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0040C3B6
GetGUIThreadInfo.USER32(00000000,?), ref: 0040C3CE
GetWindowThreadProcessId.USER32(?,00000000), ref: 0040C3E6
GetKeyboardLayout.USER32(00000000), ref: 0040C3EB
GetClassNameW.USER32(00000000,?,0000001C), ref: 0040C410
__wcsicoll.LIBCMT ref: 0040C423
ToUnicodeEx.USER32(?,?,?,?,00000002,00000000,00000000), ref: 0040C4B9
ToUnicodeEx.USER32(?,?,?,?,00000002,00000000,00000000), ref: 0040C4DE
GetKeyState.USER32(00000014), ref: 0040C537
ToUnicodeEx.USER32(?,?,?,?,00000002,00000000,00000000), ref: 0040C5A2
ToUnicodeEx.USER32(?,?,?,?,00000002,00000000,?), ref: 0040C69B
ToUnicodeEx.USER32(?,?,?,?,00000002,00000000,?), ref: 0040C77F
ToUnicodeEx.USER32(?,?,?,?,00000002,00000000,?), ref: 0040C7B4
_memset.LIBCMT ref: 0040C7E7
ToUnicodeEx.USER32(?,?,?,?,00000002,00000000,?), ref: 0040C831

Strings

ApplicationFrameWindow, xrefs: 0040C41D
0, xrefs: 0040C3C3

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Unicode$ThreadWindow$Process$ClassForegroundInfoKeyboardLayoutMessageNamePostState__wcsicoll_memset
String ID: 0$ApplicationFrameWindow
API String ID: 1795949194-1469001145
Opcode ID: acdde6228dfe0c90839549102c2a670d6af60dc13a26f897435f3cbd53f25527
Instruction ID: baa89a8715a2f92fcabd8d413b0084162a7154774db677bad6868604c59eab16
Opcode Fuzzy Hash: acdde6228dfe0c90839549102c2a670d6af60dc13a26f897435f3cbd53f25527
Instruction Fuzzy Hash: BBF13431508380DBE721CB64D890BBB7BE4EB86704F04463FE885A72D1D7789949D7AE

Uniqueness

Uniqueness Score: -1.00%

Function 00442760 Relevance: 28.4, APIs: 10, Strings: 6, Instructions: 441windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041CAA0: __wcsicoll.LIBCMT ref: 0041CABB
Part of subcall function 0041CAA0: __wcsicoll.LIBCMT ref: 0041CAD1

GetForegroundWindow.USER32 ref: 004427D9
IsWindowVisible.USER32(00000000), ref: 004427F4

Strings

user32, xrefs: 00442B85
0x%08X, xrefs: 00442B1E
%s1, xrefs: 004429BB
GetLayeredWindowAttributes, xrefs: 00442B80
Parameter #2 invalid., xrefs: 00442795
0x%06X, xrefs: 00442BFA

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window__wcsicoll$ForegroundVisible
String ID: %s1$0x%06X$0x%08X$GetLayeredWindowAttributes$Parameter #2 invalid.$user32
API String ID: 1910143062-141734719
Opcode ID: 5c7f484eb573f8355e77f031860678e6e1a1b55070b9834041dbcb8feeae038e
Instruction ID: 2229b0944fb40f90ed85245df7101be7cf22fbe8d2fb06f33c45bfaf9b03f4cf
Opcode Fuzzy Hash: 5c7f484eb573f8355e77f031860678e6e1a1b55070b9834041dbcb8feeae038e
Instruction Fuzzy Hash: 8ED11672B043055BE720EF699D81B6F77D8EB84314F500A2FF941972C1DAE8DD4483AA

Uniqueness

Uniqueness Score: -1.00%

Function 0044E100 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 252timeCOMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0044E11E
GetTickCount.KERNEL32 ref: 0044E12A
GetLocalTime.KERNEL32(004DB400), ref: 0044E14E
__swprintf.LIBCMT ref: 0044E16C

Strings

%03d, xrefs: 0044E166
%02d, xrefs: 0044E2E3, 0044E2FE, 0044E319, 0044E334, 0044E36B, 0044E386
MSec, xrefs: 0044E118

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountLocalTickTime__swprintf__wcsicoll
String ID: %02d$%03d$MSec
API String ID: 3794994719-2031959049
Opcode ID: 75af95b6452a60d9062f1fb2a88a9c9364053dbffff9b6b2003bb1ab6ab626ac
Instruction ID: d134a9e218522014b99d661dac36902b0603d91a7a68ed24a549a0bedd24c8ab
Opcode Fuzzy Hash: 75af95b6452a60d9062f1fb2a88a9c9364053dbffff9b6b2003bb1ab6ab626ac
Instruction Fuzzy Hash: 4B515877B414249AEA1097ABBC425BB335CF7E072A714027BF90DC12D3E66D881592FE

Uniqueness

Uniqueness Score: -1.00%

Function 0044D4F0 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 223filewindowCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 0044D524
GetTickCount.KERNEL32 ref: 0044D53B
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0044D55E
GetTickCount.KERNEL32 ref: 0044D574
FindNextFileW.KERNEL32(00000000,00000010), ref: 0044D635
FindClose.KERNEL32(00000000), ref: 0044D644
GetLastError.KERNEL32 ref: 0044D65B
FindFirstFileW.KERNEL32(?,?), ref: 0044D6A5
GetTickCount.KERNEL32 ref: 0044D6BC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0044D6DF
GetTickCount.KERNEL32 ref: 0044D6F5
__swprintf.LIBCMT ref: 0044D766
FindNextFileW.KERNEL32(00000000,00000010), ref: 0044D78C
FindClose.KERNEL32(00000000), ref: 0044D79B

Strings

., xrefs: 0044D707
%s\%s, xrefs: 0044D760

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$CountFileTick$CloseFirstMessageNextPeek$ErrorLast__swprintf
String ID: %s\%s$.
API String ID: 2043249117-2631528844
Opcode ID: 4f63029755f2be001ec87d94a85693a7a15a2620a92975abf2d95a66fa2f20ea
Instruction ID: acd0a1602dae13d3d3ae1887a0a08d78c9e75040a1401dd7f037b7e43462d917
Opcode Fuzzy Hash: 4f63029755f2be001ec87d94a85693a7a15a2620a92975abf2d95a66fa2f20ea
Instruction Fuzzy Hash: FE81D635A043059FD720EF24D884BABB7E5EF84354F00492FF89687394EBB8A945CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00405290 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 74clipboardCOMMON

Download Yara Rule

APIs

GetClipboardFormatNameW.USER32(0000000D,00000104,00000104), ref: 004052BC
__wcsnicmp.LIBCMT ref: 004052CE
__wcsicoll.LIBCMT ref: 004052E7
__wcsicoll.LIBCMT ref: 004052FC
__wcsicoll.LIBCMT ref: 00405311
__wcsicoll.LIBCMT ref: 00405326
__wcsicoll.LIBCMT ref: 0040533B
__wcsicoll.LIBCMT ref: 00405350
GetClipboardData.USER32(0000000D), ref: 00405376

Strings

MSDEVLineSelect, xrefs: 0040534A
Native, xrefs: 0040530B
MSDEVColumnSelect, xrefs: 00405335
Link Source, xrefs: 004052C8
OwnerLink, xrefs: 004052F6
ObjectLink, xrefs: 004052E1
Embed Source, xrefs: 00405320

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll$Clipboard$DataFormatName__wcsnicmp
String ID: Embed Source$Link Source$MSDEVColumnSelect$MSDEVLineSelect$Native$ObjectLink$OwnerLink
API String ID: 3127108255-1844231336
Opcode ID: 5ea2c3351164587978336dc008465dd7fc49f8326ce07ee02ae0989120baf7e9
Instruction ID: 69334690a8f70c6acdf00ce6594448056c5c142054193d773241eec891463b8f
Opcode Fuzzy Hash: 5ea2c3351164587978336dc008465dd7fc49f8326ce07ee02ae0989120baf7e9
Instruction Fuzzy Hash: 5511D8B190430136DB20A7709C43B7B7698AF54746F48493EBC94D11C2F7FCDA09CA9A

Uniqueness

Uniqueness Score: -1.00%

Function 0045C320 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 163windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000001,?,?,00000000), ref: 0045C383
IsIconic.USER32(00000000), ref: 0045C390
GetWindowRect.USER32(00000000,?), ref: 0045C3A4
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0045C3F4

Part of subcall function 00443A50: GetForegroundWindow.USER32 ref: 00443B41
Part of subcall function 00443A50: IsIconic.USER32(00000000), ref: 00443B50
Part of subcall function 00443A50: GetWindowRect.USER32(?,?), ref: 00443B68

Strings

DISPLAY, xrefs: 0045C3EF
Slow, xrefs: 0045C32F
RGB, xrefs: 0045C479
0x%06X, xrefs: 0045C4A9
Alt, xrefs: 0045C3D0

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$ForegroundIconicRect$Create
String ID: 0x%06X$Alt$DISPLAY$RGB$Slow
API String ID: 472947238-780868468
Opcode ID: a0d84084c95ff00d404a048df5e44577fe4a3eab8f9c6f502344ee0436d7a18a
Instruction ID: b2fe233c8cafdbbe7b449e4b3d682e2a79f21355d93c8b5bad85730baa4618de
Opcode Fuzzy Hash: a0d84084c95ff00d404a048df5e44577fe4a3eab8f9c6f502344ee0436d7a18a
Instruction Fuzzy Hash: 7B4136327443006FD220AB649C81FAB7B98EB81715F10412BFE41962D2DAA99C0A87BD

Uniqueness

Uniqueness Score: -1.00%

Function 004050C0 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 100clipboardCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 004050E4
GlobalUnWire.KERNEL32(00000000), ref: 004050FB
CloseClipboard.USER32 ref: 00405104
GlobalUnWire.KERNEL32(00000000), ref: 0040513B
GlobalFree.KERNEL32(00000000), ref: 0040514D
GlobalUnWire.KERNEL32 ref: 00405163
CloseClipboard.USER32 ref: 00405168

Part of subcall function 004051C0: GlobalUnWire.KERNEL32(00000000), ref: 004051DC
Part of subcall function 004051C0: CloseClipboard.USER32 ref: 004051E1
Part of subcall function 004051C0: GlobalUnWire.KERNEL32(00000000), ref: 004051F5
Part of subcall function 004051C0: GlobalFree.KERNEL32(00000000), ref: 00405205

Strings

SetClipboardData, xrefs: 004051AF
Can't open clipboard for writing., xrefs: 004050D6
EmptyClipboard, xrefs: 0040510F

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$Wire$Clipboard$Close$Free$Empty
String ID: Can't open clipboard for writing.$EmptyClipboard$SetClipboardData
API String ID: 3076736919-2690908087
Opcode ID: 26718ce8527e5455ab28741a94bb936101b0d8e225dba5c232992013e6065a2f
Instruction ID: c31fad1c82b01ec232fbae2a0d899f4fcf0da175247c9f28ba6c2f0b11e7de7a
Opcode Fuzzy Hash: 26718ce8527e5455ab28741a94bb936101b0d8e225dba5c232992013e6065a2f
Instruction Fuzzy Hash: 65312B71D01B019FDB30AFA6D8C4517BBF4EF55305324893FE1979AAA1C678A884CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00451760 Relevance: 20.0, APIs: 6, Strings: 5, Instructions: 797COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 004518AD
__wcsnicmp.LIBCMT ref: 0045190E
_memset.LIBCMT ref: 004519B1
__wcstoui64.LIBCMT ref: 00451B40
FreeLibrary.KERNEL32(?), ref: 0045209A

Strings

Int, xrefs: 0045192C
CDecl, xrefs: 004518A1, 00451908
This DllCall requires a prior VarSetCapacity., xrefs: 00451C38
, xrefs: 00451851
DllCall, xrefs: 004517CA, 0045194A, 00451C8D

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsnicmp$FreeLibrary__wcstoui64_memset
String ID: $CDecl$DllCall$Int$This DllCall requires a prior VarSetCapacity.
API String ID: 886327013-3585077685
Opcode ID: 9ce0c244b00f8267ecb7059bf7842c8aade53aec8e80cf452f3227024fd0e79b
Instruction ID: bfad584f1c1b5dcc6d1cadb0631b58d769e953268d694f5f3a839ab62909e77f
Opcode Fuzzy Hash: 9ce0c244b00f8267ecb7059bf7842c8aade53aec8e80cf452f3227024fd0e79b
Instruction Fuzzy Hash: B152E371A002059FCB24DF54C881BAAB7B1FF45306F24856FEC159B3A2D379AC49CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004164C0 Relevance: 19.9, APIs: 13, Instructions: 439keyboardwindowthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004164EE
GetKeyboardState.USER32(?), ref: 004165BA
SetKeyboardState.USER32(?), ref: 00416659
PostMessageW.USER32(00000000,00000100,?,00000000), ref: 00416685
PostMessageW.USER32(00000000,00000101,?,00000000), ref: 004166C2
BlockInput.USER32(00000000), ref: 004166FE
GetForegroundWindow.USER32 ref: 0041675C
GetAsyncKeyState.USER32 ref: 0041678C
keybd_event.USER32(?,00000000,?,00000000), ref: 00416857
GetAsyncKeyState.USER32(?), ref: 004168A2
keybd_event.USER32(?,00000000,00000002,00000000), ref: 00416982
GetAsyncKeyState.USER32(?), ref: 004169BD
BlockInput.USER32(00000001), ref: 00416A1E

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: State$Async$BlockInputKeyboardMessagePostkeybd_event$CurrentForegroundThreadWindow
String ID:
API String ID: 802988723-0
Opcode ID: 52d8bab6890e6773e45320d3c8f57d97d02040d5cb93ba182f48c4ba02a228c0
Instruction ID: 7fabc05357295c8101665ebde29e69223d32a8779cf610359c7ebbaa548f2f1d
Opcode Fuzzy Hash: 52d8bab6890e6773e45320d3c8f57d97d02040d5cb93ba182f48c4ba02a228c0
Instruction Fuzzy Hash: 9102C1B05093859BDB11DF24D8447EB7FE1AB96308F09485FF89587391C23CC989CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0042A340 Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 434COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0042A3CA

Strings

Invalid class name., xrefs: 0042A472
__Class, xrefs: 0042A538, 0042A797
Missing class name., xrefs: 0042A40C
This class definition is nested too deep., xrefs: 0042A35B
extends, xrefs: 0042A3C4
Duplicate class definition., xrefs: 0042A6EB
Syntax error in class definition., xrefs: 0042A576
Out of memory., xrefs: 0042A800
Full class name is too long., xrefs: 0042A673

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsnicmp
String ID: Duplicate class definition.$Full class name is too long.$Invalid class name.$Missing class name.$Out of memory.$Syntax error in class definition.$This class definition is nested too deep.$__Class$extends
API String ID: 1038674560-3763243221
Opcode ID: 47b969b72cf50e18692ba212d1510190a78d81538540f1d77314f4e188eac336
Instruction ID: 28f0fba0c4d5056baade32ceb9c975ec692cfeef84c3a9a32fab6b9097cd569b
Opcode Fuzzy Hash: 47b969b72cf50e18692ba212d1510190a78d81538540f1d77314f4e188eac336
Instruction Fuzzy Hash: F1E1EE716002208FCB14DF19E880AABB7E1EB98314F54846FED898B351D778DD95CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 00473130 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 110windowlibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(uxtheme,?,?,?,?,?,0046ED2A,?,?,?,0000041D,00000000,00000000,?,0000000B,00000000), ref: 0047315F
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00473171
FreeLibrary.KERNEL32(00000000,?,0000041D,00000000,00000000,?,0000000B,00000000,00000000,?,00000192,?,?), ref: 00473189
SendMessageW.USER32(?,00000406,?,?), ref: 004731E1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 004731FA
SendMessageW.USER32(?,00002001,00000000,?), ref: 00473217
GetSysColor.USER32(0000000F), ref: 00473231
SendMessageW.USER32(?,00002001,00000000,?), ref: 00473247

Strings

uxtheme, xrefs: 0047315A
SetWindowTheme, xrefs: 0047316B

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Library$AddressColorFreeLoadProc
String ID: SetWindowTheme$uxtheme
API String ID: 2745204275-1369271589
Opcode ID: 806b88e9484df04510396adb66c26fcb0c2832f06858f2416d2056cdc3dd154b
Instruction ID: 16990f9229a5685da94b4118ba246f59584ac10a4a703eaf1bf86810867177f1
Opcode Fuzzy Hash: 806b88e9484df04510396adb66c26fcb0c2832f06858f2416d2056cdc3dd154b
Instruction Fuzzy Hash: 1A3107303003006AE6349E658C84FB7B758EF11326F60862FF956966C1D768ED81D71C

Uniqueness

Uniqueness Score: -1.00%

Function 00417360 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

@, xrefs: 004175F8

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 52c8cf7de7ee5502e398bf83f1e78f5d6529e8725fab1beb655e615bbec4aca5
Instruction ID: 9bb40bada77e481f4e77f5964d0d3ae9cf41b9ebd96de40ee605ba039700fc3d
Opcode Fuzzy Hash: 52c8cf7de7ee5502e398bf83f1e78f5d6529e8725fab1beb655e615bbec4aca5
Instruction Fuzzy Hash: BBA1BE7060C2049FE7289B28D8947BBB7F6AB84315F54092FF48683391D77C99C5CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004160A0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

@, xrefs: 00416167

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: eaa9ae610327ae0cc6f2fdaeb1e9bf4e589aeb8885b7b7734bb3f38a5a06ef9a
Instruction ID: 6fa203a9efdcdb7b93725501101b66a71e1baa4dfb51d08296207f6809b5e4d4
Opcode Fuzzy Hash: eaa9ae610327ae0cc6f2fdaeb1e9bf4e589aeb8885b7b7734bb3f38a5a06ef9a
Instruction Fuzzy Hash: CA4113346583E075F32093689C12BF77F905B42B14F59846FEAC84B2C3DAA8C884D76B

Uniqueness

Uniqueness Score: -1.00%

Function 0045F5A0 Relevance: 15.1, APIs: 10, Instructions: 123processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0045F5B5
Process32FirstW.KERNEL32(00000000,00000000), ref: 0045F5C7
__wcstoi64.LIBCMT ref: 0045F5F3

Part of subcall function 00499840: wcstoxq.LIBCMT ref: 00499861

Process32NextW.KERNEL32(00000000,?), ref: 0045F614
__wsplitpath.LIBCMT ref: 0045F655
__wcsicoll.LIBCMT ref: 0045F6A5
Process32NextW.KERNEL32(?,?), ref: 0045F6BB
CloseHandle.KERNEL32(00000000), ref: 0045F6CE
CloseHandle.KERNEL32(00000000), ref: 0045F6E1
CloseHandle.KERNEL32(?), ref: 0045F6F8

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandleProcess32$Next$CreateFirstSnapshotToolhelp32__wcsicoll__wcstoi64__wsplitpathwcstoxq
String ID:
API String ID: 2291101207-0
Opcode ID: 2a1718eba2a5045537204514f38d9527067e1e65eb8ef719e20edc1ebfa619c2
Instruction ID: 970fa0a2ea3cbeeefadb5dfe3caf0c08ae0e150ce7ab94c916f2ac53f2b60e26
Opcode Fuzzy Hash: 2a1718eba2a5045537204514f38d9527067e1e65eb8ef719e20edc1ebfa619c2
Instruction Fuzzy Hash: CE31B3726043056BD720EF649C45BEB77A8EBC5301F04483EF94687292EB79D60DC79A

Uniqueness

Uniqueness Score: -1.00%

Function 0040E7E0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 113windowthreadCOMMON

Download Yara Rule

APIs

GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0040E80B
SetWindowsHookExW.USER32(0000000D,Function_00009E00,MZ@,00000000), ref: 0040E873
UnhookWindowsHookEx.USER32(00000000), ref: 0040E88C
SetWindowsHookExW.USER32(0000000E,Function_00009F70,MZ@,00000000), ref: 0040E8CF
UnhookWindowsHookEx.USER32(00000000), ref: 0040E8E3
PostThreadMessageW.USER32(00001A2C,00000417,00000000,00000000), ref: 0040E910

Strings

MZ@, xrefs: 0040E86B, 0040E8C7

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: HookWindows$MessageUnhook$PostThread
String ID: MZ@
API String ID: 378849449-2978689999
Opcode ID: e87eec9c23772e149d2dbfa9b91983acc2e188abfe2da193064e14ecbe1d9be2
Instruction ID: 82f1594234db6c158134b7ca8356d03bd98198c9eab869f498e06d705d2335de
Opcode Fuzzy Hash: e87eec9c23772e149d2dbfa9b91983acc2e188abfe2da193064e14ecbe1d9be2
Instruction Fuzzy Hash: 60318372A55302EAE720AF66DC09B677B949750304F484C3BE500E72E1D7B9DC64C76E

Uniqueness

Uniqueness Score: -1.00%

Function 0045F390 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 39shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 0045F39A
OpenProcessToken.ADVAPI32(00000000), ref: 0045F3A1
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0045F3BD
AdjustTokenPrivileges.ADVAPI32 ref: 0045F3E5
GetLastError.KERNEL32 ref: 0045F3EB
ExitWindowsEx.USER32(?,00000000), ref: 0045F3FB

Strings

SeShutdownPrivilege, xrefs: 0045F3B6

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: e33d21e9821868b7492b716e6ff4923ce1667d42e0a022f49d7e47d729a169ea
Instruction ID: 24e649ce4d6df138e5824dc091e6de44c9bdf63add23181742e1fbc349d31b9e
Opcode Fuzzy Hash: e33d21e9821868b7492b716e6ff4923ce1667d42e0a022f49d7e47d729a169ea
Instruction Fuzzy Hash: C2F062B5604300AFF300AF65CC4AF9B7BB8BB89B05F40446CFA46D5191D7B8D8098B6A

Uniqueness

Uniqueness Score: -1.00%

Function 00411640 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 245COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00411657
_wcsncpy.LIBCMT ref: 00411801
_wcsncpy.LIBCMT ref: 0041187B
_wcsncpy.LIBCMT ref: 004118AD

Strings

& , xrefs: 004117DE, 00411808
Up, xrefs: 004118BF

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _wcsncpy$_memset
String ID: & $ Up
API String ID: 4291556967-3258026345
Opcode ID: c3973739c305d695946c92067afe5007dba12f2fe9a409545d08fa77b83d7c17
Instruction ID: ea146dea876754dcfeedc5363ecd36b2df0a20e4f0135c39156c2b8efd15732c
Opcode Fuzzy Hash: c3973739c305d695946c92067afe5007dba12f2fe9a409545d08fa77b83d7c17
Instruction Fuzzy Hash: 4A8155316042818ADB249B2485917F77BD1AF52700F18805FEAD68B3F1E72E98C9C39F

Uniqueness

Uniqueness Score: -1.00%

Function 00419230 Relevance: 10.6, APIs: 7, Instructions: 102keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32(00000000), ref: 00419239
_memset.LIBCMT ref: 00419262
ToUnicodeEx.USER32(0000006E,00000000,?,?,00000002,00000000,00000000), ref: 00419283
ToUnicodeEx.USER32(?,00000000,?,?,00000002,00000000,00000000), ref: 004192A9
ToUnicodeEx.USER32(0000006E,00000000,?,?,00000002,00000000,00000000), ref: 004192C6
ToUnicodeEx.USER32(?,00000000,?,?,00000002,00000000,00000000), ref: 0041930A
MapVirtualKeyExW.USER32(?,00000002,00000000), ref: 00419333

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Unicode$KeyboardLayoutVirtual_memset
String ID:
API String ID: 2910491412-0
Opcode ID: 3b20bbefeeb46bfb42843c5e45ab90676c8f9aea95f3b8b281ba2d627c7c3871
Instruction ID: 9ac22f3871fbb63799a4ec6c97682b2e808fbf52f3be064ef6a4f5273151c9d0
Opcode Fuzzy Hash: 3b20bbefeeb46bfb42843c5e45ab90676c8f9aea95f3b8b281ba2d627c7c3871
Instruction Fuzzy Hash: BE3108725443447BD324DB61CC56FFB7BE8AB85B04F84481DF685990C1E2B5EA08C7BA

Uniqueness

Uniqueness Score: -1.00%

Function 004A1767 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004A760A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004A761F
UnhandledExceptionFilter.KERNEL32(H~M), ref: 004A762A
GetCurrentProcess.KERNEL32(C0000409), ref: 004A7646
TerminateProcess.KERNEL32(00000000), ref: 004A764D

Strings

H~M, xrefs: 004A7625

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: H~M
API String ID: 2579439406-941190207
Opcode ID: 9f5fa2d9c982ad17457543f1ae1845021275cda48203d41c5f6daba2ce7149cc
Instruction ID: c0caff100f3e9301cbfd000cb99b3b0afff863403bb0dff261bab2a2d3160f37
Opcode Fuzzy Hash: 9f5fa2d9c982ad17457543f1ae1845021275cda48203d41c5f6daba2ce7149cc
Instruction Fuzzy Hash: 8021CDB985A2149FDB20DF65EC896583BA5FB59304F5010BFE809837A1F7B49980CB4D

Uniqueness

Uniqueness Score: -1.00%

Function 0040D680 Relevance: 9.6, APIs: 3, Strings: 2, Instructions: 842COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040D739
_memset.LIBCMT ref: 0040D75B
_memset.LIBCMT ref: 0040D76D

Part of subcall function 0040E4B0: CreateThread.KERNEL32(00000000,00002000,0040E7E0,00000000,00000000,004D85A0), ref: 0040E50A
Part of subcall function 0040E4B0: SetThreadPriority.KERNEL32(00000000,0000000F,?,00408CE2,?,00408938,An internal error has occurred in the debugger engine.Continue running the script without the debugger?,?,?,004062BD,?), ref: 0040E520
Part of subcall function 0040E4B0: PostThreadMessageW.USER32(00000000,00000417,004062BD,00000000), ref: 0040E544
Part of subcall function 0040E4B0: Sleep.KERNEL32(0000000A,?,00408CE2,?,00408938,An internal error has occurred in the debugger engine.Continue running the script without the debugger?,?,?,004062BD,?), ref: 0040E550
Part of subcall function 0040E4B0: GetTickCount.KERNEL32 ref: 0040E567
Part of subcall function 0040E4B0: PeekMessageW.USER32(?,00000000,00000417,00000417,00000001), ref: 0040E58A

Strings

[M, xrefs: 0040D7F8
DlM, xrefs: 0040D90E

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Thread$Message_memset$CountCreatePeekPostPrioritySleepTick_malloc
String ID: [M$DlM
API String ID: 2797994793-220038877
Opcode ID: a0277a27d527d6f36710225cd70a3e546bb14d535e5134fb3c894af60d7bfa53
Instruction ID: 813ed562dedafe5557cdd3931494a383f8027da915c8add8c546f60d4ff1a227
Opcode Fuzzy Hash: a0277a27d527d6f36710225cd70a3e546bb14d535e5134fb3c894af60d7bfa53
Instruction Fuzzy Hash: DD82F3309083818EE725CF25C4547B2BBE0AF55308F0985BFD8895B3D2D7BDA949C79A

Uniqueness

Uniqueness Score: -1.00%

Function 0045E1A0 Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 0045E288
_wcschr.LIBCMT ref: 0045E29A
GetFileAttributesW.KERNEL32(?), ref: 0045E2AA
FindFirstFileW.KERNEL32(?,?), ref: 0045E2C6
FindClose.KERNEL32(00000000), ref: 0045E2D6
CoInitialize.OLE32(00000000), ref: 0045E2DE

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFind_wcschr$AttributesCloseFirstInitialize
String ID:
API String ID: 1847535733-0
Opcode ID: f1a6238e9b8fe9512923cc11f866302a46654d64d32a2b348283019eb2fda38b
Instruction ID: 49fcae3e94eb92bb941ddcd62202e2ed8025de6f136ab263d24adf93ccf6f695
Opcode Fuzzy Hash: f1a6238e9b8fe9512923cc11f866302a46654d64d32a2b348283019eb2fda38b
Instruction Fuzzy Hash: 6AB1C0713043016BD614EF55CC81FAB73A9ABC9714F104A1EF9558B2D1D7B8ED08C79A

Uniqueness

Uniqueness Score: -1.00%

Function 004181B0 Relevance: 7.6, APIs: 5, Instructions: 84keyboardthreadCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000000), ref: 004181BB
GetKeyState.USER32(00000000), ref: 004181EA
GetForegroundWindow.USER32(00000000), ref: 00418224
GetWindowThreadProcessId.USER32(00000000), ref: 0041822B
GetKeyState.USER32(00000014), ref: 0041826E

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: State$Window$ForegroundProcessThread
String ID:
API String ID: 2921243749-0
Opcode ID: 5b543a1b4e44f3f82ded680df0c54a0ee61c961da886b0c07f93c6ca1ebd0d95
Instruction ID: 4ca9e7699063091770c6354c4ecf619e05b48292cbc624426e4146e738590a4f
Opcode Fuzzy Hash: 5b543a1b4e44f3f82ded680df0c54a0ee61c961da886b0c07f93c6ca1ebd0d95
Instruction Fuzzy Hash: DC213B72A8071476EA3077046C46FEA77544751B4CF25021BF9083A3E2DAB614C486AE

Uniqueness

Uniqueness Score: -1.00%

Function 00418090 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004180C8
GetForegroundWindow.USER32(?,00416A12,?,00000000), ref: 00418114
GetWindowTextW.USER32(00000000,0000000C,00000064), ref: 00418141

Strings

N/A, xrefs: 0041816A

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$CountForegroundTextTick
String ID: N/A
API String ID: 3416458291-2525114547
Opcode ID: 6e0a026da9b91fa3b2157bb212803ad0b11cb383a78a2c4102d11ccb8426085d
Instruction ID: 82860f9e12c593ce16bc86499a0fa0c56dd153aea8b92913d30b03bf15879694
Opcode Fuzzy Hash: 6e0a026da9b91fa3b2157bb212803ad0b11cb383a78a2c4102d11ccb8426085d
Instruction Fuzzy Hash: F7316B3260A200DFC758DF28ED94AA5BBA1EB89304B05C57FD446CB3A0DBB49C42DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0044D7F0 Relevance: 6.1, APIs: 4, Instructions: 113filetimeCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(004AF9BC,?), ref: 0044D81F
GetLastError.KERNEL32 ref: 0044D82A
FindClose.KERNEL32(00000000), ref: 0044D869
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0044D8C0

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$FindTime$CloseErrorFirstLastLocal
String ID:
API String ID: 1380247339-0
Opcode ID: 807ab6e0a0b51726660564de6561b2d45eefc054ffbb4c100756cbf532bb8b3b
Instruction ID: 3dc776bd0dedf3690ec4ccfe141519c0ef9ae4b8d9ad7f5a05d16fded1e68c87
Opcode Fuzzy Hash: 807ab6e0a0b51726660564de6561b2d45eefc054ffbb4c100756cbf532bb8b3b
Instruction Fuzzy Hash: 1A31F5B2A0430177E320FB64DC46FEB3798AB44725F14462BF964AA2D0D7B9A944C36D

Uniqueness

Uniqueness Score: -1.00%

Function 00405390 Relevance: 6.1, APIs: 4, Instructions: 51clipboardCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004053AB
OpenClipboard.USER32(00010424), ref: 004053BC
GetTickCount.KERNEL32 ref: 004053D0
OpenClipboard.USER32(00010424), ref: 0040540A

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClipboardCountOpenTick
String ID:
API String ID: 420724667-0
Opcode ID: 459c1798ee3ce9711e3a403e5317481573c89aea6b23b24ab0939571a3d8814f
Instruction ID: ed8853b92766a8f9651e7de7639f6eb5ba03e17ce7cb93d190cd71f8be86c550
Opcode Fuzzy Hash: 459c1798ee3ce9711e3a403e5317481573c89aea6b23b24ab0939571a3d8814f
Instruction Fuzzy Hash: A40169326216108BD310DB68EC84B9B33E9EB94359F14413BE500E73D0CBB9DC91CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00449790 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 004497C9
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0044982D

Strings

\, xrefs: 004497F1

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DiskFreeSpace_wcsncpy
String ID: \
API String ID: 1165104651-2967466578
Opcode ID: 1579c0bc3ad180801a4f3133a02e5b7a83da239c4471754ef8a3be1f444f87af
Instruction ID: 9688f3865c663d43b7458727641629474765d123225c8f32952d40f2dddaa87e
Opcode Fuzzy Hash: 1579c0bc3ad180801a4f3133a02e5b7a83da239c4471754ef8a3be1f444f87af
Instruction Fuzzy Hash: 3531393260430066D720FB59DC45FDBB798EB85724F14462FF944A72D0E6B9ED44C3A9

Uniqueness

Uniqueness Score: -1.00%

Function 0041A04E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(004DB230), ref: 0041A06D
__snwprintf.LIBCMT ref: 0041A0A4

Strings

10.0.19045, xrefs: 0041A08E
%u.%u.%u, xrefs: 0041A087

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Version__snwprintf
String ID: %u.%u.%u$10.0.19045
API String ID: 444779968-4060445884
Opcode ID: e1e7ce3a92834f78720694a515484305c9f7ac00c6d46e2baeb4738793576bb4
Instruction ID: ab1c3dfdb1a6e663e0c4dc7cf950089abed141bbf424aed54ac51e19997f775d
Opcode Fuzzy Hash: e1e7ce3a92834f78720694a515484305c9f7ac00c6d46e2baeb4738793576bb4
Instruction Fuzzy Hash: 58017C71607300DBCB14CF94AC867A63BA0E348704B12407FE94986361C7B85890A7EF

Uniqueness

Uniqueness Score: -1.00%

Function 0041E370 Relevance: 4.5, APIs: 3, Instructions: 45clipboardwindowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(00010424,00000415,00000001,00000000), ref: 0041E3B4
SetClipboardViewer.USER32(00010424), ref: 0041E3C7
ChangeClipboardChain.USER32(00010424,?), ref: 0041E409

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Clipboard$ChainChangeMessagePostViewer
String ID:
API String ID: 1822368796-0
Opcode ID: 9f357267cdd85439ebab49ec5f4f376c8b4d1175ffca5a965d773f8e61da975f
Instruction ID: d9b452989ced23a826708364905ad1171823d84fcb553d290879446dc1a04739
Opcode Fuzzy Hash: 9f357267cdd85439ebab49ec5f4f376c8b4d1175ffca5a965d773f8e61da975f
Instruction Fuzzy Hash: EF016D34642340DFDB10CB39AC84BA63BA4E74A780F1C003BAC45C72A0C774E890EB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0044F3D0 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?), ref: 0044F3F4
GetUserNameW.ADVAPI32(?,?), ref: 0044F405

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Name$ComputerUser
String ID:
API String ID: 4229901323-0
Opcode ID: 484acdd6b1c0c57ed577efa55293d0ceabe5b9d93c65d1706b9fa83a50fc031c
Instruction ID: 59f6158cd52cee6d3b4592464ab4dbd40d86dad764125a62828b85dd9a3d81e8
Opcode Fuzzy Hash: 484acdd6b1c0c57ed577efa55293d0ceabe5b9d93c65d1706b9fa83a50fc031c
Instruction Fuzzy Hash: 21019E305082018BD728DF24C5497AB77B1FF94304F44892DE896C7290FB78DA09C756

Uniqueness

Uniqueness Score: -1.00%

Function 004A7655 Relevance: .2, Instructions: 180COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
Instruction ID: be0ff70005ee51896e6d30d6bd3abf013f6eb977b6c8c78f1f93ed9f393cc39a
Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
Instruction Fuzzy Hash: 10617A759043158FCB28CF48C89469ABBF2FF95310F2AC5AED8095B361D7B4A945CBC8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D3B0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e4f874815ee760f27c5a8d394161a2b9e2656fa4f507e5568db7478bd83a19f
Instruction ID: 8d96babd4026a849341dd8854424beb6069252471f928d2b60ee30f67e679201
Opcode Fuzzy Hash: 5e4f874815ee760f27c5a8d394161a2b9e2656fa4f507e5568db7478bd83a19f
Instruction Fuzzy Hash: 1841DD979189110FFB140919B4F23F3ABD2CBB2332F159967D1D447BC2D22AA98FE650

Uniqueness

Uniqueness Score: -1.00%

Function 0041C130 Relevance: 94.7, APIs: 27, Strings: 27, Instructions: 219COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041C148
__wcsicoll.LIBCMT ref: 0041C15D

Strings

Button, xrefs: 0041C16C
Checkbox, xrefs: 0041C181
Progress, xrefs: 0041C255
Text, xrefs: 0041C142
Tab3, xrefs: 0041C294
Tab2, xrefs: 0041C27F
DropDownList, xrefs: 0041C1C1
Tab, xrefs: 0041C26A
DateTime, xrefs: 0041C2EA
ComboBox, xrefs: 0041C1D7
ActiveX, xrefs: 0041C33E
Custom, xrefs: 0041C368
GroupBox, xrefs: 0041C2A9
Pic, xrefs: 0041C2BE
ListBox, xrefs: 0041C1EC
StatusBar, xrefs: 0041C329
Edit, xrefs: 0041C157
MonthCal, xrefs: 0041C2FF
ListView, xrefs: 0041C201
Radio, xrefs: 0041C196
DDL, xrefs: 0041C1AB
Slider, xrefs: 0041C240
Hotkey, xrefs: 0041C314
Picture, xrefs: 0041C2D4
TreeView, xrefs: 0041C216
UpDown, xrefs: 0041C22B
Link, xrefs: 0041C353

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll
String ID: ActiveX$Button$Checkbox$ComboBox$Custom$DDL$DateTime$DropDownList$Edit$GroupBox$Hotkey$Link$ListBox$ListView$MonthCal$Pic$Picture$Progress$Radio$Slider$StatusBar$Tab$Tab2$Tab3$Text$TreeView$UpDown
API String ID: 3832890014-2446625512
Opcode ID: 2901f291a698eb6e24ceb44a4213e4981d5e4937b95ba8c36b4378ab764076ac
Instruction ID: cf11397bbc3c6731868d0f736e2aa95a186b88ff6e4dce671b0ff68a31e34f32
Opcode Fuzzy Hash: 2901f291a698eb6e24ceb44a4213e4981d5e4937b95ba8c36b4378ab764076ac
Instruction Fuzzy Hash: 5F51C4A9EC5A11319F12212A2D43BEF25481CA1B4BBD4507FFC14E4343F78D9A4BA0BE

Uniqueness

Uniqueness Score: -1.00%

Function 0041C480 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 143COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041C498
__wcsicoll.LIBCMT ref: 0041C4B0

Strings

Disable, xrefs: 0041C4DA
Add, xrefs: 0041C5B2
EditPaste, xrefs: 0041C612
Uncheck, xrefs: 0041C4AA
HideDropDown, xrefs: 0041C56A
Enable, xrefs: 0041C4C2
Style, xrefs: 0041C522
ChooseString, xrefs: 0041C5FA
TabRight, xrefs: 0041C59A
ExStyle, xrefs: 0041C53A
Show, xrefs: 0041C4F2
Check, xrefs: 0041C492
Choose, xrefs: 0041C5E2
Delete, xrefs: 0041C5CA
ShowDropDown, xrefs: 0041C552
Hide, xrefs: 0041C50A
TabLeft, xrefs: 0041C582

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll
String ID: Add$Check$Choose$ChooseString$Delete$Disable$EditPaste$Enable$ExStyle$Hide$HideDropDown$Show$ShowDropDown$Style$TabLeft$TabRight$Uncheck
API String ID: 3832890014-3688457572
Opcode ID: 2a6be5d219d4ed8a113b9e379ae1d1e566e37d0fc14a8626d18e487f6ae433cc
Instruction ID: 360c7f25003bc87261ed12e04d3bff2f31548cb06d1fe73cb1f9401970a5b75d
Opcode Fuzzy Hash: 2a6be5d219d4ed8a113b9e379ae1d1e566e37d0fc14a8626d18e487f6ae433cc
Instruction Fuzzy Hash: F6316EA5B85A1132EF12212E5D43BEB25495BA0B4BFD4407BFC04D4282F78DEE5390BE

Uniqueness

Uniqueness Score: -1.00%

Function 0041C630 Relevance: 52.6, APIs: 15, Strings: 15, Instructions: 127COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041C648
__wcsicoll.LIBCMT ref: 0041C660

Strings

CurrentCol, xrefs: 0041C71A
List, xrefs: 0041C6D2
Enabled, xrefs: 0041C65A
Selected, xrefs: 0041C74A
Choice, xrefs: 0041C6BA
CurrentLine, xrefs: 0041C702
Style, xrefs: 0041C762
FindString, xrefs: 0041C6A2
Hwnd, xrefs: 0041C792
Tab, xrefs: 0041C68A
Visible, xrefs: 0041C672
ExStyle, xrefs: 0041C77A
Checked, xrefs: 0041C642
Line, xrefs: 0041C732
LineCount, xrefs: 0041C6EA

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll
String ID: Checked$Choice$CurrentCol$CurrentLine$Enabled$ExStyle$FindString$Hwnd$Line$LineCount$List$Selected$Style$Tab$Visible
API String ID: 3832890014-586525042
Opcode ID: a168fbf5ab8b9a9616839f05cd6ecc3d583be5aefb81053bf2bc12838a226441
Instruction ID: bd5c2008093ed378fadac1c4745cb4461a6cfa7f979c773bb9cc87ad6b6f8323
Opcode Fuzzy Hash: a168fbf5ab8b9a9616839f05cd6ecc3d583be5aefb81053bf2bc12838a226441
Instruction Fuzzy Hash: 363178A5A84A1122EF12212A5D43BEB68495BA1B4BFD4403BFC04C53C3F78DDA5780AE

Uniqueness

Uniqueness Score: -1.00%

Function 0045B2A0 Relevance: 47.4, APIs: 14, Strings: 13, Instructions: 199COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 0045B2F6
__wcsnicmp.LIBCMT ref: 0045B31D
__fassign.LIBCMT ref: 0045B34E

Part of subcall function 004998AD: __fassign.LIBCMT ref: 004998A3

__wcsicoll.LIBCMT ref: 0045B381

Strings

JoyInfo, xrefs: 0045B47F
JoyPOV, xrefs: 0045B417
JoyZ, xrefs: 0045B3AF
JoyU, xrefs: 0045B3E3
Joy, xrefs: 0045B317
JoyR, xrefs: 0045B3C9
0.6f, xrefs: 0045B34D, 0045B358
JoyX, xrefs: 0045B37B
JoyAxes, xrefs: 0045B465
JoyY, xrefs: 0045B395
JoyButtons, xrefs: 0045B44B
JoyV, xrefs: 0045B3FD
JoyName, xrefs: 0045B431

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __fassign$__wcsicoll__wcsnicmp
String ID: 0.6f$Joy$JoyAxes$JoyButtons$JoyInfo$JoyName$JoyPOV$JoyR$JoyU$JoyV$JoyX$JoyY$JoyZ
API String ID: 3933591233-895525690
Opcode ID: ff9f24b94457d12aa57e7e9472f55303e2375b5d8dea6389a18f077d043d2191
Instruction ID: e4d2329740c585aab2003d12bb5678fddcb3f9621b2ebb356fc5bcf59287bdb2
Opcode Fuzzy Hash: ff9f24b94457d12aa57e7e9472f55303e2375b5d8dea6389a18f077d043d2191
Instruction Fuzzy Hash: 0C417362A4461022EF21252E7C82BFF56898FA2757F15407BFC44E5283F78D8D8B50EE

Uniqueness

Uniqueness Score: -1.00%

Function 0041B500 Relevance: 47.4, APIs: 14, Strings: 13, Instructions: 143COMMON

Download Yara Rule

APIs

__wcstoi64.LIBCMT ref: 0041B529

Part of subcall function 00499840: wcstoxq.LIBCMT ref: 00499861

__wcsicoll.LIBCMT ref: 0041B550
__wcsicoll.LIBCMT ref: 0041B566
__wcsicoll.LIBCMT ref: 0041B57C

Strings

Treble, xrefs: 0041B669
Bass, xrefs: 0041B64E
QSoundPan, xrefs: 0041B633
Volume, xrefs: 0041B560
Mute, xrefs: 0041B591
Equalizer, xrefs: 0041B684
BassBoost, xrefs: 0041B5FD
StereoEnh, xrefs: 0041B5E2
Pan, xrefs: 0041B618
Mono, xrefs: 0041B5AC
Vol, xrefs: 0041B54A
OnOff, xrefs: 0041B576
Loudness, xrefs: 0041B5C7

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll$__wcstoi64wcstoxq
String ID: Bass$BassBoost$Equalizer$Loudness$Mono$Mute$OnOff$Pan$QSoundPan$StereoEnh$Treble$Vol$Volume
API String ID: 1236819900-1456001458
Opcode ID: 7328845727f1ffc28bde7bfd91f1ceb2e0da66f9eadefb1f51ce874c98274b3b
Instruction ID: 3b58f78f2b15da3226cb278668071b50ffa1cd2ce30bfdd18102c7837e68b0e7
Opcode Fuzzy Hash: 7328845727f1ffc28bde7bfd91f1ceb2e0da66f9eadefb1f51ce874c98274b3b
Instruction Fuzzy Hash: 9031CBE1E4561132DF12312A2D03BDB64455BB1B4BF99407AFC0895382F78E9A9A81FE

Uniqueness

Uniqueness Score: -1.00%

Function 004667B0 Relevance: 46.0, APIs: 17, Strings: 9, Instructions: 498COMMON

Download Yara Rule

Strings

Menu does not exist., xrefs: 00466D3E
NoHide, xrefs: 00466D9A
Parameter #1 invalid., xrefs: 00466831
MZ@, xrefs: 00467066
Invalid Gui name., xrefs: 004667F8
Out of memory., xrefs: 00466B0A
+LastFoundExist, xrefs: 00466967
Parameter #2 invalid., xrefs: 00466C73
Could not create window., xrefs: 00466B8C

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcstoui64
String ID: +LastFoundExist$Could not create window.$Invalid Gui name.$MZ@$Menu does not exist.$NoHide$Out of memory.$Parameter #1 invalid.$Parameter #2 invalid.
API String ID: 3882282163-2895177167
Opcode ID: b0524672b85ba4720a418da6cf880f6c0321b874aaaa9342ef857da1374db196
Instruction ID: 8fed147f907bf6eff4893a3a777525d66df59293421ca44c660cd904adf21561
Opcode Fuzzy Hash: b0524672b85ba4720a418da6cf880f6c0321b874aaaa9342ef857da1374db196
Instruction Fuzzy Hash: E4029FB1A09300DBC710EF65D841A6B7BA4AB84708F05462FF9469B352F679ED04CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 004594C0 Relevance: 46.0, APIs: 17, Strings: 9, Instructions: 458windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001101,00000000,00000000), ref: 0045958E
__wcsicoll.LIBCMT ref: 004596CE
__wcsnicmp.LIBCMT ref: 004596F9
__wcsicoll.LIBCMT ref: 0045970E
SendMessageW.USER32(?,00001132,00000000,?), ref: 00459974
SendMessageW.USER32(00000000,0000113F,00000000,00000008), ref: 004599D0
SendMessageW.USER32(00000000,00001114,00000000,?), ref: 00459A03
SendMessageW.USER32(00000000,0000110B,00000005,?), ref: 00459A1F
SendMessageW.USER32(?,0000110B,?,?), ref: 00459A3B

Strings

Bold, xrefs: 00459740
First, xrefs: 00459708, 004598DF
Select, xrefs: 004596C5
", xrefs: 0045986C
Icon, xrefs: 00459850
Expand, xrefs: 0045978A
Check, xrefs: 004597FC
Sort, xrefs: 00459887
Vis, xrefs: 004596F3

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$__wcsicoll$__wcsnicmp
String ID: "$Bold$Check$Expand$First$Icon$Select$Sort$Vis
API String ID: 2665471568-3379154359
Opcode ID: 997216da964c0083502cc30a5e89d3c2c855407d8c0d358e1c7dbdbe2ccd8c10
Instruction ID: 4764b7c008dc99075ff7a6a461663adcf378453d4a1a8a79360eea8092d13d86
Opcode Fuzzy Hash: 997216da964c0083502cc30a5e89d3c2c855407d8c0d358e1c7dbdbe2ccd8c10
Instruction Fuzzy Hash: FEF180B1604341EBD7209F25888176BB7E4AF95306F14882FFC8997382E378DD49CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00442070 Relevance: 44.1, APIs: 22, Strings: 3, Instructions: 381COMMON

Download Yara Rule

Strings

+-^, xrefs: 004422CE
Off, xrefs: 00442188
Parameter #1 invalid., xrefs: 00442094

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll
String ID: +-^$Off$Parameter #1 invalid.
API String ID: 3832890014-3419364491
Opcode ID: a6deb76571c3256fccdde9498a9ef4c97abb1712874da43a5a9c45ea0107f73c
Instruction ID: a9869502c2463e5c491b00f1daaed527760db5490b4bbb1d9e9abb1972f94f4b
Opcode Fuzzy Hash: a6deb76571c3256fccdde9498a9ef4c97abb1712874da43a5a9c45ea0107f73c
Instruction Fuzzy Hash: 73C149326443106BE730AF349D44BBB7BA4AB86724F50063BF951A72C1C7BD9D05C3AA

Uniqueness

Uniqueness Score: -1.00%

Function 0045C4F0 Relevance: 43.9, APIs: 20, Strings: 5, Instructions: 199windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000007), ref: 0045C509
GetSystemMetrics.USER32(00000007), ref: 0045C517
GetSystemMetrics.USER32(00000004), ref: 0045C51F
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0045C530
IsWindow.USER32(00000000), ref: 0045C56A
DestroyWindow.USER32(00000000,?,?,?,00000000), ref: 0045C57A
CreateWindowExW.USER32(00000008,AutoHotkey2,?,88C00000,?,?,00000000,?,00010424,00000000,MZ@,00000000), ref: 0045C5BA
GetClientRect.USER32(00000000,?), ref: 0045C5C7
CreateWindowExW.USER32(00000000,static,?,50000001,00000000,00000000,?,?,00000000,00000000,MZ@,00000000), ref: 0045C608
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0045C624
_wcsncpy.LIBCMT ref: 0045C642
EnumFontFamiliesExW.GDI32(00000000,?,00480B40,?,00000000,?,?,00000000), ref: 0045C669
GetStockObject.GDI32(00000011), ref: 0045C69B
SelectObject.GDI32(00000000,00000000), ref: 0045C6A3
GetTextFaceW.GDI32(00000000,00000040,?), ref: 0045C6B4
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0045C6BD
DeleteDC.GDI32(00000000), ref: 0045C6C6
CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045C704
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 0045C715
ShowWindow.USER32(00000000,00000004,?,?,?,00000000), ref: 0045C724

Strings

DISPLAY, xrefs: 0045C61C
static, xrefs: 0045C601
Segoe UI, xrefs: 0045C630
AutoHotkey2, xrefs: 0045C5A9
MZ@, xrefs: 0045C595, 0045C5E2

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$CreateSystem$Metrics$FontObject$CapsClientDeleteDestroyDeviceEnumFaceFamiliesInfoMessageParametersRectSelectSendShowStockText_wcsncpy
String ID: AutoHotkey2$DISPLAY$MZ@$Segoe UI$static
API String ID: 2836835088-3422131572
Opcode ID: a53ca1f1561eee625dfe5ac23d699acc1d6ee2d43ff0dcdc119db556eb7af1da
Instruction ID: be050891f345bdcc3dff80673354fe8a1bc207103d3dabe985dff002acf5ea75
Opcode Fuzzy Hash: a53ca1f1561eee625dfe5ac23d699acc1d6ee2d43ff0dcdc119db556eb7af1da
Instruction Fuzzy Hash: CF61D671644300BFE314DB64DC4AFAB7BE8EB89B04F04452DFA09D72D1D6B4A905CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041D240 Relevance: 42.1, APIs: 12, Strings: 12, Instructions: 101COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041D258
__wcsicoll.LIBCMT ref: 0041D270

Strings

Digit, xrefs: 0041D2C4
Integer, xrefs: 0041D252
Date, xrefs: 0041D2B2
Space, xrefs: 0041D354
Number, xrefs: 0041D282
Time, xrefs: 0041D29A
Lower, xrefs: 0041D33C
Xdigit, xrefs: 0041D2DC
Upper, xrefs: 0041D324
Alpha, xrefs: 0041D30C
Float, xrefs: 0041D26A
Alnum, xrefs: 0041D2F4

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll
String ID: Alnum$Alpha$Date$Digit$Float$Integer$Lower$Number$Space$Time$Upper$Xdigit
API String ID: 3832890014-3813714638
Opcode ID: a1d1bb18f098e7ce648c934f1b50fae8254401a79685c194322b59a2f3e79781
Instruction ID: ebb7f230caecdf28871441904cd33f103267cef10d7addf5b143c3b2238c979b
Opcode Fuzzy Hash: a1d1bb18f098e7ce648c934f1b50fae8254401a79685c194322b59a2f3e79781
Instruction Fuzzy Hash: 602149E5E4561122EF22712E5D03BEB24495FA1B4BF86407AFC14D1382F68DDA8790AE

Uniqueness

Uniqueness Score: -1.00%

Function 004143C0 Relevance: 40.4, APIs: 16, Strings: 7, Instructions: 128COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 004143D0
__wcsicoll.LIBCMT ref: 004143E6
__wcsicoll.LIBCMT ref: 004143FC

Part of subcall function 00499409: __wcsicmp_l.LIBCMT ref: 00499489

__wcsicoll.LIBCMT ref: 00414412
__wcsicoll.LIBCMT ref: 00414428
__wcsicoll.LIBCMT ref: 0041443E
__wcsicoll.LIBCMT ref: 00414454
__wcsicoll.LIBCMT ref: 0041446C

Strings

WheelDown, xrefs: 004144B1
LEFT, xrefs: 004143CA
RIGHT, xrefs: 004143F6
WheelUp, xrefs: 00414489
WheelRight, xrefs: 004144F9
WheelLeft, xrefs: 004144D5
MIDDLE, xrefs: 00414422

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll$__wcsicmp_l
String ID: LEFT$MIDDLE$RIGHT$WheelDown$WheelLeft$WheelRight$WheelUp
API String ID: 3172861507-1318937625
Opcode ID: 871f8077f7d165b0b753eaa30569fc0ba2e7ce4ba664e2e6877f44c96bfd9ed5
Instruction ID: 14f48a568263ad753b36f23830c02888d00734b74cdf2b62df146ab359c2529a
Opcode Fuzzy Hash: 871f8077f7d165b0b753eaa30569fc0ba2e7ce4ba664e2e6877f44c96bfd9ed5
Instruction Fuzzy Hash: CD31C5A1A4561132EF12253A5E07BEB14894FE1747F99007FB904E12C3F68DDB9790BE

Uniqueness

Uniqueness Score: -1.00%

Function 0043D1C0 Relevance: 38.8, APIs: 17, Strings: 5, Instructions: 295windowCOMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 0043D1E2

Part of subcall function 0049BA2D: wcstoxl.LIBCMT ref: 0049BA3D

IsWindow.USER32(004AF9BC), ref: 0043D225
DestroyWindow.USER32(004AF9BC), ref: 0043D230
GetCursorPos.USER32 ref: 0043D284
MonitorFromPoint.USER32(?,?,00000002), ref: 0043D2FA
GetMonitorInfoW.USER32 ref: 0043D314
_memset.LIBCMT ref: 0043D35C
IsWindow.USER32(004AF9BC), ref: 0043D38A
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0043D3C7
SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 0043D3E7
SendMessageW.USER32(00000000,0000041F,00000000,?), ref: 0043D412
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0043D432
SendMessageW.USER32(00000000,00000412,00000000,?), ref: 0043D451
SendMessageW.USER32(00000000,00000439,00000000,?), ref: 0043D482
GetWindowRect.USER32(00000000,?), ref: 0043D49C
SendMessageW.USER32(00000000,00000412,00000000,?), ref: 0043D536
SendMessageW.USER32(00000000,00000411,00000001,?), ref: 0043D545

Strings

tooltips_class32, xrefs: 0043D3BB
, xrefs: 0043D379
Max window number is 20., xrefs: 0043D562
,, xrefs: 0043D371
(, xrefs: 0043D309

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window$Monitor$CreateCursorDestroyFromInfoPointRect__fassign_memsetwcstoxl
String ID: $($,$Max window number is 20.$tooltips_class32
API String ID: 3638321345-788377568
Opcode ID: ab33431602c28c16e0ffe96b82471f2814f508758258a9c70693ab2e136e758d
Instruction ID: 6813e2b45c8f004794b356349b0cbb727b598bf36e81c4c0f5d20437d5990eba
Opcode Fuzzy Hash: ab33431602c28c16e0ffe96b82471f2814f508758258a9c70693ab2e136e758d
Instruction Fuzzy Hash: 56B190719083049FD320DF58EC84B6BBBF4EBC9704F10492EF58497291D7B8A948CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00451230 Relevance: 38.7, APIs: 11, Strings: 11, Instructions: 244COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 00451291
__wcsicoll.LIBCMT ref: 004512EE
__wcsicoll.LIBCMT ref: 00451308
__wcsicoll.LIBCMT ref: 00451322
__wcsicoll.LIBCMT ref: 0045133C
__wcsicoll.LIBCMT ref: 00451356
__wcsicoll.LIBCMT ref: 00451370
__wcsicoll.LIBCMT ref: 0045138A
__wcsicoll.LIBCMT ref: 004513A4
__wcsicoll.LIBCMT ref: 004513BE
__wcsicoll.LIBCMT ref: 004513D8

Strings

Short, xrefs: 00451336
Int64, xrefs: 0045136A
AStr, xrefs: 004513B8
Int, xrefs: 004512E8
*pP, xrefs: 004512B4
Double, xrefs: 0045139E
Str, xrefs: 00451302
Ptr, xrefs: 0045131C
Char, xrefs: 00451350
Float, xrefs: 00451384
WStr, xrefs: 004513D2

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll$_wcsncpy
String ID: *pP$AStr$Char$Double$Float$Int$Int64$Ptr$Short$Str$WStr
API String ID: 1630244902-313837492
Opcode ID: 250b977920e5da3facc1f2e8760c7cabdce9ca42ee068587c241f30fc67022f8
Instruction ID: 22adc98ab5d999a66ddcd31eaaecf3ef09abb8fb6de086155b7e8ae5ad3885ae
Opcode Fuzzy Hash: 250b977920e5da3facc1f2e8760c7cabdce9ca42ee068587c241f30fc67022f8
Instruction Fuzzy Hash: 7B71F2B260030556CB20DA55A8817BB7394AB81357F98842FFD44C6292F67ED94EC3AA

Uniqueness

Uniqueness Score: -1.00%

Function 004585E0 Relevance: 37.2, APIs: 12, Strings: 9, Instructions: 439windowCOMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0045877A
__wcsnicmp.LIBCMT ref: 004587C4
__wcsnicmp.LIBCMT ref: 00458811
__wcsnicmp.LIBCMT ref: 004588A3
__wcsnicmp.LIBCMT ref: 00458870

Part of subcall function 00414390: __fassign.LIBCMT ref: 004143A0

__wcsicoll.LIBCMT ref: 004588D2
SendMessageW.USER32(00000001,00001004,00000000,00000000), ref: 00458937

Strings

Focus, xrefs: 004587BE
Select, xrefs: 00458771
A, xrefs: 00458639
Icon, xrefs: 0045889D
Col, xrefs: 0045886A
M, xrefs: 0045866E
Check, xrefs: 0045880B
Vis, xrefs: 004588CC
I, xrefs: 00458B6A

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsnicmp$MessageSend__fassign__wcsicoll
String ID: A$Check$Col$Focus$I$Icon$M$Select$Vis
API String ID: 1367502766-1624853574
Opcode ID: 720f314f86cadc04defba916246f4b7719cd944dceab27522d00f6a28798d380
Instruction ID: 383f3affeda5b0a7df26afd361c1898acb4e7e4ee0adf806cb1392a4c1eb7d42
Opcode Fuzzy Hash: 720f314f86cadc04defba916246f4b7719cd944dceab27522d00f6a28798d380
Instruction Fuzzy Hash: 2BF181B0A083418FD7209F25C88576BB7E5EB85305F14492FED85A7392DFB8D848CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00406440 Relevance: 35.2, APIs: 3, Strings: 17, Instructions: 190COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 00406478

Strings

max_depth, xrefs: 004065A4
supports_threads, xrefs: 00406486
version, xrefs: 004064C0
max_data, xrefs: 00406555
AutoHotkey, xrefs: 004064B2
<response command="feature_get" feature_name="%e" supported="%i" transaction_id="%e">%s</response>, xrefs: 00406634
language_, xrefs: 00406467
protocol_version, xrefs: 004064FD
UTF-8, xrefs: 004064EF
multiple_sessions, xrefs: 00406541
max_children, xrefs: 0040657F
line exception, xrefs: 00406533
1.1.36.02 (Unicode), xrefs: 004064D3
name, xrefs: 004064A3
supports_async, xrefs: 00406511
encoding, xrefs: 004064E1
breakpoint_types, xrefs: 00406525

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _strncmp
String ID: 1.1.36.02 (Unicode)$<response command="feature_get" feature_name="%e" supported="%i" transaction_id="%e">%s</response>$AutoHotkey$UTF-8$breakpoint_types$encoding$language_$line exception$max_children$max_data$max_depth$multiple_sessions$name$protocol_version$supports_async$supports_threads$version
API String ID: 909875538-3206166689
Opcode ID: c2f9b74efa22d3e9f4544e272cbf12310426dd0486a9b8a911e1358f26a1bfbb
Instruction ID: d2556a61637ab4671aefbc8fd80a6bfb1a141bee1598400973bd5894eb224af0
Opcode Fuzzy Hash: c2f9b74efa22d3e9f4544e272cbf12310426dd0486a9b8a911e1358f26a1bfbb
Instruction Fuzzy Hash: 4A513732A04208BBDB288E548C817973B55A701315F1AC477F906BF2C1DB7BCD6593AC

Uniqueness

Uniqueness Score: -1.00%

Function 00451510 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 181libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32,?,?,?,00000000), ref: 00451537
GetModuleHandleW.KERNEL32(kernel32,?,00000000), ref: 00451543
GetModuleHandleW.KERNEL32(comctl32,?,00000000), ref: 0045154F
GetModuleHandleW.KERNEL32(gdi32,?,00000000), ref: 0045155B
_wcsncpy.LIBCMT ref: 00451577
_wcsrchr.LIBCMT ref: 00451593
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,00000000), ref: 004515C0
GetProcAddress.KERNEL32(00000000,?), ref: 004515E0
GetProcAddress.KERNEL32(?,?), ref: 0045162F
WideCharToMultiByte.KERNEL32(00000000,00000000,-00000002,000000FF,?,00000104,00000000,00000000,?,?,?,?,00000000), ref: 0045165D
GetModuleHandleW.KERNEL32(?,?,?,?,?,00000000), ref: 0045166B
LoadLibraryW.KERNEL32(?,?,?,?,?,00000000), ref: 00451686
GetProcAddress.KERNEL32(00000000,?), ref: 004516BF
GetProcAddress.KERNEL32(00000000,?), ref: 004516E8

Strings

gdi32, xrefs: 00451551
user32, xrefs: 00451532
kernel32, xrefs: 00451539
DllCall, xrefs: 00451694, 00451736
comctl32, xrefs: 00451545

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule$AddressProc$ByteCharMultiWide$LibraryLoad_wcsncpy_wcsrchr
String ID: DllCall$comctl32$gdi32$kernel32$user32
API String ID: 1361463379-1793033601
Opcode ID: 4a66e51ec79bc4591fc50aea44f942e4f660af83507bcc19d5cacc0595c629f0
Instruction ID: bad41cd13a23302804f6c44f7f0421b67be71d430cf484c4473a340c18faea05
Opcode Fuzzy Hash: 4a66e51ec79bc4591fc50aea44f942e4f660af83507bcc19d5cacc0595c629f0
Instruction Fuzzy Hash: 41511A72A0030567C730DB64DCC5FABB3D9EB94710F05062BED4487392EBB9E80987A9

Uniqueness

Uniqueness Score: -1.00%

Function 004680D0 Relevance: 31.9, APIs: 13, Strings: 5, Instructions: 414COMMON

Download Yara Rule

Strings

%sW, xrefs: 0046837A
%sH, xrefs: 004683E2
%sX, xrefs: 004682A6
MZ@, xrefs: 004685D3
%sY, xrefs: 00468310

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcstoui64
String ID: %sH$%sW$%sX$%sY$MZ@
API String ID: 3882282163-3248170440
Opcode ID: b52bdff4dad9db26b87473a58fa66836fe5d568f64a8f0b4f8b24a99d4962441
Instruction ID: 7b2be640db927da8f634d05ab42af52b44dcdb53242448ab1d7e53b34c0f9e56
Opcode Fuzzy Hash: b52bdff4dad9db26b87473a58fa66836fe5d568f64a8f0b4f8b24a99d4962441
Instruction Fuzzy Hash: 24E1CEB1704201AFD710DF25DC95FAB77A9AB84704F044A2EF5458B391EB78EC05CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00470270 Relevance: 30.1, APIs: 15, Strings: 2, Instructions: 358windowCOMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0047028C
SendMessageW.USER32(00000001,00000472,00000000,00000000), ref: 004702C6
SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0047031B
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00470337
SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0047034F
SendMessageW.USER32(?,00000408,00000000,00000000), ref: 00470385
SendMessageW.USER32(?,00001001,00000000,?), ref: 004703B4
GetWindowLongW.USER32(?,000000F0), ref: 00470401
SendMessageW.USER32(?,00001005,00000000,?), ref: 0047041A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004704A7
__wcsicoll.LIBCMT ref: 004704D6

Strings

Submit, xrefs: 00470284
Text, xrefs: 004704D0

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$__wcsicoll$LongWindow
String ID: Submit$Text
API String ID: 4045105239-2749448349
Opcode ID: 9c9479df573bd128423765a655e133282eee4c233e05c5262a08bd31603a0d8f
Instruction ID: 2b9b72a7cc23475c40644d4b001709e62ae10f18069b6516ec0d452a9a6ac1ef
Opcode Fuzzy Hash: 9c9479df573bd128423765a655e133282eee4c233e05c5262a08bd31603a0d8f
Instruction Fuzzy Hash: 46B18E72344300A7D720AF299C46FA77798EB95715F108A7FFA48EB2C1C6B9E844C358

Uniqueness

Uniqueness Score: -1.00%

Function 00482560 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 268clipboardCOMMON

Download Yara Rule

APIs

EnumClipboardFormats.USER32(00000000), ref: 004825A3
GlobalSize.KERNEL32(00000000), ref: 004825E5
EnumClipboardFormats.USER32(00000000), ref: 0048260C
GlobalUnWire.KERNEL32(00000000), ref: 00482636
CloseClipboard.USER32 ref: 00482642

Strings

Can't open clipboard for reading., xrefs: 00482576
Out of memory., xrefs: 0048272B

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Clipboard$EnumFormatsGlobal$CloseSizeWire
String ID: Can't open clipboard for reading.$Out of memory.
API String ID: 269228917-4067353709
Opcode ID: 5eac3d6cec7096029926d5e381ad5903b160d356fba62ae97ba60a1ea25f262b
Instruction ID: 740ca751b165b8f8b8da37cbef786be5684cf737a591ae7ee69ae7fba4c6c415
Opcode Fuzzy Hash: 5eac3d6cec7096029926d5e381ad5903b160d356fba62ae97ba60a1ea25f262b
Instruction Fuzzy Hash: 4991C3729003018BC721BF29DA4466FB7E4EB84750F554D2FE841A3360E7B8D945CBEA

Uniqueness

Uniqueness Score: -1.00%

Function 0040E4B0 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 169threadsleepsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00002000,0040E7E0,00000000,00000000,004D85A0), ref: 0040E50A
SetThreadPriority.KERNEL32(00000000,0000000F,?,00408CE2,?,00408938,An internal error has occurred in the debugger engine.Continue running the script without the debugger?,?,?,004062BD,?), ref: 0040E520
PostThreadMessageW.USER32(00000000,00000417,004062BD,00000000), ref: 0040E544
Sleep.KERNEL32(0000000A,?,00408CE2,?,00408938,An internal error has occurred in the debugger engine.Continue running the script without the debugger?,?,?,004062BD,?), ref: 0040E550
GetTickCount.KERNEL32 ref: 0040E567
PeekMessageW.USER32(?,00000000,00000417,00000417,00000001), ref: 0040E58A
CreateMutexW.KERNEL32(00000000,00000000,AHK Keybd), ref: 0040E605
GetExitCodeThread.KERNEL32(00000000,?), ref: 0040E61A
GetTickCount.KERNEL32 ref: 0040E62A
Sleep.KERNEL32(00000000), ref: 0040E637
CloseHandle.KERNEL32(00000000), ref: 0040E64F

Part of subcall function 0040EB80: _free.LIBCMT ref: 0040EBED

CloseHandle.KERNEL32(00000000), ref: 0040E66F
CreateMutexW.KERNEL32(00000000,00000000,AHK Mouse), ref: 0040E694
CloseHandle.KERNEL32(00000000), ref: 0040E6AB

Strings

AHK Keybd, xrefs: 0040E5FC
AHK Mouse, xrefs: 0040E68B
Warning: The keyboard and/or mouse hook could not be activated; some parts of the script will not function., xrefs: 0040E6D9

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Thread$CloseCreateHandle$CountMessageMutexSleepTick$CodeExitPeekPostPriority_free
String ID: AHK Keybd$AHK Mouse$Warning: The keyboard and/or mouse hook could not be activated; some parts of the script will not function.
API String ID: 1532042170-3816831916
Opcode ID: b230ceeae324c15aed96bfb0430533f314b76b11f94dad4ac88c9105ae843b26
Instruction ID: 4e47ffe3bdd9164d24f60697a05b0d8bd7e6ca4e4b0069e4342a2315b7a798b2
Opcode Fuzzy Hash: b230ceeae324c15aed96bfb0430533f314b76b11f94dad4ac88c9105ae843b26
Instruction Fuzzy Hash: 9B512770509340AAE720EF72AC05B5A7F949B51308F084C7FF981A62E2D7FD9954CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0045D290 Relevance: 28.5, APIs: 13, Strings: 3, Instructions: 460windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C630: __wcsicoll.LIBCMT ref: 0041C648

Part of subcall function 0044DDD0: GetForegroundWindow.USER32(?,?,004408D5,?), ref: 0044DDFE
Part of subcall function 0044DDD0: IsWindowVisible.USER32(00000000), ref: 0044DE19

SendMessageTimeoutW.USER32(00000000,000000F0,00000000,00000000,00000002,000007D0,?), ref: 0045D308
IsWindowEnabled.USER32(00000000), ref: 0045D33C
IsWindowVisible.USER32(00000000), ref: 0045D366
SendMessageTimeoutW.USER32(00000000,0000130B,00000000,00000000,00000002,000007D0,?), ref: 0045D3A4
GetClassNameW.USER32(00000000,?,00000020), ref: 0045D3DA
GetClassNameW.USER32(00000000,?,00000020), ref: 0045D437
SendMessageTimeoutW.USER32(00000000,00000188,00000000,00000000,00000002,000007D0,?), ref: 0045D49B
SendMessageTimeoutW.USER32(00000000,0000018A,?,00000000,00000002,000007D0,?), ref: 0045D4C1
SendMessageTimeoutW.USER32(00000000,00000189,?,00000000), ref: 0045D51A
GetClassNameW.USER32(00000000,?,00000020), ref: 0045D5BF

Strings

SysListView32, xrefs: 0045D5C8
List, xrefs: 0045D3FA, 0045D461, 0045D61A
Combo, xrefs: 0045D3E3, 0045D440, 0045D5F5

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSendTimeout$Window$ClassName$Visible$EnabledForeground__wcsicoll
String ID: Combo$List$SysListView32
API String ID: 4132077911-371123625
Opcode ID: d1a763b8678a9109f1746a29f6018966e21d2c8333976550f998b3f4dbd8af26
Instruction ID: c79905c7d2559333bad2a7e6dfd45740cd3c71518115155d05284aff09525612
Opcode Fuzzy Hash: d1a763b8678a9109f1746a29f6018966e21d2c8333976550f998b3f4dbd8af26
Instruction Fuzzy Hash: 75F1B231E00205ABDB30DBA58C85BAF7774EF45715F10422AF911AB2C2D778AD4AC7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00468620 Relevance: 27.2, APIs: 18, Instructions: 196windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00468673
SendMessageW.USER32(?,00000414,00000000,00000000), ref: 0046868C
DestroyCursor.USER32(00000000), ref: 00468693
IsWindow.USER32(00000000), ref: 004686A2
ShowWindow.USER32(00000000,00000000,?,004D9B24,75295780,75C0FD10,0041DA41,?,?,?,?,?,00000000,00000000), ref: 004686B2
SetMenu.USER32(00000000,00000000), ref: 004686BE
DestroyWindow.USER32(00000000,?,004D9B24,75295780,75C0FD10,0041DA41,?,?,?,?,?,00000000,00000000), ref: 004686D8
DeleteObject.GDI32(?), ref: 0046871F
DeleteObject.GDI32(?), ref: 00468733
DragFinish.SHELL32(?,?,004D9B24,75295780,75C0FD10,0041DA41,?,?,?,?,?,00000000,00000000), ref: 00468747
DestroyCursor.USER32(?), ref: 0046877B
DeleteObject.GDI32(?), ref: 00468783
_free.LIBCMT ref: 00468793
DestroyCursor.USER32(?), ref: 004687FA
DestroyCursor.USER32(?), ref: 00468801
DestroyAcceleratorTable.USER32(?), ref: 0046880B
_free.LIBCMT ref: 00468824

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Destroy$Cursor$DeleteObjectWindow$MessageSend_free$AcceleratorDragFinishMenuShowTable
String ID:
API String ID: 3295956662-0
Opcode ID: 0897b52ce2ccdef060f882ef19fceb2ebb799a71ffb42a1950b07bceab24a9e6
Instruction ID: 7e70e907f13ef7ea1bf94592863e9da0516713b6fb85fa7f13e4e766bd0fcdf7
Opcode Fuzzy Hash: 0897b52ce2ccdef060f882ef19fceb2ebb799a71ffb42a1950b07bceab24a9e6
Instruction Fuzzy Hash: 91617EB5A002059BCB20DF64DC84B6B77A9BB45705F14862EF906D7341EF78EC01CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0041B2E0 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 209COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 0041B2E9
__fassign.LIBCMT ref: 0041B32B

Part of subcall function 004998AD: __fassign.LIBCMT ref: 004998A3

Strings

Master, xrefs: 0041B351
Digital, xrefs: 0041B3A3
N/A, xrefs: 0041B4CF
Telephone, xrefs: 0041B439
Synth, xrefs: 0041B3FD
Analog, xrefs: 0041B4B1
PCSpeaker, xrefs: 0041B457
Microphone, xrefs: 0041B3DF
Headphones, xrefs: 0041B385
Aux, xrefs: 0041B493
Speakers, xrefs: 0041B36B
Wave, xrefs: 0041B475
Line, xrefs: 0041B3C1

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __fassign$_wcschr
String ID: Analog$Aux$Digital$Headphones$Line$Master$Microphone$N/A$PCSpeaker$Speakers$Synth$Telephone$Wave
API String ID: 3927346847-2477456585
Opcode ID: 807440ed7d8a4043fc01e7d36501dd3642ce5c0fd85e8fb26fdb5077d2f124e1
Instruction ID: 514343a7a175dd003931788d502404ba6bb8c36e7628bbc431df0bcd8e5ab511
Opcode Fuzzy Hash: 807440ed7d8a4043fc01e7d36501dd3642ce5c0fd85e8fb26fdb5077d2f124e1
Instruction Fuzzy Hash: AB515C3261412512DE21212D7D417EA318D8B9537AF28C73BFC3DDA3C6EB8D889452EA

Uniqueness

Uniqueness Score: -1.00%

Function 0040F160 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 72COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0040F178
__wcsicoll.LIBCMT ref: 0040F190

Strings

Toggle, xrefs: 0040F221
AltTab, xrefs: 0040F172
Off, xrefs: 0040F209
AltTabMenuDismiss, xrefs: 0040F1D2
AltTabMenu, xrefs: 0040F1A2
ShiftAltTab, xrefs: 0040F18A
AltTabAndMenu, xrefs: 0040F1BA

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll
String ID: AltTab$AltTabAndMenu$AltTabMenu$AltTabMenuDismiss$Off$ShiftAltTab$Toggle
API String ID: 3832890014-1651597821
Opcode ID: 28bd729fac991b97375f51599cde9360995ff47be5afcc07d8e21ece8bc010de
Instruction ID: 00bee9903f18ae3c38702471433ed3d19759995753db6a5c7d3b62c54d26d9aa
Opcode Fuzzy Hash: 28bd729fac991b97375f51599cde9360995ff47be5afcc07d8e21ece8bc010de
Instruction Fuzzy Hash: 5B1170A4E0561131EF32292A5D027AB25455FA1707F88407FFC04E57C2F6ADEE5B80AE

Uniqueness

Uniqueness Score: -1.00%

Function 0044B580 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 184windowCOMMON

Download Yara Rule

APIs

__wcstoi64.LIBCMT ref: 0044B5BB
MessageBeep.USER32(00000000), ref: 0044B5D3

Part of subcall function 004998B8: __wcstoi64.LIBCMT ref: 004998C4

mciSendStringW.WINMM(status AHK_PlayMe mode,?,00000208,00000000), ref: 0044B60B
mciSendStringW.WINMM(close AHK_PlayMe,00000000,00000000,00000000), ref: 0044B620
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0044B642

Strings

play AHK_PlayMe, xrefs: 0044B69F
close AHK_PlayMe, xrefs: 0044B61B, 0044B78E
stopped, xrefs: 0044B710
open "%s" alias AHK_PlayMe, xrefs: 0044B623
status AHK_PlayMe mode, xrefs: 0044B606, 0044B6F3, 0044B767

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: SendString$__wcstoi64$BeepMessage
String ID: close AHK_PlayMe$open "%s" alias AHK_PlayMe$play AHK_PlayMe$status AHK_PlayMe mode$stopped
API String ID: 315599926-4077410995
Opcode ID: 0d89839fa6df8727be9fb5e588875a47fb2a2c6a0cad1f249bf282da5188443d
Instruction ID: a59512be31c2f44ef7b952768743a444a8fa8e3aeae1832b1b1feec19a47f7ab
Opcode Fuzzy Hash: 0d89839fa6df8727be9fb5e588875a47fb2a2c6a0cad1f249bf282da5188443d
Instruction Fuzzy Hash: 6E51287278030461F620A6249C83FF77350DBA5B25F24053BF640A92D1E7AEE98982FD

Uniqueness

Uniqueness Score: -1.00%

Function 0041C070 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 61COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041C082

Strings

Pos, xrefs: 0041C07C
Visible, xrefs: 0041C0DC
Focus, xrefs: 0041C094
Enabled, xrefs: 0041C0C4
FocusV, xrefs: 0041C0AC
Hwnd, xrefs: 0041C0F4
Name, xrefs: 0041C10C

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll
String ID: Enabled$Focus$FocusV$Hwnd$Name$Pos$Visible
API String ID: 3832890014-542124868
Opcode ID: 6b0cf7baff83b24d1400e744c4f44a3e57d96c221cb9590e97726be5e30937fa
Instruction ID: bc9ac6e8ff72f6a7ffb4b5a15c0e54f315aedd7080a02c6bc87ecbb9040aad37
Opcode Fuzzy Hash: 6b0cf7baff83b24d1400e744c4f44a3e57d96c221cb9590e97726be5e30937fa
Instruction Fuzzy Hash: 5C0144E5A84A11B2EF12226D4C037E764455BA1B17FD5407AF904D52C2F38EDA57807E

Uniqueness

Uniqueness Score: -1.00%

Function 0045C760 Relevance: 24.3, APIs: 16, Instructions: 258windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0044DDD0: GetForegroundWindow.USER32(?,?,004408D5,?), ref: 0044DDFE
Part of subcall function 0044DDD0: IsWindowVisible.USER32(00000000), ref: 0044DE19

__wcsicoll.LIBCMT ref: 0045C7EA
GetSystemMenu.USER32(00000000,00000000), ref: 0045C7F8
GetMenu.USER32(00000000), ref: 0045C814
GetMenuItemCount.USER32(00000000), ref: 0045C829
__fassign.LIBCMT ref: 0045C8A9
GetMenuItemID.USER32(?,?), ref: 0045C8D0
GetSubMenu.USER32(?,?), ref: 0045C8DF
GetMenuItemCount.USER32(00000000), ref: 0045C8EA

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Menu$Item$CountWindow$ForegroundSystemVisible__fassign__wcsicoll
String ID:
API String ID: 3951159358-0
Opcode ID: 42e2dbe19847abb0c93aecc31c3886ec6805693b78a8517852eeeb95e40f8c78
Instruction ID: f786b000fcda9a4ca3e460338c6a59aabbfa3e864da7d3d57e48403bbf6adccc
Opcode Fuzzy Hash: 42e2dbe19847abb0c93aecc31c3886ec6805693b78a8517852eeeb95e40f8c78
Instruction Fuzzy Hash: 4F91C3B16043059FC720DF64DC85B6B7BE4EB89316F00492EFD9697282D778D908CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0042D3A0 Relevance: 23.2, APIs: 8, Strings: 5, Instructions: 410COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0042D400
__wcsicoll.LIBCMT ref: 0042D452
_memmove.LIBCMT ref: 0042D5BE
_memmove.LIBCMT ref: 0042D746
__wcsicoll.LIBCMT ref: 0042D78E
__wcsicoll.LIBCMT ref: 0042D82F
_memmove.LIBCMT ref: 0042D86A

Strings

", xrefs: 0042D4D8
Illegal parameter name., xrefs: 0042D48A
ErrorLevel, xrefs: 0042D44C
Variable name too long., xrefs: 0042D3E2
Out of memory., xrefs: 0042D6D1

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll_memmove$_wcsncpy
String ID: "$ErrorLevel$Illegal parameter name.$Out of memory.$Variable name too long.
API String ID: 3055118137-3900197193
Opcode ID: 3f2978ca08b5823e59234dcb84cac4d8f72408b5737be3d636cadafe55491627
Instruction ID: 597ed60744be9f5bb511461ab132ca5a6ba6c0cf59070a1053b609ac598c24a4
Opcode Fuzzy Hash: 3f2978ca08b5823e59234dcb84cac4d8f72408b5737be3d636cadafe55491627
Instruction Fuzzy Hash: 33E1E375A043158FC720DF18E880AABB3E1FF94318F54466EE84887351E779EE46CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0045D050 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 133windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000020), ref: 0045D05C
SendMessageTimeoutW.USER32(?,-00000186,-00000001,00000000,00000002,000007D0,?), ref: 0045D09E
GetParent.USER32 ref: 0045D0B4
SetLastError.KERNEL32(00000000,?,?,-00000186,-00000001,00000000,00000002,000007D0,?), ref: 0045D0C6
GetDlgCtrlID.USER32 ref: 0045D0CD
GetLastError.KERNEL32(?,?,?,-00000186,-00000001,00000000,00000002,000007D0,?), ref: 0045D0D9
SendMessageTimeoutW.USER32(00000000,00000111,?,?,00000002,000007D0,000000FF), ref: 0045D106
SendMessageTimeoutW.USER32(00000000,00000111,00000002,?,00000002,000007D0,000000FF), ref: 0045D12E
GetWindowLongW.USER32(?,000000F0), ref: 0045D154
SendMessageTimeoutW.USER32(?,0000018F,000000FF,?,00000002,000007D0,?), ref: 0045D199
SendMessageTimeoutW.USER32(?,00000185,00000001,?,00000002,000007D0,?), ref: 0045D1BD

Strings

List, xrefs: 0045D13D
Combo, xrefs: 0045D066

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSendTimeout$ErrorLast$ClassCtrlLongNameParentWindow
String ID: Combo$List
API String ID: 3027087493-1246219895
Opcode ID: 9d0bd323d2027afc60b7deb037bf2b3968fe2c55dec6f6482042ec59cd7cc6be
Instruction ID: b2f99dfb8b04b2abc930e2567c4349aaa6524976b9ac8e221910365341d07884
Opcode Fuzzy Hash: 9d0bd323d2027afc60b7deb037bf2b3968fe2c55dec6f6482042ec59cd7cc6be
Instruction Fuzzy Hash: 8B410A70A4470779E6209F209C46F7B36A8AF81B55F10432AFE50E51D1DBA8DC0A877A

Uniqueness

Uniqueness Score: -1.00%

Function 00467110 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 327COMMON

Download Yara Rule

Strings

Icon, xrefs: 00467353
MZ@, xrefs: 00467809

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcstoui64
String ID: Icon$MZ@
API String ID: 3882282163-1469380288
Opcode ID: 5d9b4d442fbe6cd93e1b3edc4756a4248635910355e3758068181f3abc589fc4
Instruction ID: 8a493aa0fa0bef176bec299ea456ef39cb30a6f7b45cafd14f0dd07a348eb3f0
Opcode Fuzzy Hash: 5d9b4d442fbe6cd93e1b3edc4756a4248635910355e3758068181f3abc589fc4
Instruction Fuzzy Hash: 2AC1F371608300ABC720EF25DC45BAB77E4AB88718F04492FF9458B391E779A945CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 00443490 Relevance: 21.3, APIs: 6, Strings: 6, Instructions: 289COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004434DF

Strings

%sBottom, xrefs: 00443667
h, xrefs: 004434E8
Parameter #2 invalid., xrefs: 004434BB
%sTop, xrefs: 00443607
%sRight, xrefs: 00443637
%sLeft, xrefs: 004435CB

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _memset
String ID: %sBottom$%sLeft$%sRight$%sTop$Parameter #2 invalid.$h
API String ID: 2102423945-3189716140
Opcode ID: 361f6bbfd2fc1d4f5d9ddf487c0baddf788c4cc8aae2a36b47072e8ce631c801
Instruction ID: d4e7abf59d4070fa54747ad06f1ca0fe5cd917a949eecd05da3ed2bb8b2cc8d5
Opcode Fuzzy Hash: 361f6bbfd2fc1d4f5d9ddf487c0baddf788c4cc8aae2a36b47072e8ce631c801
Instruction Fuzzy Hash: 6D9196B13442006BD214EE19DC41FABB3A9EBC8B15F10852FF948DB391DA79DD1487AA

Uniqueness

Uniqueness Score: -1.00%

Function 0047C180 Relevance: 19.8, APIs: 13, Instructions: 292registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,?,00000000,004AF9BC,00000000,?,00000000,?,?,?,004AF9BC,?,00000000,?,004AF9BC,004AF9BC), ref: 0047C1D0
RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,?,?,004AF9BC,?,00000000,?,004AF9BC,004AF9BC), ref: 0047C223
_malloc.LIBCMT ref: 0047C278
RegSetValueExW.ADVAPI32(?,?,00000000,00000007,00000000,00000000), ref: 0047C2F1
_free.LIBCMT ref: 0047C2FA
RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004), ref: 0047C339
_malloc.LIBCMT ref: 0047C37F
RegCloseKey.ADVAPI32(?,?,004AF9BC,?,00000000,?,004AF9BC,004AF9BC), ref: 0047C46B
GetLastError.KERNEL32(?,004AF9BC,?,00000000,?,004AF9BC,004AF9BC), ref: 0047C476

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Value$_malloc$CloseCreateErrorLast_free
String ID:
API String ID: 1054883360-0
Opcode ID: 1e526ac73728ca32e499448e28cab08a46f28660050d793f9b52d95741b0c3df
Instruction ID: 0461442c398d0faff4db75e9c84df6d5c0e8cbe74f27a73c4e78cb77a220ba59
Opcode Fuzzy Hash: 1e526ac73728ca32e499448e28cab08a46f28660050d793f9b52d95741b0c3df
Instruction Fuzzy Hash: 499123716043019BC7209F64CCC1BE773A5EB88724F14CA2FF9099B291E7B8ED458759

Uniqueness

Uniqueness Score: -1.00%

Function 0045D27E Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 243windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C630: __wcsicoll.LIBCMT ref: 0041C648

Part of subcall function 0044DDD0: GetForegroundWindow.USER32(?,?,004408D5,?), ref: 0044DDFE
Part of subcall function 0044DDD0: IsWindowVisible.USER32(00000000), ref: 0044DE19

SendMessageTimeoutW.USER32(00000000,000000F0,00000000,00000000,00000002,000007D0,?), ref: 0045D308
IsWindowEnabled.USER32(00000000), ref: 0045D33C
IsWindowVisible.USER32(00000000), ref: 0045D366
SendMessageTimeoutW.USER32(00000000,0000130B,00000000,00000000,00000002,000007D0,?), ref: 0045D3A4
GetClassNameW.USER32(00000000,?,00000020), ref: 0045D3DA
GetClassNameW.USER32(00000000,?,00000020), ref: 0045D437
SendMessageTimeoutW.USER32(00000000,00000188,00000000,00000000,00000002,000007D0,?), ref: 0045D49B
SendMessageTimeoutW.USER32(00000000,0000018A,?,00000000,00000002,000007D0,?), ref: 0045D4C1
SendMessageTimeoutW.USER32(00000000,00000189,?,00000000), ref: 0045D51A
GetClassNameW.USER32(00000000,?,00000020), ref: 0045D5BF

Strings

SysListView32, xrefs: 0045D5C8
Combo, xrefs: 0045D3E3, 0045D440

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSendTimeout$Window$ClassName$Visible$EnabledForeground__wcsicoll
String ID: Combo$SysListView32
API String ID: 4132077911-871643043
Opcode ID: 2430bb9f795c8816207e9c7302c48ebfe567a87afadb421e45e2e7fdceca4436
Instruction ID: 9bcfc81be60550c6068f3feb5087d46eeb933df4e18782bb5d57e1a9c42ad08c
Opcode Fuzzy Hash: 2430bb9f795c8816207e9c7302c48ebfe567a87afadb421e45e2e7fdceca4436
Instruction Fuzzy Hash: E671E470E042057BEB20DAA49C86FBF7778DF45711F10422ABE15EB2C1D7B8AD098769

Uniqueness

Uniqueness Score: -1.00%

Function 004120D0 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 235COMMON

Download Yara Rule

APIs

Part of subcall function 0047F770: _vswprintf_s.LIBCMT ref: 0047F789

__itow.LIBCMT ref: 0041215B
__swprintf.LIBCMT ref: 004122CC

Strings

%i-%i, xrefs: 004122C6
PART, xrefs: 00412291
(no), xrefs: 00412352
%s%s%s%s%s%s, xrefs: 0041237A
OFF, xrefs: 00412241, 0041225D, 0041236C
TypeOff?LevelRunningName-------------------------------------------------------------------, xrefs: 004120DF

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __itow__swprintf_vswprintf_s
String ID: %i-%i$%s%s%s%s%s%s$(no)$OFF$PART$TypeOff?LevelRunningName-------------------------------------------------------------------
API String ID: 726126973-1635122839
Opcode ID: a1d0f89bee5c33ce93391b826a2795e2f35dc68cc88e7a75cc90153950a6620b
Instruction ID: 34bf3e5c0087f181332967067a8d545fd9b9b4404796f165b32140a00490d79c
Opcode Fuzzy Hash: a1d0f89bee5c33ce93391b826a2795e2f35dc68cc88e7a75cc90153950a6620b
Instruction Fuzzy Hash: EF81F3712083019AD724DF69CA40BBB77E4AF85304F1449AFE88AC7251E3BCD9A5C35A

Uniqueness

Uniqueness Score: -1.00%

Function 00474540 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 190windowlibraryloaderCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00474580
SendMessageW.USER32(?,0000104B,00000000,?), ref: 00474627
__fassign.LIBCMT ref: 00474641
SendMessageW.USER32(?,0000104C,00000000,?), ref: 00474685
LoadLibraryW.KERNEL32(shlwapi,?,?,00001004,00000000,00000000,00000000,?,?,004593DC,00000000,00000000,00000041), ref: 004746CA
GetProcAddress.KERNEL32(00000000,StrCmpLogicalW), ref: 004746DA
SendMessageW.USER32 ref: 00474749
SendMessageW.USER32(00000000,0000104C,00000000,00000004), ref: 0047477E
SendMessageW.USER32(00000001,00001030,?,00474380), ref: 004747C3

Strings

StrCmpLogicalW, xrefs: 004746D4
shlwapi, xrefs: 004746C5

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$AddressLibraryLoadProc__fassign
String ID: StrCmpLogicalW$shlwapi
API String ID: 179551950-63816878
Opcode ID: aece04ec7635ab8c1e6fde562b3a804c5271cc6ad21ae6fd2bd98425d74328f4
Instruction ID: 5995b38b6d8d70bf30ef631f21e030ec937cbfca5242952c5c7f691f80a5e4a9
Opcode Fuzzy Hash: aece04ec7635ab8c1e6fde562b3a804c5271cc6ad21ae6fd2bd98425d74328f4
Instruction Fuzzy Hash: 5D7182B4508384AFD764DF24C880BABBBE4ABC5304F14891EF5C987291D7B9D948CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0043F330 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 167COMMON

Download Yara Rule

Strings

EndKey, xrefs: 0043F4DC
Stopped, xrefs: 0043F512
Max, xrefs: 0043F4EE
sc%03X, xrefs: 0043F49D
Match, xrefs: 0043F367
Timeout, xrefs: 0043F355
EndKey:, xrefs: 0043F394
NewInput, xrefs: 0043F500

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: EndKey$EndKey:$Match$Max$NewInput$Stopped$Timeout$sc%03X
API String ID: 0-3482771585
Opcode ID: 2dd8544c31d98b52655b32ff5c91582ef3165c650e9ceb13a89a39e54645ecd0
Instruction ID: c95364e054c216d5446ddaf2595f1ffb2a7acf93bcac0a0a06727b461c2fbe7e
Opcode Fuzzy Hash: 2dd8544c31d98b52655b32ff5c91582ef3165c650e9ceb13a89a39e54645ecd0
Instruction Fuzzy Hash: CE515E72B0425056D730472DA8417F7B3A0DBE9325F04803FEA8486381E66E999DC37E

Uniqueness

Uniqueness Score: -1.00%

Function 00476240 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 147windowCOMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 004762FA
SetMenuItemInfoW.USER32 ref: 004763FD

Strings

Break, xrefs: 0047634E
BarBreak, xrefs: 00476372
Radio, xrefs: 004762F1
0, xrefs: 004763E9
Right, xrefs: 00476324
, xrefs: 00476388

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InfoItemMenu__wcsicoll
String ID: $0$BarBreak$Break$Radio$Right
API String ID: 4222793379-1315102453
Opcode ID: 76a3b46789b63ae370d0f613f381f8de91c706c77331fba836b3d477b9ca7788
Instruction ID: 8d0ca1c8e1922e1f532a8a2a8c603a1b6a78e451ade42486e9af547a6d324f81
Opcode Fuzzy Hash: 76a3b46789b63ae370d0f613f381f8de91c706c77331fba836b3d477b9ca7788
Instruction Fuzzy Hash: 66411671504B1286D7209F10CA006BBB7A6EF90705F16845FECCD97782E37C9E0AC7AA

Uniqueness

Uniqueness Score: -1.00%

Function 0046F100 Relevance: 18.2, APIs: 12, Instructions: 217windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001304,00000000,00000000), ref: 0046F13E
GetWindowLongW.USER32 ref: 0046F16D
_wcschr.LIBCMT ref: 0046F1B1
SendMessageW.USER32(?,?,00000000,?), ref: 0046F1FC
SendMessageW.USER32(?,00001061,?,?), ref: 0046F237
SendMessageW.USER32(?,?,00000000,00000000), ref: 0046F299
SendMessageW.USER32(?,0000108F,00000000,00000000), ref: 0046F2D2
GetWindowLongW.USER32(?,000000F0), ref: 0046F2D9
SendMessageW.USER32(?,0000101E,00000000,0000FFFE), ref: 0046F2FE
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0046F320
SendMessageW.USER32(?,0000014E,00000001,?), ref: 0046F33E
SendMessageW.USER32(0000014E,0000014E,?,00000000), ref: 0046F350

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$LongWindow$_wcschr
String ID:
API String ID: 958538355-0
Opcode ID: 3eece04c8e4ef4e6b7f8504e59e413abb7ae7cc1b6231b780bc68e99a075c784
Instruction ID: acc37d17634192ab70c2d38dd8c908b5a4024bb85b070ee8b658300eaab9f4f0
Opcode Fuzzy Hash: 3eece04c8e4ef4e6b7f8504e59e413abb7ae7cc1b6231b780bc68e99a075c784
Instruction Fuzzy Hash: 8471BFB4604341ABD320CF68EC91B7777E5EB85710F104A6EF9D1872C0E7799889CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 004626C0 Relevance: 17.9, APIs: 6, Strings: 4, Instructions: 412memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 00462A14

Strings

File, xrefs: 00462AAD
Message, xrefs: 004629D3
Line, xrefs: 00462B1A
What, xrefs: 00462A40

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocString
String ID: File$Line$Message$What
API String ID: 2525500382-2423932577
Opcode ID: 98789537752971a8182dcafd0dfd4b66361628883d3ab238250a974c8f89ed9d
Instruction ID: 7942f8a2fb03a59f32bd8b01f1dcf0afa47e82e19b2d14bd93b61cec370c33fd
Opcode Fuzzy Hash: 98789537752971a8182dcafd0dfd4b66361628883d3ab238250a974c8f89ed9d
Instruction Fuzzy Hash: 49025BB16087419FC724CF14C584A9BB7E4FB88304F14892EE99987321E7B5E949CF97

Uniqueness

Uniqueness Score: -1.00%

Function 00438590 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 265COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004385D9
_wcsncpy.LIBCMT ref: 00438643
_wcschr.LIBCMT ref: 0043868A
_memmove.LIBCMT ref: 004386D6
_wcschr.LIBCMT ref: 004386E3

Strings

", xrefs: 004386A9
Out of memory., xrefs: 004385F0

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _wcschr$_malloc_memmove_wcsncpy
String ID: "$Out of memory.
API String ID: 278627150-1555670740
Opcode ID: e8591cd33f91e315fb57ce74a34fb7f6f12808056887d5351ed3335fe17eadb9
Instruction ID: 999bcaa21686f6be214ae958bbfde84434e70bdbe1f61e35890ff8e0660d1f40
Opcode Fuzzy Hash: e8591cd33f91e315fb57ce74a34fb7f6f12808056887d5351ed3335fe17eadb9
Instruction Fuzzy Hash: 0C91B0B1E002159BDF20DB54DC81AAFB7B5EF48310F14406EF905A7341EB78AE45CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 004604E0 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 245COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0046064F
__wcsicoll.LIBCMT ref: 00460668
__wcsicoll.LIBCMT ref: 004606BC
SysStringLen.OLEAUT32(?), ref: 004606EE
SysFreeString.OLEAUT32(?), ref: 00460702
__wcsicoll.LIBCMT ref: 00460721

Strings

class, xrefs: 00460649
iid, xrefs: 00460674, 0046071B
clsid, xrefs: 00460662
name, xrefs: 0046065B, 004606B6

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll$String$Free
String ID: class$clsid$iid$name
API String ID: 637319055-3724380462
Opcode ID: 113fc1c96e34fccf5c1cdd7b883b9e1a91a053569f7b95b1f65b896196ec69c5
Instruction ID: a05b808ae967ab5224aac7840156afee5113f0117b7b95a15f9afeb498deebe5
Opcode Fuzzy Hash: 113fc1c96e34fccf5c1cdd7b883b9e1a91a053569f7b95b1f65b896196ec69c5
Instruction Fuzzy Hash: D481AC75604201AFDB10DF19D880B27B3A4EF85315F14856EF94A8B391E778EC16CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 004145E0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 229COMMON

Download Yara Rule

Strings

@, xrefs: 004146A9

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 21413663c1a70620908940de7f001471520e2de3903fb628938eea3e9f1f187f
Instruction ID: e2d7767ee30d8d3715f9d0fa255fca04d6fd0b4f98cfc70d02e2837637dac6be
Opcode Fuzzy Hash: 21413663c1a70620908940de7f001471520e2de3903fb628938eea3e9f1f187f
Instruction Fuzzy Hash: 2C91D434509384DED310DF28E850BA7BFE0AF96304F4984BFD5848B3A1DB789944DB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00484280 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 196windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000406,00000000,00000000,00000002,000007D0,?), ref: 00484301
GetTickCount.KERNEL32 ref: 00484340
SendMessageTimeoutW.USER32(?,0000040C,?,00000000,00000002,000007D0,?), ref: 00484365
SendMessageTimeoutW.USER32(?,0000040D,?,?,00000002,000007D0,?), ref: 0048438F
ReadProcessMemory.KERNEL32(?,?,?,?,00000000,?,0000040D,?,?,00000002,000007D0,?,?,0000040C,?,00000000), ref: 004843AC
IsWindow.USER32 ref: 004843D5
GetTickCount.KERNEL32 ref: 004843EE
VirtualFreeEx.KERNEL32(000000FF,00000000,00000000,00008000,?,?,000000FF,00000000,00000001,?,0000040C,?,00000000,00000002,000007D0,?), ref: 0048448F
CloseHandle.KERNEL32(000000FF,?,0000040C,?,00000000,00000002,000007D0,?), ref: 00484496

Strings

2, xrefs: 004842C8

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSendTimeout$CountTick$CloseFreeHandleMemoryProcessReadVirtualWindow
String ID: 2
API String ID: 1969275300-450215437
Opcode ID: 5780e1c6e06f86fb329e9f2accf5e53601474ce00edffa58bd9e0269de7f1ea2
Instruction ID: 5f02aea699df8904a79e18c2b6c6c1686094d7063d14967b86cbf429e501baf7
Opcode Fuzzy Hash: 5780e1c6e06f86fb329e9f2accf5e53601474ce00edffa58bd9e0269de7f1ea2
Instruction Fuzzy Hash: 0961E731604301ABD721AB619C45FAF73A4ABC4B14F14492FF684AB2C0D6BDE985876E

Uniqueness

Uniqueness Score: -1.00%

Function 00443840 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 182windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32 ref: 0044384D
GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00443891
_malloc.LIBCMT ref: 004438E4
SelectObject.GDI32(?,?), ref: 00443927
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00443947
GetSystemPaletteEntries.GDI32(?,00000000,00000100), ref: 00443977

Strings

(, xrefs: 00443880

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Bits$CompatibleCreateEntriesObjectPaletteSelectSystem_malloc
String ID: (
API String ID: 1101625044-3887548279
Opcode ID: 6b96f9dcb9396a292764b8086e0fd596592656cc7616b9539c27107d32c0f28c
Instruction ID: ad798e3e8185a9a283abac946956045d51a21a710dbc96a9d4e6fd0f371ba2b6
Opcode Fuzzy Hash: 6b96f9dcb9396a292764b8086e0fd596592656cc7616b9539c27107d32c0f28c
Instruction Fuzzy Hash: 6061A3B1E002199FEF10CF65CC44BEEBBB4EF49705F0081AAE945A7340D678AE45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0047C5E0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 92registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,?,00000000,?,?,?,?,00000000,00434E7D,?,004AF9BC), ref: 0047C61F
RegCloseKey.ADVAPI32(?,004AF9BC), ref: 0047C647
GetModuleHandleW.KERNEL32(advapi32,RegDeleteKeyExW), ref: 0047C66E
GetProcAddress.KERNEL32(00000000), ref: 0047C675
GetLastError.KERNEL32(?,?,00000000,00434E7D,?,004AF9BC), ref: 0047C6A9
RegDeleteKeyW.ADVAPI32(00000000,?), ref: 0047C6B3
RegDeleteValueW.ADVAPI32(?,00000000,?,?,00000000,00434E7D,?,004AF9BC), ref: 0047C6BD
RegCloseKey.ADVAPI32(?,?,?,00000000,00434E7D,?,004AF9BC), ref: 0047C6CA

Strings

advapi32, xrefs: 0047C669
RegDeleteKeyExW, xrefs: 0047C664

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseDelete$AddressErrorHandleLastModuleOpenProcValue
String ID: RegDeleteKeyExW$advapi32
API String ID: 1329167188-3857959575
Opcode ID: e72b6a8230bd936b4ac538a78201742b577c0020bc7a8b8c9030bdcc14223146
Instruction ID: d57583017dad03ac2bad04c37ef0300e89c0053c32fe1b04efc208e5aa11c72c
Opcode Fuzzy Hash: e72b6a8230bd936b4ac538a78201742b577c0020bc7a8b8c9030bdcc14223146
Instruction Fuzzy Hash: 4231B4B0A053159BD6209F60EDC8F6777A9AB98714F11952FFC0A97341DB38DC018ABD

Uniqueness

Uniqueness Score: -1.00%

Function 0041B750 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 58COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041B784

Strings

Monitor, xrefs: 0041B7AE
MonitorWorkArea, xrefs: 0041B7C6
MonitorPrimary, xrefs: 0041B796
MonitorCount, xrefs: 0041B77E
MonitorName, xrefs: 0041B7DE

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll
String ID: Monitor$MonitorCount$MonitorName$MonitorPrimary$MonitorWorkArea
API String ID: 3832890014-629551668
Opcode ID: d17115075d7f6471e149693e9a3b643435df823e4da4479ffd9f44a72b6bba49
Instruction ID: c6425b100e508f058a8959a63f5b0f4faa84fb59fc1a79ce48577125f116d9c1
Opcode Fuzzy Hash: d17115075d7f6471e149693e9a3b643435df823e4da4479ffd9f44a72b6bba49
Instruction Fuzzy Hash: CF011265B81A1132EF32213D5C03BE754458BA0B07F94457AB914D52C6F78DCA4681ED

Uniqueness

Uniqueness Score: -1.00%

Function 0041C3F0 Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 47COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041C400
__wcsicoll.LIBCMT ref: 0041C418

Strings

WaitClose, xrefs: 0041C45A
Close, xrefs: 0041C412
Exist, xrefs: 0041C3FA
Wait, xrefs: 0041C442
Priority, xrefs: 0041C42A

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll
String ID: Close$Exist$Priority$Wait$WaitClose
API String ID: 3832890014-1466124334
Opcode ID: 80740709f46aa77b9e42f35d71546a86018188b7a208182927762f9b1387efde
Instruction ID: 002f69016ed5d0bfb1156b44c8af77ecc82072f8f28f633c089ee56fff300c41
Opcode Fuzzy Hash: 80740709f46aa77b9e42f35d71546a86018188b7a208182927762f9b1387efde
Instruction Fuzzy Hash: 07F090A1AC9A1131DF22213E5C63BFB20445BA1B0BFD4417BF840D12C2F78CDA8380AE

Uniqueness

Uniqueness Score: -1.00%

Function 0041D1B0 Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041D1C0
__wcsicoll.LIBCMT ref: 0041D1D3

Strings

ToolTip, xrefs: 0041D1E5
Pixel, xrefs: 0041D1BA
Mouse, xrefs: 0041D1CD
Caret, xrefs: 0041D1FD
Menu, xrefs: 0041D215

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll
String ID: Caret$Menu$Mouse$Pixel$ToolTip
API String ID: 3832890014-3728172800
Opcode ID: f7c489f79ff862c87d5e5056180509b16fd2c5991eba654e87aafe202eacc9cf
Instruction ID: 6b7eab92bbd90ef485dd7c641224e689282238dbf4668b6ea19f21cff2c5ea31
Opcode Fuzzy Hash: f7c489f79ff862c87d5e5056180509b16fd2c5991eba654e87aafe202eacc9cf
Instruction Fuzzy Hash: 97F067A0E4160132EF22252E4D027EB14455F6170BF9540BEBC10D2382F79CDA8691AE

Uniqueness

Uniqueness Score: -1.00%

Function 0041B1B0 Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 41COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041B1B6
__wcsicoll.LIBCMT ref: 0041B1CE

Strings

REG_SZ, xrefs: 0041B1B0
REG_MULTI_SZ, xrefs: 0041B1E0
REG_EXPAND_SZ, xrefs: 0041B1C8
REG_BINARY, xrefs: 0041B210
REG_DWORD, xrefs: 0041B1F8

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_SZ
API String ID: 3832890014-2346799943
Opcode ID: 636ca79d1d711a199542fd432caeb1d53e84408aa76cdd028bbc58aea0e9143a
Instruction ID: db48ba164207f6db3d397e00ad028db4db0dbe4bb3af8cf376f2fc54541ef08c
Opcode Fuzzy Hash: 636ca79d1d711a199542fd432caeb1d53e84408aa76cdd028bbc58aea0e9143a
Instruction Fuzzy Hash: C0F0FEA1A85A1531DF02203E5C03BEB64845FA1B87FD9117AFC04D1382F78D9A5681ED

Uniqueness

Uniqueness Score: -1.00%

Function 0046F380 Relevance: 16.6, APIs: 11, Instructions: 137windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00480EF0: __wcsnicmp.LIBCMT ref: 00480F39
Part of subcall function 00480EF0: __wcsnicmp.LIBCMT ref: 00480F4D
Part of subcall function 00480EF0: __wcstoi64.LIBCMT ref: 00480FAB
Part of subcall function 00480EF0: _wcsrchr.LIBCMT ref: 00480FCD
Part of subcall function 00480EF0: __wcsicoll.LIBCMT ref: 00481005
Part of subcall function 00480EF0: __wcsicoll.LIBCMT ref: 00481017
Part of subcall function 00480EF0: __wcsicoll.LIBCMT ref: 00481029
Part of subcall function 00480EF0: __wcsicoll.LIBCMT ref: 0048103B

SendMessageW.USER32(?,00000172,00000002,00000000), ref: 0046F3D0
DestroyCursor.USER32(00000000), ref: 0046F3D3
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0046F3E5
DeleteObject.GDI32(00000000), ref: 0046F3E8
DestroyCursor.USER32(?), ref: 0046F422
GetWindowLongW.USER32(?,000000F0), ref: 0046F432
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0046F462
SendMessageW.USER32(?,00000172,?,?), ref: 0046F475
SendMessageW.USER32(00000000,00000173,?,00000000), ref: 0046F482
DeleteObject.GDI32(?), ref: 0046F496
DestroyCursor.USER32(?), ref: 0046F49E

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend__wcsicoll$CursorDestroy$DeleteLongObjectWindow__wcsnicmp$__wcstoi64_wcsrchr
String ID:
API String ID: 3956547231-0
Opcode ID: 1de272d16afe86be8d4f7eae551de673f3a750b3281a76ecaa06b6637ce86ffb
Instruction ID: 09f958eb69e3ef082951419ae80796751e14e2b22207021ec21a5c222c8700f2
Opcode Fuzzy Hash: 1de272d16afe86be8d4f7eae551de673f3a750b3281a76ecaa06b6637ce86ffb
Instruction Fuzzy Hash: 8641E9715087046BD2348B64EC44F27B7E9EF95324F204A2EF5E686BD0DB78E845C62A

Uniqueness

Uniqueness Score: -1.00%

Function 00453500 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 316COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(004D8588), ref: 00453527
RtlLeaveCriticalSection.NTDLL(004D8588), ref: 0045368C
RtlLeaveCriticalSection.NTDLL(004D8588), ref: 0045383F
_free.LIBCMT ref: 0045388A
__wcsdup.LIBCMT ref: 004538B4
RtlLeaveCriticalSection.NTDLL(004D8588), ref: 004538F7

Strings

0, xrefs: 004537D5
Compile error %d at offset %d: %hs, xrefs: 004537BD
MZ@, xrefs: 0045371B

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$Leave$Enter__wcsdup_free
String ID: 0$Compile error %d at offset %d: %hs$MZ@
API String ID: 2407865940-621107290
Opcode ID: 9261572cfc13caa62c50edb1e90310031600812ec5bc7d1e75ac7d952361f823
Instruction ID: 0a8a2376a8eda69d11c22995ba1e06167350aa36c143cb948624275ee154f761
Opcode Fuzzy Hash: 9261572cfc13caa62c50edb1e90310031600812ec5bc7d1e75ac7d952361f823
Instruction Fuzzy Hash: 07C102B1A04205DBC714DF24C84076677E0FF49396F14496FEC5587392E378EA49CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004484B0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00448550
_wcschr.LIBCMT ref: 00448561
_wcsrchr.LIBCMT ref: 004485A0
_wcsrchr.LIBCMT ref: 004485B4
_wcschr.LIBCMT ref: 004485D9
_wcsrchr.LIBCMT ref: 00448617
_wcsrchr.LIBCMT ref: 00448628
_wcsrchr.LIBCMT ref: 004486B6

Strings

://, xrefs: 00448532

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _wcsrchr$_wcschr
String ID: ://
API String ID: 2648016162-1869659232
Opcode ID: 035b3e0356e366f738353e4e109bf200e6c284bd2d54192a67d02fb55a55a6b4
Instruction ID: 8bcf4223b7bbd0c7b9fa99477e12ae5b7fff0f90b92f95893d03c038d46b2c27
Opcode Fuzzy Hash: 035b3e0356e366f738353e4e109bf200e6c284bd2d54192a67d02fb55a55a6b4
Instruction Fuzzy Hash: 40712632A403015BEB34AE198D42BAF73E5DB80754F06492FFD459B381EAACED44C699

Uniqueness

Uniqueness Score: -1.00%

Function 0044C5B0 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 253COMMON

Download Yara Rule

APIs

__wcstoi64.LIBCMT ref: 0044C5EF

Part of subcall function 00499840: wcstoxq.LIBCMT ref: 00499861

Strings

pB@, xrefs: 0044C6AD
PA@, xrefs: 0044C671

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcstoi64wcstoxq
String ID: PA@$pB@
API String ID: 2194140525-3984362343
Opcode ID: 2fc9ba6d745af4b6e2030191979a906f6802a5d0a2886c6cde62b30f4df589ef
Instruction ID: 98e56b39d11ef32ec0adde4c166550d4fa0f1bc9eb0b817ae16e7a245f6a06ee
Opcode Fuzzy Hash: 2fc9ba6d745af4b6e2030191979a906f6802a5d0a2886c6cde62b30f4df589ef
Instruction Fuzzy Hash: B2A1FD716093019BE360EF25CC81F5BB7E4BB85704F184A2FF4549B291DBB99805CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0043A580 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 204COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0043A790

Strings

File, xrefs: 0043A742
__Delete will now return., xrefs: 0043A803
Unhandled exception., xrefs: 0043A7F4
Extra, xrefs: 0043A6FA
Message, xrefs: 0043A6D9
The current thread will exit., xrefs: 0043A80A, 0043A816
This DllCall requires a prior VarSetCapacity., xrefs: 0043A5A0
Line, xrefs: 0043A71E

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll
String ID: Extra$File$Line$Message$The current thread will exit.$This DllCall requires a prior VarSetCapacity.$Unhandled exception.$__Delete will now return.
API String ID: 3832890014-3230239306
Opcode ID: da1e35bf049fcc6164c849a76e1ef3b3dd58603ca7ace7b19cef089c247ae8f3
Instruction ID: 19567ad700a7bf9a5f8a29faff85ec1f3400d064ae9a7cb3af0d69c5ee52fb8d
Opcode Fuzzy Hash: da1e35bf049fcc6164c849a76e1ef3b3dd58603ca7ace7b19cef089c247ae8f3
Instruction Fuzzy Hash: CF61E1716842009BD720EF158C41BAB73E4AB88718F04442FF9C49B391D779ED618B9F

Uniqueness

Uniqueness Score: -1.00%

Function 004274CD Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 162COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00427504
__wcsicoll.LIBCMT ref: 0042751D

Strings

Integer, xrefs: 004275B3
Parameter #1 invalid., xrefs: 004272A1
Parameter #2 invalid., xrefs: 0042759A
Fast, xrefs: 00427514, 004275C9
Float, xrefs: 004274FE

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll__wcsnicmp
String ID: Fast$Float$Integer$Parameter #1 invalid.$Parameter #2 invalid.
API String ID: 28402859-2639214213
Opcode ID: e77722db7d1114f14b243402929a27333a3f5173c68ae18f05fff8d630ae3aa8
Instruction ID: 78b9faa7227f0889ba17207453ccc45d74af977406fb8f5fdf3847e743574e4a
Opcode Fuzzy Hash: e77722db7d1114f14b243402929a27333a3f5173c68ae18f05fff8d630ae3aa8
Instruction Fuzzy Hash: 5D5156307043109BEB209B1AF8447E777D29B41314F88442FE8498B396E77EAC85C76E

Uniqueness

Uniqueness Score: -1.00%

Function 00461490 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 95windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 004614EE
FormatMessageW.KERNEL32(00001200,00000000,?,00000000,?,00001000,00000000,004AF9BC), ref: 00461511
_vswprintf_s.LIBCMT ref: 00461556
SysFreeString.OLEAUT32(?), ref: 00461586
SysFreeString.OLEAUT32(00000000), ref: 0046158C
SysFreeString.OLEAUT32(?), ref: 00461592

Strings

0x%08X - , xrefs: 004614E8
No valid COM object!, xrefs: 004614DC
Source:%wsDescription:%wsHelpFile:%wsHelpContext:%d, xrefs: 0046154D

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FreeString$FormatMessage__swprintf_vswprintf_s
String ID: Source:%wsDescription:%wsHelpFile:%wsHelpContext:%d$0x%08X - $No valid COM object!
API String ID: 380084984-3028990165
Opcode ID: 68d0894721cb238c5c9bd485fc00ef7966248919d791223bd30f722a6212f008
Instruction ID: 191914e5ffae442f18943f495a3a66eff0293f9cecff3748f6909c0bf6ae88e8
Opcode Fuzzy Hash: 68d0894721cb238c5c9bd485fc00ef7966248919d791223bd30f722a6212f008
Instruction Fuzzy Hash: 3E310972A003006BD714EB64DC84F6777ACEFC4750F08447EA90697295E678D804C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 0041D370 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041D38B
__wcsicoll.LIBCMT ref: 0041D3A4

Strings

UTF-8, xrefs: 0041D385
UTF-16, xrefs: 0041D3B7
UTF-16-RAW, xrefs: 0041D3D0
UTF-8-RAW, xrefs: 0041D39E

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll
String ID: UTF-16$UTF-16-RAW$UTF-8$UTF-8-RAW
API String ID: 3832890014-2787617770
Opcode ID: 1e08c170795e1eb99c3f92f4f3a7d2a989a1df6d76a214828b3e5b367b003693
Instruction ID: fe47605b6019905f47338be509509b2ce0185d2eef72e63ffa06a1245d634fee
Opcode Fuzzy Hash: 1e08c170795e1eb99c3f92f4f3a7d2a989a1df6d76a214828b3e5b367b003693
Instruction Fuzzy Hash: 6E010CF2E4562122EE21312E3C02BEB11484B5076AF1A417BFD14E5786F79DEDC251EE

Uniqueness

Uniqueness Score: -1.00%

Function 0045A1E0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 273COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 0045A2E9
__fassign.LIBCMT ref: 0045A32C
__wcsnicmp.LIBCMT ref: 0045A351
__fassign.LIBCMT ref: 0045A370
__wcsnicmp.LIBCMT ref: 0045A395

Strings

0.6f, xrefs: 0045A36F, 0045A37E
GDI+, xrefs: 0045A38F
Icon, xrefs: 0045A34B

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __fassign$__wcsnicmp
String ID: 0.6f$GDI+$Icon
API String ID: 1066767119-1296671160
Opcode ID: ef8bdc071543b7902bc2c213db1879e84b5b98d6192ce4115e7727aa9fa61636
Instruction ID: 5ed88e9080d8f1f9fb406006ac9245464924e4f635579074e49692c53dd58749
Opcode Fuzzy Hash: ef8bdc071543b7902bc2c213db1879e84b5b98d6192ce4115e7727aa9fa61636
Instruction Fuzzy Hash: C591F3705002009BCB209F19884277B77E09F56756F144A6FFC859B382E379DD69C7AB

Uniqueness

Uniqueness Score: -1.00%

Function 0043A676 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 152COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0043A790

Strings

File, xrefs: 0043A742
__Delete will now return., xrefs: 0043A803
Unhandled exception., xrefs: 0043A7F4
Extra, xrefs: 0043A6FA
Message, xrefs: 0043A6D9
The current thread will exit., xrefs: 0043A80A, 0043A816
Line, xrefs: 0043A71E

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll
String ID: Extra$File$Line$Message$The current thread will exit.$Unhandled exception.$__Delete will now return.
API String ID: 3832890014-689785920
Opcode ID: 77754a55a646b393a41e2cdced0437dcf38e10bc365a1b9e9c521c784cb01b25
Instruction ID: ad524ae1bc14c49465ca95e1ccbe2e06e71f0faac895eaf9abbecdd3e741a62f
Opcode Fuzzy Hash: 77754a55a646b393a41e2cdced0437dcf38e10bc365a1b9e9c521c784cb01b25
Instruction Fuzzy Hash: 8D5103306842005BD710EB148882B6B73E5AB88718F09546FF9C49B392D77DED66C78F

Uniqueness

Uniqueness Score: -1.00%

Function 0044F7E0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0044F813
GetForegroundWindow.USER32 ref: 0044F81A

Strings

0, xrefs: 0044F86C

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountForegroundTickWindow
String ID: 0
API String ID: 1022652907-4108050209
Opcode ID: 6e7ea347bc7129ec467f6a06d1e446147a76fe609ec362c69ae3a6c64a60247c
Instruction ID: 2c376fb56ea014c708cea0e7ee17bf80b60a8f0505219084e605189d383812f7
Opcode Fuzzy Hash: 6e7ea347bc7129ec467f6a06d1e446147a76fe609ec362c69ae3a6c64a60247c
Instruction Fuzzy Hash: 21419D72A152049BD710EF69E84565AB7E4FB84B64F05457FEC08C73A0EB3598088BDA

Uniqueness

Uniqueness Score: -1.00%

Function 0045C100 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 130networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 0045C14E

Strings

0.0.0.0, xrefs: 0045C1B7

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Startup
String ID: 0.0.0.0
API String ID: 724789610-3771769585
Opcode ID: 989fb97feed612ff752f784a1ed887b65df582be2ad3b042ed9a986b21a6647d
Instruction ID: 9c576b0ed2434dbdaa5375153f88b1a4b6e095ed9703ce71e5074f76ac8e7f31
Opcode Fuzzy Hash: 989fb97feed612ff752f784a1ed887b65df582be2ad3b042ed9a986b21a6647d
Instruction Fuzzy Hash: AF41A075A047418FC720DF68D88579B77A8FF85711F04466EE855C7741EB38D808CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041A021 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlGetVersion), ref: 0041A03A
GetProcAddress.KERNEL32(00000000), ref: 0041A041
GetVersionExW.KERNEL32(004DB230), ref: 0041A06D
__snwprintf.LIBCMT ref: 0041A0A4

Strings

ntdll.dll, xrefs: 0041A035
10.0.19045, xrefs: 0041A08E
RtlGetVersion, xrefs: 0041A030
%u.%u.%u, xrefs: 0041A087

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProcVersion__snwprintf
String ID: %u.%u.%u$10.0.19045$RtlGetVersion$ntdll.dll
API String ID: 3388246157-3673595452
Opcode ID: fe2be610fc5eae03b47f9d251dc46594e8054e2d39619e390839d956cb11a5fa
Instruction ID: 8759b6a96d92ad7b9e60c1121f2ef0af13fb81733101d4a95d02437c91f332a2
Opcode Fuzzy Hash: fe2be610fc5eae03b47f9d251dc46594e8054e2d39619e390839d956cb11a5fa
Instruction Fuzzy Hash: 5D316171507380DBDF10CB64AC8A7963FA0E316718F26407FD84986761C7B948D4A7AF

Uniqueness

Uniqueness Score: -1.00%

Function 0041C7B0 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041C7C0
__wcsicoll.LIBCMT ref: 0041C7D8

Strings

Eject, xrefs: 0041C7BA
Lock, xrefs: 0041C7D2
Label, xrefs: 0041C802
Unlock, xrefs: 0041C7EA

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll
String ID: Eject$Label$Lock$Unlock
API String ID: 3832890014-1359929989
Opcode ID: 198c000c882611f307bbf2d7a2640c5fa0bf9f0dbfffbe054ba0add9c2aaa653
Instruction ID: 26aebac09cb40e35d5dd9c798f69efaa5b3f05884ab439b3ac882effcd6c6ad4
Opcode Fuzzy Hash: 198c000c882611f307bbf2d7a2640c5fa0bf9f0dbfffbe054ba0add9c2aaa653
Instruction Fuzzy Hash: D3F0A7F1AC1A1121EF1220394D437F758451B60B07F84413BF800D12C2F38CCD8780AD

Uniqueness

Uniqueness Score: -1.00%

Function 0041D140 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 36COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041D150
__wcsicoll.LIBCMT ref: 0041D162
__wcsicoll.LIBCMT ref: 0041D174

Part of subcall function 00499409: __wcsicmp_l.LIBCMT ref: 00499489

__wcsicoll.LIBCMT ref: 0041D186

Strings

Screen, xrefs: 0041D14A
Client, xrefs: 0041D180
Relative, xrefs: 0041D15C
Window, xrefs: 0041D16E

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll$__wcsicmp_l
String ID: Client$Relative$Screen$Window
API String ID: 3172861507-2312238187
Opcode ID: 389fc2dc23fbb36090d37af25982b9f9ef53e983f3dd7bfabc1222de5a2db906
Instruction ID: a900d9552ae410e3e6313ba961ee67032e00c001389ed5ca3302fca8e23d3a9c
Opcode Fuzzy Hash: 389fc2dc23fbb36090d37af25982b9f9ef53e983f3dd7bfabc1222de5a2db906
Instruction Fuzzy Hash: CDE0C0E1F46A1131EF2231258D027FB90440F51747F99017BBC08E16C5F68DCD8690BD

Uniqueness

Uniqueness Score: -1.00%

Function 00474230 Relevance: 13.6, APIs: 9, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000019F,00000000,00000000), ref: 0047426A
SendMessageW.USER32(?,00000198,00000000,80000000), ref: 00474283
SendMessageW.USER32(00000000,0000100C,000000FF,00000001), ref: 00474299
SendMessageW.USER32(?,0000100E,00000000,80000000), ref: 004742B6
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 004742CC
SendMessageW.USER32(?,00001104,00000001,80000000), ref: 004742E5
SendMessageW.USER32(?,00000419,00000000,80000000), ref: 004742F8
GetWindowRect.USER32(?,80000000), ref: 00474310
MapWindowPoints.USER32(?,00000000,00000002,00000002), ref: 00474324

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window$PointsRect
String ID:
API String ID: 467674420-0
Opcode ID: 346b056c67873efc7fdd8c612ddcfb56faf0ec810fe3487c00370a25644a108a
Instruction ID: 8b07480056d6b1c07f7b9e10b4dfd9b3ceaa409341a3a6b351bcc2b98dfbc944
Opcode Fuzzy Hash: 346b056c67873efc7fdd8c612ddcfb56faf0ec810fe3487c00370a25644a108a
Instruction Fuzzy Hash: 2731CF70244301BBD324CF68CC85FAAB7A8EBD8750F208A1DF699972E4D7B4E8418B55

Uniqueness

Uniqueness Score: -1.00%

Function 0040F690 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 370COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040F6B1
UnregisterHotKey.USER32(00010424,?,004D82E0,00000028,004DA6C0), ref: 0040F74B

Strings

+I@, xrefs: 0040FA72, 0040F8A0

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Unregister_memset
String ID: +I@
API String ID: 2392160147-2621359567
Opcode ID: 958f1b0fe1759e7ae6c0546d4a8cd93a611ab1a09577a5171f5d0a95110cc678
Instruction ID: adb740670463004cfe2d5e12b1818e76b7f31ee1aab3a39e96d1d0febf72ff1e
Opcode Fuzzy Hash: 958f1b0fe1759e7ae6c0546d4a8cd93a611ab1a09577a5171f5d0a95110cc678
Instruction Fuzzy Hash: 14E1D360A087809ADB35CF2594447637BA16B12708F0844BBD4C5ABFD2D37DED8EC79A

Uniqueness

Uniqueness Score: -1.00%

Function 0040835E Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 264COMMON

Download Yara Rule

APIs

__wcstoui64.LIBCMT ref: 004083C9
__wcstoui64.LIBCMT ref: 004083D9
__wcsicoll.LIBCMT ref: 00408447

Strings

<response command="source" success="0" transaction_id="%e"/>, xrefs: 0040868A
</response>, xrefs: 00408631
lT@, xrefs: 004084E1
<response command="source" success="1" transaction_id="%e" encoding="base64">, xrefs: 004084CC

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcstoui64$__wcsicoll
String ID: </response>$<response command="source" success="0" transaction_id="%e"/>$<response command="source" success="1" transaction_id="%e" encoding="base64">$lT@
API String ID: 400967290-2605269931
Opcode ID: 48c4c74edd8535ddaa4e350a028e5f0c79cb85c27335ebcc0bfbdbbab3abc75c
Instruction ID: 508038350793ddb0889309a683fc63c339571ad4e4d1caf4e39d0c50e309b7bd
Opcode Fuzzy Hash: 48c4c74edd8535ddaa4e350a028e5f0c79cb85c27335ebcc0bfbdbbab3abc75c
Instruction Fuzzy Hash: 8191DE315083019BD720DF29CA81B9BB7E4AB94714F144A3EF5D4E72D1EB79D8048B6A

Uniqueness

Uniqueness Score: -1.00%

Function 00438290 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004382D7
_wcsncpy.LIBCMT ref: 00438343
_wcsncpy.LIBCMT ref: 00438366
_wcschr.LIBCMT ref: 00438403
_free.LIBCMT ref: 00438425
_free.LIBCMT ref: 0043850A

Strings

Out of memory., xrefs: 004382EE

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _free_wcsncpy$_malloc_wcschr
String ID: Out of memory.
API String ID: 609840974-4087320997
Opcode ID: 0abee521e9d52a45302ef2197034f91ab14c2a92f8df07c3a4ea94c3450e7e8c
Instruction ID: 506b89859ed1b56aed38349df0a4b25dcf904bc87594b32a87bb147968f223a6
Opcode Fuzzy Hash: 0abee521e9d52a45302ef2197034f91ab14c2a92f8df07c3a4ea94c3450e7e8c
Instruction Fuzzy Hash: 2E91AFB1A002169BCF20DF58C8416BFB3B4EF98710F18505EF84597341EB79AE55CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004581F0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 224windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(02C410B8,00001032,00000000,00000000), ref: 004582CF
__wcsnicmp.LIBCMT ref: 004582EA
SendMessageW.USER32(02C410B8,00001004,00000000,00000000), ref: 00458321

Strings

Col, xrefs: 004582E4

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$__wcsnicmp
String ID: Col
API String ID: 2103314646-737980560
Opcode ID: 26099f610d69601eff0ae24319f03ed8e3b87f464a97081735e8018b9a440437
Instruction ID: 8d7fb60e2da1b6f9f17f72c6fa7fd382c62d3d93dc44dbc2d435e95008db5d4f
Opcode Fuzzy Hash: 26099f610d69601eff0ae24319f03ed8e3b87f464a97081735e8018b9a440437
Instruction Fuzzy Hash: AA6104716003018BD720DF29D881B2AB7E4EB95B16F10456FFD45A7382DF39EC49C6AA

Uniqueness

Uniqueness Score: -1.00%

Function 00412550 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 170sleepCOMMON

Download Yara Rule

APIs

CharUpperW.USER32(?,?,?,?,?,0040218E,?,?), ref: 00412631
CharUpperW.USER32(?,?,?,?,?,0040218E,?,?), ref: 00412642
__swprintf.LIBCMT ref: 004126AC
Sleep.KERNEL32(00000000), ref: 00412721

Strings

{Text}, xrefs: 00412688
{Raw}, xrefs: 00412678, 004126A1
%s%c, xrefs: 004126A6

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharUpper$Sleep__swprintf
String ID: %s%c${Raw}${Text}
API String ID: 676149037-2444501380
Opcode ID: f8768d4323739141c2f803a0e8b6586ff4d3852917af653cc688b8a6239d6e67
Instruction ID: dd99d662d94cfe82523cbcb363a1a8d639b18e47ac8b77dd1236bfabf992d280
Opcode Fuzzy Hash: f8768d4323739141c2f803a0e8b6586ff4d3852917af653cc688b8a6239d6e67
Instruction Fuzzy Hash: B3519F306047419BDB249F29C5506EBBBE1FF89304F05492EE8CAC7391E678E8A4C769

Uniqueness

Uniqueness Score: -1.00%

Function 004767E0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 91windowCOMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00476808
CreatePopupMenu.USER32 ref: 00476834
SetMenuDefaultItem.USER32(?,00445613,00000000,?,?,?,?,?,?,?,?,?,?,?,00476C08), ref: 00476878
SetMenuInfo.USER32 ref: 004768BE
SetMenuInfo.USER32 ref: 004768E1
CreateMenu.USER32 ref: 004768F7

Strings

tray, xrefs: 00476802

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Menu$CreateInfo$DefaultItemPopup__wcsicoll
String ID: tray
API String ID: 3246407819-3344156567
Opcode ID: 58702ca8244081cd8df56b119dc4598f46b31b1c276d5f25efa5a7a6a4aa2732
Instruction ID: d8baa1242c2ff0945b70a06a6ea1e3d7266dc287fb8ece4ce7e89bf886772e67
Opcode Fuzzy Hash: 58702ca8244081cd8df56b119dc4598f46b31b1c276d5f25efa5a7a6a4aa2732
Instruction Fuzzy Hash: C0317271505B019FD720EF25C80479BBBE6BFC8704F06892EE48D97740E778E8058B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0049D048 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0049D054

Part of subcall function 0049D9F2: __getptd_noexit.LIBCMT ref: 0049D9F5
Part of subcall function 0049D9F2: __amsg_exit.LIBCMT ref: 0049DA02

__amsg_exit.LIBCMT ref: 0049D074
__lock.LIBCMT ref: 0049D084
InterlockedDecrement.KERNEL32(?), ref: 0049D0A1
_free.LIBCMT ref: 0049D0B4
InterlockedIncrement.KERNEL32(00A62D20), ref: 0049D0CC

Strings

BM, xrefs: 0049D0AB

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID: BM
API String ID: 3470314060-773030966
Opcode ID: ca83c0c4e9c9ce2f27bb6eaa3788bfd4167bb4b303ff3dc4e74f8162e4b92dc6
Instruction ID: 60105e8036aa53d2e8b53c38c13c2e1c48d0f69e4f7f7582894f30c29d4dc866
Opcode Fuzzy Hash: ca83c0c4e9c9ce2f27bb6eaa3788bfd4167bb4b303ff3dc4e74f8162e4b92dc6
Instruction Fuzzy Hash: CB018431E026119BCF21AB6A980575E7FA0BF45719F05413BE84567780CB7CAD42CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 00472770 Relevance: 12.1, APIs: 8, Instructions: 122COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0047278D
CallWindowProcW.USER32(00000000,?,?,?,?), ref: 004727C9
GetDlgCtrlID.USER32(?), ref: 004727DD
GetParent.USER32(?), ref: 004727EE
GetDlgCtrlID.USER32(00000000), ref: 004727FB
CallWindowProcW.USER32(00000000,?,00000047,?,?), ref: 00472853
GetClipBox.GDI32(?,?), ref: 0047288B
FillRect.USER32(?,?,00000000), ref: 0047289B

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CallCtrlParentProcWindow$ClipFillRect
String ID:
API String ID: 1046380989-0
Opcode ID: f5a6e3420fd5680ec3159ec6cb54bd9abf8363ac639463d9cf0d9a4235e6f7f8
Instruction ID: 5982cf7acbca502d04d8714398e0e1661b4c5961508523c6e59a6f7b63b90c23
Opcode Fuzzy Hash: f5a6e3420fd5680ec3159ec6cb54bd9abf8363ac639463d9cf0d9a4235e6f7f8
Instruction Fuzzy Hash: B241EE766011459BCB28DF08DA889FB77B9FB95310B05816AFC0A97341D778EC81CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00437340 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 340COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004373B5

Part of subcall function 0049996D: HeapFree.KERNEL32(00000000,00000000,?,0049D9E3,00000000,?,0049F73B,?,0047F78E), ref: 00499983
Part of subcall function 0049996D: GetLastError.KERNEL32(00000000,?,0049D9E3,00000000,?,0049F73B,?,0047F78E), ref: 00499995

_free.LIBCMT ref: 00437473

Strings

_NewEnum, xrefs: 0043744B
MZ@, xrefs: 004373BD
Next, xrefs: 004374AE

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: MZ@$Next$_NewEnum
API String ID: 776569668-859543902
Opcode ID: 1adbfe5d77cd32ecca0437256f8ef6fc4c3faf278c09a0601b805fb3ef3fe2f2
Instruction ID: 43456afb34cfdc9fa657791ae87aa16bcc03d39cbb6885d4f22aa9db32ac606b
Opcode Fuzzy Hash: 1adbfe5d77cd32ecca0437256f8ef6fc4c3faf278c09a0601b805fb3ef3fe2f2
Instruction Fuzzy Hash: 9DD177B1A083419FD760DF58C890A6BB7E4BBC8314F14592EE5CA87350D778EC45CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00408026 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 280COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00408271

Strings

float, xrefs: 00408184
string, xrefs: 00408055
<exception>, xrefs: 004081E2
integer, xrefs: 00408159
<response command="property_set" success="%i" transaction_id="%e"/>, xrefs: 00408323

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _free
String ID: <exception>$<response command="property_set" success="%i" transaction_id="%e"/>$float$integer$string
API String ID: 269201875-2023057498
Opcode ID: a9878c18357ddd63bbd89cb60b05f898ec33a5beb5b3d6edfa57497887d9089d
Instruction ID: cd42c75e66b259a114bb2ffeff451e1deb067067da43e370cd3e6624a1d6fca2
Opcode Fuzzy Hash: a9878c18357ddd63bbd89cb60b05f898ec33a5beb5b3d6edfa57497887d9089d
Instruction Fuzzy Hash: 25A1DF711087029FCB10CF65C641A2BBBE1BB94714F14492FF4D4AB2C1DB39E946CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004234D0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 227timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(00010424,00000009,0000000A,00000000), ref: 00423604
KillTimer.USER32(00010424,00000009), ref: 0042364D
__wcstoi64.LIBCMT ref: 004236D1
__fassign.LIBCMT ref: 00423761
GetTickCount.KERNEL32 ref: 00423785

Part of subcall function 004998AD: __fassign.LIBCMT ref: 004998A3

Strings

Out of memory., xrefs: 00423575

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Timer__fassign$CountKillTick__wcstoi64
String ID: Out of memory.
API String ID: 925375575-4087320997
Opcode ID: d8b4b5674ead970790b3891ba920a7fc3039405ff3ace9c02ef770c11821bc44
Instruction ID: fc6bcee34546581538d54a7a1a3f90d1cae2aab2ee9fd3b7f5a50b831930a387
Opcode Fuzzy Hash: d8b4b5674ead970790b3891ba920a7fc3039405ff3ace9c02ef770c11821bc44
Instruction Fuzzy Hash: 428119B1B00360ABDF349F14A8807777BB4AF16711F98442FE48686791E37C9E84C79A

Uniqueness

Uniqueness Score: -1.00%

Function 0042B280 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 197COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000), ref: 0042B38A
_wcschr.LIBCMT ref: 0042B3A5

Part of subcall function 0042B1F0: GetFileAttributesW.KERNEL32(0042B2BF), ref: 0042B220

Part of subcall function 0044F750: SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,00000000), ref: 0044F762

Strings

#Include %-0.*s#IncludeAgain %s, xrefs: 0042B453
\AutoHotkey\Lib\, xrefs: 0042B2CE
.ahk, xrefs: 0042B366
\Lib\, xrefs: 0042B2B0, 0042B2E7

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile$FolderPath_wcschr
String ID: #Include %-0.*s#IncludeAgain %s$.ahk$\AutoHotkey\Lib\$\Lib\
API String ID: 3341327518-2992999288
Opcode ID: 95cd0e968a4c8799b9744c8f97e9f83349e0315529c5296879c0870586eeb261
Instruction ID: 1f101769fe2fbaf9103fd5764babab83c1438d8bc7abeccccb3c6647e7fb8973
Opcode Fuzzy Hash: 95cd0e968a4c8799b9744c8f97e9f83349e0315529c5296879c0870586eeb261
Instruction Fuzzy Hash: 126102317002158FC710DF29E881BAB73A4EF98304F40852FED448B3A1EB78A915CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 00440650 Relevance: 10.7, APIs: 7, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 0044DDD0: GetForegroundWindow.USER32(?,?,004408D5,?), ref: 0044DDFE
Part of subcall function 0044DDD0: IsWindowVisible.USER32(00000000), ref: 0044DE19

__fassign.LIBCMT ref: 004406A4

Part of subcall function 0049BA2D: wcstoxl.LIBCMT ref: 0049BA3D

__fassign.LIBCMT ref: 004406E0
GetWindowRect.USER32(00000000,?), ref: 00440726
GetWindowRect.USER32(00000000,?), ref: 00440758
GetParent.USER32(00000000), ref: 00440783
ScreenToClient.USER32(00000000,80000000), ref: 00440793
MoveWindow.USER32(00000000,?,?,?,?,00000001,?,?,?,?,?,?,?,?,00432FE9), ref: 0044083A

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Rect__fassign$ClientForegroundMoveParentScreenVisiblewcstoxl
String ID:
API String ID: 4198355719-0
Opcode ID: 2635aa29da962e53f588dfc6880f2c22bd87df70d0202ed7520b0791c599878c
Instruction ID: a61a20ebbddf82122a898a34785317a2d7c88a676bedaf39aaa2eb719384a132
Opcode Fuzzy Hash: 2635aa29da962e53f588dfc6880f2c22bd87df70d0202ed7520b0791c599878c
Instruction Fuzzy Hash: A551B1B1A04301ABE710EF24DC41B5F77E4AB84710F14092EFA4197391D7B9EC95CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0047F250 Relevance: 10.7, APIs: 7, Instructions: 174timeCOMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0047F279
_wcsncpy.LIBCMT ref: 0047F2A5
_wcsncpy.LIBCMT ref: 0047F2DD
_wcsncpy.LIBCMT ref: 0047F311
_wcsncpy.LIBCMT ref: 0047F346
_wcsncpy.LIBCMT ref: 0047F37B
SystemTimeToFileTime.KERNEL32(?,?), ref: 0047F422

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _wcsncpy$Time$FileSystem
String ID:
API String ID: 456616543-0
Opcode ID: 62aef3695b26939a59dffcd19f42a4789964ddc22bda4d290c9eae8f59cab432
Instruction ID: 116c2c015460527e3f92fde828d369f602415525a7cebdddae21ad1deb615ec5
Opcode Fuzzy Hash: 62aef3695b26939a59dffcd19f42a4789964ddc22bda4d290c9eae8f59cab432
Instruction Fuzzy Hash: E751C37191530196D718EB69CC82AABB2E5EFD8300F44CD3FF85AC7251F639E509835A

Uniqueness

Uniqueness Score: -1.00%

Function 00451000 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?), ref: 00451039
GetLastError.KERNEL32 ref: 0045113C
__itow.LIBCMT ref: 00451168

Strings

0, xrefs: 004511BF
DllCall, xrefs: 004511E1

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$__itow
String ID: 0$DllCall
API String ID: 3125673013-1800201163
Opcode ID: f76db294036b85b086df669964c404c6de938ddb5128781bce957d49728f4ac9
Instruction ID: 435e9edd59bc84051a32e6960529c8a17d6b3bdade0838c8458c6ac64cdbf108
Opcode Fuzzy Hash: f76db294036b85b086df669964c404c6de938ddb5128781bce957d49728f4ac9
Instruction Fuzzy Hash: 6A618170E01208AFDF14DFA8C885BAEBBB4FB08714F10426BE915A73A1D7785845CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00417750 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(004D85B4), ref: 004177E8
GetSystemMetrics.USER32(00000000), ref: 00417860
GetSystemMetrics.USER32(00000001), ref: 00417866
GetCursorPos.USER32(?), ref: 004178C5

Strings

d, xrefs: 004178A9

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CursorMetricsSystem
String ID: d
API String ID: 3091566494-2564639436
Opcode ID: f89fd4ef7ae1550b366f40461004737d39f97c3f644aaece7940061a6b1dccc7
Instruction ID: 119d6539a4c3c058e01fc4c3233a64bbc2f0d8b6b3b92e21f048465a99026b57
Opcode Fuzzy Hash: f89fd4ef7ae1550b366f40461004737d39f97c3f644aaece7940061a6b1dccc7
Instruction Fuzzy Hash: 5151C2757083019BE714DF29E881BAA73E1FB88315F24493EE886C7341DB39E985CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00476420 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 148windowCOMMON

Download Yara Rule

APIs

SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 004764F4
_wcschr.LIBCMT ref: 00476513
_wcschr.LIBCMT ref: 0047651D
__wcsicoll.LIBCMT ref: 0047652F
SetMenuItemInfoW.USER32(?,?,?,00000000), ref: 0047655C

Strings

0, xrefs: 0047648E

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ItemMenu_wcschr$DefaultInfo__wcsicoll
String ID: 0
API String ID: 697447621-4108050209
Opcode ID: b5f8bdb52d5466c9898a0f9a4d9e59b38958a60e437932432c2c10b822c26a60
Instruction ID: 02261b57988016f57a9a0e9b29c8f655d426d673cab6de95d053a5ca00cf7a3d
Opcode Fuzzy Hash: b5f8bdb52d5466c9898a0f9a4d9e59b38958a60e437932432c2c10b822c26a60
Instruction Fuzzy Hash: 1C4139B16047016BD7249F18E8007AB77E5BB80314F05852FFC89973D5EB79E904C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 00433438 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 120COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00433519

Strings

Target label does not exist., xrefs: 0043346C
Parameter #1 invalid., xrefs: 00433496
Parameter #1 must not be blank in this case., xrefs: 004334CC
Parameter #2 invalid., xrefs: 0043354A
Delete, xrefs: 00433513

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll
String ID: Delete$Parameter #1 invalid.$Parameter #1 must not be blank in this case.$Parameter #2 invalid.$Target label does not exist.
API String ID: 3832890014-14243736
Opcode ID: 86c0aaff76b6ce81f1437f36f9f7af26baa6f8112e9420dce3722020ee45889a
Instruction ID: e24b93fe6442b73996c024722daf9e01c2109cd0b4a87424bb1e2e76ce4a84c7
Opcode Fuzzy Hash: 86c0aaff76b6ce81f1437f36f9f7af26baa6f8112e9420dce3722020ee45889a
Instruction Fuzzy Hash: 7241F271740200B7DB21AF019C02B2773B6AB99715F29506FF8509B391D7BDED4287AE

Uniqueness

Uniqueness Score: -1.00%

Function 0042F211 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 110COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 0042F2CA

Strings

Missing close-quote, xrefs: 0042FC76
+-*&~!, xrefs: 0042F2C5
Out of memory., xrefs: 0042FC54
-, xrefs: 0042F312
Expression too long, xrefs: 0043076B

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _wcschr
String ID: +-*&~!$-$Expression too long$Missing close-quote$Out of memory.
API String ID: 2691759472-2428279368
Opcode ID: 21d358b574a6c61366203aa2416cae8e5efab34523fb5948f7f50951a35798b2
Instruction ID: 24abdf7c417dbac91f6914fe5f90e9ab67c60156a4daccadf6aff6cdae6b3aa1
Opcode Fuzzy Hash: 21d358b574a6c61366203aa2416cae8e5efab34523fb5948f7f50951a35798b2
Instruction Fuzzy Hash: 6B311375B40225E6CF30DE8598817BE72B0AB54B10FB441BBEC45A32C0E77CAE45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0047F4F0 Relevance: 10.6, APIs: 7, Instructions: 82timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,00431F06,00000000,00000001,00000000), ref: 0047F527
GetSystemTimeAsFileTime.KERNEL32(?,004AF9BC,?,?,?,?,?,?,?,?,?,00431F06,00000000,00000001,00000000), ref: 0047F53D
FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00431F06,00000000,00000001,00000000), ref: 0047F54D
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,00431F06,00000000,00000001,00000000), ref: 0047F572
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,00431F06,00000000,00000001,00000000), ref: 0047F586
FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00431F06,00000000,00000001,00000000), ref: 0047F596
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0047F5B8

Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F279
Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F2A5
Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F2DD
Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F311
Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F346
Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F37B

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Time$File$_wcsncpy$System$Local$Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 1899144181-0
Opcode ID: 9b4c0722e3b4447c1c64732a54f1b12daeb79bfa3bb53ba4e12e176010e4b2eb
Instruction ID: ec7f1e55bf55ed5fa15d96d36325509feef5b0460418d3e3c2bdb78589e7a9c1
Opcode Fuzzy Hash: 9b4c0722e3b4447c1c64732a54f1b12daeb79bfa3bb53ba4e12e176010e4b2eb
Instruction Fuzzy Hash: B721BF766043016BC700EF69DC44AEB7BA9ABC8704F44892AF54993241E674E60DC7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00473030 Relevance: 10.6, APIs: 7, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0047304C
SendMessageW.USER32(?,0000102F,00000000,00000000), ref: 00473060
SendMessageW.USER32(?,00001024,00000000,?), ref: 0047308F
GetSysColor.USER32(00000005), ref: 004730A3
SendMessageW.USER32(?,00001026,00000000,?), ref: 004730B6
SendMessageW.USER32(?,00001001,00000000,?), ref: 004730C3
InvalidateRect.USER32(00000000,00000000,00000001,?,0000000B,00000000,00000000,?,00000192,?,?), ref: 004730CC

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$ColorInvalidateRect
String ID:
API String ID: 2722326260-0
Opcode ID: 3e7659e6f9082ed6dc79fcb128e74a30ed78c172b3edf45ec36e39176db946fd
Instruction ID: 14fb7c1128e58af52256454588768c376876988844bf7dba871c3fd5e3d664a9
Opcode Fuzzy Hash: 3e7659e6f9082ed6dc79fcb128e74a30ed78c172b3edf45ec36e39176db946fd
Instruction Fuzzy Hash: EB118670740341ABD6308F688C85FD7B7A8AF0CB11F104519FA99A73C4D3B4B891DA58

Uniqueness

Uniqueness Score: -1.00%

Function 004620A0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 60COMMON

Download Yara Rule

Strings

ComObject, xrefs: 0046212E
ComObjArray, xrefs: 004620AF
ComObjRef, xrefs: 004620BE
ComObj, xrefs: 00462135

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ComObj$ComObjArray$ComObjRef$ComObject
API String ID: 0-4247866589
Opcode ID: 1123917aa73091fe6352a00bd7fe85667e0040399a4a726faddcbaadc29494c1
Instruction ID: 7468727b151b88665252e983340ae9065c02ba835f7346ba8c548fc048de484e
Opcode Fuzzy Hash: 1123917aa73091fe6352a00bd7fe85667e0040399a4a726faddcbaadc29494c1
Instruction Fuzzy Hash: 0401E1613002017BDA289A4DAD54BA36398EB84B10F20483FF651CB6D0EBA8D840C36F

Uniqueness

Uniqueness Score: -1.00%

Function 0044A0C5 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 0047F770: _vswprintf_s.LIBCMT ref: 0047F789

mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0044A0EE
mciSendStringW.WINMM(status cd mode,?,00000080,00000000), ref: 0044A107
mciSendStringW.WINMM(close cd wait,00000000,00000000,00000000), ref: 0044A116

Strings

close cd wait, xrefs: 0044A10F
status cd mode, xrefs: 0044A102
open %s type cdaudio alias cd wait shareable, xrefs: 0044A0C6

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: SendString$_vswprintf_s
String ID: close cd wait$open %s type cdaudio alias cd wait shareable$status cd mode
API String ID: 3589064202-1182961480
Opcode ID: f0be755721c286a6d2e3fe2952afc5994a2f6ab0a61cbee5435d9c39b1f394bd
Instruction ID: 1fe73425bde0e4d091d7d48565b79ee7e345e2dd204b493497ef2076858621a5
Opcode Fuzzy Hash: f0be755721c286a6d2e3fe2952afc5994a2f6ab0a61cbee5435d9c39b1f394bd
Instruction Fuzzy Hash: 4C01B57278430036E630E6659C43FDB7758DB84B64F60062BB758AF1D0DAE9A81186ED

Uniqueness

Uniqueness Score: -1.00%

Function 0041B6B0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMON

Download Yara Rule

Strings

FAST, xrefs: 0041B70E
SLOW, xrefs: 0041B726
RegEx, xrefs: 0041B6F6

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: FAST$RegEx$SLOW
API String ID: 0-3371325577
Opcode ID: c9ff56912fc2a5445023e38118afcea68220d5fa3522d522f31d9742a3ad1101
Instruction ID: 40c3f79cf0f33fd675ea1d3eaf5275f6d4c181bb92bfb399535dd614a674d4ca
Opcode Fuzzy Hash: c9ff56912fc2a5445023e38118afcea68220d5fa3522d522f31d9742a3ad1101
Instruction Fuzzy Hash: 3CF08164A40A1022DF3126288C127EB61A1EBB1B16FD4886BF890C52C1F79CCDC6C1DE

Uniqueness

Uniqueness Score: -1.00%

Function 0041C390 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041C3A0
__wcsicoll.LIBCMT ref: 0041C3B8

Strings

Priority, xrefs: 0041C39A
Interrupt, xrefs: 0041C3B2
NoTimers, xrefs: 0041C3CA

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll
String ID: Interrupt$NoTimers$Priority
API String ID: 3832890014-3223323590
Opcode ID: 0ca710a28c9a6fdd3e1655b68ceb6b56f3a61ba5b0623bdf83e2a57486d68abd
Instruction ID: 835642e8b9c5ad1680c26623e24ea8d40f3999fc457d8eeae818b5aa4d921401
Opcode Fuzzy Hash: 0ca710a28c9a6fdd3e1655b68ceb6b56f3a61ba5b0623bdf83e2a57486d68abd
Instruction Fuzzy Hash: 6EE0D872B9591522CF1220395C43BEF60844B90B07F88827BFC10D03C2F78DC99380AD

Uniqueness

Uniqueness Score: -1.00%

Function 004AB012 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004AB033

Part of subcall function 0049D9F2: __getptd_noexit.LIBCMT ref: 0049D9F5
Part of subcall function 0049D9F2: __amsg_exit.LIBCMT ref: 0049DA02

__getptd.LIBCMT ref: 004AB044
__getptd.LIBCMT ref: 004AB052

Strings

RCC, xrefs: 004AB01E
csm, xrefs: 004AB02C
MOC, xrefs: 004AB025

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: b3449fbdd393e6848ef1480637f78e220a71a91307a74da33634cafec3fb0c87
Instruction ID: f48fb7160891fdb28535c3b3785d5e92de556274b7b77f759ccaad76ee94d93b
Opcode Fuzzy Hash: b3449fbdd393e6848ef1480637f78e220a71a91307a74da33634cafec3fb0c87
Instruction Fuzzy Hash: 0AE012305181188FCB14A76DC04AB6A3795EB5A318F9942B7E61DCB323C72CDC50998B

Uniqueness

Uniqueness Score: -1.00%

Function 00455600 Relevance: 9.4, APIs: 6, Instructions: 393COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,-0000F939,00000000,?,00000000,00000000,00000000,00000000), ref: 004558EA
GetLastError.KERNEL32 ref: 004558F0
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00455913
WideCharToMultiByte.KERNEL32(?,-0000F939,00000000,?,00010000,00000000,00000000,00000000), ref: 0045594B
MultiByteToWideChar.KERNEL32(000004B0,00000000,00010000,00000000,00000000,00000000), ref: 00455983
MultiByteToWideChar.KERNEL32(?,00000000,00010000,00000000,?,?), ref: 004559AF

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: a95e92de48907b82a118ca304b45eeb7a39cbf35b2509a2e4d9736f7136a285d
Instruction ID: 73ff15921c81c7c2b8fc7e5a511ab08273d7f697bb374050a02301f8568d450e
Opcode Fuzzy Hash: a95e92de48907b82a118ca304b45eeb7a39cbf35b2509a2e4d9736f7136a285d
Instruction Fuzzy Hash: 7CD1E6716046019FD710CF18D890B3BB3A1EF84325F54866BED198B392E738EC09C799

Uniqueness

Uniqueness Score: -1.00%

Function 00474380 Relevance: 9.2, APIs: 6, Instructions: 152windowstringCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 004743CA
SendMessageW.USER32(?,0000104B,00000000,?), ref: 004743E9
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00474426
SendMessageW.USER32(?,0000104B,00000000,?), ref: 00474449
__wcsicoll.LIBCMT ref: 00474471
lstrcmpiW.KERNEL32(?,?), ref: 00474487

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$__wcsicolllstrcmpi
String ID:
API String ID: 2730042983-0
Opcode ID: 57d251954f89da3658f36c1efe7c78cee2eda118024af6682d7eeb2d842c1357
Instruction ID: e6e3da32dbd8d32ace067b7c15c597e0952ef42ba965c392ac380ee0be724a55
Opcode Fuzzy Hash: 57d251954f89da3658f36c1efe7c78cee2eda118024af6682d7eeb2d842c1357
Instruction Fuzzy Hash: E951C3B0500B019ED730DF25CC40BF3B7E9AB95310F10CA1EE69A86680E779F846DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0045B550 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 390COMMON

Download Yara Rule

APIs

joyGetDevCapsW.WINMM(?,?,000002D8), ref: 0045B58F
_memset.LIBCMT ref: 0045B5A5
joyGetPosEx.WINMM ref: 0045B5E7

Strings

4, xrefs: 0045B5D7
@, xrefs: 0045BA62

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Caps_memset
String ID: 4$@
API String ID: 675830301-1528247400
Opcode ID: 6f1df5e623130fc5519dfb89c1c6d076b81a087b6ec2a2738dc1641cfe1935c1
Instruction ID: 1b62503bb8dcafb966b9c70d5a13e8a36451d5d99be2e12f43ee9aadd3465e46
Opcode Fuzzy Hash: 6f1df5e623130fc5519dfb89c1c6d076b81a087b6ec2a2738dc1641cfe1935c1
Instruction Fuzzy Hash: 10E1A3356083428BD7248F15D8447AAB7E0FF85316F94492EEC9983792E73D990CDB8A

Uniqueness

Uniqueness Score: -1.00%

Function 004621C0 Relevance: 9.1, APIs: 6, Instructions: 90COMMON

Download Yara Rule

APIs

SafeArrayGetDim.OLEAUT32(?), ref: 004621CD
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004621EB
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00462205
SafeArrayAccessData.OLEAUT32(?,?), ref: 0046221D
SafeArrayGetElemsize.OLEAUT32(?), ref: 00462241

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$Bound$AccessDataElemsize
String ID:
API String ID: 505432365-0
Opcode ID: 5fe2341cbd0f1ce19e45c4412c871bb5549257b7a25b6be60c07814c3c6dc15c
Instruction ID: e428f4cc4004f9e538e2e69b6b7fde91aa7d4e1d207dcc21ad0ff8ea57338000
Opcode Fuzzy Hash: 5fe2341cbd0f1ce19e45c4412c871bb5549257b7a25b6be60c07814c3c6dc15c
Instruction Fuzzy Hash: DE31B1B5504702AFD700DF28D9849ABBBE8EF88310F40886EFD4597321E779E8448B66

Uniqueness

Uniqueness Score: -1.00%

Function 0043D580 Relevance: 9.1, APIs: 6, Instructions: 65windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0043D592
__fassign.LIBCMT ref: 0043D5CB

Part of subcall function 0049BA2D: wcstoxl.LIBCMT ref: 0049BA3D

Part of subcall function 004998AD: __fassign.LIBCMT ref: 004998A3

__fassign.LIBCMT ref: 0043D5FB
_wcsncpy.LIBCMT ref: 0043D627
_wcsncpy.LIBCMT ref: 0043D64B
Shell_NotifyIconW.SHELL32(00000001), ref: 0043D663

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __fassign$_wcsncpy$IconNotifyShell__memsetwcstoxl
String ID:
API String ID: 551406035-0
Opcode ID: 8caa16ff89198dd174f85cb7a1e571fa066b27e236fd9c204203ff1755e0abb7
Instruction ID: 876c258d2f17f98dd501aa890ebf4067990aa608e37c955939e4989fa1efd456
Opcode Fuzzy Hash: 8caa16ff89198dd174f85cb7a1e571fa066b27e236fd9c204203ff1755e0abb7
Instruction Fuzzy Hash: 9C2166B1A0430067EB21EB14DC42BAF76EC9F85704F44443FF6899A2C2EBB99605875F

Uniqueness

Uniqueness Score: -1.00%

Function 004AB2BF Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 004AB2E7

Part of subcall function 004AABB1: __getptd.LIBCMT ref: 004AABBF
Part of subcall function 004AABB1: __getptd.LIBCMT ref: 004AABCD

__getptd.LIBCMT ref: 004AB2F1

Part of subcall function 0049D9F2: __getptd_noexit.LIBCMT ref: 0049D9F5
Part of subcall function 0049D9F2: __amsg_exit.LIBCMT ref: 0049DA02

__getptd.LIBCMT ref: 004AB2FF
__getptd.LIBCMT ref: 004AB30D
__getptd.LIBCMT ref: 004AB318
_CallCatchBlock2.LIBCMT ref: 004AB33E

Part of subcall function 004AAC56: __CallSettingFrame@12.LIBCMT ref: 004AACA2

Part of subcall function 004AB3E5: __getptd.LIBCMT ref: 004AB3F4
Part of subcall function 004AB3E5: __getptd.LIBCMT ref: 004AB402

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 76f0c4520016850ac94d2ba0d63413a0b5c51c2609147ee8bcbdc081ea961fdf
Instruction ID: 177d761e09cce0a390561c76f866a073fb92933ffe0de673f7bf7f8d10bec13a
Opcode Fuzzy Hash: 76f0c4520016850ac94d2ba0d63413a0b5c51c2609147ee8bcbdc081ea961fdf
Instruction Fuzzy Hash: 0311F6B1C00209DFDF00EFA9C846BADBBB0FF08314F50856AF854A7251DB389A519F58

Uniqueness

Uniqueness Score: -1.00%

Function 004541D0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 296COMMON

Download Yara Rule

APIs

__wcsdup.LIBCMT ref: 0045447A
_free.LIBCMT ref: 004544DA

Strings

ERCP, xrefs: 004542C8
O, xrefs: 004544AC
RegExMatch, xrefs: 004543C9

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsdup_free
String ID: ERCP$O$RegExMatch
API String ID: 2088533098-700926398
Opcode ID: b2dcfb468934621f6407e4f9bcd8944f3d50b3aa7c5712ffe1754b4adac1ae56
Instruction ID: 31d996114747a65bd03f41cd5ec34fefb3b45e9e0d1dd7c269540ce4b78567f1
Opcode Fuzzy Hash: b2dcfb468934621f6407e4f9bcd8944f3d50b3aa7c5712ffe1754b4adac1ae56
Instruction Fuzzy Hash: DDB1C375A00214AFCB14DF94C881AAFB7B5FF85319F14819AFC04AB352D738AD89CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004037CC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 195COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 00403838
GetTickCount.KERNEL32 ref: 00403909
_free.LIBCMT ref: 004039CB

Strings

call, xrefs: 0040395E
OnMessage, xrefs: 00403891

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTick_free_wcsncpy
String ID: OnMessage$call
API String ID: 2355968416-3128857728
Opcode ID: 5316463bfb7c07a5ee4189eedc162c972cbf6df35f57d9ab929a979a7564367c
Instruction ID: fcfe2bf54736c17d21a39cf7b35f46c0fab28c2d1df972d39fbc2a21bdba88d8
Opcode Fuzzy Hash: 5316463bfb7c07a5ee4189eedc162c972cbf6df35f57d9ab929a979a7564367c
Instruction Fuzzy Hash: 3A71BBB06052408FC720DF29D88096BBBF9BB85304F18897FE4859B361D739E906CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0042833D Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 147COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 004283B8

Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F279
Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F2A5
Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F2DD
Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F311
Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F346
Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F37B

Strings

MCA, xrefs: 004283B3
Parameter #4 invalid., xrefs: 004283F4
Parameter #1 invalid., xrefs: 004284FE
Parameter #5 invalid., xrefs: 0042845C

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _wcsncpy$_wcschr
String ID: MCA$Parameter #1 invalid.$Parameter #4 invalid.$Parameter #5 invalid.
API String ID: 585857694-2060875404
Opcode ID: d686314f4c978df5ada6b204da14649bac07d601e90125b3ba2c0e784efb08ee
Instruction ID: a213e4631e1f60fddd2d89f8af415b2c5647ab633988516b9b844c6a4182a90d
Opcode Fuzzy Hash: d686314f4c978df5ada6b204da14649bac07d601e90125b3ba2c0e784efb08ee
Instruction Fuzzy Hash: 1251E1307043618BEB208B0AE4047AB77E1AF50314F98445FED858B396E77EED95C75A

Uniqueness

Uniqueness Score: -1.00%

Function 00414150 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 145COMMON

Download Yara Rule

Strings

?, xrefs: 00414249
Too few parameters passed to function., xrefs: 0041416B
Invalid option., xrefs: 004142C4
{All}, xrefs: 00414262

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ?$Invalid option.$Too few parameters passed to function.${All}
API String ID: 0-1706679301
Opcode ID: c68af193537216e1fca643e98c41d250b25b3fec0216e2e742f5fd58f25bc69c
Instruction ID: e8044d063794a3151aa0f4c52f41973fb5085b30c1ad96ed797766c0dc14f8a9
Opcode Fuzzy Hash: c68af193537216e1fca643e98c41d250b25b3fec0216e2e742f5fd58f25bc69c
Instruction Fuzzy Hash: C641383664C29056D321DA1498447E7BB909BE63A5F1808AFFCD047292C13D99DEC7BF

Uniqueness

Uniqueness Score: -1.00%

Function 004061AD Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 139networkCOMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004062A1
WSAAsyncSelect.WS2_32(000000FF,00000408,00000021), ref: 00406335

Strings

<response command="%s" transaction_id="%e"/>, xrefs: 004062F0
<error code="%i"/></response>, xrefs: 00406265
<response command="%s" transaction_id="%e, xrefs: 00406247

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AsyncSelect_memmove
String ID: <error code="%i"/></response>$<response command="%s" transaction_id="%e$<response command="%s" transaction_id="%e"/>
API String ID: 1861896769-3791457405
Opcode ID: 34ff95711f651e1b10e939fe571f1c611fd5a674ff2fd8dcafa14c006471f3a5
Instruction ID: 1a62f14bb35c1d81c5fcc6f624dfc9327277399aac9e9fd24749a6011f185448
Opcode Fuzzy Hash: 34ff95711f651e1b10e939fe571f1c611fd5a674ff2fd8dcafa14c006471f3a5
Instruction Fuzzy Hash: 37413A31A003019BCB21ABB489856AF77B5AF54328F11067FE553B62D1DB79EA19CB08

Uniqueness

Uniqueness Score: -1.00%

Function 00482000 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 00482037

Part of subcall function 0049BA2D: wcstoxl.LIBCMT ref: 0049BA3D

__fassign.LIBCMT ref: 00482057
_wcschr.LIBCMT ref: 0048206E
_wcschr.LIBCMT ref: 00482092

Strings

.-+, xrefs: 00482069, 0048208D

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __fassign_wcschr$wcstoxl
String ID: .-+
API String ID: 1230976502-1090785623
Opcode ID: 9610d407098dae9b6b0bdeb7db8ae82cf25586f41b2efed7791b4f54d19c4b70
Instruction ID: 3d31504c10a88408d2a02cccfb865c86144822f7cf2f4485934edee3b832ff72
Opcode Fuzzy Hash: 9610d407098dae9b6b0bdeb7db8ae82cf25586f41b2efed7791b4f54d19c4b70
Instruction Fuzzy Hash: A131D6B2604221568B347E159DC423F73D5EA96761F344D2BFA42CA2C0E7EC88C1D3AA

Uniqueness

Uniqueness Score: -1.00%

Function 00470050 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 124windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000F0), ref: 004700BD
__itow.LIBCMT ref: 004700E5
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0047013F
ShowWindow.USER32(?,00000000), ref: 0047019F

Part of subcall function 00470270: __wcsicoll.LIBCMT ref: 0047028C

Strings

Submit, xrefs: 00470082

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$LongMessageSendShow__itow__wcsicoll
String ID: Submit
API String ID: 1467826441-949859957
Opcode ID: 7f338afbb582545b23edb08314924bbc423268a33eb14a32d0a4d6af7373ae6b
Instruction ID: e93b8146909e15d1773c3805e98e4050586de0dd1c423466079335ad8d7a8ef6
Opcode Fuzzy Hash: 7f338afbb582545b23edb08314924bbc423268a33eb14a32d0a4d6af7373ae6b
Instruction Fuzzy Hash: DB41B17090A311EBD630DF54C881B97B7A5FB44B20F508B1AF569672C1C7B9EC84C6D9

Uniqueness

Uniqueness Score: -1.00%

Function 004AA792 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

PMDtoOffset.LIBCMT ref: 004AA866
__CxxThrowException@8.LIBCMT ref: 004AA89E

Strings

Bad dynamic_cast!, xrefs: 004AA888

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8OffsetThrow
String ID: Bad dynamic_cast!
API String ID: 2691599830-2956939130
Opcode ID: 5375ab0a33b2a7387026c35007303dd1e7d7ade775b27ec2b321e4646a18c0c5
Instruction ID: 9a6bd26d37644e0d0fac2bec084c5bd9b779d614c2032c38d45217a7ed9a899c
Opcode Fuzzy Hash: 5375ab0a33b2a7387026c35007303dd1e7d7ade775b27ec2b321e4646a18c0c5
Instruction Fuzzy Hash: 0D31B375A002059FCF04EF65C851AAEB7A0AF69311F14446EF801E7351D73CEC12CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 004102E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0041030B

Part of subcall function 0047F770: _vswprintf_s.LIBCMT ref: 0047F789

GetTickCount.KERNEL32 ref: 00410321
GetTickCount.KERNEL32 ref: 00410424
PostMessageW.USER32(00010424,00000312,?,00000000), ref: 00410447

Strings

%u hotkeys have been received in the last %ums.Do you want to continue?(see #MaxHotkeysPerInterval in the help file), xrefs: 004103AC

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTick$MessagePost_vswprintf_s
String ID: %u hotkeys have been received in the last %ums.Do you want to continue?(see #MaxHotkeysPerInterval in the help file)
API String ID: 134691662-3609671246
Opcode ID: 17afcd9859a16385c97d5a21afd13ec17eadc8969b0937a7e4d3de00059e5087
Instruction ID: 244085edff8be58611c6e0e573786de16750f8735b5ffcafd24aea0ead46cdb6
Opcode Fuzzy Hash: 17afcd9859a16385c97d5a21afd13ec17eadc8969b0937a7e4d3de00059e5087
Instruction Fuzzy Hash: F5313371601240DBE721EFA4EC80BEA3B90EB55705F04403BEA8492391C7B858C8CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 00441590 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 0044DDD0: GetForegroundWindow.USER32(?,?,004408D5,?), ref: 0044DDFE
Part of subcall function 0044DDD0: IsWindowVisible.USER32(00000000), ref: 0044DE19

_wcsncpy.LIBCMT ref: 004415D4
__wcstoi64.LIBCMT ref: 00441614
__fassign.LIBCMT ref: 00441662
__fassign.LIBCMT ref: 0044168E

Part of subcall function 0049BD82: __wtof_l.LIBCMT ref: 0049BD8C

Part of subcall function 004998AD: __fassign.LIBCMT ref: 004998A3

Strings

msctls_statusbar321, xrefs: 004415EB

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __fassign$Window$ForegroundVisible__wcstoi64__wtof_l_wcsncpy
String ID: msctls_statusbar321
API String ID: 4167010027-1022929942
Opcode ID: 7d853f60dbb807625cb90e8ebb27f3763686600dc7ebc47fee0f7ca27cde5ca5
Instruction ID: e81e786bd3b8c8a7dd2fd0f7036c460b15d973a2291c7aca0ca955f0f748220c
Opcode Fuzzy Hash: 7d853f60dbb807625cb90e8ebb27f3763686600dc7ebc47fee0f7ca27cde5ca5
Instruction Fuzzy Hash: 32315A71A0430067E220BB265C42F6B37989F85318F09043FF94A57283EA7DD959C3AF

Uniqueness

Uniqueness Score: -1.00%

Function 0045F190 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 0045F19F
__wsplitpath.LIBCMT ref: 0045F1E6
__wsplitpath.LIBCMT ref: 0045F1FD
_wcschr.LIBCMT ref: 0045F27F

Strings

*, xrefs: 0045F291

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wsplitpath_wcschr
String ID: *
API String ID: 1241525681-163128923
Opcode ID: dd3c19fe5a57f5a345258c94b2447ebc6cf54899ebf3fc40ec573524a039fd72
Instruction ID: 9bb150c275161d5d26197bea011ddee46e51accbd289442bb181b83c814e053f
Opcode Fuzzy Hash: dd3c19fe5a57f5a345258c94b2447ebc6cf54899ebf3fc40ec573524a039fd72
Instruction Fuzzy Hash: 9531E1B65043009AD730E750C886BEBB3B8AF94315F00856FF98987291F7B8564CC797

Uniqueness

Uniqueness Score: -1.00%

Function 00476040 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91windowCOMMON

Download Yara Rule

APIs

RemoveMenu.USER32(?,?,00000000), ref: 0047606E
SetMenuItemInfoW.USER32 ref: 004760B5
DeleteObject.GDI32(?), ref: 004760C7
DestroyCursor.USER32(?), ref: 004760D3

Strings

0, xrefs: 004760A1

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Menu$CursorDeleteDestroyInfoItemObjectRemove
String ID: 0
API String ID: 2910511256-4108050209
Opcode ID: 062036dcf90c25c6aa1a430b1a52aa1ccc5b96ed00da7c2b613096453af6af17
Instruction ID: 37b093b8c93bb45f128d1c50df42bb5804af63f6545c64180b2bd1794ba6b386
Opcode Fuzzy Hash: 062036dcf90c25c6aa1a430b1a52aa1ccc5b96ed00da7c2b613096453af6af17
Instruction Fuzzy Hash: 08318CB16016409FC720CF59C884C6BBBEAFB49314B05867EE48E8B711C739EC45CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00412184 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 89COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 004122CC

Strings

%i-%i, xrefs: 004122C6
(no), xrefs: 00412352
%s%s%s%s%s%s, xrefs: 0041237A
OFF, xrefs: 00412241, 0041236C

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __swprintf
String ID: %i-%i$%s%s%s%s%s%s$(no)$OFF
API String ID: 1857805200-721635399
Opcode ID: 8613c0c7f36b4631c54db5b6969d2941159ff2cbdb743f2b03bb499c0ccac6f9
Instruction ID: 697a3eef1c1f4c69f375fa34e8f3d3f4ea3ecd20db682625f14ac8ac8f2aed63
Opcode Fuzzy Hash: 8613c0c7f36b4631c54db5b6969d2941159ff2cbdb743f2b03bb499c0ccac6f9
Instruction Fuzzy Hash: BC3137311043409ADB28DE69C9407FB77F1AF85304F14496FE496C7740E7BD9995C399

Uniqueness

Uniqueness Score: -1.00%

Function 00419040 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,KbdLayerDescriptor), ref: 004190C2
GetCurrentProcess.KERNEL32(?), ref: 004190DE
IsWow64Process.KERNEL32(00000000), ref: 004190E5
FreeLibrary.KERNEL32(00000000), ref: 0041910B

Strings

KbdLayerDescriptor, xrefs: 004190BC

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Process$AddressCurrentFreeLibraryProcWow64
String ID: KbdLayerDescriptor
API String ID: 2487901806-1890577838
Opcode ID: b2d7b509e2caa1c39416aaf971f046d4676484bb8d071f3c907e2673ec1a3666
Instruction ID: d991a600d8f6fc8b461258ff220e162d17b1cde4a94af214da9bcc926f0446d1
Opcode Fuzzy Hash: b2d7b509e2caa1c39416aaf971f046d4676484bb8d071f3c907e2673ec1a3666
Instruction Fuzzy Hash: 11210A717013149BD7244F24FCA47A77BA8E748725F15053FE846C2260DB79DC90CA9D

Uniqueness

Uniqueness Score: -1.00%

Function 004835F0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00483639

Strings

_$#@, xrefs: 00483634
variable, xrefs: 00483664
function, xrefs: 0048366B, 00483674
The following %s name contains an illegal character:"%-1.300s", xrefs: 00483675

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _wcschr
String ID: The following %s name contains an illegal character:"%-1.300s"$_$#@$function$variable
API String ID: 2691759472-3792156013
Opcode ID: 474c0e5932dbf47c314e31d60c503162ec7c25967c3035a925af528ad8e0f116
Instruction ID: 9fb45b2d9d2496cbda5616e2469b7155100bad80590c4c9d7ed9f281b9c26bfa
Opcode Fuzzy Hash: 474c0e5932dbf47c314e31d60c503162ec7c25967c3035a925af528ad8e0f116
Instruction Fuzzy Hash: 0D11E762B0020026DB30A91FAC41B6B7398D781B66F04467BFD48E73C0F6699D1442EA

Uniqueness

Uniqueness Score: -1.00%

Function 0044E070 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetDateFormatW.KERNEL32(00000400,00000000,00000000,ddd,?,?), ref: 0044E0EB

Strings

dddd, xrefs: 0044E0BD
MMMM, xrefs: 0044E0A8
ddd, xrefs: 0044E0C4, 0044E0E1
MMM, xrefs: 0044E0AF

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DateFormat
String ID: MMM$MMMM$ddd$dddd
API String ID: 2793631785-2187213731
Opcode ID: 6222f31b7a83b363ae38b0487501c715728e0cbe8886c83ce5622683e32537f4
Instruction ID: 516f84411cdf78456ff86e9be08266e4064a3191b0a4a9b73a0b660eaea80255
Opcode Fuzzy Hash: 6222f31b7a83b363ae38b0487501c715728e0cbe8886c83ce5622683e32537f4
Instruction Fuzzy Hash: 8501D661A0562197F728961B9C45B776195FB81711F10CB27F9319B2C1C3BDDC4181AF

Uniqueness

Uniqueness Score: -1.00%

Function 00405040 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,00000000,0040500A,?,00000000,?,?,0041A46E,004AF9BC,00463AC5,?,00000001,?), ref: 00405051
GlobalFix.KERNEL32(00000000), ref: 00405076
GlobalFree.KERNEL32(00000000), ref: 00405087

Strings

GlobalLock, xrefs: 00405092
GlobalAlloc, xrefs: 00405063

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$AllocFree
String ID: GlobalAlloc$GlobalLock
API String ID: 3394109436-3672399903
Opcode ID: 4483452e756e322fc70055b39f1a8f8d2d848ebc45db87d51577b4246f2d8fb4
Instruction ID: 04dba852938eae33b56b363fdb162d0cbbbb8a9a62c176812635ef6d514174e6
Opcode Fuzzy Hash: 4483452e756e322fc70055b39f1a8f8d2d848ebc45db87d51577b4246f2d8fb4
Instruction Fuzzy Hash: 73F03C74A00B019BD7209F758905A17BBE9EF66701700883FA486C3790FB78E8048F19

Uniqueness

Uniqueness Score: -1.00%

Function 0040E770 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37synchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,02C41100,?,004149CE), ref: 0040E783
CreateMutexW.KERNEL32(00000000,00000000,AHK Mouse,?,02C41100,?,004149CE), ref: 0040E78E
GetLastError.KERNEL32 ref: 0040E796
CloseHandle.KERNEL32(00000000), ref: 0040E7C1

Strings

AHK Mouse, xrefs: 0040E785

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastMutex
String ID: AHK Mouse
API String ID: 2372642624-1022267635
Opcode ID: 8b8466653b4715c537ef547cf467df1c7b83c73994144e49d2a019f9fc83f725
Instruction ID: e5d791abfec9a7bc10ebe606da1a98460db5e8157a61fe4d04c0c5245e65f9f5
Opcode Fuzzy Hash: 8b8466653b4715c537ef547cf467df1c7b83c73994144e49d2a019f9fc83f725
Instruction Fuzzy Hash: 39F0A7B3B0132057DB206B7AEC88B4B6B589BC5B62F058833E505D72D0D7788C414768

Uniqueness

Uniqueness Score: -1.00%

Function 0040E700 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37synchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,02C41100,?,004149C1), ref: 0040E713
CreateMutexW.KERNEL32(00000000,00000000,AHK Keybd,?,02C41100,?,004149C1), ref: 0040E71E
GetLastError.KERNEL32 ref: 0040E726
CloseHandle.KERNEL32(00000000), ref: 0040E751

Strings

AHK Keybd, xrefs: 0040E715

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastMutex
String ID: AHK Keybd
API String ID: 2372642624-4057427925
Opcode ID: 0cf30500f44346e3d25740c0d253ca2bec4f373ea5796d9e17539d5148542ed6
Instruction ID: ed4e07cce867f80287ce807022d2b6961fb4eedc167c48551130ad127cb9ff8b
Opcode Fuzzy Hash: 0cf30500f44346e3d25740c0d253ca2bec4f373ea5796d9e17539d5148542ed6
Instruction Fuzzy Hash: B4F0A7B3B0232057D7206B79ED88B8B67549BC5BA2F194833E505D72D4D7B88C804268

Uniqueness

Uniqueness Score: -1.00%

Function 004367AA Relevance: 7.8, APIs: 5, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll
String ID:
API String ID: 3832890014-0
Opcode ID: 004964ae127b1730715ace7c35192c0863f607d9ac965b811d7a4cede65aaa5d
Instruction ID: 48752d9d18290a5b6f19c147175a7056f88d3b8878c9853a584df5e8c083cfb4
Opcode Fuzzy Hash: 004964ae127b1730715ace7c35192c0863f607d9ac965b811d7a4cede65aaa5d
Instruction Fuzzy Hash: 9E812B35905113B6EB10A7108C527B27350AB09758F1AD07BED46AB3C1E7ADDC43C3AE

Uniqueness

Uniqueness Score: -1.00%

Function 0045E530 Relevance: 7.7, APIs: 5, Instructions: 205COMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 0045E54B
__fassign.LIBCMT ref: 0045E5D6
GetKeyboardLayout.USER32(00000000), ref: 0045E620
__fassign.LIBCMT ref: 0045E671

Part of subcall function 004998AD: __fassign.LIBCMT ref: 004998A3

GetFullPathNameW.KERNEL32(?,00000104,?,00000000), ref: 0045E6BE

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __fassign$FullInitializeKeyboardLayoutNamePath
String ID:
API String ID: 3282345756-0
Opcode ID: b1d9b20903b53bdea41929694774a9e934d879e784a8dfdff31fa5fd3e9133fb
Instruction ID: 52db792a39c3e26bd4a94e9ebc1032de73813d1040626b417f3806f1de65675e
Opcode Fuzzy Hash: b1d9b20903b53bdea41929694774a9e934d879e784a8dfdff31fa5fd3e9133fb
Instruction Fuzzy Hash: 7B61D0B1604301AFD214EF65CC85FAB37A5AF89304F10485EF9448B2D2E7B9ED49C76A

Uniqueness

Uniqueness Score: -1.00%

Function 00416260 Relevance: 7.7, APIs: 5, Instructions: 182COMMON

Download Yara Rule

APIs

CallNextHookEx.USER32(00000000,?,?,?), ref: 00416280
UnhookWindowsHookEx.USER32(00000000), ref: 004162BD
GetTickCount.KERNEL32 ref: 0041630C
GetTickCount.KERNEL32 ref: 0041644F

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountHookTick$CallNextUnhookWindows
String ID:
API String ID: 2092930497-0
Opcode ID: e87c4d9cea8544c6985c9845e4e84471d6cc1ab62c4353a4d87c3acf2d3ed46c
Instruction ID: 1630e8a46408fb69bf2889bb6d5f33ef418d88e7e923b46a6d445bc897383f14
Opcode Fuzzy Hash: e87c4d9cea8544c6985c9845e4e84471d6cc1ab62c4353a4d87c3acf2d3ed46c
Instruction Fuzzy Hash: D861BF70505601DAD314DF28E8A4BB6B7E0FB94704F05842FD89AC7361DB78E894CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 0047C4F0 Relevance: 7.6, APIs: 5, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32 ref: 0047C527
RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 0047C55A

Part of subcall function 0047C4F0: RegCloseKey.ADVAPI32(00000000,00000000), ref: 0047C576
Part of subcall function 0047C4F0: RegDeleteKeyW.ADVAPI32(?,?), ref: 0047C586
Part of subcall function 0047C4F0: RegEnumKeyExW.ADVAPI32 ref: 0047C5AE

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Enum$CloseDeleteOpen
String ID:
API String ID: 2095303065-0
Opcode ID: cee1baf5ba707318230caac1b9f7ab549421d1ecf0f3ae4e074baf5a2cab67d8
Instruction ID: c683caca23a88791a041d526f859f880ace065df1b30f8efc2a4fe0d7e984c55
Opcode Fuzzy Hash: cee1baf5ba707318230caac1b9f7ab549421d1ecf0f3ae4e074baf5a2cab67d8
Instruction Fuzzy Hash: 9E21BD726042117BE320CA54DC80FBBB7ECEB98718F04492EFA4496240D669E90987B6

Uniqueness

Uniqueness Score: -1.00%

Function 0040E3F0 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040E3FE

Part of subcall function 004998CE: __FF_MSGBANNER.LIBCMT ref: 004998E7
Part of subcall function 004998CE: __NMSG_WRITE.LIBCMT ref: 004998EE
Part of subcall function 004998CE: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 00499913

_malloc.LIBCMT ref: 0040E423
_free.LIBCMT ref: 0040E432

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _malloc$AllocateHeap_free
String ID:
API String ID: 1159278337-0
Opcode ID: 0872bf2dd194d61856b1b4b6ba2741c9cd0a96555d1e4a296f5af4e06333b243
Instruction ID: f575827962c0ea3e288840b0cadad7e1e0e991ad5fef708aa991705e8e1b4358
Opcode Fuzzy Hash: 0872bf2dd194d61856b1b4b6ba2741c9cd0a96555d1e4a296f5af4e06333b243
Instruction Fuzzy Hash: CF1126F29012155BCA20EF9ABC81E67739CA781715F04043FF80497752F77AAD15C6A9

Uniqueness

Uniqueness Score: -1.00%

Function 0045F410 Relevance: 7.5, APIs: 5, Instructions: 37windowtimethreadCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000010,00000000,00000000,00000002,000001F4,?), ref: 0045F429
GetWindowThreadProcessId.USER32(00000000,?), ref: 0045F43D
OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 0045F453
TerminateProcess.KERNEL32(00000000,00000000), ref: 0045F462
CloseHandle.KERNEL32(00000000), ref: 0045F469

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Process$CloseHandleMessageOpenSendTerminateThreadTimeoutWindow
String ID:
API String ID: 1181120299-0
Opcode ID: 51942ed318b50e9245b20737dc44951c570c2997323ab49361e77c592a896834
Instruction ID: 0c78edcfc4abf563eac65214c09aaa03b9827659997d4ad8dfe5786bc2f302a0
Opcode Fuzzy Hash: 51942ed318b50e9245b20737dc44951c570c2997323ab49361e77c592a896834
Instruction Fuzzy Hash: F0F05471A413117BE3215B249C0AFDB3A989F16B52F444139FA46E61D0F7B498088AAA

Uniqueness

Uniqueness Score: -1.00%

Function 0045C2B0 Relevance: 7.5, APIs: 5, Instructions: 35serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000008), ref: 0045C2C6
LockServiceDatabase.ADVAPI32(00000000), ref: 0045C2D3
UnlockServiceDatabase.ADVAPI32(00000000), ref: 0045C2DE
GetLastError.KERNEL32 ref: 0045C2E6
CloseServiceHandle.ADVAPI32(00000000), ref: 0045C2F9

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Service$Database$CloseErrorHandleLastLockManagerOpenUnlock
String ID:
API String ID: 2828566434-0
Opcode ID: f8830ba1c346d0a214bcc3ebd8c1ddb82fbbf3bcd4dfa298330856064dcc8b8f
Instruction ID: e1ba19c1d5db8cac9ec9d17fe69e0613a02188c8b3e9d40f358535a4c70ad967
Opcode Fuzzy Hash: f8830ba1c346d0a214bcc3ebd8c1ddb82fbbf3bcd4dfa298330856064dcc8b8f
Instruction Fuzzy Hash: F6F02771E053106BE7300BA4DCC9F4B3A6CAF92756F044072FD06F6691C768C88A836D

Uniqueness

Uniqueness Score: -1.00%

Function 0049D7C9 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0049D7D5

Part of subcall function 0049D9F2: __getptd_noexit.LIBCMT ref: 0049D9F5
Part of subcall function 0049D9F2: __amsg_exit.LIBCMT ref: 0049DA02

__getptd.LIBCMT ref: 0049D7EC
__amsg_exit.LIBCMT ref: 0049D7FA
__lock.LIBCMT ref: 0049D80A
__updatetlocinfoEx_nolock.LIBCMT ref: 0049D81E

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: ef45a07a389c7c544fcc1b0804f3c3b88c4504175edd98dae87338ff740137fb
Instruction ID: 42fb7c23aaf222e8bba8594be5dbbadf58be550955e94941d92bddd22a616598
Opcode Fuzzy Hash: ef45a07a389c7c544fcc1b0804f3c3b88c4504175edd98dae87338ff740137fb
Instruction Fuzzy Hash: E2F06231D412109BDF25FB6E980374E6AA06F40718F11427FF455A76D2CB2C5941865D

Uniqueness

Uniqueness Score: -1.00%

Function 004575A0 Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 479COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0045763A
GetTickCount.KERNEL32 ref: 00457937

Part of subcall function 00401060: IsClipboardFormatAvailable.USER32(0000000D), ref: 00401072
Part of subcall function 00401060: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040107A

Strings

Callback, xrefs: 00457698

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AvailableClipboardFormat$CountTick_wcsncpy
String ID: Callback
API String ID: 4241739539-2156861040
Opcode ID: 1533cee847c586403f7a21973674cc2ca0711f0c36595f327df48ab992fcba0b
Instruction ID: 2c2aa610812bfd7bf0167f7bb11f46f5059ae8d080b48718a2d2f80c3b2593a8
Opcode Fuzzy Hash: 1533cee847c586403f7a21973674cc2ca0711f0c36595f327df48ab992fcba0b
Instruction Fuzzy Hash: E812AF70509641DFC714DF18E884A6AB7E1FF49315F18857FE8858B362C338E94ACB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00439360 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0047F770: _vswprintf_s.LIBCMT ref: 0047F789

GetTickCount.KERNEL32 ref: 00439451

Strings

Script lines most recently executed (oldest first). Press [F5] to refresh. The seconds elapsed between a line and the one after , xrefs: 0043936B
---- %s, xrefs: 0043948C
Press [F5] to refresh., xrefs: 00439532

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTick_vswprintf_s
String ID: Press [F5] to refresh.$---- %s$Script lines most recently executed (oldest first). Press [F5] to refresh. The seconds elapsed between a line and the one after
API String ID: 1349412622-1384135373
Opcode ID: fc26da72e96caeaec8486255f625393123b3ec32fdf5a3e16c7ccecdd1f84356
Instruction ID: 60e482e8402927963350048a824f211a63c52be3151287eae012bdec4fcaa884
Opcode Fuzzy Hash: fc26da72e96caeaec8486255f625393123b3ec32fdf5a3e16c7ccecdd1f84356
Instruction Fuzzy Hash: D751E2719083029FD714DF2CD98466A77E1EB98314F18463EEC4583395EB78DD0ACB96

Uniqueness

Uniqueness Score: -1.00%

Function 00428206 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 128COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00428231

Strings

+-^RASHNOT, xrefs: 0042822C
Parameter #1 invalid., xrefs: 004279F4
Parameter #3 invalid., xrefs: 00428162

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _wcschr
String ID: +-^RASHNOT$Parameter #1 invalid.$Parameter #3 invalid.
API String ID: 2691759472-20153427
Opcode ID: d5f1b93be6ad0314940e0029354aed85880483f86d67e9679187faa7c30f47ea
Instruction ID: a91bab1351b3cd19c5ecac0a0afb469d13fbc2654374cb225c63e19982c0a149
Opcode Fuzzy Hash: d5f1b93be6ad0314940e0029354aed85880483f86d67e9679187faa7c30f47ea
Instruction Fuzzy Hash: CD41CF307053658BEB308B16E4447B7B7E1AF40314F98446FE8858B396D73DAC95C76A

Uniqueness

Uniqueness Score: -1.00%

Function 004530F0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00453212

Part of subcall function 0049996D: HeapFree.KERNEL32(00000000,00000000,?,0049D9E3,00000000,?,0049F73B,?,0047F78E), ref: 00499983
Part of subcall function 0049996D: GetLastError.KERNEL32(00000000,?,0049D9E3,00000000,?,0049F73B,?,0047F78E), ref: 00499995

Strings

Count, xrefs: 0045313B
array, xrefs: 00453187
object, xrefs: 00453110

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID: Count$array$object
API String ID: 1353095263-899595868
Opcode ID: b15cca4d1a6da6537073be9c7c7da9256b4e05ccd8648335006ba696072550af
Instruction ID: 75b02fc83696aa01e0dc4558d0abf97ba6053c19d5a36d8ba070f2b4c40ed50a
Opcode Fuzzy Hash: b15cca4d1a6da6537073be9c7c7da9256b4e05ccd8648335006ba696072550af
Instruction Fuzzy Hash: F34125B1208700AFC304CF59C880A6BF7E5BBC8714F108A1EF59987350D770E949CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0043F160 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0043F180

Part of subcall function 004998CE: __FF_MSGBANNER.LIBCMT ref: 004998E7
Part of subcall function 004998CE: __NMSG_WRITE.LIBCMT ref: 004998EE
Part of subcall function 004998CE: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 00499913

_free.LIBCMT ref: 0043F1B7
_malloc.LIBCMT ref: 0043F1C5

Strings

Out of memory., xrefs: 0043F1DC

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _malloc$AllocateHeap_free
String ID: Out of memory.
API String ID: 1159278337-4087320997
Opcode ID: faec79506ab349064f9d040ecedd2be85dec563b1b67ef390f2f1dcda28431e2
Instruction ID: f321bdad49d7d9a1a8d9a69af1292d76e0e63c8517c7773031c59a15c2c2178c
Opcode Fuzzy Hash: faec79506ab349064f9d040ecedd2be85dec563b1b67ef390f2f1dcda28431e2
Instruction Fuzzy Hash: E4411CB5A10701CBDB20DF29D881A23B3E1FF5D300F14596ED48A87B80E379E895CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00465380 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004653E8
_malloc.LIBCMT ref: 00465402

Strings

MZ@, xrefs: 004653F0, 00465431
Out of memory., xrefs: 0046541B

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _free_malloc
String ID: MZ@$Out of memory.
API String ID: 845055658-1491408499
Opcode ID: e21ae786c6e9b8db64333e340c842a09a6c7fb063943bf23a6314815d1c1fc8b
Instruction ID: 6edd4201630c5618b3b346814b44ec0e210f623ce0764d09a1678dbcbdc49249
Opcode Fuzzy Hash: e21ae786c6e9b8db64333e340c842a09a6c7fb063943bf23a6314815d1c1fc8b
Instruction Fuzzy Hash: 44416BB26007059FC720DF19D880A2BB3E5EBC4700F10886FE99A87351EB75E985CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00462370 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(atl), ref: 00462382
GetProcAddress.KERNEL32(00000000,AtlAxGetControl), ref: 00462392

Strings

AtlAxGetControl, xrefs: 0046238C
atl, xrefs: 0046237D

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: AtlAxGetControl$atl
API String ID: 1646373207-1501572552
Opcode ID: f323a2088a14fec1c0eb6621b70b875bd3db8fb2af03af3116e8cb42fa80b463
Instruction ID: f3be39ff9f6d87b59ac7e5cb09fa5c6b8457682dbf8b2c408e7a99e3e7b1a3b3
Opcode Fuzzy Hash: f323a2088a14fec1c0eb6621b70b875bd3db8fb2af03af3116e8cb42fa80b463
Instruction Fuzzy Hash: 0C313D74701701ABDB04DF69D950B6777E4AF84708F14846EE809CB361EBBED806CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00450110 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 91timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004501A9
FileTimeToSystemTime.KERNEL32(?,?), ref: 004501B9
__swprintf.LIBCMT ref: 004501ED

Strings

%04d%02d%02d%02d%02d%02d, xrefs: 004501E7

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Time$File$LocalSystem__swprintf
String ID: %04d%02d%02d%02d%02d%02d
API String ID: 3390705568-4847443
Opcode ID: cdd856a6a5cba0d886cdf29c32d8186da00b77f2554ddd61ef6c4e0b54c340d2
Instruction ID: 4bf516d7b8ab1e972ca914f8eb945455db21716bb46c54fb6b9e513826b2b7d7
Opcode Fuzzy Hash: cdd856a6a5cba0d886cdf29c32d8186da00b77f2554ddd61ef6c4e0b54c340d2
Instruction Fuzzy Hash: 0C3180766086019FC318DF19C844D7BB7E9EF88311F04895EFC95872A1E738E945C76A

Uniqueness

Uniqueness Score: -1.00%

Function 004092FE Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0040935C
__wcstoi64.LIBCMT ref: 00409393

Strings

file://, xrefs: 0040933B
file:///, xrefs: 00409311

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcstoi64_memmove
String ID: file://$file:///
API String ID: 3802750240-3202756431
Opcode ID: ca6fe1fa0a4eb5a1d0128a02a452f52ce579525a54f6a47126a2bb294c1a0595
Instruction ID: 228adb1e2c64c27fd5af7c9564332824e60ecdba18ab1f92c03d7e87603bbe0c
Opcode Fuzzy Hash: ca6fe1fa0a4eb5a1d0128a02a452f52ce579525a54f6a47126a2bb294c1a0595
Instruction Fuzzy Hash: 6E212C61944244BADB214769CC46BDFBFBC5F25304F14006BE885772C2E17C6E458BAB

Uniqueness

Uniqueness Score: -1.00%

Function 004091F4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 0040542E: __EH_prolog.LIBCMT ref: 00405433

_sprintf.LIBCMT ref: 0040927C

Strings

-_.!~*()/, xrefs: 0040924C
%%%02X, xrefs: 00409276
file:///, xrefs: 004091FA

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog_sprintf
String ID: %%%02X$-_.!~*()/$file:///
API String ID: 1907722333-736925546
Opcode ID: 932a68f7643a3f509e63f3e22a914d7b3f5376c1dde38a70d35418f81c7149c6
Instruction ID: 3c943c9e6d5ff8764beb7e891663df72525a85a3ea475272d33d92f8a8cfe894
Opcode Fuzzy Hash: 932a68f7643a3f509e63f3e22a914d7b3f5376c1dde38a70d35418f81c7149c6
Instruction Fuzzy Hash: CC210575600702AFC720EE6AD880D2777E89F55324720887EE896977E2EB38EC41C759

Uniqueness

Uniqueness Score: -1.00%

Function 0041F2F0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0041F2FB
_wcschr.LIBCMT ref: 0041F33B

Strings

<>=/|^,:*&~!()[]{}+-?."'\;`, xrefs: 0041F336
Class, xrefs: 0041F2F5

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsnicmp_wcschr
String ID: <>=/|^,:*&~!()[]{}+-?."'\;`$Class
API String ID: 2237432580-400929710
Opcode ID: 3fa0ac90da6f11cfaf290d6626303dd51a1c61224933c921735cca7da6df2e48
Instruction ID: 73cbafe8aee45ee9c3ceeb6b08004815a7a22e724b4f6001eee5f2fced7aeaf5
Opcode Fuzzy Hash: 3fa0ac90da6f11cfaf290d6626303dd51a1c61224933c921735cca7da6df2e48
Instruction Fuzzy Hash: 91116B322046159ACB209B2DB8026FB73D0EF953107584937EC15CB244F32CDCCBC699

Uniqueness

Uniqueness Score: -1.00%

Function 0047F440 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32 ref: 0047F454
FileTimeToSystemTime.KERNEL32(?,?), ref: 0047F472
__swprintf.LIBCMT ref: 0047F4A6

Strings

%04d%02d%02d%02d%02d%02d, xrefs: 0047F4A0

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Time$File$LocalSystem__swprintf
String ID: %04d%02d%02d%02d%02d%02d
API String ID: 3390705568-4847443
Opcode ID: 0c452a17264c90715c25bfd685b2e232ddf78e9e0220f7a006f8ae53647cc0b1
Instruction ID: 69ee923c25bac7f78ea06fb48614fbd1a7a1c61be3b154a77c01757d97b37213
Opcode Fuzzy Hash: 0c452a17264c90715c25bfd685b2e232ddf78e9e0220f7a006f8ae53647cc0b1
Instruction Fuzzy Hash: EF0152A1518211ABC314DF55DC4597BB7E8AF89A01F008A5EF88982290F67CD858D7B7

Uniqueness

Uniqueness Score: -1.00%

Function 0044F1D0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 0044F1F4
__swprintf.LIBCMT ref: 0044F231

Strings

%04d%02d%02d%02d%02d%02d, xrefs: 0044F22B

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: SystemTime__swprintf
String ID: %04d%02d%02d%02d%02d%02d
API String ID: 3074119229-4847443
Opcode ID: ae8279b8155f0432419f5b7d66090c7ae7ae250e19b47eec4f082ac7e4461f1c
Instruction ID: 6c830e8ffff33c79251de3424dd09309443451ca299721e0cf7b916c0585d6a0
Opcode Fuzzy Hash: ae8279b8155f0432419f5b7d66090c7ae7ae250e19b47eec4f082ac7e4461f1c
Instruction Fuzzy Hash: E1017575404320ABD314EB49C8859BBB3F8EEC8700F84895EF8D986291E378D958D3A6

Uniqueness

Uniqueness Score: -1.00%

Function 004041D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,00000000,?,00000000,004AC168,000000FF,00408678,?,?,00004001,00000001,0000030C), ref: 0040423A
_free.LIBCMT ref: 00404255

Strings

pB@, xrefs: 004041ED
PA@, xrefs: 00404247

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle_free
String ID: PA@$pB@
API String ID: 3521661170-3984362343
Opcode ID: 5ecb6d649011a881a1615aeb13f8f522805aafe551e7f7eb8111451983c33f8e
Instruction ID: 936d73d43ba938fa47b3fc9f03ac0f6029eea87e8276fecc4e9897818cbc2aef
Opcode Fuzzy Hash: 5ecb6d649011a881a1615aeb13f8f522805aafe551e7f7eb8111451983c33f8e
Instruction Fuzzy Hash: 0E118EB1600B409BD720CF18C944B17B7E4FF89B20F544A2EF0A6A7BD0C378A840CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00477030 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

SetMenuItemInfoW.USER32 ref: 00477063
DeleteObject.GDI32(00000000), ref: 00477076
DestroyCursor.USER32(00000000), ref: 00477090

Strings

0, xrefs: 0047704B

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CursorDeleteDestroyInfoItemMenuObject
String ID: 0
API String ID: 392443887-4108050209
Opcode ID: 8fe182bfc6fa1b5d3ef5d0b9c18640a74ac036c15acd338e6af6377507ab86b3
Instruction ID: ee6f528fee97588970cab22696269b78434f4982b2fea64e4973f0d9a385d81b
Opcode Fuzzy Hash: 8fe182bfc6fa1b5d3ef5d0b9c18640a74ac036c15acd338e6af6377507ab86b3
Instruction Fuzzy Hash: 05F04FF05053409FE324CF15C958B577BE4FB48704F844A1DE49A87690D7B9E808CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00424217 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00424224
__wcsicoll.LIBCMT ref: 0042423D

Strings

WHILE, xrefs: 00424237
f9U, xrefs: 00423B45

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll
String ID: WHILE$f9U
API String ID: 3832890014-1171745783
Opcode ID: 8c817246c82c98187fafd3f910828143b13ff07b61f4ba220981b8bab369cb55
Instruction ID: c5cdfe8719934b4225720b737b4a50bcb2e5d34332e8ff571b97da6aaa14f866
Opcode Fuzzy Hash: 8c817246c82c98187fafd3f910828143b13ff07b61f4ba220981b8bab369cb55
Instruction Fuzzy Hash: FEF0E9106483E095CF30DF659C057BBBAA09BB034AF84481FF84482282F2ACD788C26F

Uniqueness

Uniqueness Score: -1.00%

Function 004362BB Relevance: 6.4, APIs: 4, Instructions: 354stringCOMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 004365EC
__wcsicoll.LIBCMT ref: 004365FE

Part of subcall function 0041A400: __wcstoi64.LIBCMT ref: 0041A413

lstrcmpiW.KERNEL32(004AF9BC,004AF9BC), ref: 00436617
lstrcmpiW.KERNEL32(004AF9BC,004AF9BC), ref: 00436624

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicolllstrcmpi$__wcstoi64
String ID:
API String ID: 455558549-0
Opcode ID: 9a7d1752987f0ad3d41bc1a9663a876de0dc2d4d735ff72631399082f474670f
Instruction ID: 45d2045dda6875f6f0292c47ba932af5119c93e2a452eee314bf208170be700c
Opcode Fuzzy Hash: 9a7d1752987f0ad3d41bc1a9663a876de0dc2d4d735ff72631399082f474670f
Instruction Fuzzy Hash: 73C13730B052037BDB109F24D88176B73A1AB68718F1AE17FE8455B392D669DC82C78E

Uniqueness

Uniqueness Score: -1.00%

Function 0042D0F0 Relevance: 6.2, APIs: 4, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df0d0ee19a2c7d9d7d444e7d07f06a5dcbed08c38c33c376d513c3c10b53fcca
Instruction ID: a8907f5895546d634107f72b29e39a528a21f0366b9d94b3086508b11533b1e8
Opcode Fuzzy Hash: df0d0ee19a2c7d9d7d444e7d07f06a5dcbed08c38c33c376d513c3c10b53fcca
Instruction Fuzzy Hash: F681D276B043519BD730DA58E884BABB3E1AF88310F54055EE98457382D735EC06C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00448760 Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

__wcstoi64.LIBCMT ref: 004487D5
__wcstoi64.LIBCMT ref: 00448808

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcstoi64
String ID:
API String ID: 398114495-0
Opcode ID: d368cd16a56b87dc9b1fca7be9f58092a5dc3d35ec999162e3d4214cda1dbf95
Instruction ID: 649cef476feb19c9ebc35da805fb32fdc699c4b9df499068426ad1c6de1e1cbf
Opcode Fuzzy Hash: d368cd16a56b87dc9b1fca7be9f58092a5dc3d35ec999162e3d4214cda1dbf95
Instruction Fuzzy Hash: 18414631A0410256FB11BF28CC417AF37A4AFD2754F98056FF881A7391EF2D9A06878E

Uniqueness

Uniqueness Score: -1.00%

Function 0045D7E5 Relevance: 6.1, APIs: 4, Instructions: 104windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,000000B0,?,?,00000002,000007D0,?), ref: 0045D804
SendMessageTimeoutW.USER32(?,000000C9,?,00000000,00000002,000007D0,?), ref: 0045D825
SendMessageTimeoutW.USER32(?,000000C9,?,00000000,00000002,000007D0,00000000), ref: 0045D852
SendMessageTimeoutW.USER32(?,000000C9,?,00000000,00000002,000007D0,00000000), ref: 0045D883

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: abc15d4db83a00bbe4814480fab8bdd09ebd37df512acd02d9e4cb8715834d98
Instruction ID: 99854541b1f9583881b17842ba83f381779d9684196dfc2af038cc0d16be25bc
Opcode Fuzzy Hash: abc15d4db83a00bbe4814480fab8bdd09ebd37df512acd02d9e4cb8715834d98
Instruction Fuzzy Hash: 52316431B44209AAEB20DAA4DC86FBF7778AF44B11F10061BBA10B71C5D7B4AD0587A9

Uniqueness

Uniqueness Score: -1.00%

Function 004A504D Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004A5081
__isleadbyte_l.LIBCMT ref: 004A50B4
MultiByteToWideChar.KERNEL32(54896610,00000009,?,00009B8D,00000000,00000000,?,?,?,0047F78E,?,00000000), ref: 004A50E5
MultiByteToWideChar.KERNEL32(54896610,00000009,?,00000001,00000000,00000000,?,?,?,0047F78E,?,00000000), ref: 004A5153

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: b59e0e4450bc800f9a93e2b1cc921e81cc40bbc7ad70f6c7594ba30609f1cf79
Instruction ID: 3cb286f00d7614339aaae4525e53b06ff45c314c0ccaedaef05e4e6b28e7892c
Opcode Fuzzy Hash: b59e0e4450bc800f9a93e2b1cc921e81cc40bbc7ad70f6c7594ba30609f1cf79
Instruction Fuzzy Hash: 3E310030A08A45EFDF20DF64C980ABA3BA1BF12350F1485AEF4618B2A1D334CD40CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004612D0 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 004612E5

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 75f7169935f71d0470cb2d8a072cb73fc8f75f28c1271252ab23fb96a1472ace
Instruction ID: f75ff6eebda167df49eca2dbdccf54938d51a1f2dba76d1c5790e1abba9c006d
Opcode Fuzzy Hash: 75f7169935f71d0470cb2d8a072cb73fc8f75f28c1271252ab23fb96a1472ace
Instruction Fuzzy Hash: 4D21083A6002045F9B10DF69D89487B77A8EBC9320B18857BFC1EC7720F638DC858796

Uniqueness

Uniqueness Score: -1.00%

Function 00484510 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 00484588
EnumChildWindows.USER32(?,00484640,?), ref: 004845C9
EnumChildWindows.USER32(?,00484640,?), ref: 004845F5

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ChildEnumWindows$_wcsncpy
String ID:
API String ID: 1330499146-0
Opcode ID: b349284bc6e80cce4c27efcf33d5ff29a9a481e893eba498b14e6b0c3b528829
Instruction ID: 36d5f45516869322ed6f36828927181cd33ce7801d169331c47538860fb52bc0
Opcode Fuzzy Hash: b349284bc6e80cce4c27efcf33d5ff29a9a481e893eba498b14e6b0c3b528829
Instruction Fuzzy Hash: FD2103316453465BC234EB259C017EFB3D8EFD5310F44492EEA8883240EB7D954983AA

Uniqueness

Uniqueness Score: -1.00%

Function 00473260 Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00473298
GetWindowRect.USER32(?,?), ref: 004732BC
GetWindowRect.USER32(?,?), ref: 004732C6
IntersectRect.USER32(?,?,?), ref: 004732D7

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Rect$Window$IntersectParent
String ID:
API String ID: 3824346474-0
Opcode ID: 2ac69dfb495a91facff9cadf3a68977131fbd4e23206bd57c00ed3ff04adbbd7
Instruction ID: 4964f4b91146b61ffbff53206609cd3e2b5890edde46945eee19c8cd1ae7b7ff
Opcode Fuzzy Hash: 2ac69dfb495a91facff9cadf3a68977131fbd4e23206bd57c00ed3ff04adbbd7
Instruction Fuzzy Hash: AB21DD725082059FC310CF64C9849ABFBE4FBD5310F048A2EFD8A93200DB36E909CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004195C0 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00419601
_wcstoul.LIBCMT ref: 00419618
__wcsnicmp.LIBCMT ref: 0041962B
_wcstoul.LIBCMT ref: 00419646

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsnicmp_wcstoul
String ID:
API String ID: 372159744-0
Opcode ID: fd0662cd15e2bc9ecd537496a386419bc16261a8e307adae47ae9c4ca74dd4df
Instruction ID: 7bd494f741f576a8ce20771c02b6e433522962607588b9d2a8ec4f69cf03f2de
Opcode Fuzzy Hash: fd0662cd15e2bc9ecd537496a386419bc16261a8e307adae47ae9c4ca74dd4df
Instruction Fuzzy Hash: E511063264435126DA00AB596C52FEB739D6F9471CF04442BF84C9B242E36E9D4683BE

Uniqueness

Uniqueness Score: -1.00%

Function 004770B0 Relevance: 6.1, APIs: 4, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetIconInfo.USER32(?,?), ref: 004770FE
GetObjectW.GDI32(?,00000018,?), ref: 00477114
DeleteObject.GDI32(?), ref: 0047713C
DeleteObject.GDI32(?), ref: 00477143

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$Delete$IconInfo
String ID:
API String ID: 507670407-0
Opcode ID: b20c8195ae865672dc496070bf4c94ebcad6d13cc7563a73ebd2f83cd2cdfb0c
Instruction ID: 6b43e1e7c084cecba670cf66b695526791576ca4083491f4fe897a7a06c25ca9
Opcode Fuzzy Hash: b20c8195ae865672dc496070bf4c94ebcad6d13cc7563a73ebd2f83cd2cdfb0c
Instruction Fuzzy Hash: B51151717082029FDB14DF2AC850AA7B7A9BF94754B85C52EE84DC7350E735EC02CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0045B4A0 Relevance: 6.1, APIs: 4, Instructions: 61keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(?), ref: 0045B4B5

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: e82773afbcbe8a1dc9b96c6ce42733924d3b951cf6b87cb4284e9e4482bea35d
Instruction ID: 965dc7b8fc80dce80f6196c731ca50fc8bb2cace639006f0240492d1892f7766
Opcode Fuzzy Hash: e82773afbcbe8a1dc9b96c6ce42733924d3b951cf6b87cb4284e9e4482bea35d
Instruction Fuzzy Hash: 011148B48501049ADB289B24A8253FA37D1F782707FCC049BF8498A593D32DC54EE61D

Uniqueness

Uniqueness Score: -1.00%

Function 00485090 Relevance: 6.1, APIs: 4, Instructions: 60threadCOMMON

Download Yara Rule

APIs

GetWindowTextW.USER32(?,?,00007FFF), ref: 004850C7
GetWindowThreadProcessId.USER32(?,?), ref: 004850EF
GetWindowThreadProcessId.USER32(?,?), ref: 00485102
GetClassNameW.USER32(?,?,00000101), ref: 00485148

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$ProcessThread$ClassNameText
String ID:
API String ID: 3420357866-0
Opcode ID: cbe98b434cf80826166d63d86ef2370306080e96a37b5017900a048dc547deef
Instruction ID: 1dddd29d0a0e8a65f278402aa56dbe997ca847a4857300b78447aad09caf0507
Opcode Fuzzy Hash: cbe98b434cf80826166d63d86ef2370306080e96a37b5017900a048dc547deef
Instruction Fuzzy Hash: 31118EB1604B419AD734EB38DC54BEBB7EAEF81740F148D1DF48687280EB78A941C768

Uniqueness

Uniqueness Score: -1.00%

Function 00413760 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004137D4
_free.LIBCMT ref: 004137DD
_free.LIBCMT ref: 004137E6
_free.LIBCMT ref: 004137F8

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 84372ab366233e1e3f11ea76a1918e4a540dbec9360a488de1cafb9e99ed26ba
Instruction ID: 15c89f8d632e1da3948e614e22d90df01441973e613c2258d7b1f18d58110370
Opcode Fuzzy Hash: 84372ab366233e1e3f11ea76a1918e4a540dbec9360a488de1cafb9e99ed26ba
Instruction Fuzzy Hash: 83113AB5600B009FCB20DF69C880B57B3E8BF88B04F14895DE16A87791D739ED41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004A747C Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 004A74A2

Part of subcall function 004A72CE: __fltout2.LIBCMT ref: 004A72F9

__cftog_l.LIBCMT ref: 004A74C8
__cftoe_l.LIBCMT ref: 004A74FA

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 59b8ee1df70a32654047179b309df7b8dc7a692eb6fa6cc73ca9361a895a4520
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: FA11403600414EBBCF225F85DC01CEE3F26BB2E354B598516FE1859131C63AC9B1AB85

Uniqueness

Uniqueness Score: -1.00%

Function 004051C0 Relevance: 6.0, APIs: 4, Instructions: 45clipboardCOMMON

Download Yara Rule

APIs

GlobalUnWire.KERNEL32(00000000), ref: 004051DC
CloseClipboard.USER32 ref: 004051E1
GlobalUnWire.KERNEL32(00000000), ref: 004051F5
GlobalFree.KERNEL32(00000000), ref: 00405205

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$Wire$ClipboardCloseFree
String ID:
API String ID: 3407575492-0
Opcode ID: cdb104fbe02ca3a2b87b981b4332b679801b1997406f8f313d5246e153e7d72b
Instruction ID: 7b06cf66b523ec39c383a240aa60a08e19c90baee00529917ca77d3278b74d3d
Opcode Fuzzy Hash: cdb104fbe02ca3a2b87b981b4332b679801b1997406f8f313d5246e153e7d72b
Instruction Fuzzy Hash: B201DA71900B009BC3209F5AD884827F7E9FF99711354C92FE59697A51DB35E980CF29

Uniqueness

Uniqueness Score: -1.00%

Function 0041E420 Relevance: 6.0, APIs: 4, Instructions: 20windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(00000000,0000FF81,00000003), ref: 0041E42E
EnableMenuItem.USER32(00000000,0000FF7E,00000003), ref: 0041E437
EnableMenuItem.USER32(00000000,0000FF7F,00000003), ref: 0041E440
EnableMenuItem.USER32(00000000,0000FF80,00000003), ref: 0041E449

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: EnableItemMenu
String ID:
API String ID: 1841910628-0
Opcode ID: 574a773f115e25bfa103674c532c74afdced1f61a0b464d7e107442c503312d9
Instruction ID: 6fa3dc5e3dabf9984090f1258573e8c6de812a1d7388ad0cb832bc4bef60568c
Opcode Fuzzy Hash: 574a773f115e25bfa103674c532c74afdced1f61a0b464d7e107442c503312d9
Instruction Fuzzy Hash: 76D0025164F31739B43172625DC5CBF5D2DDF8BEE87400175F208159C44E555C03B1B9

Uniqueness

Uniqueness Score: -1.00%

Function 00413730 Relevance: 6.0, APIs: 4, Instructions: 17COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00413734

Part of subcall function 0049996D: HeapFree.KERNEL32(00000000,00000000,?,0049D9E3,00000000,?,0049F73B,?,0047F78E), ref: 00499983
Part of subcall function 0049996D: GetLastError.KERNEL32(00000000,?,0049D9E3,00000000,?,0049F73B,?,0047F78E), ref: 00499995

_free.LIBCMT ref: 0041373D
_free.LIBCMT ref: 00413746
_free.LIBCMT ref: 00413758

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 345973364b0545af3fdb086cde8b5ba004b653dfe4a1be3d2f6b8bd271f90e75
Instruction ID: c2a0b7c4c52d022daa613f71fd762b6c0d849fc35d055dc1419f6c1ed5763def
Opcode Fuzzy Hash: 345973364b0545af3fdb086cde8b5ba004b653dfe4a1be3d2f6b8bd271f90e75
Instruction Fuzzy Hash: 84D012F15007009FCA34AB7AC845D5777AC7B44704B008D1EB1B657A42C63CE845CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00485150 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 299COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 004852EE
EnumChildWindows.USER32(00000000,00484170,?), ref: 00485473

Strings

%s%u, xrefs: 004854E2

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ChildEnumWindows__wcsicoll
String ID: %s%u
API String ID: 2617673624-679674701
Opcode ID: 9695a8490e76fbec8e3f7a5df6875ce0b74bb5ef3fe249b05653e96e94f5eca2
Instruction ID: fd503b9bf58d8d7e3ca49ccfc741b5e7740dbbe1e6e08fdb7da58b1b40acea88
Opcode Fuzzy Hash: 9695a8490e76fbec8e3f7a5df6875ce0b74bb5ef3fe249b05653e96e94f5eca2
Instruction Fuzzy Hash: 52B1C5316005849ADB74FE64DC44BEF33A6EF60355F44892BDC098B244EB39EB89CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004416D0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 276windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0044DDD0: GetForegroundWindow.USER32(?,?,004408D5,?), ref: 0044DDFE
Part of subcall function 0044DDD0: IsWindowVisible.USER32(00000000), ref: 0044DE19

SendMessageTimeoutW.USER32(00000000,?,00000000,00000000,00000002,00001388,?), ref: 00441842

Strings

FAIL, xrefs: 00441865, 00441880, 0044199D, 004419BE, 004419DA

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$ForegroundMessageSendTimeoutVisible
String ID: FAIL
API String ID: 578228273-2964506365
Opcode ID: 6a046053245d6cf30cfad53be2095a8a857fce27ab5d9c60f8de29f11a81a135
Instruction ID: e3aab89251119bf91e039b484f3e32ec53d8a3168cdea2df42cb83aa19531c57
Opcode Fuzzy Hash: 6a046053245d6cf30cfad53be2095a8a857fce27ab5d9c60f8de29f11a81a135
Instruction Fuzzy Hash: ACA137B17042005BE720DF25E881B67B7A5AB85324F24856FE8458B3E2C77AECC5C799

Uniqueness

Uniqueness Score: -1.00%

Function 004033E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

Part of subcall function 00403C40: GetTickCount.KERNEL32 ref: 00403C72

GetTickCount.KERNEL32 ref: 0040346D
_wcsncpy.LIBCMT ref: 004034E3

Part of subcall function 00401060: IsClipboardFormatAvailable.USER32(0000000D), ref: 00401072
Part of subcall function 00401060: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040107A

Strings

Timer, xrefs: 0040354B

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AvailableClipboardCountFormatTick$_wcsncpy
String ID: Timer
API String ID: 1301760726-2870079774
Opcode ID: d0fff780e64689c34af00ca0d6334427c4046cc04e8364f15790e01347e6108e
Instruction ID: 88a1a9f590d70e8c25626c38314a5bdde0ade3cccdfd18b28cc201bae22654a4
Opcode Fuzzy Hash: d0fff780e64689c34af00ca0d6334427c4046cc04e8364f15790e01347e6108e
Instruction Fuzzy Hash: F851F170204744ABD730DF209845B27BFE9AB4130AF04057FE8816A6E1DB7CEE84879A

Uniqueness

Uniqueness Score: -1.00%

Function 00456280 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00456389

Strings

%0.*f, xrefs: 00456383

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __swprintf
String ID: %0.*f
API String ID: 1857805200-3326200935
Opcode ID: f3efc868f029221008d738867895e1ecbe01fd11a00cb585197f70b68130d1e5
Instruction ID: 1ab908d5ddf41f0e68c28e2bead8703a9a00ba5176545fe044d82a1471ca67b7
Opcode Fuzzy Hash: f3efc868f029221008d738867895e1ecbe01fd11a00cb585197f70b68130d1e5
Instruction Fuzzy Hash: 16415470604605EBC700BF1AE90525ABBB0FF89316F5105AFEDC993252DB398829C78F

Uniqueness

Uniqueness Score: -1.00%

Function 00412770 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004127D3

Part of subcall function 004998CE: __FF_MSGBANNER.LIBCMT ref: 004998E7
Part of subcall function 004998CE: __NMSG_WRITE.LIBCMT ref: 004998EE
Part of subcall function 004998CE: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 00499913

Strings

Out of memory., xrefs: 004127E9
Hotstring max abbreviation length is 40., xrefs: 004127A5

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID: Hotstring max abbreviation length is 40.$Out of memory.
API String ID: 501242067-4290233147
Opcode ID: 194b1ed92c7ff72f5b6e2d027fe6ab39e016c2f1ec6577834c81b3699ec54cbb
Instruction ID: 5f0199ee1d96cee1de2ad668c0bcdfbb6d51e196393b572e948264f15dbae98a
Opcode Fuzzy Hash: 194b1ed92c7ff72f5b6e2d027fe6ab39e016c2f1ec6577834c81b3699ec54cbb
Instruction Fuzzy Hash: E141BCB0A083419FD704EF28D950B9777E4EB88314F048A2FE459D73A0E778D991CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040962B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409630

Part of subcall function 0040542E: __EH_prolog.LIBCMT ref: 00405433

Strings

<property name="%e" fullname="%e" type="%s" size="0" page="0" pagesize="%i" children="%i" numchildren="%i">, xrefs: 0040975C
<property name="%e" fullname="%e" type="%s" facet="%s" classname="%s" address="%p" size="0" page="%i" pagesize="%i" children="%i" numchildren="%i">, xrefs: 004096B7

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog
String ID: <property name="%e" fullname="%e" type="%s" facet="%s" classname="%s" address="%p" size="0" page="%i" pagesize="%i" children="%i" numchildren="%i">$<property name="%e" fullname="%e" type="%s" size="0" page="0" pagesize="%i" children="%i" numchildren="%i">
API String ID: 3519838083-126030962
Opcode ID: 87c03c89220bf1667a2df9af8027606b09f5679cea5c4d0205409a389e4483e9
Instruction ID: ec74d3aad49231399a40807f729c761cf72e4b956a2551eb17b1f112bbe09f3e
Opcode Fuzzy Hash: 87c03c89220bf1667a2df9af8027606b09f5679cea5c4d0205409a389e4483e9
Instruction Fuzzy Hash: 6D417875600601DFCB28DF25C990E6ABBF6FF88304B04856EE8569B7A2DB35EC11CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00435197 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

Out of memory., xrefs: 004351AF
MZ@, xrefs: 00435218, 0043526C

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _malloc
String ID: MZ@$Out of memory.
API String ID: 1579825452-1491408499
Opcode ID: e9d0c8e9f246c29288c86b7ee040e0385337a5e38874a779e90bf8247356b1f4
Instruction ID: 716296394f96548ef18284d95659626aa61a6d511f97aef6cde54cec39c45a1d
Opcode Fuzzy Hash: e9d0c8e9f246c29288c86b7ee040e0385337a5e38874a779e90bf8247356b1f4
Instruction Fuzzy Hash: 2D312D72A056449FDB20DF69E851B6BB7E4F7D8710F004A7FE94583301E73A9814CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00411510 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0041152B

Part of subcall function 00411640: _memset.LIBCMT ref: 00411657

Part of subcall function 00411990: __wcsicoll.LIBCMT ref: 004119F8
Part of subcall function 00411990: GetKeyboardLayout.USER32(00000000), ref: 00411A13

Strings

& , xrefs: 00411538
~, xrefs: 00411586

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: KeyboardLayout__wcsicoll_memset_wcsncpy
String ID: & $~
API String ID: 3335490538-4238529414
Opcode ID: 7f3c27bdc95818d8a23ff64d8ef0efa5f9c03b8e0289060384dccb39a313ac87
Instruction ID: 8403d1b8a5aa793223eeb62f93f7f5aa207cb0d099a890c58be16bcea9e4b3a7
Opcode Fuzzy Hash: 7f3c27bdc95818d8a23ff64d8ef0efa5f9c03b8e0289060384dccb39a313ac87
Instruction Fuzzy Hash: 1E31287294030467D730E745D886BFB73A9DBD8300F04481EF659C7351F279988083A7

Uniqueness

Uniqueness Score: -1.00%

Function 004282D3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00428328

Strings

MCA, xrefs: 00428323
Parameter #3 invalid., xrefs: 004270D2

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _wcschr
String ID: MCA$Parameter #3 invalid.
API String ID: 2691759472-426094000
Opcode ID: 99c10b2f9ec2c62e613d60c1175dbc594d1c7a0e5ebae668770c73f5539571ef
Instruction ID: 620bec29d5405416955c381e020a42c8167fe42f35d90869f4ce5332c18ff832
Opcode Fuzzy Hash: 99c10b2f9ec2c62e613d60c1175dbc594d1c7a0e5ebae668770c73f5539571ef
Instruction Fuzzy Hash: DF31DF307043658BE720CB1AE4487B3B7E19B80314F88445FE9858B396D33EEC95C76A

Uniqueness

Uniqueness Score: -1.00%

Function 00439550 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 004395D5

Strings

Line#, xrefs: 004395A0
--->, xrefs: 004395C8

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _wcsncpy
String ID: Line#$--->
API String ID: 1735881322-1677359465
Opcode ID: ef0ffd32523b02768b7948e73913e6f595e644a01feeb1b1a6a9487ae7fac2de
Instruction ID: 9a1b2ea245bc89fee8f0bc56fb6d134bd86feeb250aba0773214a7f6adb49bda
Opcode Fuzzy Hash: ef0ffd32523b02768b7948e73913e6f595e644a01feeb1b1a6a9487ae7fac2de
Instruction Fuzzy Hash: 1B21E1727043016FC719DE298885B6BB3E4FBCC300F18592EE946D7394D6B4ED45879A

Uniqueness

Uniqueness Score: -1.00%

Function 0045E790 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(004AF9BC,00000104,?,?), ref: 0045E7BD
SHFileOperationW.SHELL32(?), ref: 0045E849

Strings

\, xrefs: 0045E7E3

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFullNameOperationPath
String ID: \
API String ID: 1380555793-2967466578
Opcode ID: 8d2b88e816f9bfa920931be6c4e0e962604c60e178c24eca5e5724a8e2b1ff8b
Instruction ID: 5e74e19621455cf54786bedec00dbe43cd3d9e43a3c016b8638d59fec8e1f197
Opcode Fuzzy Hash: 8d2b88e816f9bfa920931be6c4e0e962604c60e178c24eca5e5724a8e2b1ff8b
Instruction Fuzzy Hash: F831D3705043119AC729EF15D885A9BBBE8EF88714F444E2FF844C7290E3B8D748CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00483200 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00483224
_free.LIBCMT ref: 00483274

Part of subcall function 004830C0: _free.LIBCMT ref: 0048313F

Strings

m|D, xrefs: 00483298, 00483213, 0048321B

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _free
String ID: m|D
API String ID: 269201875-1299526162
Opcode ID: d323d817c49f455b9659b15cdae31802fd86ec66cc1a6163e059b4f6bea27c63
Instruction ID: a2b3207b83cdd2c038929843f2c6aa8c30e1f4fbfb90af73473c345508218e98
Opcode Fuzzy Hash: d323d817c49f455b9659b15cdae31802fd86ec66cc1a6163e059b4f6bea27c63
Instruction Fuzzy Hash: D6318DB0404B408BD731AF25C405B6BBBE0AF51718F048D5EE4968B751C268FA45CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00476150 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00476240: __wcsicoll.LIBCMT ref: 004762FA
Part of subcall function 00476240: SetMenuItemInfoW.USER32 ref: 004763FD

SetMenuItemInfoW.USER32(00000000,?,00000000,00000030), ref: 004761EE
IsMenu.USER32(00000000), ref: 00476207

Strings

0, xrefs: 004761BA

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Menu$InfoItem$__wcsicoll
String ID: 0
API String ID: 2393440583-4108050209
Opcode ID: 786428c6d6a4870ec218ea75ca3fdb487a24edbde43f20a466cdc27c74f8baaf
Instruction ID: 9f46653eb60ce519536a17eeb38ea7de185bcf515c425d723660681604daf2be
Opcode Fuzzy Hash: 786428c6d6a4870ec218ea75ca3fdb487a24edbde43f20a466cdc27c74f8baaf
Instruction Fuzzy Hash: 25217E70200B019FD724DF15C984BA7BBEAEB84304F06C92EE85D87752DB39E804CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00406342 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 004063C2

Strings

-, xrefs: 0040638A
i, xrefs: 00406379

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _strncmp
String ID: -$i
API String ID: 909875538-173159675
Opcode ID: e8fa6d294f546e0832f5d64c0caedce7f0bc7988bebd5de4885de1c013d19c23
Instruction ID: 10446c57bc6a0d5a714ce762a0e1b5e1d34010fb9f65103ee1ca0a9c7611fe24
Opcode Fuzzy Hash: e8fa6d294f546e0832f5d64c0caedce7f0bc7988bebd5de4885de1c013d19c23
Instruction Fuzzy Hash: 3821AE305492914FE7358B2480057A3BBD59F26310F2A50BBDCC2AB3D2D73E9826C7D9

Uniqueness

Uniqueness Score: -1.00%

Function 0042B336 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000), ref: 0042B38A
_wcschr.LIBCMT ref: 0042B3A5

Strings

.ahk, xrefs: 0042B366

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile_wcschr
String ID: .ahk
API String ID: 3504862186-1610153849
Opcode ID: 82811bb11e0edf530550c7cf577b470fcda5e208f6050be767667e34ad2bd82a
Instruction ID: 757f1b1224c243466ffc8ddf836753953deab125922b7738243144f195b5fbe2
Opcode Fuzzy Hash: 82811bb11e0edf530550c7cf577b470fcda5e208f6050be767667e34ad2bd82a
Instruction Fuzzy Hash: 1521F3756002168BC720DF29EC81A6B7364EF91318F40462EED45C72B0E778A955CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 004377F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00499F62: _malloc.LIBCMT ref: 00499F7C

Part of subcall function 004378C0: _malloc.LIBCMT ref: 00437949

_free.LIBCMT ref: 00437893
_free.LIBCMT ref: 004378A2

Part of subcall function 00437AD0: FindFirstFileW.KERNEL32(?,?,00000000,?,?,?,?,00000000,?,?,?), ref: 00437B6E
Part of subcall function 00437AD0: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?), ref: 00437B95
Part of subcall function 00437AD0: FindClose.KERNEL32(00000000,00000000,?,?,?), ref: 00437C25

Strings

Out of memory., xrefs: 0043786B

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$File_free_malloc$CloseFirstNext
String ID: Out of memory.
API String ID: 1334603258-4087320997
Opcode ID: 0370aac5d5be72b740f8548dd181199583b6697839f540daa08704fe2db876e6
Instruction ID: e9e65c227f0058d7421a4c4165927854f5724022341d9465cd4b7566b11b8c72
Opcode Fuzzy Hash: 0370aac5d5be72b740f8548dd181199583b6697839f540daa08704fe2db876e6
Instruction Fuzzy Hash: AA1105F1604300ABC214FA199C41F6BB7D9ABCC718F04452DF58993342D778ED09C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00476660 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 0047668E
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004766B9

Part of subcall function 00468DD0: GetMenu.USER32(?), ref: 00468DFC
Part of subcall function 00468DD0: IsWindowVisible.USER32(?), ref: 00468E10
Part of subcall function 00468DD0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,00000000,00A61808,00476AE1,?), ref: 00468E32
Part of subcall function 00468DD0: RedrawWindow.USER32(?,00000000,00000000,00000501,?,?,00000000,00A61808,00476AE1,?), ref: 00468E49

Strings

0, xrefs: 0047667E

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MenuWindow$InfoItem$RedrawVisible
String ID: 0
API String ID: 4094535373-4108050209
Opcode ID: add5e239ce0c558f9d418fb77cf3e284f11c644daf4064df16e3b35aa4938fdf
Instruction ID: ab7516d805ddf85ca77b04442448d77c058692d0457b97d863963f09d3841d74
Opcode Fuzzy Hash: add5e239ce0c558f9d418fb77cf3e284f11c644daf4064df16e3b35aa4938fdf
Instruction Fuzzy Hash: 671194B5210701AFE320CF15D845BA7B7E8BB54700F44462EE44983650E779F949CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 004510F5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0045113C
__itow.LIBCMT ref: 00451168

Strings

0, xrefs: 00451170

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast__itow
String ID: 0
API String ID: 2292283701-4108050209
Opcode ID: aebd47600f01bfabd14335fbd3cf9b49aa7be08e6118b1397067c8e76fa0b1ec
Instruction ID: 0f713923508a108ba10baa6602ddcb62634484f821bc37a24d7f4c198d9fb580
Opcode Fuzzy Hash: aebd47600f01bfabd14335fbd3cf9b49aa7be08e6118b1397067c8e76fa0b1ec
Instruction Fuzzy Hash: 43215870E006089FDB14DF98C881BEEBBB0FB48311F20429AED14673A1D7786844CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004055F3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004055F8
_malloc.LIBCMT ref: 00405617

Part of subcall function 004998CE: __FF_MSGBANNER.LIBCMT ref: 004998E7
Part of subcall function 004998CE: __NMSG_WRITE.LIBCMT ref: 004998EE
Part of subcall function 004998CE: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 00499913

Strings

lT@, xrefs: 004056A3

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocateH_prologHeap_malloc
String ID: lT@
API String ID: 3218263244-377959062
Opcode ID: a910841c4ef2ae315d3e23a8661f81d7bc2e787031bb6a3737fe9164652d7850
Instruction ID: e14fd80463f9a8218ffbd095721ee173d9a01f1d5f740497f87c3140b771b3b1
Opcode Fuzzy Hash: a910841c4ef2ae315d3e23a8661f81d7bc2e787031bb6a3737fe9164652d7850
Instruction Fuzzy Hash: 29219FB0853240CAD701DF6AE989245BBA4F729314B9D827FD098977A0C3B88465CF5F

Uniqueness

Uniqueness Score: -1.00%

Function 0044B708 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status AHK_PlayMe mode,?,00000208,00000000), ref: 0044B76C
mciSendStringW.WINMM(close AHK_PlayMe,00000000,00000000,00000000), ref: 0044B793

Strings

stopped, xrefs: 0044B710
status AHK_PlayMe mode, xrefs: 0044B767

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: SendString
String ID: status AHK_PlayMe mode$stopped
API String ID: 890592661-3192028569
Opcode ID: 88a2f15dd0127811a1fea2c13b03331054353b791249cb79a0fc7431b5f28811
Instruction ID: 90a743a28dc1e510f6c071264ebc81d95873bde1a0bf0aa5cce66f863cbbe56a
Opcode Fuzzy Hash: 88a2f15dd0127811a1fea2c13b03331054353b791249cb79a0fc7431b5f28811
Instruction Fuzzy Hash: 2EF0C22164020645FA20AB10CC83BF77362EBF0755F44053AEA445B391E76AD999C2EA

Uniqueness

Uniqueness Score: -1.00%

Function 004492A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004492B7

Part of subcall function 0049996D: HeapFree.KERNEL32(00000000,00000000,?,0049D9E3,00000000,?,0049F73B,?,0047F78E), ref: 00499983
Part of subcall function 0049996D: GetLastError.KERNEL32(00000000,?,0049D9E3,00000000,?,0049F73B,?,0047F78E), ref: 00499995

_malloc.LIBCMT ref: 004492C6

Strings

Out of memory., xrefs: 00449308

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFreeHeapLast_free_malloc
String ID: Out of memory.
API String ID: 1323848136-4087320997
Opcode ID: b0dac4ce8e9da8487236b924857553f1efec1d5f5d8e1e8d129324fe8273f5fd
Instruction ID: 2693c398b91f1d95f21fdc01312f9b509c04a017fbc576d01133cff1ec752299
Opcode Fuzzy Hash: b0dac4ce8e9da8487236b924857553f1efec1d5f5d8e1e8d129324fe8273f5fd
Instruction Fuzzy Hash: 5F01A270648201ABA700DF15C485A67F7D5BFA5300B29889FE8964B312E3BDDC06E79F

Uniqueness

Uniqueness Score: -1.00%

Function 004AB3E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004AAC04: __getptd.LIBCMT ref: 004AAC0A
Part of subcall function 004AAC04: __getptd.LIBCMT ref: 004AAC1A

__getptd.LIBCMT ref: 004AB3F4

Part of subcall function 0049D9F2: __getptd_noexit.LIBCMT ref: 0049D9F5
Part of subcall function 0049D9F2: __amsg_exit.LIBCMT ref: 0049DA02

__getptd.LIBCMT ref: 004AB402

Strings

csm, xrefs: 004AB410

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: d6c216536e6c9934bd1e0d215e40cfabb2d9f4a4d9056726e4c472cc84c0db29
Instruction ID: 231d3972c73b5d16349401673d201e8cea309c931a7a14bb24a5a429e05a7387
Opcode Fuzzy Hash: d6c216536e6c9934bd1e0d215e40cfabb2d9f4a4d9056726e4c472cc84c0db29
Instruction Fuzzy Hash: 15018B308017458EDF389F25C444AAEB7B5FF3A311F58862FE08196253CB388D94CB89

Uniqueness

Uniqueness Score: -1.00%

Function 0041D600 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041D617

Part of subcall function 0049996D: HeapFree.KERNEL32(00000000,00000000,?,0049D9E3,00000000,?,0049F73B,?,0047F78E), ref: 00499983
Part of subcall function 0049996D: GetLastError.KERNEL32(00000000,?,0049D9E3,00000000,?,0049F73B,?,0047F78E), ref: 00499995

_free.LIBCMT ref: 0041D634

Strings

PA@, xrefs: 0041D629

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: PA@
API String ID: 776569668-205768822
Opcode ID: 265f50dd57715ff2e04b7fc1b221622a4115d048b372de8321d9ffd5dfdf7fd1
Instruction ID: 32dbed47d63e9e66d789fa0bc6641921a8cb2985dd1b26d74ba8c4f20b2832d6
Opcode Fuzzy Hash: 265f50dd57715ff2e04b7fc1b221622a4115d048b372de8321d9ffd5dfdf7fd1
Instruction Fuzzy Hash: A7F0A0F1D0134047DB209A298A047937AC82F10304F08083EE88992743E37CE884CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00401060 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25clipboardCOMMON

Download Yara Rule

APIs

IsClipboardFormatAvailable.USER32(0000000D), ref: 00401072
IsClipboardFormatAvailable.USER32(0000000F), ref: 0040107A

Strings

<<>>, xrefs: 0040107E

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AvailableClipboardFormat
String ID: <<>>
API String ID: 778505046-913080871
Opcode ID: e466914c9b857a6ef36b3f1146f273cba9083202bc0a2492d8a84e718efd92e8
Instruction ID: 902c5d7fbcab7f026d29f3c887bb8a546b39c08af2ab105b567b58b6c4b53e64
Opcode Fuzzy Hash: e466914c9b857a6ef36b3f1146f273cba9083202bc0a2492d8a84e718efd92e8
Instruction Fuzzy Hash: 92E08622B1115196EA2076BEBD0079717C8AB667A0F41017BB894EB7F4D76CDC8146DC

Uniqueness

Uniqueness Score: -1.00%

Function 00404180 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(000004E4,00000014,?,0040449B), ref: 004041B1

Strings

pB@, xrefs: 004041BE
PA@, xrefs: 00404188

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Info
String ID: PA@$pB@
API String ID: 1807457897-3984362343
Opcode ID: 50994e7b3b05678d09604cba5b4991f8dbc6ed780f9e971c4b92b8c424d275df
Instruction ID: a7a8e418d0f082675fe04da1f9baa0d48bca931afd4b41ac0baf6ceb1f0ac80c
Opcode Fuzzy Hash: 50994e7b3b05678d09604cba5b4991f8dbc6ed780f9e971c4b92b8c424d275df
Instruction Fuzzy Hash: 19F074B1501B418FC3308FA9C984453FBF4BE167203948B2EE1BA87AD0D374A449CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00405240 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22clipboardCOMMON

Download Yara Rule

APIs

GlobalUnWire.KERNEL32(00000000), ref: 0040524F
CloseClipboard.USER32 ref: 0040525C

Strings

GlobalLock, xrefs: 0040527E

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClipboardCloseGlobalWire
String ID: GlobalLock
API String ID: 3720899524-2848605275
Opcode ID: 3ff1db746bfd5ef77d9276e8a10a358c417422890e16e74ebe7dfe66ec90dcda
Instruction ID: 38bf5e4e31e08a559ee7673862494085ba07db61dd880ce74c4b58258c67e2b9
Opcode Fuzzy Hash: 3ff1db746bfd5ef77d9276e8a10a358c417422890e16e74ebe7dfe66ec90dcda
Instruction Fuzzy Hash: 3AE06570400B018FE7306F95C408393BAF4EF59305F68486FE88692BE0DBBC8888CE59

Uniqueness

Uniqueness Score: -1.00%

Function 00433376 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00433389
PostMessageW.USER32(00000000), ref: 00433390

Strings

Shell_TrayWnd, xrefs: 00433384

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FindMessagePostWindow
String ID: Shell_TrayWnd
API String ID: 2578315405-2988720461
Opcode ID: c350afa9e582d600c7521111a2b5b3c208c8ed7182aca823cae28acc3a43e3ff
Instruction ID: ba8efd1f5b3e9eb5217ddc9417771d947b3cdb3211b81847fa735299b7b8386f
Opcode Fuzzy Hash: c350afa9e582d600c7521111a2b5b3c208c8ed7182aca823cae28acc3a43e3ff
Instruction Fuzzy Hash: 03E0C231F80200BBF9082360DD4BF8836412B0A728F380222F621BF2E5C1FDD481462E

Uniqueness

Uniqueness Score: -1.00%

Function 0043332F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00433342
PostMessageW.USER32(00000000), ref: 00433349

Strings

Shell_TrayWnd, xrefs: 0043333D

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FindMessagePostWindow
String ID: Shell_TrayWnd
API String ID: 2578315405-2988720461
Opcode ID: 246c4addbf8ed5f745e012487c1723215b5894df31d9bb5d1e1591d7eb8c3954
Instruction ID: 74412fba28eff483349229005a01184927baed5a2df12cb1e6602a068471502a
Opcode Fuzzy Hash: 246c4addbf8ed5f745e012487c1723215b5894df31d9bb5d1e1591d7eb8c3954
Instruction Fuzzy Hash: 3DE0C231F80200BBF9082360DD4BF9836411B0A728F340122F622BF2E1C5FED441462E

Uniqueness

Uniqueness Score: -1.00%

Function 0044F3A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

GetSystemDefaultUILanguage.KERNEL32 ref: 0044F3A9
__swprintf.LIBCMT ref: 0044F3B9

Strings

%04hX, xrefs: 0044F3B3

Memory Dump Source

Source File: 00000000.00000002.1820994010.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1820982300.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1820994010.00000000004E5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1821103269.00000000004E6000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLanguageSystem__swprintf
String ID: %04hX
API String ID: 1359733045-3571374829
Opcode ID: f9435cade1d7525a0e30c04fab40ca09abe64c8348ff6e313da6bd6930c62ec9
Instruction ID: 3bc3f87511c22233ea1fa0926701baa9e436478bdbe5c4d059401f84b2266587
Opcode Fuzzy Hash: f9435cade1d7525a0e30c04fab40ca09abe64c8348ff6e313da6bd6930c62ec9
Instruction Fuzzy Hash: F2C0127390257057D5502605B845BBA77585B81710F4940B7FD4096244D1288C5562FE

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{500D0D6D-FE93-11EE-8C2C-ECF4BBEA1588}.dat

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{500D0D6F-FE93-11EE-8C2C-ECF4BBEA1588}.dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\haims_localconnect[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\piwik[1].js

C:\Users\user\AppData\Local\Temp\~DF1D0A298AAD15511E.TMP

C:\Users\user\AppData\Local\Temp\~DF79F3A13EFF4F3D66.TMP

C:\Users\user\Desktop\FileCompanyCode.txt

C:\Users\user\Desktop\HE_hotstring.ini

C:\Users\user\Desktop\Haims_ESC.exe

C:\Users\user\Desktop\VNDCD_memo\readme.txt

C:\Users\user\Desktop\config.ini

C:\Users\user\Desktop\images\esc.ico

C:\Users\user\Desktop\images\myEng_Arrow.cur

C:\Users\user\Desktop\images\myEng_ArrowB.cur

C:\Users\user\Desktop\images\myEng_Ibeam.cur

C:\Users\user\Desktop\images\myEng_IbeamB.cur

C:\Users\user\Desktop\images\myHan_Arrow.cur

C:\Users\user\Desktop\images\myHan_Ibeam.cur

Windows Analysis Report
SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe

Function 0041D920 Relevance: 51.0, APIs: 27, Strings: 2, Instructions: 264
comwindowclipboardCOMMON

Function 0041F3CB Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 211
COMMON

Function 00483940 Relevance: 19.7, APIs: 13, Instructions: 170
threadCOMMON

Function 00404290 Relevance: 79.3, APIs: 27, Strings: 18, Instructions: 518
sleepwindowCOMMON

Function 0041E010 Relevance: 59.8, APIs: 24, Strings: 10, Instructions: 253
windowregistryCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre