Edit tour

Windows Analysis Report
aMail_Ver1.exe

Overview

General Information

Sample name:	aMail_Ver1.exe
Analysis ID:	1430794
MD5:	06b0347315d3ab5385a0479134ec22cc
SHA1:	784d20632b7aa1c4d4c6a8f1c9597037ac94ab12
SHA256:	c9de15f068399626b8296c218150f31f1f9c0065442f0580cf1e3a9acad70464
Infos:

Detection

Score:	29
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Compliance

Score:	49
Range:	0 - 100

Signatures

Installs new ROOT certificates

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Stores large binary data to the registry

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Process Tree

System is w7x64

aMail_Ver1.exe (PID: 1520 cmdline: "C:\Users\user\Desktop\aMail_Ver1.exe" MD5: 06B0347315D3AB5385A0479134EC22CC)

cleanup

Sigma Signatures

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\aMail_Ver1.exe, ProcessId: 1520, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Compliance

Uses 32bit PE files

Source: aMail_Ver1.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Found installer window with terms and condition text

Source: C:\Users\user\Desktop\aMail_Ver1.exe	Window detected: &Don't AcceptFor the following components:Microsoft Visual Studio 2010 Tools for Office Runtime (x86 and x64)Please read the following license agreement. Press the page down key to see the rest of the agreement.MICROSOFT SOFTWARE LICENSE TERMSMICROSOFT VISUAL STUDIO TOOLS FOR OFFICE RUNTIME AND LANGUAGE PACK These license terms are an agreement between Microsoft Corporation (or based on where you live one of its affiliates) and you. Please read them. They apply to the software named above which includes the media on which you received it if any. The terms also apply to any MicrosoftupdatessupplementsInternet-based services andsupport servicesfor this software unless other terms accompany those items. If so those terms apply.BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.IF YOU COMPLY WITH THESE LICENSE TERMS YOU HAVE THE PERPETUAL RIGHTS BELOW.1.INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices.2.SCOPE OF LICENSE. The software is licensed not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may notdisclose the results of any benchmark tests of the software to any third party without Microsofts prior written approval;work around any technical limitations in the software;reverse engineer decompile or disassemble the software except and only to the extent that applicable law expressly permits despite this limitation;make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation;publish the software for others to copy;rent lease or lend the software;transfer the software or this agreement to any third party; oruse the software for commercial software hosting services.3.BACKUP COPY. You may make one backup copy of the software. You may use it only to reinstall the software.4.DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes.5.TRANSFER TO ANOTHER DEVICE. You may uninstall the software and install it on another device for your use. You may not do so to share this license between devices.6.EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations end users and end use. For additional information see www.microsoft.com/exporting.7.SUPPORT SERVICES. Because this software is as is we may not provide support services for it.8.ENTIRE AGREEMENT. This agreement a
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Window detected: &Don't AcceptFor the following components:Microsoft Visual Studio 2010 Tools for Office Runtime (x86 and x64)Please read the following license agreement. Press the page down key to see the rest of the agreement.MICROSOFT SOFTWARE LICENSE TERMSMICROSOFT VISUAL STUDIO TOOLS FOR OFFICE RUNTIME AND LANGUAGE PACK These license terms are an agreement between Microsoft Corporation (or based on where you live one of its affiliates) and you. Please read them. They apply to the software named above which includes the media on which you received it if any. The terms also apply to any MicrosoftupdatessupplementsInternet-based services andsupport servicesfor this software unless other terms accompany those items. If so those terms apply.BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.IF YOU COMPLY WITH THESE LICENSE TERMS YOU HAVE THE PERPETUAL RIGHTS BELOW.1.INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices.2.SCOPE OF LICENSE. The software is licensed not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may notdisclose the results of any benchmark tests of the software to any third party without Microsofts prior written approval;work around any technical limitations in the software;reverse engineer decompile or disassemble the software except and only to the extent that applicable law expressly permits despite this limitation;make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation;publish the software for others to copy;rent lease or lend the software;transfer the software or this agreement to any third party; oruse the software for commercial software hosting services.3.BACKUP COPY. You may make one backup copy of the software. You may use it only to reinstall the software.4.DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes.5.TRANSFER TO ANOTHER DEVICE. You may uninstall the software and install it on another device for your use. You may not do so to share this license between devices.6.EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations end users and end use. For additional information see www.microsoft.com/exporting.7.SUPPORT SERVICES. Because this software is as is we may not provide support services for it.8.ENTIRE AGREEMENT. This agreement a

Creates install or setup log file

Source: C:\Users\user\Desktop\aMail_Ver1.exe

File created: C:\Users\user\AppData\Local\Temp\VSD1758.tmp\install.log

Jump to behavior

PE / OLE file has a valid certificate

Source: aMail_Ver1.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: aMail_Ver1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: D:\dbs\sh\ddvsm\0706_100817_0\cmd\e\out\binaries\x86ret\bin\i386\Bootstrapper\Engine\setup.pdb source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr
Source:	Binary string: sfxcab.pdb source: vstor_redist[1].exe.0.dr, vstor_redist.exe.0.dr
Source:	Binary string: D:\dbs\sh\ddvsm\0706_100817_0\cmd\e\out\binaries\x86ret\bin\i386\Bootstrapper\Engine\setup.pdb? source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr

Spreading

Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: 0_2_00318593 __EH_prolog3_GS,FindFirstFileW,FindNextFileW,FindClose,FindClose,		0_2_00318593
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: 0_2_0034BCB5 FindFirstFileExW,		0_2_0034BCB5

Networking

Source: C:\Users\user\Desktop\aMail_Ver1.exe

Code function: 0_2_003254E2 URLDownloadToFileW,EnterCriticalSection,LeaveCriticalSection,CoInitialize,CoUninitialize,

0_2_003254E2

Source: C:\Users\user\Desktop\aMail_Ver1.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vstor_redist[1].exe

Jump to behavior

Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: aMail_Ver1.exe, 00000000.00000002.366350837.000000000227A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comod
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: aMail_Ver1.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr	String found in binary or memory: https://system.asite.com/aMail_Installer/TruePABegin
Source: aMail_Ver1.exe, 00000000.00000002.366084781.0000000000754000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://system.asite.com/aMail_Installer/aMail.vstoullX64Bootstrapper

System Summary

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\Desktop\aMail_Ver1.exe

Memory allocated: 770B0000 page execute and read and write

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: 0_2_0034223E	0_2_0034223E
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: 0_2_0034B312	0_2_0034B312
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: 0_2_00350340	0_2_00350340
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: 0_2_0034246D	0_2_0034246D
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: 0_2_003585F9	0_2_003585F9
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: 0_2_003507EE	0_2_003507EE
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: 0_2_0030BA59	0_2_0030BA59

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: String function: 0033A29B appears 62 times
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: String function: 0033A268 appears 37 times
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: String function: 00314375 appears 33 times
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: String function: 0033A960 appears 43 times

Sample file is different than original file name gathered from version info

Source: aMail_Ver1.exe, 00000000.00000000.338200638.0000000000368000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesetup.exe vs aMail_Ver1.exe
Source: aMail_Ver1.exe	Binary or memory string: OriginalFilenamesetup.exe vs aMail_Ver1.exe
Source: aMail_Ver1.exe.0.dr	Binary or memory string: OriginalFilenamesetup.exe vs aMail_Ver1.exe

Uses 32bit PE files

Source: aMail_Ver1.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: sus29.winEXE@1/5@0/0

Source: C:\Users\user\Desktop\aMail_Ver1.exe

Code function: 0_2_0033404B __EH_prolog3_GS,SystemParametersInfoW,FindResourceW,LoadResource,LockResource,SizeofResource,CreateDialogIndirectParamW,CreateDialogParamW,MoveWindow,SetForegroundWindow,

0_2_0033404B

Source: C:\Users\user\Desktop\aMail_Ver1.exe

File created: C:\Users\user\AppData\Local\Temp\VSD1758.tmp

Jump to behavior

Source: aMail_Ver1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\aMail_Ver1.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\aMail_Ver1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\aMail_Ver1.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Users\user\Desktop\aMail_Ver1.exe

File read: C:\Users\user\Desktop\aMail_Ver1.exe

Jump to behavior

Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll	Jump to behavior

Found installer window with terms and condition text

Source: C:\Users\user\Desktop\aMail_Ver1.exe	Window detected: &Don't AcceptFor the following components:Microsoft Visual Studio 2010 Tools for Office Runtime (x86 and x64)Please read the following license agreement. Press the page down key to see the rest of the agreement.MICROSOFT SOFTWARE LICENSE TERMSMICROSOFT VISUAL STUDIO TOOLS FOR OFFICE RUNTIME AND LANGUAGE PACK These license terms are an agreement between Microsoft Corporation (or based on where you live one of its affiliates) and you. Please read them. They apply to the software named above which includes the media on which you received it if any. The terms also apply to any MicrosoftupdatessupplementsInternet-based services andsupport servicesfor this software unless other terms accompany those items. If so those terms apply.BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.IF YOU COMPLY WITH THESE LICENSE TERMS YOU HAVE THE PERPETUAL RIGHTS BELOW.1.INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices.2.SCOPE OF LICENSE. The software is licensed not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may notdisclose the results of any benchmark tests of the software to any third party without Microsofts prior written approval;work around any technical limitations in the software;reverse engineer decompile or disassemble the software except and only to the extent that applicable law expressly permits despite this limitation;make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation;publish the software for others to copy;rent lease or lend the software;transfer the software or this agreement to any third party; oruse the software for commercial software hosting services.3.BACKUP COPY. You may make one backup copy of the software. You may use it only to reinstall the software.4.DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes.5.TRANSFER TO ANOTHER DEVICE. You may uninstall the software and install it on another device for your use. You may not do so to share this license between devices.6.EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations end users and end use. For additional information see www.microsoft.com/exporting.7.SUPPORT SERVICES. Because this software is as is we may not provide support services for it.8.ENTIRE AGREEMENT. This agreement a
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Window detected: &Don't AcceptFor the following components:Microsoft Visual Studio 2010 Tools for Office Runtime (x86 and x64)Please read the following license agreement. Press the page down key to see the rest of the agreement.MICROSOFT SOFTWARE LICENSE TERMSMICROSOFT VISUAL STUDIO TOOLS FOR OFFICE RUNTIME AND LANGUAGE PACK These license terms are an agreement between Microsoft Corporation (or based on where you live one of its affiliates) and you. Please read them. They apply to the software named above which includes the media on which you received it if any. The terms also apply to any MicrosoftupdatessupplementsInternet-based services andsupport servicesfor this software unless other terms accompany those items. If so those terms apply.BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.IF YOU COMPLY WITH THESE LICENSE TERMS YOU HAVE THE PERPETUAL RIGHTS BELOW.1.INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices.2.SCOPE OF LICENSE. The software is licensed not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may notdisclose the results of any benchmark tests of the software to any third party without Microsofts prior written approval;work around any technical limitations in the software;reverse engineer decompile or disassemble the software except and only to the extent that applicable law expressly permits despite this limitation;make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation;publish the software for others to copy;rent lease or lend the software;transfer the software or this agreement to any third party; oruse the software for commercial software hosting services.3.BACKUP COPY. You may make one backup copy of the software. You may use it only to reinstall the software.4.DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes.5.TRANSFER TO ANOTHER DEVICE. You may uninstall the software and install it on another device for your use. You may not do so to share this license between devices.6.EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations end users and end use. For additional information see www.microsoft.com/exporting.7.SUPPORT SERVICES. Because this software is as is we may not provide support services for it.8.ENTIRE AGREEMENT. This agreement a

PE / OLE file has a valid certificate

Source: aMail_Ver1.exe

Static PE information: certificate valid

PE file contains a mix of data directories often seen in goodware

Source: aMail_Ver1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: aMail_Ver1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: aMail_Ver1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: aMail_Ver1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: aMail_Ver1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: aMail_Ver1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: aMail_Ver1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: aMail_Ver1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: D:\dbs\sh\ddvsm\0706_100817_0\cmd\e\out\binaries\x86ret\bin\i386\Bootstrapper\Engine\setup.pdb source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr
Source:	Binary string: sfxcab.pdb source: vstor_redist[1].exe.0.dr, vstor_redist.exe.0.dr
Source:	Binary string: D:\dbs\sh\ddvsm\0706_100817_0\cmd\e\out\binaries\x86ret\bin\i386\Bootstrapper\Engine\setup.pdb? source: aMail_Ver1.exe, aMail_Ver1.exe.0.dr

Data Obfuscation

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\aMail_Ver1.exe

Code function: 0_2_003247BB LoadLibraryW,GetProcAddress,GetProcAddress,

0_2_003247BB

PE file contains sections with non-standard names

Source: aMail_Ver1.exe	Static PE information: section name: .didat
Source: aMail_Ver1.exe.0.dr	Static PE information: section name: .didat

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: 0_2_0033A236 push ecx; ret	0_2_0033A249
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: 0_2_0033A9B0 push ecx; ret	0_2_0033A9C3
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: 0_2_0030BA28 push esp; retn 0030h	0_2_0030BA51
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: 0_2_0030BA59 push esp; retn 0030h	0_2_0030BA51

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Users\user\Desktop\aMail_Ver1.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior

Drops PE files

Source: C:\Users\user\Desktop\aMail_Ver1.exe	File created: C:\Users\user\AppData\Local\Temp\VSD1758.tmp\VSTOR40\vstor_redist.exe	Jump to dropped file
Source: C:\Users\user\Desktop\aMail_Ver1.exe	File created: C:\Users\user\AppData\Local\Temp\VSD1758.tmp\aMail_Ver1.exe	Jump to dropped file
Source: C:\Users\user\Desktop\aMail_Ver1.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vstor_redist[1].exe	Jump to dropped file

Creates install or setup log file

Source: C:\Users\user\Desktop\aMail_Ver1.exe

File created: C:\Users\user\AppData\Local\Temp\VSD1758.tmp\install.log

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\aMail_Ver1.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Stores large binary data to the registry

Source: C:\Users\user\Desktop\aMail_Ver1.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Malware Analysis System Evasion

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\aMail_Ver1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\VSD1758.tmp\VSTOR40\vstor_redist.exe			Jump to dropped file
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vstor_redist[1].exe			Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\aMail_Ver1.exe TID: 2976

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: 0_2_00318593 __EH_prolog3_GS,FindFirstFileW,FindNextFileW,FindClose,FindClose,		0_2_00318593
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: 0_2_0034BCB5 FindFirstFileExW,		0_2_0034BCB5

Source: C:\Users\user\Desktop\aMail_Ver1.exe

Code function: 0_2_00336EA3 GetProcAddress,GetNativeSystemInfo,GetProcAddress,GetCurrentProcess,FreeLibrary,GetSystemInfo,

0_2_00336EA3

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\aMail_Ver1.exe

Code function: 0_2_0033A701 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0033A701

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\aMail_Ver1.exe

Code function: 0_2_003247BB LoadLibraryW,GetProcAddress,GetProcAddress,

0_2_003247BB

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\aMail_Ver1.exe

Code function: 0_2_0034477A mov eax, dword ptr fs:[00000030h]

0_2_0034477A

Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: 0_2_0033A701 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0033A701
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: 0_2_0033E854 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0033E854
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: 0_2_0033A9F9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0033A9F9

HIPS / PFW / Operating System Protection Evasion

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\aMail_Ver1.exe

Code function: 0_2_0031513C ShellExecuteExW,GetLastError,WaitForSingleObject,CloseHandle,

0_2_0031513C

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\aMail_Ver1.exe

Code function: 0_2_0033ABF6 cpuid

0_2_0033ABF6

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: GetLocaleInfoW,	0_2_0034F0C0
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0034F18D
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: EnumSystemLocalesW,	0_2_003477C6
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: IsValidCodePage,GetLocaleInfoW,	0_2_0034E842
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: EnumSystemLocalesW,	0_2_0034EAC9
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: EnumSystemLocalesW,	0_2_0034EB14
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: GetLocaleInfoW,	0_2_00347B6B
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: EnumSystemLocalesW,	0_2_0034EBAF
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0034EC40
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: GetLocaleInfoW,	0_2_0034EE90
Source: C:\Users\user\Desktop\aMail_Ver1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0034EFB9

Source: C:\Users\user\Desktop\aMail_Ver1.exe

Code function: 0_2_0033A5FB GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0033A5FB

Source: C:\Users\user\Desktop\aMail_Ver1.exe

Code function: 0_2_00355503 GetVersion,GetEnvironmentVariableA,

0_2_00355503

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Modify Registry	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Query Registry	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Install Root Certificate	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	24 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
windowsupdatebg.s.llnwi.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://crl.comod	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
windowsupdatebg.s.llnwi.net	68.142.107.4	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.entrust.net/server1.crl0	aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.entrust.net0D	aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.entrust.net03	aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://secure.comodo.com/CPS0	aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://system.asite.com/aMail_Installer/aMail.vstoullX64Bootstrapper	aMail_Ver1.exe, 00000000.00000002.366084781.0000000000754000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	aMail_Ver1.exe, 00000000.00000002.366084781.00000000007EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://system.asite.com/aMail_Installer/TruePABegin	aMail_Ver1.exe, aMail_Ver1.exe.0.dr	false		high
http://crl.comod	aMail_Ver1.exe, 00000000.00000002.366350837.000000000227A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430794
Start date and time:	2024-04-24 07:25:16 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	aMail_Ver1.exe
Detection:	SUS
Classification:	sus29.winEXE@1/5@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 61% Number of executed functions: 73 Number of non-executed functions: 107
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.121.225, 184.28.122.21, 23.1.234.40, 23.1.234.9, 23.1.234.26, 23.1.234.73, 23.1.234.56, 23.1.234.80, 23.1.234.59, 23.1.234.11, 23.1.234.16
Excluded domains from analysis (whitelisted): e11290.dspg.akamaiedge.net, go.microsoft.com, dlc-shim.trafficmanager.net, e12671.dscd.akamaiedge.net, download.microsoft.com.edgekey.net, main.dl.ms.akadns.net, go.microsoft.com.edgekey.net, ctldl.windowsupdate.com, download.microsoft.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:26:01	API Interceptor	270x Sleep call for process: aMail_Ver1.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
windowsupdatebg.s.llnwi.net	New DHL Shipment Document Arrival Notice.pdf.exe	Get hash	malicious	AgentTesla	Browse	68.142.107.4
	GHY7L7VaOL.exe	Get hash	malicious	Unknown	Browse	68.142.107.4
	https://auhsdbfjabsdfjs.z13.web.core.windows.net/Er0Win8helpline76/index.html	Get hash	malicious	TechSupportScam	Browse	68.142.107.4
	4BfhCycV4B.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	69.164.42.0
	https://caringhearts.foundation/wp-includes/widgets/ogk25/ogk/index.php&c=E,1,PBioTuoqxXxVmzOkxu8MYhWQ9ZbRNVLGpsstSuC0GQ2jNcQlIpYbU0K6d3lwsaeoT17vAF7VpKXs0qg9O-hGnfKxM3skSa-Jn2VJH7kX1A,,&typo=1	Get hash	malicious	Unknown	Browse	68.142.107.4
	https://caringhearts.foundation/wp-includes/widgets/ogk25/ogk/index.php&c=E,1,PBioTuoqxXxVmzOkxu8MYhWQ9ZbRNVLGpsstSuC0GQ2jNcQlIpYbU0K6d3lwsaeoT17vAF7VpKXs0qg9O-hGnfKxM3skSa-Jn2VJH7kX1A,,&typo=1	Get hash	malicious	Unknown	Browse	69.164.46.128
	CR-FEDEX_TN-775537409198_Doc.vbs	Get hash	malicious	Unknown	Browse	69.164.46.0
	copy_76499Kxls.vbs	Get hash	malicious	Remcos, GuLoader	Browse	69.164.46.0
	Purchase Inquiry.vbs	Get hash	malicious	AgentTesla	Browse	69.164.46.128
	szamla_sorszam_8472.xlsm	Get hash	malicious	Unknown	Browse	69.164.42.0

Process:	C:\Users\user\Desktop\aMail_Ver1.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30573854
Entropy (8bit):	7.999820447996267
Encrypted:	true
SSDEEP:	786432:O/LmoRkCrQ8jONK+AUpJJMqpGjyw/hzFiT:oH07AU+qpGjhzK
MD5:	A185854995666F7AC6D9ED740A4A50AF
SHA1:	FE4F04D869018A44C4A3212DEF2D9A54233DF6FD
SHA-256:	5A2AB3209B30501CDD1ACFB711F1A2A35A5C10DFCCF6269A1FF6B40AE3BD8FF2
SHA-512:	C1420359112FE235C851975707B91AF03947EB3532A3DE5FE467F363D9B2FCA06FC4A43C4B8921B54D90D28856F8D414ED864635EBBEBB2D5CE265DB50B03F88
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#pA.B...B...B..gM...B...B...B..gMC..B..gMA..B..gM@..B..gMD..B..Rich.B..........................PE..L....jkG.............................c... ........... ................................~.......... ....................................................~.H(.......... "...............................&..@............ ...............................text........ ...................... ..`.data...............................@....rsrc.............}.................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\VSD1758.tmp\VSTOR40\vstor_redist.exe

Download File

Process:	C:\Users\user\Desktop\aMail_Ver1.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	29155799
Entropy (8bit):	7.999813167806156
Encrypted:	true
SSDEEP:	393216:5DsmKfei43MnDSPdcnRkjqNb/k1VHE35q8Jyi1HONiD8oMAUpJJ/0JClpGHdNY9s:O/LmoRkCrQ8jONK+AUpJJMqpGjyw/ht
MD5:	CE0AADEC275A860B9A019212BEED8AE1
SHA1:	42C8FA5D8602FB3DE1DCCF67F0D0E15EC096EA88
SHA-256:	1114C429F3DF2F7A337FF22EDAA7292A10201E71817EB4786A0662F9F08EEC8C
SHA-512:	924EA9C1D8BDB840D6AFCFF164BBB2FA16E886CE607EBD0185F356E694294CB79B4AE74FE615BD9CA36E8BB512E89F431A0E20942AA2994FF54103AB25BDC4B3
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#pA.B...B...B..gM...B...B...B..gMC..B..gMA..B..gM@..B..gMD..B..Rich.B..........................PE..L....jkG.............................c... ........... ................................~.......... ....................................................~.H(.......... "...............................&..@............ ...............................text........ ...................... ..`.data...............................@....rsrc.............}.................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\VSD1758.tmp\aMail_Ver1.exe

Download File

Process:	C:\Users\user\Desktop\aMail_Ver1.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	908040
Entropy (8bit):	5.658326719275916
Encrypted:	false
SSDEEP:	12288:XLNJYdaqX8PzxRU0EZ6CDQrwaVGua8eMb01JQntLOC9p9wNw:7xqsPzxWDQZem9pl
MD5:	06B0347315D3AB5385A0479134EC22CC
SHA1:	784D20632B7AA1C4D4C6A8F1C9597037AC94AB12
SHA-256:	C9DE15F068399626B8296C218150F31F1F9C0065442F0580CF1E3A9ACAD70464
SHA-512:	7DEAAEF9344541DB361FC0D3EA074BEC35C5C8EFA1E2CD0AF64C2331F338023D35BA504A1BB1CDAEB703E06929C2576FF9AA9EA30959C324CAF31BE50F76B05B
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-.W.L...L...L..u.n..L..u.l._L..u.m..L...0...L...0...L...0...L....T..L...L...M...0...L...0...L...0...L...0`..L...0...L..Rich.L..................PE..L......d.........."....".................... ....@.......................................@...... ..................p...x...@S..........\D...............)......L8...+..T...........................`n..@............P..8...<........................text............................... ..`.data...,%... ......................@....idata..p....P......................@..@.didat..p....p.......0..............@....rsrc...\D.......F...2..............@..@.reloc..L8.......:...x..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\VSD1758.tmp\aMail_Ver1.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\aMail_Ver1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\VSD1758.tmp\install.log

Download File

Process:	C:\Users\user\Desktop\aMail_Ver1.exe
File Type:	data
Category:	dropped
Size (bytes):	6398
Entropy (8bit):	3.659819337920586
Encrypted:	false
SSDEEP:	96:s85uiOysPOg8AU6Bj7rBF7gBEO18Aj7PcERAnEi7bl72Z3ZyZMjh:V5RFRupg2guDb52Z3Z3jh
MD5:	79613F1DEB3343D4288067678F7FCBEA
SHA1:	8CDF685480AAA490F9090F59449B3D78866AE91C
SHA-256:	72AD884FF3F02B6934C41CBC020D8EBD87406A1474FD733C358B4BD4CCF79B39
SHA-512:	8AD66798DC4F3290D6902A839971E75B81BC1927C42EEF9542A979F79E1EFE7331931CBB36BC61CC20D571131C41C649DFF38582E65231208E184425849496B3
Malicious:	false
Reputation:	low
Preview:	T.h.e. .f.o.l.l.o.w.i.n.g. .p.r.o.p.e.r.t.i.e.s. .h.a.v.e. .b.e.e.n. .s.e.t.:.....P.r.o.p.e.r.t.y.:. .[.A.d.m.i.n.U.s.e.r.]. .=. .t.r.u.e. .{.b.o.o.l.e.a.n.}.....P.r.o.p.e.r.t.y.:. .[.I.n.s.t.a.l.l.M.o.d.e.]. .=. .H.o.m.e.S.i.t.e. .{.s.t.r.i.n.g.}.....P.r.o.p.e.r.t.y.:. .[.N.T.P.r.o.d.u.c.t.T.y.p.e.]. .=. .1. .{.i.n.t.}.....P.r.o.p.e.r.t.y.:. .[.P.r.o.c.e.s.s.o.r.A.r.c.h.i.t.e.c.t.u.r.e.]. .=. .A.M.D.6.4. .{.s.t.r.i.n.g.}.....P.r.o.p.e.r.t.y.:. .[.V.e.r.s.i.o.n.N.T.]. .=. .6...1...1. .{.v.e.r.s.i.o.n.}.....R.u.n.n.i.n.g. .c.h.e.c.k.s. .f.o.r. .p.a.c.k.a.g.e. .'.M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k. .4...8. .(.x.8.6. .a.n.d. .x.6.4.).'.,. .p.h.a.s.e. .B.u.i.l.d.L.i.s.t.....R.e.a.d.i.n.g. .v.a.l.u.e. .'.R.e.l.e.a.s.e.'. .o.f. .r.e.g.i.s.t.r.y. .k.e.y. .'.H.K.L.M.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.N.E.T. .F.r.a.m.e.w.o.r.k. .S.e.t.u.p.\.N.D.P.\.v.4.\.F.u.l.l.'.....R.e.a.d. .i.n.t.e.g.e.r. .v.a.l.u.e. .5.2.8.0.4.9.....S.e.t.t.i.n.g. .v.a.l.u.e. .'.5.2.8.0.4.9. .{.i.n.t.}.'.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.658326719275916
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	aMail_Ver1.exe
File size:	908'040 bytes
MD5:	06b0347315d3ab5385a0479134ec22cc
SHA1:	784d20632b7aa1c4d4c6a8f1c9597037ac94ab12
SHA256:	c9de15f068399626b8296c218150f31f1f9c0065442f0580cf1e3a9acad70464
SHA512:	7deaaef9344541db361fc0d3ea074bec35c5c8efa1e2cd0af64c2331f338023d35ba504a1bb1cdaeb703e06929c2576ff9aa9ea30959c324caf31be50f76b05b
SSDEEP:	12288:XLNJYdaqX8PzxRU0EZ6CDQrwaVGua8eMb01JQntLOC9p9wNw:7xqsPzxWDQZem9pl
TLSH:	021541265AD8B569E3F79B307FF242D3AB69BC623934CC4E12D1030D0965A41FDA076E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-.W.L...L...L..u.n..L..u.l._L..u.m..L...0...L...0...L...0...L....T..L...L...M...0...L...0...L...0...L...0`..L...0...L..Rich.L.

File Icon


Icon Hash:	0e0f396929630f0e

Static PE Info

General

Entrypoint:	0x43a1e0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x64A6FEE0 [Thu Jul 6 17:50:24 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	2e4063684e52e96403e6efd64e422891

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	4/25/2022 5:00:00 PM 6/19/2024 4:59:59 PM
Subject Chain	CN=Asite Solutions Limited, O=Asite Solutions Limited, L=London, C=GB
Version:	3
Thumbprint MD5:	86EA3382B09890E3D2C31FC46C92B4B2
Thumbprint SHA-1:	EA51B1554C793D9EC73B4406F4B76BE860B36F7C
Thumbprint SHA-256:	C9C5AB2780E1885EC4FA6260BCD703F6240CF682A735A3ABF71CBE2FC6CFD104
Serial:	074002E0E1228CA7CE34E1C3685BF8BF

Entrypoint Preview

Instruction
call 00007FADF1A755A8h
jmp 00007FADF1A74FBDh
push ebp
mov ebp, esp
jmp 00007FADF1A7514Fh
push dword ptr [ebp+08h]
call 00007FADF1A80B51h
pop ecx
test eax, eax
je 00007FADF1A75151h
push dword ptr [ebp+08h]
call 00007FADF1A80BDAh
pop ecx
test eax, eax
je 00007FADF1A75128h
pop ebp
ret
cmp dword ptr [ebp+08h], FFFFFFFFh
je 00007FADF1A50566h
jmp 00007FADF1A75907h
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007FADF1A75283h
pop ecx
pop ebp
ret
cmp ecx, dword ptr [0046205Ch]
jne 00007FADF1A75143h
ret
jmp 00007FADF1A75930h
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007FADF1A75119h
jmp 00007FADF1A75122h
mov ecx, dword ptr [ebp-14h]
xor ecx, ebp
call 00007FADF1A7510Ah
jmp 00007FADF1A75113h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [0046205Ch]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x61070	0x78	.text
IMAGE_DIRECTORY_ENTRY_IMPORT	0x65340	0xc8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x68000	0x7445c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xdb200	0x2908
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdd000	0x384c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x12b80	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x6e60	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x65000	0x338	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x60d3c	0x80	.text
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x600e8	0x60200	0d2e544ab6aab672ed6c6576f2015fe9	False	0.5105428112808843	data	6.450164375603211	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x62000	0x252c	0x1400	f41d72eb2c226a3a1a0907190befa736	False	0.266796875	DOS executable (block device driver)	3.3161911498156	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x65000	0x1570	0x1600	de93a4c825fc59143b8094bac90af12c	False	0.42631392045454547	data	5.421901541324144	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x67000	0x70	0x200	27eaca3c248e8b18c15c2a0a0bf4df22	False	0.162109375	data	1.1460240260218542	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x68000	0x7445c	0x74600	e6513936fd06999b428973bca2753ab9	False	0.13159573039742212	data	4.219840040807034	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdd000	0x384c	0x3a00	f7059413bd1f0b66ae84c624fdf523f2	False	0.7380118534482759	data	6.589152632057299	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x69c8c	0x1e16	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9881848870423267
RT_ICON	0x6baa4	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.18363539445628999
RT_ICON	0x6c94c	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.23736462093862815
RT_ICON	0x6d1f4	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.1856936416184971
RT_ICON	0x6d75c	0x1e8c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9874680306905371
RT_ICON	0x6f5e8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.08260510155880964
RT_ICON	0x73810	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.10518672199170125
RT_ICON	0x75db8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.16135084427767354
RT_ICON	0x76e60	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.2801418439716312
RT_ICON	0x772c8	0x75d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.8058355437665783
RT_ICON	0x77a28	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.06716417910447761
RT_ICON	0x788d0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.08167870036101083
RT_ICON	0x79178	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.08164739884393063
RT_ICON	0x796e0	0x830	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.8664122137404581
RT_ICON	0x79f10	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.025330656589513462
RT_ICON	0x7e138	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.03464730290456432
RT_ICON	0x806e0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.054643527204502815
RT_ICON	0x81788	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.10460992907801418
RT_DIALOG	0x81bf0	0x90	data	English	United States	0.7083333333333334
RT_DIALOG	0x81c80	0x1b4	data	English	United States	0.4724770642201835
RT_DIALOG	0x81e34	0x1a4	data	English	United States	0.5095238095238095
RT_GROUP_ICON	0x81fd8	0x84	data	English	United States	0.6515151515151515
RT_GROUP_ICON	0x8205c	0x84	data	English	United States	0.6590909090909091
RT_VERSION	0x820e0	0x2dc	data	English	United States	0.49043715846994534
RT_MANIFEST	0x823bc	0x562	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.4528301886792453
None	0x82920	0x54	data			0.8333333333333334
None	0x82974	0xa	data			1.8
None	0x82980	0x46c4	data			0.1445131375579598
None	0x87044	0x10	data			1.5
None	0x87054	0x14	data			1.3
None	0x87068	0xe	data			1.5714285714285714
None	0x87078	0x18	data			1.25
None	0x87090	0x18	data			1.25
None	0x870a8	0x8	data			2.0
None	0x870b0	0x6	data			2.3333333333333335
None	0x870b8	0x7a	data			0.680327868852459
None	0x87134	0x8a	data			0.644927536231884
None	0x871c0	0x34	data			0.9423076923076923
None	0x871f4	0x3c	data			0.9
None	0x87230	0x12	data			1.4444444444444444
None	0x87244	0x22	data			1.0294117647058822
None	0x87268	0x122	data			0.5103448275862069
None	0x8738c	0x1a6	data			0.43364928909952605
None	0x87534	0x410	data			0.32211538461538464
None	0x87944	0x36	data			0.9444444444444444
None	0x8797c	0xe	data			1.4285714285714286
None	0x8798c	0x62	data			0.7755102040816326
None	0x879f0	0xa	data			1.8
None	0x879fc	0x48	data			0.8888888888888888
None	0x87a44	0x9a	data			0.6753246753246753
None	0x87ae0	0x7a	data			0.6885245901639344
None	0x87b5c	0x84	data			0.6590909090909091
None	0x87be0	0x17e	data			0.4319371727748691
None	0x87d60	0x46	data			0.8285714285714286
None	0x87da8	0xc4	data			0.5969387755102041
None	0x87e6c	0x4a	data			0.8513513513513513
None	0x87eb8	0x66	data			0.7843137254901961
None	0x87f20	0x100	data			0.578125
None	0x88020	0xc	data			1.6666666666666667
None	0x8802c	0x48	data			0.8194444444444444
None	0x88074	0x20	data			1.15625
None	0x88094	0x42	data			0.8939393939393939
None	0x880d8	0x74	data			0.7155172413793104
None	0x8814c	0x6c	data			0.7592592592592593
None	0x881b8	0x9e	data			0.6518987341772152
None	0x88258	0x5a	data			0.8222222222222222
None	0x882b4	0x68	data			0.75
None	0x8831c	0x58	data			0.8068181818181818
None	0x88374	0x2	data			5.0
None	0x88378	0x16	data			1.2272727272727273
None	0x88390	0x58	data			0.7954545454545454
None	0x883e8	0xa6	data			0.6265060240963856
None	0x88490	0xe	data			1.5714285714285714
None	0x884a0	0x30	data			1.0208333333333333
None	0x884d0	0x12	data			1.4444444444444444
None	0x884e4	0xb8	data			0.6304347826086957
None	0x8859c	0x10	data			1.5
None	0x885ac	0x14c	data			0.5271084337349398
None	0x886f8	0x78	data			0.7666666666666667
None	0x88770	0x3c	data			0.9333333333333333
None	0x887ac	0xce	data			0.5194174757281553
None	0x8887c	0x2e	data			1.0
None	0x888ac	0x74	data			0.7155172413793104
None	0x88920	0xb6	data			0.6043956043956044
None	0x889d8	0x10	data			1.375
None	0x889e8	0x1c	data			1.1785714285714286
None	0x88a04	0x78	data			0.725
None	0x88a7c	0x6c	data			0.7407407407407407
None	0x88ae8	0x52	data			0.8292682926829268
None	0x88b3c	0x4e	data			0.8717948717948718
None	0x88b8c	0x12	data			1.3333333333333333
None	0x88ba0	0x10	data			1.5
None	0x88bb0	0x12	data			1.4444444444444444
None	0x88bc4	0x130	data			0.5131578947368421
None	0x88cf4	0x56	data			0.7906976744186046
None	0x88d4c	0x4a	data			0.9594594594594594
None	0x88d98	0x6c	data			0.7777777777777778
None	0x88e04	0x76	data			0.6864406779661016
None	0x88e7c	0x44	data			0.8676470588235294
None	0x88ec0	0x44	data			0.8676470588235294
None	0x88f04	0x5a	data			0.7777777777777778
None	0x88f60	0xda	data			0.573394495412844
None	0x8903c	0x84	data			0.7045454545454546
None	0x890c0	0xd2	data			0.5428571428571428
None	0x89194	0x5e	data			0.7872340425531915
None	0x891f4	0x8c	data			0.7142857142857143
None	0x89280	0xc8	data			0.595
None	0x89348	0xd2	data			0.5857142857142857
None	0x8941c	0x50	data			0.8125
None	0x8946c	0x88	data			0.7573529411764706
None	0x894f4	0x78	data			0.6916666666666667
None	0x8956c	0x4e	data			0.8974358974358975
None	0x895bc	0x8e	data			0.6690140845070423
None	0x8964c	0xa8	data			0.6130952380952381
None	0x896f4	0x6c	data			0.7314814814814815
None	0x89760	0x82	data			0.7153846153846154
None	0x897e4	0xe4	data			0.5789473684210527
None	0x898c8	0x7a	data			0.7377049180327869
None	0x89944	0xee	data			0.5714285714285714
None	0x89a34	0x6	data			2.3333333333333335
None	0x89a3c	0x4	data			3.0
None	0x89a40	0x26cc	data			0.2400322190898107
None	0x8c10c	0x5013e	data			0.08128403221970866
None	0xdc24c	0xa	data			1.6
None	0xdc258	0x202	data			0.29377431906614787

Imports

DLL	Import
KERNEL32.dll	GetNativeSystemInfo, EndUpdateResourceW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetEvent, CreateEventW, LoadResource, LockResource, SizeofResource, FindResourceW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, CreateDirectoryW, DeleteFileW, GetFileAttributesW, GetTempFileNameW, GetCurrentProcessId, GetTempPathW, GetCurrentProcess, GetSystemInfo, GetSystemDirectoryW, GetWindowsDirectoryW, GetVersionExW, GetModuleFileNameW, GlobalAlloc, GlobalFree, LocalFree, FormatMessageW, CopyFileW, GetDateFormatW, GetTimeFormatW, CompareStringW, WideCharToMultiByte, InitializeCriticalSectionAndSpinCount, Sleep, HeapSetInformation, SetFilePointer, GetDiskFreeSpaceExW, CreateFileW, DeleteCriticalSection, CreateThread, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, lstrlenW, OpenProcess, MulDiv, GetTickCount, GetExitCodeProcess, LoadLibraryW, ReadFile, SwitchToThread, FindNextFileW, BeginUpdateResourceA, FindResourceA, lstrlenA, DeleteFileA, CreateFileA, UpdateResourceW, BeginUpdateResourceW, GetVersion, GetEnvironmentVariableA, LCMapStringEx, InitializeCriticalSectionEx, HeapReAlloc, HeapSize, WriteConsoleW, GetProcessHeap, SetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, IsValidCodePage, FindFirstFileExW, OutputDebugStringW, SetEndOfFile, SetFilePointerEx, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, FindFirstFileW, FindClose, GetProcAddress, FreeLibrary, WaitForSingleObject, GetLastError, CloseHandle, UpdateResourceA, WriteFile, LCMapStringW, HeapFree, HeapAlloc, GetFileType, GetStringTypeW, GetACP, GetModuleHandleExW, RaiseException, VirtualProtect, VirtualQuery, GetModuleHandleW, LoadLibraryExA, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, TerminateProcess, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, GetStdHandle, MultiByteToWideChar, ExitProcess
GDI32.dll	GetStockObject, EnumFontFamiliesExW, DeleteObject, CreateFontIndirectW, GetObjectW, GetTextMetricsW, SelectObject, GetTextExtentPoint32W, GetDeviceCaps, DeleteDC, CreateCompatibleDC
ole32.dll	CoUninitialize, CoInitialize
Secur32.dll	GetComputerObjectNameW
SHELL32.dll	ShellExecuteExW, SHGetMalloc, SHGetPathFromIDListW, SHGetSpecialFolderLocation, ShellExecuteW, ShellExecuteA
USER32.dll	SystemParametersInfoW, IsDialogMessageW, LoadImageW, LoadIconW, LoadCursorW, SetClassLongW, ScreenToClient, GetWindowRect, GetClientRect, SetWindowTextW, ShowScrollBar, SetForegroundWindow, EnableWindow, MsgWaitForMultipleObjects, SetFocus, SendDlgItemMessageW, SetDlgItemTextW, GetDlgItem, CreateDialogIndirectParamW, CreateDialogParamW, MoveWindow, ShowWindow, DestroyWindow, SendMessageW, SendMessageA, PeekMessageW, DispatchMessageW, TranslateMessage, ExitWindowsEx, MessageBoxW, ReleaseDC, GetDC, DrawTextW, GetSystemMetrics, GetDialogBaseUnits, MessageBoxA, SetCursor, GetFocus
CRYPT32.dll	CertGetCertificateChain, CertFreeCertificateChain, CertVerifyCertificateChainPolicy
WININET.dll	InternetCrackUrlW, InternetCombineUrlW
msi.dll

Exports

Name	Ordinal	Address
_DecodePointerInternal@4	1	0x424800
_EncodePointerInternal@4	2	0x424830

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 07:26:19.714799881 CEST	8.8.8.8	192.168.2.22	0xd78c	No error (0)	windowsupdatebg.s.llnwi.net		68.142.107.4	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	07:26:01
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\aMail_Ver1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\aMail_Ver1.exe"
Imagebase:	0x300000
File size:	908'040 bytes
MD5 hash:	06B0347315D3AB5385A0479134EC22CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.9%
Total number of Nodes:	1358
Total number of Limit Nodes:	118

Executed Functions

Function 0033404B Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00334055
SystemParametersInfoW.USER32 ref: 003340BD
FindResourceW.KERNEL32(?,?,00000005), ref: 003341EF
LoadResource.KERNEL32(?,00000000,?,?), ref: 003341FF
LockResource.KERNEL32(00000000,?,?), ref: 0033420A
SizeofResource.KERNEL32(?,00000000,00000000,00000000), ref: 00334226
CreateDialogIndirectParamW.USER32(?,?,?,?,?), ref: 0033424D
CreateDialogParamW.USER32 ref: 0033427D

Part of subcall function 00333ED2: GetWindowRect.USER32(?,?), ref: 00333F0A

MoveWindow.USER32(00000000,?,?,?,?,00000001), ref: 003342D2
SetForegroundWindow.USER32(00000000), ref: 003342DB

Strings

BaseFont, xrefs: 00334146
Name, xrefs: 00334138
BoldFont, xrefs: 0033415C
Font, xrefs: 003340F9
Fonts, xrefs: 003340D3

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Resource$Window$CreateDialogParam$FindForegroundH_prolog3_IndirectInfoLoadLockMoveParametersRectSizeofSystem
String ID: BaseFont$BoldFont$Font$Fonts$Name
API String ID: 2278804457-2070303938
Opcode ID: 0251460595bc2c5ae261fe0105231b721ad23956eacf97cdfaf0b40cdfe2b153
Instruction ID: bb46e993401002c71daf652ae93a6042bc2dccdcfc15ad99827bca2440def095
Opcode Fuzzy Hash: 0251460595bc2c5ae261fe0105231b721ad23956eacf97cdfaf0b40cdfe2b153
Instruction Fuzzy Hash: 9F814171901218AFDF169F50DD89AEEBBB9EF08310F0444A9F909AA251D775EE90CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00336EA3 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 83
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00337E17: GetSystemDirectoryW.KERNEL32 ref: 00337E54
Part of subcall function 00337E17: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00337E8F
Part of subcall function 00337E17: LoadLibraryW.KERNEL32(00000001), ref: 00337EB1

GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00336EDF
GetNativeSystemInfo.KERNEL32 ref: 00336EF7
GetProcAddress.KERNEL32(00000000,IsWow64Process2), ref: 00336F0A
GetCurrentProcess.KERNEL32(?,?), ref: 00336F28
FreeLibrary.KERNEL32(00000000), ref: 00336F58
GetSystemInfo.KERNEL32(?), ref: 00336F66

Strings

kernel32.dll, xrefs: 00336EC4
IsWow64Process2, xrefs: 00336F04
GetNativeSystemInfo, xrefs: 00336ED9

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: System$AddressDirectoryInfoLibraryProc$CurrentFreeLoadNativeProcessWindows
String ID: GetNativeSystemInfo$IsWow64Process2$kernel32.dll
API String ID: 4217954525-2275168552
Opcode ID: d09430567fa51c80206d6ffa3f62a3de1a5eb5bae4ece4be668d7717c5a566ac
Instruction ID: f5e1343d0be88f2f1b03ddfe10d4046c2d3bf1c490ede58afdf6b27296d2cab2
Opcode Fuzzy Hash: d09430567fa51c80206d6ffa3f62a3de1a5eb5bae4ece4be668d7717c5a566ac
Instruction Fuzzy Hash: EE21B375A11608BFCB13ABB4EC6AEEEB7B8AF45B00F418425F905E7250EB708D01C751

Uniqueness

Uniqueness Score: -1.00%

Function 003254E2 Relevance: 7.6, APIs: 5, Instructions: 101filenetworkCOMMON

Download Yara Rule

APIs

URLDownloadToFileW.URLMON ref: 00325531
EnterCriticalSection.KERNEL32(?,?), ref: 0032557D
LeaveCriticalSection.KERNEL32(?), ref: 00325588
CoInitialize.OLE32(00000000), ref: 003255D5
CoUninitialize.OLE32 ref: 003255E3

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: CriticalSection$DownloadEnterFileInitializeLeaveUninitialize
String ID:
API String ID: 907980118-0
Opcode ID: b6cfdf77d9018e0ba543ac1900f71a57524f86ccf743643dc3bf32dd3f019f7e
Instruction ID: 120d526d16c18131db5871ac8c758d334d04b61102786371692e2e35440e1f74
Opcode Fuzzy Hash: b6cfdf77d9018e0ba543ac1900f71a57524f86ccf743643dc3bf32dd3f019f7e
Instruction Fuzzy Hash: E431BF70601A24EFC709DB65EC48AAAB7BDBF49B01F508069E40687150DBB0EA55CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0034477A Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00344750,00000000,00360648,0000000C,003448A7,00000000,00000002,00000000), ref: 0034479B
TerminateProcess.KERNEL32(00000000,?,00344750,00000000,00360648,0000000C,003448A7,00000000,00000002,00000000), ref: 003447A2
ExitProcess.KERNEL32 ref: 003447B4

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5545281727485b9d8b5be3bba6bf97cad30b1daa8ac78fb3aa38eb03b5472304
Instruction ID: 33f6fa06b87ac59b2a9aa81f74aaba61812715ed1b6ff50de01578db3691233a
Opcode Fuzzy Hash: 5545281727485b9d8b5be3bba6bf97cad30b1daa8ac78fb3aa38eb03b5472304
Instruction Fuzzy Hash: 8AE09231010A08AFCF126F54D949A493FA9EB51782F028834F915AE122CB7AED42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00338277 Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 251
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00338281
RegOpenKeyExW.KERNEL32(80000002,?,00000000,00020019,?), ref: 003383F7
RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,00318A9C), ref: 00338425
RegQueryValueExW.KERNEL32(?,?,00000000,00000004,?,00318A9C), ref: 00338471
RegCloseKey.KERNEL32(?), ref: 0033848F
RegQueryValueExW.KERNEL32(?,?,00000000,00000001,?,00318A9C,00318A9C,?), ref: 003384F6
ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000), ref: 00338519
ExpandEnvironmentStringsW.KERNEL32(?,\e0,00000000,00000000,?), ref: 0033854F

Strings

HKEY_USERS, xrefs: 00338396
HKCR, xrefs: 00338363
HKLM, xrefs: 00338313
HKU, xrefs: 00338385
HKCU, xrefs: 00338341
\e0, xrefs: 00338532, 00338546, 00338549, 0033855F, 00338581
HKEY_LOCAL_MACHINE, xrefs: 0033832C
HKEY_CURRENT_USER, xrefs: 00338352
HKEY_CLASSES_ROOT, xrefs: 00338374

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: QueryValue$EnvironmentExpandStrings$CloseH_prolog3_catch_Open
String ID: HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU$\e0
API String ID: 342522750-4137772877
Opcode ID: c90d49ea9046d531a7560ab52b407ad4a07be2ec0c4c9c1986e29850efe2c4a8
Instruction ID: d0c4b2e4678b50b53bedf2148af6860185ec8c1425a1149710afaaaa237920a0
Opcode Fuzzy Hash: c90d49ea9046d531a7560ab52b407ad4a07be2ec0c4c9c1986e29850efe2c4a8
Instruction Fuzzy Hash: 8991387090461AEEDF16DFA5CC91AEEBBB8BF59354F104029F406A7290EF709E44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00337225 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 300
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 0033722C
GetEnvironmentVariableW.KERNEL32(?,00000000,00000000,0000004C,00318630,?,?,Looking up path for special folder '%s',?,000002C4,003170A5,?,?,?,?,?), ref: 003373BE
GetEnvironmentVariableW.KERNEL32(?,?,00000000,00000000,?), ref: 003373FF

Strings

StartupFolder, xrefs: 003372F2
CommonProgramFilesFolder, xrefs: 003372BB
AppDataFolder, xrefs: 0033726A
ProgramFilesFolder, xrefs: 003372D7
WindowsVolume, xrefs: 0033733C, 00337468
ProgramFiles, xrefs: 003372EB
APPDATA, xrefs: 00337288
CommonAppDataFolder, xrefs: 00337292
CommonFilesFolder, xrefs: 003372A7
WindowsFolder, xrefs: 00337319
SystemFolder, xrefs: 00337303
LocalAppDataFolder, xrefs: 003372C2
windir, xrefs: 0033732D, 00337354

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: EnvironmentVariable$H_prolog3_
String ID: APPDATA$AppDataFolder$CommonAppDataFolder$CommonFilesFolder$CommonProgramFilesFolder$LocalAppDataFolder$ProgramFiles$ProgramFilesFolder$StartupFolder$SystemFolder$WindowsFolder$WindowsVolume$windir
API String ID: 3605364767-201842807
Opcode ID: f919d9b5e725933bb6e70d8ac0b209541ebd61e2c17b82153163e8b197379587
Instruction ID: 8bc2a952e137229ff102280c85f24aa908b4094f6be98b74f8c9026337c89a01
Opcode Fuzzy Hash: f919d9b5e725933bb6e70d8ac0b209541ebd61e2c17b82153163e8b197379587
Instruction Fuzzy Hash: 7E91C571D09719AEDB26DBA8D8C7EEEB7B89F08720F20441AF401FA1C1EB74A940C754

Uniqueness

Uniqueness Score: -1.00%

Function 00324070 Relevance: 23.3, APIs: 11, Strings: 2, Instructions: 573
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateCompatibleDC.GDI32(00000000), ref: 003240F4

Strings

msctls_trackbar32, xrefs: 0032457F
@, xrefs: 003242CF

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: CompatibleCreate
String ID: @$msctls_trackbar32
API String ID: 3111197059-876234929
Opcode ID: b09a640bcbeeade8419c005237518b7cee872b17bc9f2442bce7198df73284ad
Instruction ID: 7ea5e4163c0740d85b30cb29b4b3c7295577362ffe126ded82ee0ac5b215a435
Opcode Fuzzy Hash: b09a640bcbeeade8419c005237518b7cee872b17bc9f2442bce7198df73284ad
Instruction Fuzzy Hash: 3632E575D04228CFDB25CF69D981BADB7B5BF09304F2581AAE549EB252E7309E80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00334515 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0033404B: __EH_prolog3_GS.LIBCMT ref: 00334055
Part of subcall function 0033404B: SystemParametersInfoW.USER32 ref: 003340BD

GetDlgItem.USER32(00000000,0000040B), ref: 003345A4
GetWindowRect.USER32(00000000), ref: 003345AB
GetWindowRect.USER32(00000000,?), ref: 003345B8

Part of subcall function 003350A0: SendDlgItemMessageW.USER32 ref: 003350C6

SetWindowTextW.USER32 ref: 00334621
SetDlgItemTextW.USER32 ref: 0033463B
GetDlgItem.USER32(00000429,00000069), ref: 00334646
ShowWindow.USER32(00000000), ref: 0033464D
GetDlgItem.USER32(00000429,000003F0), ref: 0033465D
ShowWindow.USER32(00000000), ref: 00334664
ShowWindow.USER32(00000429,00000000), ref: 0033466E

Strings

f, xrefs: 003345DA
h, xrefs: 003345E4

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Window$Item$Show$RectText$H_prolog3_InfoMessageParametersSendSystem
String ID: f$h
API String ID: 4019109293-26895948
Opcode ID: 6b521d311f58d16436026082a19f25e0fe30aef644460b533fe8666c0a1e0ae6
Instruction ID: 7cefe690e755a6d21ed9a8789a07e692f3869b4604551e9a6b5060feb0e28aed
Opcode Fuzzy Hash: 6b521d311f58d16436026082a19f25e0fe30aef644460b533fe8666c0a1e0ae6
Instruction Fuzzy Hash: 254117B1900208EFCF02DF95DD88A9EBBB9FF49305F048469F905AB261C7B19955CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00333A44 Relevance: 21.1, APIs: 14, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(00000002,0000042F), ref: 00333A6F
ShowWindow.USER32(00000000), ref: 00333A76
GetDlgItem.USER32(00000002,00000430), ref: 00333A85
ShowWindow.USER32(00000000), ref: 00333A8C
GetDlgItem.USER32(00000002,0000042C), ref: 00333A9B
ShowWindow.USER32(00000000), ref: 00333AA2
GetDlgItem.USER32(00000002,00000431), ref: 00333AB1
ShowWindow.USER32(00000000), ref: 00333AB8
GetDlgItem.USER32(00000002,0000042F), ref: 00333AEA
GetWindowRect.USER32(00000000), ref: 00333AF1
GetDlgItem.USER32(00000002,00000432), ref: 00333B03
GetWindowRect.USER32(00000000), ref: 00333B0A
GetWindowRect.USER32(00000002,?), ref: 00333B17

Part of subcall function 003346AB: GetDlgItem.USER32(00000002,?), ref: 003346C7
Part of subcall function 003346AB: GetWindowRect.USER32(00000000,00000000), ref: 003346E6
Part of subcall function 003346AB: ScreenToClient.USER32(00000002,00333B36), ref: 00334703
Part of subcall function 003346AB: MoveWindow.USER32(00000000,?,?,00000000,?,00000000), ref: 00334727

MoveWindow.USER32(00000002,?,?,?,?,00000001), ref: 00333B83

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Window$Item$RectShow$Move$ClientScreen
String ID:
API String ID: 4252227071-0
Opcode ID: d4c815a0d7fc3e178df3c56dc17697af09184a747e94efb0c59acce92bae688b
Instruction ID: 627f5b8c7ae4e70b2ae523130ff09b087a8eb9fe10d4e0aad079217fae686ef4
Opcode Fuzzy Hash: d4c815a0d7fc3e178df3c56dc17697af09184a747e94efb0c59acce92bae688b
Instruction Fuzzy Hash: AA413FB1A01609AFCF019FA5DD99E9FFFBDEF85701F008469F605AA1A1C7B05901CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0032A6E7 Relevance: 19.6, APIs: 1, Strings: 10, Instructions: 312
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 0032A6F1

Part of subcall function 0032ABFA: __EH_prolog3_GS.LIBCMT ref: 0032AC01

Strings

' for property '%s', xrefs: 0032A86A
@ 6, xrefs: 0032A724, 0032A83E, 0032A84E, 0032A91B, 0032A97E, 0032AA98
Not setting value for property '%s', xrefs: 0032A8D6
Running checks for package '%s', phase , xrefs: 0032A70C
Property: [%s] = , xrefs: 0032A968
The following properties have been set for package '%s':, xrefs: 0032A938
'%s' RunConditionsBeforeInstallChecks result: 'Fail', xrefs: 0032A7A7
Setting value ', xrefs: 0032A844
'%s' RunConditionsBeforeInstallChecks result: 'Bypass', xrefs: 0032A7C1
'%s' RunCheck result: , xrefs: 0032AA80

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: H_prolog3_
String ID: ' for property '%s'$'%s' RunCheck result: $'%s' RunConditionsBeforeInstallChecks result: 'Bypass'$'%s' RunConditionsBeforeInstallChecks result: 'Fail'$@ 6$Not setting value for property '%s'$Property: [%s] = $Running checks for package '%s', phase $Setting value '$The following properties have been set for package '%s':
API String ID: 2427045233-411732193
Opcode ID: 0f8f2542998f656720086319bc7f7da5c29b53fc6c205914f85e992e84ddc45c
Instruction ID: eb4956233496166bc2b1b2c5c156d4f0e556ea8eab38c72b9c40cd4420336964
Opcode Fuzzy Hash: 0f8f2542998f656720086319bc7f7da5c29b53fc6c205914f85e992e84ddc45c
Instruction Fuzzy Hash: 34C17E71900629DFCF26DFA8D885BDDB7B5BF08304F118469E809AB292DB706E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0031CE27 Relevance: 16.6, APIs: 11, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 0031CE2E
std::_Lockit::_Lockit.LIBCPMT ref: 0031CE3B

Part of subcall function 0031E240: std::_Lockit::_Lockit.LIBCPMT ref: 0031E25C
Part of subcall function 0031E240: std::_Lockit::~_Lockit.LIBCPMT ref: 0031E278

ctype.LIBCPMT ref: 0031CE72
std::_Facet_Register.LIBCPMT ref: 0031CE89
std::_Lockit::~_Lockit.LIBCPMT ref: 0031CEA9
Concurrency::cancel_current_task.LIBCPMT ref: 0031CEB6
__EH_prolog3_GS.LIBCMT ref: 0031CEC3
std::_Lockit::_Lockit.LIBCPMT ref: 0031CED0
std::_Lockit::~_Lockit.LIBCPMT ref: 0031CF3E

Part of subcall function 0031FD19: __EH_prolog3.LIBCMT ref: 0031FD20
Part of subcall function 0031FD19: std::_Locinfo::~_Locinfo.LIBCPMT ref: 0031FD73

std::_Facet_Register.LIBCPMT ref: 0031CF1E
Concurrency::cancel_current_task.LIBCPMT ref: 0031CF4B

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3_Register$H_prolog3LocinfoLocinfo::~_ctype
String ID:
API String ID: 3036960765-0
Opcode ID: 6ad91a9b7b0b55d3a91e4afedaa43e7d4cd7e4b7d57cd7dd92b615ac988d6469
Instruction ID: 8994ef9425f715212ff9cdef0f0233fefff54c38083d27e8d625abeced685f1f
Opcode Fuzzy Hash: 6ad91a9b7b0b55d3a91e4afedaa43e7d4cd7e4b7d57cd7dd92b615ac988d6469
Instruction Fuzzy Hash: EE3169719005059FCB0BEB64D486BFDB775AF88711F250408F901AF392CF309E858B91

Uniqueness

Uniqueness Score: -1.00%

Function 0031BBA8 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 212
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 0031BBAF

Strings

Result of running operator '%s' on property '%s': %s, xrefs: 0031BCC7
ByPassIf, xrefs: 0031BBFE, 0031BC15
true, xrefs: 0031BCA1, 0031BCC4, 0031BCDC, 0031BD0A
false, xrefs: 0031BCAA, 0031BCE5
Skipping %s because Property '%s' was not defined, xrefs: 0031BC16
Result of running operator '%s' on property '%s' and value '%s': %s, xrefs: 0031BD0E
FailIf, xrefs: 0031BC07

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: H_prolog3_
String ID: ByPassIf$FailIf$Result of running operator '%s' on property '%s' and value '%s': %s$Result of running operator '%s' on property '%s': %s$Skipping %s because Property '%s' was not defined$false$true
API String ID: 2427045233-871101263
Opcode ID: 45fcc25bbbe379a635b82599832777cd7f66026dfb99da4904e91891c2a33a8e
Instruction ID: 6258f205ac85cb8423e5121402fef616fc58e7f4d967f83706b15b362bf6bbc7
Opcode Fuzzy Hash: 45fcc25bbbe379a635b82599832777cd7f66026dfb99da4904e91891c2a33a8e
Instruction Fuzzy Hash: 88818D71910649DFDF1ADFA8D881AEEF7B9EF0C300F20442DE505AB291DB31AA85CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00325781 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 0032578B

Part of subcall function 00337C8D: __EH_prolog3_GS.LIBCMT ref: 00337C97
Part of subcall function 00337C8D: GetComputerObjectNameW.SECUR32(00000007,?,?,00000248,003257CB), ref: 00337CB8

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\VisualStudio\Setup,00000000,00000001,?), ref: 003257E7
RegQueryValueExW.ADVAPI32(?,DownloadManager,00000000,?,?,?), ref: 00325826

Part of subcall function 00336E0E: __EH_prolog3_GS.LIBCMT ref: 00336E15
Part of subcall function 00336E0E: InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 00336E82

Part of subcall function 0033688F: __EH_prolog3_GS.LIBCMT ref: 00336896
Part of subcall function 0033688F: InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 00336903

Part of subcall function 00335DA9: InternetCombineUrlW.WININET(?,?,?,00000825,20000000), ref: 00335E3E

RegCloseKey.ADVAPI32(?), ref: 00325995

Strings

DownloadManager, xrefs: 0032581B
Downloading "%s" instead of "%s", xrefs: 00325966
http://, xrefs: 00325895
Software\Microsoft\VisualStudio\Setup, xrefs: 003257DD

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: H_prolog3_$Internet$Crack$CloseCombineComputerNameObjectOpenQueryValue
String ID: DownloadManager$Downloading "%s" instead of "%s"$Software\Microsoft\VisualStudio\Setup$http://
API String ID: 2360869629-1408139357
Opcode ID: 5fa2561d55a779a19614f0338be3e4c2df427001968279a72ed91f9ffd389794
Instruction ID: 64b81c1796ce1652c355944ccdc163865ea98e0728c3abb566d3f232a40cde55
Opcode Fuzzy Hash: 5fa2561d55a779a19614f0338be3e4c2df427001968279a72ed91f9ffd389794
Instruction Fuzzy Hash: E9511AB1901528EACB26EB50CC55BDEB7BCBF48740F4480E5F489A6141EF715B84CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00328E89 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00328E90

Strings

%s {boolean}, xrefs: 00328F80
false, xrefs: 00328F7A, 00328F7F
true, xrefs: 00328F73
%s {version}, xrefs: 00328F1F
%s {string}, xrefs: 00328F9C
%d {int}, xrefs: 00328F8A
{empty}, xrefs: 00328FAF

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: H_prolog3_
String ID: %d {int}$%s {boolean}$%s {string}$%s {version}$false$true${empty}
API String ID: 2427045233-4233488036
Opcode ID: 77341fdc3578f3d83a3a9ba21e481452dd1968bf4352ace3e90593f37bbe4a52
Instruction ID: ad8e7a640166903b547142c48df292bb038b01376bc9332174c26f223176cef1
Opcode Fuzzy Hash: 77341fdc3578f3d83a3a9ba21e481452dd1968bf4352ace3e90593f37bbe4a52
Instruction Fuzzy Hash: E7416371D11619EFDB06DFA8E981ADEB7BAEF48300F20442AE101F7250DB31EA46CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00323FCF Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDC.USER32(00000000), ref: 00323FF0
SelectObject.GDI32(00000000,?), ref: 00323FFE
GetTextMetricsW.GDI32(00000000,?), ref: 0032400B
GetTextExtentPoint32W.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,?), ref: 0032401F
SelectObject.GDI32(00000000,00000000), ref: 0032403D
GetDialogBaseUnits.USER32 ref: 00324045
ReleaseDC.USER32(00000000,00000000), ref: 0032405B

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00324019

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ObjectSelectText$BaseDialogExtentMetricsPoint32ReleaseUnits
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 1972319055-222967699
Opcode ID: 4f8c78c51d64892c1fa068df1cbf21cce5cbf6e5608c5d43761c4d564d9110a5
Instruction ID: 48d500b9a593a4ee0eec659dcbcca2ca5534f3a63f034e743ebf262822c6411b
Opcode Fuzzy Hash: 4f8c78c51d64892c1fa068df1cbf21cce5cbf6e5608c5d43761c4d564d9110a5
Instruction Fuzzy Hash: DB114275A01218AFCB12DFA9EC58EAEBBFCEF49711F008469F905DB250DB709901CB65

Uniqueness

Uniqueness Score: -1.00%

Function 003342EF Relevance: 13.6, APIs: 9, Instructions: 131
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0033404B: __EH_prolog3_GS.LIBCMT ref: 00334055
Part of subcall function 0033404B: SystemParametersInfoW.USER32 ref: 003340BD

SetWindowTextW.USER32 ref: 00334367
LoadImageW.USER32 ref: 0033437B
SetClassLongW.USER32(00000000,000000DE,00000000), ref: 0033438B
GetDlgItem.USER32(00000432,00000434), ref: 00334417
GetWindowRect.USER32(00000000), ref: 0033441E
LoadImageW.USER32 ref: 00334439
SendDlgItemMessageW.USER32 ref: 0033444F
GetDlgItem.USER32(00000432,00000434), ref: 0033445B
ShowWindow.USER32(00000000), ref: 00334462

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ItemWindow$ImageLoad$ClassH_prolog3_InfoLongMessageParametersRectSendShowSystemText
String ID:
API String ID: 2132083509-0
Opcode ID: f665aa6abbed932cac85a36c77ce6db5e3aac1db463b3225dab30d1684db9ee4
Instruction ID: 4b68b3da493e516e94d7f25bfc843dfeb28494858ebcc07d4713302dbc58da86
Opcode Fuzzy Hash: f665aa6abbed932cac85a36c77ce6db5e3aac1db463b3225dab30d1684db9ee4
Instruction Fuzzy Hash: 99414FB0A00609BFEB01DFA5DDC5FAEBBB9FB08304F408515F611A6290C7B46955CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0034536A Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00349F5D: RtlAllocateHeap.NTDLL(00000000,00313FDD,00313FD9,?,0033AEB0,00313FDF,00313FD9,003371CA,?,?,0031D95A,?,00313FDD,00313FD9), ref: 00349F8F

_free.LIBCMT ref: 00345475
_free.LIBCMT ref: 0034548C
_free.LIBCMT ref: 003454AB
_free.LIBCMT ref: 003454C6
_free.LIBCMT ref: 003454DD

Strings

h|0, xrefs: 003453BD
.K4, xrefs: 0034539A, 0034551C

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: _free$AllocateHeap
String ID: .K4$h|0
API String ID: 3033488037-4279754225
Opcode ID: d1a0bb547207d527134718c553d48b56de6b6c6cd5a6c8b40fe16b92a127139c
Instruction ID: a4a5c4ffcb79f118aa99926d42f46489f58e6580249847fdf9fc32a0ea973a5f
Opcode Fuzzy Hash: d1a0bb547207d527134718c553d48b56de6b6c6cd5a6c8b40fe16b92a127139c
Instruction Fuzzy Hash: A651A032E00B04ABDB22DF6AC881A6A77F4EF45721B154569E849DF292E731FD41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 003250B0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 003250B7
InitializeCriticalSection.KERNEL32(?), ref: 0032512B

Part of subcall function 00337E17: GetSystemDirectoryW.KERNEL32 ref: 00337E54
Part of subcall function 00337E17: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00337E8F
Part of subcall function 00337E17: LoadLibraryW.KERNEL32(00000001), ref: 00337EB1

GetProcAddress.KERNEL32(00000000,URLDownloadToFileW), ref: 00325157
GetProcAddress.KERNEL32(?,URLDownloadToCacheFileW), ref: 0032516B

Strings

URLDownloadToCacheFileW, xrefs: 0032515D
urlmon.dll, xrefs: 0032513F
URLDownloadToFileW, xrefs: 00325151

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: AddressDirectoryProc$CriticalH_prolog3InitializeLibraryLoadSectionSystemWindows
String ID: URLDownloadToCacheFileW$URLDownloadToFileW$urlmon.dll
API String ID: 4214704922-2432372630
Opcode ID: 1976753fce3c37a0060dbcf2b2e5255eb972a263ed1a2c6ced2270280efa3576
Instruction ID: b6cf70028a92ba5efcde68a2d66ca54fd17773eb5f64e6655e99329cb3e70457
Opcode Fuzzy Hash: 1976753fce3c37a0060dbcf2b2e5255eb972a263ed1a2c6ced2270280efa3576
Instruction Fuzzy Hash: 1F21C4B4911F40AFE362CF7AC444646FAF0BF49704F508D2ED68AD7A60E7B4A544CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0031A25F Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 108COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0031A266

Strings

Result of checks for command '%s' is 'Install', xrefs: 0031A32C
Result of checks for command '%s' is '%s', xrefs: 0031A37C
Running checks for command '%s', xrefs: 0031A2A2
Bypass, xrefs: 0031A36D
Fail, xrefs: 0031A366, 0031A37A

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: H_prolog3_
String ID: Bypass$Fail$Result of checks for command '%s' is '%s'$Result of checks for command '%s' is 'Install'$Running checks for command '%s'
API String ID: 2427045233-1246856847
Opcode ID: 2ad12da15eb50a1627be1ac730b6f1fdd2d64cd9c7fb3378ab76051ecc6a489f
Instruction ID: 796edfd17895bdb82e3bed6b655a9ace46f06781492bbfe41d6cc887f715bb31
Opcode Fuzzy Hash: 2ad12da15eb50a1627be1ac730b6f1fdd2d64cd9c7fb3378ab76051ecc6a489f
Instruction Fuzzy Hash: 3D418D34911508EFDB0ADFE8C891AEEB7B4AF0C315F104428E441FB261D730AE89CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0034FFE3 Relevance: 9.2, APIs: 6, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00342A9F,00342A9F,?,?,?,00350234,00000001,00000001,21E85006), ref: 0035003D
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00350234,00000001,00000001,21E85006,?,?,?), ref: 003500C3
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,21E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 003501BD
__freea.LIBCMT ref: 003501CA

Part of subcall function 00349F5D: RtlAllocateHeap.NTDLL(00000000,00313FDD,00313FD9,?,0033AEB0,00313FDF,00313FD9,003371CA,?,?,0031D95A,?,00313FDD,00313FD9), ref: 00349F8F

__freea.LIBCMT ref: 003501D3
__freea.LIBCMT ref: 003501F8

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 450fed41d6994576e66af3d5afb0c61321a65446a05a9d69bc85b1336ebdf9bf
Instruction ID: 25d6254522b92698a64c70bb92274e2da4e4d3b4af0b1a0a4d508d5066a955cf
Opcode Fuzzy Hash: 450fed41d6994576e66af3d5afb0c61321a65446a05a9d69bc85b1336ebdf9bf
Instruction Fuzzy Hash: 1C51F272600606AFDB2B8E60CC81FBF77A9EF40751F164629FC14EB1A0DB76DD488661

Uniqueness

Uniqueness Score: -1.00%

Function 00357690 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 003576BC
__cftoe.LIBCMT ref: 003576EE

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: cbd51633fcaeb0c0403300a2f4a491d96555d0321d1cc185c56a923d9c784d98
Instruction ID: 9210b139ce2b0aa0c2b16a99eec76ead23b3a12dcea43109a364c36761b02b16
Opcode Fuzzy Hash: cbd51633fcaeb0c0403300a2f4a491d96555d0321d1cc185c56a923d9c784d98
Instruction Fuzzy Hash: 57512C32908205ABDB275B69EC86EBE77E8EF4C362F164119FC14DA1A2DB30DD04C664

Uniqueness

Uniqueness Score: -1.00%

Function 0033448F Relevance: 9.0, APIs: 6, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 0033404B: __EH_prolog3_GS.LIBCMT ref: 00334055
Part of subcall function 0033404B: SystemParametersInfoW.USER32 ref: 003340BD

SetWindowTextW.USER32 ref: 003344C2
SetDlgItemTextW.USER32 ref: 003344DC
SetForegroundWindow.USER32(00000000), ref: 003344E5
ShowWindow.USER32(00000000,00000005), ref: 003344F0
LoadCursorW.USER32 ref: 003344FD
SetCursor.USER32(00000000), ref: 00334504

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Window$CursorText$ForegroundH_prolog3_InfoItemLoadParametersShowSystem
String ID:
API String ID: 1228017994-0
Opcode ID: bccafa7e4670f1e6ecc9ba00cdf9b68ed07c5d6eeb724466a3153504e2152da5
Instruction ID: 63ce9551b52d5ce35ebde1978537576fd5328f6048fed5d6d03d2644bbca90d5
Opcode Fuzzy Hash: bccafa7e4670f1e6ecc9ba00cdf9b68ed07c5d6eeb724466a3153504e2152da5
Instruction Fuzzy Hash: 50011A31140605AFDB225F56EC8DE963BA9FB06702F008464F6569A6B1C7B1E861DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0034C3CE Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00346755: GetLastError.KERNEL32(?,?,0033EABC,?,?,?,0034138F,?,?,?,?), ref: 00346759
Part of subcall function 00346755: _free.LIBCMT ref: 0034678C
Part of subcall function 00346755: SetLastError.KERNEL32(00000000,?,?,?), ref: 003467CD
Part of subcall function 00346755: _abort.LIBCMT ref: 003467D3

Part of subcall function 0034C4EE: _abort.LIBCMT ref: 0034C520
Part of subcall function 0034C4EE: _free.LIBCMT ref: 0034C554

Part of subcall function 0034C162: GetOEMCP.KERNEL32(00000000), ref: 0034C18D

_free.LIBCMT ref: 0034C446
_free.LIBCMT ref: 0034C47C

Strings

&6, xrefs: 0034C470
HGv, xrefs: 0034C4C0
HGv, xrefs: 0034C4C5

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: HGv$HGv$&6
API String ID: 2991157371-2277563591
Opcode ID: 00bebefb6592f5a4b4b84f01d0b932e9c1c46eda316fa0ed536f2e914a9114b0
Instruction ID: f1149c2258e90d81f7fca8eb5bacfdff3e8accfde8c77270600a3ab7aa31a0bb
Opcode Fuzzy Hash: 00bebefb6592f5a4b4b84f01d0b932e9c1c46eda316fa0ed536f2e914a9114b0
Instruction Fuzzy Hash: 9831C431905108AFDB93DF6AD551BBD7BE5EF41320F225099E5049F291DB71BD40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0033535A Relevance: 7.6, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,0000040B), ref: 003353AA
GetWindowRect.USER32(00000000), ref: 003353B1
GetWindowRect.USER32(?,?), ref: 003353BE
SetDlgItemTextW.USER32 ref: 00335419
MoveWindow.USER32(?,?,00000000,?,?,00000001), ref: 0033542E

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Window$ItemRect$MoveText
String ID:
API String ID: 739774251-0
Opcode ID: e4b9d50be209881bcbc6017f691ce6d45ee19e446a7b7e3c1ecb0614bfc2c0ec
Instruction ID: 133ed261b91483d93d9917ebef7b997d726c33756e105cc708ee8153f61f5a6a
Opcode Fuzzy Hash: e4b9d50be209881bcbc6017f691ce6d45ee19e446a7b7e3c1ecb0614bfc2c0ec
Instruction Fuzzy Hash: 86315C719016099FCB15CFB9C984AEEBBF9FF49300F14892AE14AE3260D770A945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00337578 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32 ref: 003375C3
GetTempFileNameW.KERNEL32(?,VSD,00000000,?), ref: 003375E6

Part of subcall function 0033793B: GetFileAttributesW.KERNEL32(0031876B,00000001,?,0031876B,?), ref: 0033794E

DeleteFileW.KERNEL32(?), ref: 00337608

Strings

VSD, xrefs: 003375DA

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: File$Temp$AttributesDeleteNamePath
String ID: VSD
API String ID: 838033943-2002190350
Opcode ID: 0c0686e4411abcac09904dfc701739c1f105d81517bf1a93032b6cafbd4d1120
Instruction ID: aaf8cb4c4fc205ab5292d5adffe10ae4e329cf4f98af4fb85fe087c075c21fc9
Opcode Fuzzy Hash: 0c0686e4411abcac09904dfc701739c1f105d81517bf1a93032b6cafbd4d1120
Instruction Fuzzy Hash: B611D3F190560DAAEF22EB64DC9AFDA73BC9F44700F1044A5F504E7082DB30DA868AA4

Uniqueness

Uniqueness Score: -1.00%

Function 0031D7C5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0031D7CC
std::_Lockit::_Lockit.LIBCPMT ref: 0031D7D9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0031D816

Part of subcall function 00353F54: _Yarn.LIBCPMT ref: 00353F73
Part of subcall function 00353F54: _Yarn.LIBCPMT ref: 00353F97

Strings

bad locale name, xrefs: 0031D827

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Yarnstd::_$H_prolog3Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 482894088-1405518554
Opcode ID: c28a46b4e77fbb15eeb6bcb5ec97d5310c2f38985475ff33215263675352992d
Instruction ID: de1c447e30ddc3b10149abc688fc04f8e5186ef6a046f4490d0a6be8bb3277ec
Opcode Fuzzy Hash: c28a46b4e77fbb15eeb6bcb5ec97d5310c2f38985475ff33215263675352992d
Instruction Fuzzy Hash: 92016270805B408EC722DF6A848154BFEF0BF19701B508A2EE58ED7A51D7309608CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0033E622 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,0033E5D3,00000000,00000001,00363A8C,?,?,?,0033E776,00000004,InitializeCriticalSectionEx,00307A3C,InitializeCriticalSectionEx), ref: 0033E62F
GetLastError.KERNEL32(?,0033E5D3,00000000,00000001,00363A8C,?,?,?,0033E776,00000004,InitializeCriticalSectionEx,00307A3C,InitializeCriticalSectionEx,00000000,?,0033E52D), ref: 0033E639
LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,0033D433), ref: 0033E661

Strings

api-ms-, xrefs: 0033E646

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: edca7fdaf069b74574bf71e5975ac765c8f5d2bab463820e2f3add70013fe6ab
Instruction ID: 9448eabef6ef63ff0078d3996c92b01bf5a9875cc725aa3b6075d59661500f2e
Opcode Fuzzy Hash: edca7fdaf069b74574bf71e5975ac765c8f5d2bab463820e2f3add70013fe6ab
Instruction Fuzzy Hash: B6E04F30690604B7EF121F60EC47F593F689B20B50F104430F90CEC0F0D7A1A8509A88

Uniqueness

Uniqueness Score: -1.00%

Function 00347928 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0000000A,00000000,00000000,?,003478CF,0000000A,00000000,00000000,00000000,?,00347B39,00000006,FlsSetValue), ref: 0034795A
GetLastError.KERNEL32(?,003478CF,0000000A,00000000,00000000,00000000,?,00347B39,00000006,FlsSetValue,003091E4,FlsSetValue,00000000,00000364,?,00346827), ref: 00347966
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,003478CF,0000000A,00000000,00000000,00000000,?,00347B39,00000006,FlsSetValue,003091E4,FlsSetValue,00000000), ref: 00347974

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: bd31222548c2b0dc67f3417d57a165e644c073e7d9a77035a3ddc18c5d328e80
Instruction ID: 96988b16adf9ef5225173c2dae68d4023b9c9875280deba854881e960d960df4
Opcode Fuzzy Hash: bd31222548c2b0dc67f3417d57a165e644c073e7d9a77035a3ddc18c5d328e80
Instruction Fuzzy Hash: 3D01A73661A627ABC7234B789C44A5677ECAF05BA1F264624F905DB240D760E801C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 003347BE Relevance: 6.0, APIs: 4, Instructions: 39windowCOMMON

Download Yara Rule

APIs

IsDialogMessageW.USER32 ref: 003347DD
TranslateMessage.USER32(?), ref: 003347EB
DispatchMessageW.USER32(?), ref: 003347F5
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00334804

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 785d1d8abb8860524f2c0a12fab2f730c6ce8d7dca877c2ba5ce7f0ccf82cdd8
Instruction ID: 92f371f4b8f326b01ddffb1c143849cb3562bb38ff89a5245a8c91c2165644a1
Opcode Fuzzy Hash: 785d1d8abb8860524f2c0a12fab2f730c6ce8d7dca877c2ba5ce7f0ccf82cdd8
Instruction Fuzzy Hash: C6F06D31A00609ABCF22DFA6DC88CEFB7BCFB49700F004629E411E2050EBB4E9018B60

Uniqueness

Uniqueness Score: -1.00%

Function 0033544B Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000069), ref: 00335463
ShowWindow.USER32(00000000), ref: 0033546A
GetDlgItem.USER32(?,00000429), ref: 00335479
ShowWindow.USER32(00000000), ref: 00335480

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 7626e1bc95cc153b1af5afbd2e84ffcc732ec23d71034c387917e10f3eb8d86a
Instruction ID: d32e48e83375dc4114267d9582a335d2a844fd57cc88aab668ec3ed64b0a3ad7
Opcode Fuzzy Hash: 7626e1bc95cc153b1af5afbd2e84ffcc732ec23d71034c387917e10f3eb8d86a
Instruction Fuzzy Hash: 85E04F335016217BC61117A6EC1DC8B7F3DEB46763F018931F6499A4A0CAB2581087E0

Uniqueness

Uniqueness Score: -1.00%

Function 00337C8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00337C97
GetComputerObjectNameW.SECUR32(00000007,?,?,00000248,003257CB), ref: 00337CB8

Strings

microsoft.com, xrefs: 00337D4C

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ComputerH_prolog3_NameObject
String ID: microsoft.com
API String ID: 4158867444-499418652
Opcode ID: a8642a7292ccfbef855d8ad0be00afbce950b5fb68f6c33e594dee4949ed69b7
Instruction ID: 83b72325748c78d7754bb98517e48e37b9ef4fd6017a36746ffd34bd07a87a47
Opcode Fuzzy Hash: a8642a7292ccfbef855d8ad0be00afbce950b5fb68f6c33e594dee4949ed69b7
Instruction Fuzzy Hash: 6B216871841628AACB76FB50CC9AEDEB378AF19350F4006D5B519AA0A1EF345FC9CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003548EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 003462DC
_EncodePointerInternal@4.AMAIL_VER1(?,?,00353FFB,00354050,?,00353E86,00000000,00000000,00000000,00000004,0031D382,00000001,00000000,0031D028), ref: 003548FF

Strings

0H2, xrefs: 003548FF

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: EncodeFeatureInternal@4PointerPresentProcessor
String ID: 0H2
API String ID: 336596936-727558159
Opcode ID: 2ee640aad9c75f77ca24daa475a7a1708fdfc715a29973cf182d650b8ea56749
Instruction ID: fedaa9e6c0e13b022cd3aeb877919dd0682b34f42e26ecc1f86846e94c559a9f
Opcode Fuzzy Hash: 2ee640aad9c75f77ca24daa475a7a1708fdfc715a29973cf182d650b8ea56749
Instruction Fuzzy Hash: 3BF0E2701486097AFB172F60BC5BB6636DCBB46718F0A0039FA0DAD5E2DFE2A420C512

Uniqueness

Uniqueness Score: -1.00%

Function 00339470 Relevance: 4.6, APIs: 3, Instructions: 130COMMON

Download Yara Rule

APIs

Part of subcall function 00337D90: GetVersionExW.KERNEL32(0000011C,?,?,?), ref: 00337DD6

SHGetSpecialFolderLocation.SHELL32(00000000,?,?), ref: 003394E0
SHGetPathFromIDListW.SHELL32(?,?), ref: 003394FB
SHGetMalloc.SHELL32(?), ref: 00339516

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: FolderFromListLocationMallocPathSpecialVersion
String ID:
API String ID: 2333304065-0
Opcode ID: a82875cf8e8149042f8f99be98e5e88224c3241f1c01969ff6d6d9b030fd2757
Instruction ID: 2539db0581dffd0a37a7ea4e3c4b028afeb809348ceae1a98c6bb77a0e336450
Opcode Fuzzy Hash: a82875cf8e8149042f8f99be98e5e88224c3241f1c01969ff6d6d9b030fd2757
Instruction Fuzzy Hash: 2341ABB490021DDFDB26EF24CCC8BEAB77CEB55304F4445AAE91A96241D7B09E858F60

Uniqueness

Uniqueness Score: -1.00%

Function 00337E17 Relevance: 4.6, APIs: 3, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32 ref: 00337E54
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00337E8F
LoadLibraryW.KERNEL32(00000001), ref: 00337EB1

Part of subcall function 00337EC6: __EH_prolog3_GS.LIBCMT ref: 00337ECD
Part of subcall function 00337EC6: LoadLibraryW.KERNEL32(00339620), ref: 00337F17

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: DirectoryLibraryLoad$H_prolog3_SystemWindows
String ID:
API String ID: 240044452-0
Opcode ID: 06ba33ddaa831316f1f1f14c622aa8dc85c21b6b6c5afd0e1c8f0129646fc409
Instruction ID: f9c9a0ba641326bea598f726bc58a87894907ce0c34babeb34a1b56a4ecf8aaf
Opcode Fuzzy Hash: 06ba33ddaa831316f1f1f14c622aa8dc85c21b6b6c5afd0e1c8f0129646fc409
Instruction Fuzzy Hash: 2D1186F590961CAAEB21E760EC89F9F736CDB04314F1045A6F914D6182E674DE448664

Uniqueness

Uniqueness Score: -1.00%

Function 00333FF0 Relevance: 4.5, APIs: 3, Instructions: 29windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000069), ref: 0033400E
SendMessageW.USER32(00000000,00000406,00000000,?), ref: 00334024
SendMessageW.USER32(00000000,00000402,?,00000000), ref: 00334038

Part of subcall function 003347BE: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00334804

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Message$Send$ItemPeek
String ID:
API String ID: 634455558-0
Opcode ID: e116b70db54f0292c0f5beca654b5e7e98023f4119cbcc4adcd7d69220bdfb65
Instruction ID: b0ef3902e2b3b4133031b43bf261dafd18bcc062947668f4f0f888fdb87e0e45
Opcode Fuzzy Hash: e116b70db54f0292c0f5beca654b5e7e98023f4119cbcc4adcd7d69220bdfb65
Instruction Fuzzy Hash: 6AF082353017017BD7455B64DC45F99FBAAFB45710F008021FB1896291C7B164218795

Uniqueness

Uniqueness Score: -1.00%

Function 0034C23A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 0034C25F

Strings

, xrefs: 0034C2A4

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 3748aa6ca73ae6f2bf7cbe66e77c6bea36d13cc46a8bf774cb90f34d61d085aa
Instruction ID: 745fb83733b2f34d191b7f279ee7cbfa03ee54f3b43ec5320570c285e6969ecb
Opcode Fuzzy Hash: 3748aa6ca73ae6f2bf7cbe66e77c6bea36d13cc46a8bf774cb90f34d61d085aa
Instruction Fuzzy Hash: D94138745053489BDF238F64CC84AFABBFDEB45308F1448EDE59A8A142D279BA45CF20

Uniqueness

Uniqueness Score: -1.00%

Function 00347D6B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32 ref: 00347DDC

Strings

LCMapStringEx, xrefs: 00347D7C, 00347D86

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: dfa29407dca8766d1a5fbad2460646d855532bc32437463407a2ecf608419eb8
Instruction ID: 80e75ff758bd25d69a9200dfdb3acc58cbde24c662c3e75f2d56623b5164aa01
Opcode Fuzzy Hash: dfa29407dca8766d1a5fbad2460646d855532bc32437463407a2ecf608419eb8
Instruction Fuzzy Hash: 0901C53254120DBBCF039F90DD06EEE7FAAEF09750F058555FA0869160C6729921EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00347A10 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00347A4F

Strings

FlsAlloc, xrefs: 00347A21, 00347A2B

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 38a9a8e7be4fc587e3bf75032cb2b44de71f38ee99ba7f9b63cfe25bb0c9c896
Instruction ID: 94d5268ab20392a148350ee046b4075fe7f8b52f8d0c9cb04b017459edff6070
Opcode Fuzzy Hash: 38a9a8e7be4fc587e3bf75032cb2b44de71f38ee99ba7f9b63cfe25bb0c9c896
Instruction Fuzzy Hash: D9E0233074571867C707AB509C1696EBBD9CF04B10F014155FC056B3D1CEB15E0185D5

Uniqueness

Uniqueness Score: -1.00%

Function 0034C590 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0034C162: GetOEMCP.KERNEL32(00000000), ref: 0034C18D

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0034C430,?,00000000), ref: 0034C604
GetCPInfo.KERNEL32(00000000,0034C430,?,?,?,0034C430,?,00000000), ref: 0034C617

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 37ff7eb9e41f7467f6e1d38b4c8f18826b1c36de59e7a020a61980c713e3cfbd
Instruction ID: 7a421e34126c78be9c6a949629456c140b3cf184672c752a0f3d809c69850195
Opcode Fuzzy Hash: 37ff7eb9e41f7467f6e1d38b4c8f18826b1c36de59e7a020a61980c713e3cfbd
Instruction Fuzzy Hash: AE514970A112059FDB63CF71C8906BBBBE8EF41300F1AA46ED0968F252D739B945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0033E582 Relevance: 3.1, APIs: 2, Instructions: 67libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,00000001,00363A8C,?,?,?,0033E776,00000004,InitializeCriticalSectionEx,00307A3C,InitializeCriticalSectionEx,00000000,?,0033E52D,00363A8C,00000FA0), ref: 0033E605
GetProcAddress.KERNEL32(00000000,?,00000001,00363A8C,?,?,?,0033E776,00000004,InitializeCriticalSectionEx,00307A3C,InitializeCriticalSectionEx,00000000,?,0033E52D,00363A8C), ref: 0033E60F

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID:
API String ID: 3013587201-0
Opcode ID: 8f2be052c9407f51e0f0682da8419f37562300cbedf355b1fd1c415bb93cdecc
Instruction ID: d1ecbbb8cbc4ee114511c941614c9653c9dbd2f1840e0e312d557e225acf61a3
Opcode Fuzzy Hash: 8f2be052c9407f51e0f0682da8419f37562300cbedf355b1fd1c415bb93cdecc
Instruction Fuzzy Hash: AA114F31A05525DFAF23CF64D8C099A73A8FB46358F154269E94197290E770DE02DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00337EC6 Relevance: 3.1, APIs: 2, Instructions: 60libraryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00337ECD
LoadLibraryW.KERNEL32(00339620), ref: 00337F17

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: H_prolog3_LibraryLoad
String ID:
API String ID: 4225965883-0
Opcode ID: 3bdf48e271f6cc5b6099687aa7d1ce961692e3958f6e8885f041eb45b6e2e888
Instruction ID: ceb9f76e736ca7558d5ae268cf8c37dd592ffb477b3e96f0e0750b0d1a70fc46
Opcode Fuzzy Hash: 3bdf48e271f6cc5b6099687aa7d1ce961692e3958f6e8885f041eb45b6e2e888
Instruction Fuzzy Hash: CB115BB1D14119EBDF15DFA8D885ADEB7B9FB08310F10841AF905EB240D6349A44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0032C5E4 Relevance: 3.0, APIs: 2, Instructions: 36fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 0032C619
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0032C627

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: File$CreatePointer
String ID:
API String ID: 2024441833-0
Opcode ID: 3e11ade8556398229cfe49fcf1edf3700b25fe0f07616852efebdec4f89ac46f
Instruction ID: 8c4b9a5c184ab0910f0c11e5b191386af15653eb12c2aed612b66cb4d37eec46
Opcode Fuzzy Hash: 3e11ade8556398229cfe49fcf1edf3700b25fe0f07616852efebdec4f89ac46f
Instruction Fuzzy Hash: 9EF0AEB110051C7EF7015B58EC85F7F775CEB887A4F104122F550961A0C7F05D55C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 003352F6 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(000000FF,00000000), ref: 00335320
ShowWindow.USER32(00000000), ref: 00335327

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 219cc794a242b6cba67eee6d1e84a15ae4517ef9d3c7a42b99bdcbff93c6b342
Instruction ID: 2478388620dace581b79321922054828e337bc21efb8a4d2f59d316905c01914
Opcode Fuzzy Hash: 219cc794a242b6cba67eee6d1e84a15ae4517ef9d3c7a42b99bdcbff93c6b342
Instruction Fuzzy Hash: 6DE04F71010A65ABCB221B78DC49ABA7BAC9B01362F058A25F4A5C50A1E7B589558790

Uniqueness

Uniqueness Score: -1.00%

Function 0033D593 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0033D5B1
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0033D5BC

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 485b118643b5aa2ac4a7672fa6b37e80e5b6ca462036b40883725b1e4b755012
Instruction ID: 03fcb6ca2c33f6175719c4ef632f66804937626a066415a17ee39ab583086a31
Opcode Fuzzy Hash: 485b118643b5aa2ac4a7672fa6b37e80e5b6ca462036b40883725b1e4b755012
Instruction Fuzzy Hash: 52D0223892870108BD03B7B438C389923884B63B7CFB11346E0208F4C2EF2090452111

Uniqueness

Uniqueness Score: -1.00%

Function 003255D0 Relevance: 2.5, APIs: 2, Instructions: 10COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 003255D5

Part of subcall function 003254E2: URLDownloadToFileW.URLMON ref: 00325531
Part of subcall function 003254E2: EnterCriticalSection.KERNEL32(?,?), ref: 0032557D
Part of subcall function 003254E2: LeaveCriticalSection.KERNEL32(?), ref: 00325588

CoUninitialize.OLE32 ref: 003255E3

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: CriticalSection$DownloadEnterFileInitializeLeaveUninitialize
String ID:
API String ID: 907980118-0
Opcode ID: eeda4f6bacce760206035c8feebd7e242f63a526018808b808dce1a09644545e
Instruction ID: 91b38b4a3cbcbbb3ced0b936f80905c8d690107964eac7d1bafe45df026b6f86
Opcode Fuzzy Hash: eeda4f6bacce760206035c8feebd7e242f63a526018808b808dce1a09644545e
Instruction Fuzzy Hash: EEC04C35198A086BD201BBB2EC09B19BB9CAB58B92F908035F90589251DAF1955085A5

Uniqueness

Uniqueness Score: -1.00%

Function 00345D96 Relevance: 1.6, APIs: 1, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00345E6C

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 932bdd5569acf7214ce94fd30f980efb739d8f77a56a723cbee9200ba0d7a0ec
Instruction ID: 08c2a6ad5db7395743dcfda5aed669df22fb8dbc5421ca8a04c00192610011ed
Opcode Fuzzy Hash: 932bdd5569acf7214ce94fd30f980efb739d8f77a56a723cbee9200ba0d7a0ec
Instruction Fuzzy Hash: 4C418272E10A148FCB19CF69D8809AEB7F5EF8D310B168199E515EF3A1C770AD41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0032AB17 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0032AB1E

Part of subcall function 0031A25F: __EH_prolog3_GS.LIBCMT ref: 0031A266

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: H_prolog3_
String ID:
API String ID: 2427045233-0
Opcode ID: 491fa1305e873a704a837926e9d527890474263a52da8139e477e9d3c61cc78e
Instruction ID: 6d65accce8c7caa0e24c7254b72630a3ac90dac094a35c514e5c0fe756c1dcdb
Opcode Fuzzy Hash: 491fa1305e873a704a837926e9d527890474263a52da8139e477e9d3c61cc78e
Instruction Fuzzy Hash: D0318C31910609EFDF16DFA4C485ADEFBB1EF58314F148429E501BB261DB346E86CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0034788C Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00000596,00000000,00000000,00000000,?,00347B39,00000006,FlsSetValue,003091E4,FlsSetValue,00000000,00000364,?,00346827,00000000), ref: 003478EC

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: b0450a54698e3e89e3b1f91dde81052002e3e0e84ae4c817d7c20d47b500125c
Instruction ID: ac4c675ab842552104725e4f40a0fae70391d2fc49794711c77bc7696710a086
Opcode Fuzzy Hash: b0450a54698e3e89e3b1f91dde81052002e3e0e84ae4c817d7c20d47b500125c
Instruction Fuzzy Hash: 1511C233A085259F9F279E28EC4595B73E9AB81360B178621FC15EF294D730FC02C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00314375 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0031437C

Part of subcall function 0033642E: __EH_prolog3_GS.LIBCMT ref: 00336435

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: H_prolog3_
String ID:
API String ID: 2427045233-0
Opcode ID: 0b7c807aa38794070f8da7ea9f7b5894de334e1cbbb0356de3eb153e6eb99eba
Instruction ID: f237efa1ff29027de640585a2f4ecbd9ca773ca4a9733aa3315a387154d8f6ee
Opcode Fuzzy Hash: 0b7c807aa38794070f8da7ea9f7b5894de334e1cbbb0356de3eb153e6eb99eba
Instruction Fuzzy Hash: F4110A71D11509EBDF06DFE8D8819DEB7BABF48300F10882AE501FB250DB35AA458B65

Uniqueness

Uniqueness Score: -1.00%

Function 00337F64 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00337F6B

Part of subcall function 00336FCD: FindResourceW.KERNEL32(?,?,00337F9F), ref: 00337004
Part of subcall function 00336FCD: LoadResource.KERNEL32(?,00000000,?,?,00337F9F,?,?,00000000,?), ref: 00337010
Part of subcall function 00336FCD: SizeofResource.KERNEL32(?,00000000,?,?,00337F9F,?,?,00000000,?), ref: 00337021

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Resource$FindH_prolog3_LoadSizeof
String ID:
API String ID: 3109335684-0
Opcode ID: 94e1af241d6647951a57dca37475dac2c7256a8915b6c26b6ebe8881e32e9ec6
Instruction ID: 015089464f87f8f3417c43c484b5da667b150efc7c82ff18def92dba102bdca6
Opcode Fuzzy Hash: 94e1af241d6647951a57dca37475dac2c7256a8915b6c26b6ebe8881e32e9ec6
Instruction Fuzzy Hash: 62112BB1D00619AF8F069F98C8919EFBBB9FF49304F514019F805AB251DB399A05DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00325CA3 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00325CAA

Part of subcall function 003250B0: __EH_prolog3.LIBCMT ref: 003250B7
Part of subcall function 003250B0: InitializeCriticalSection.KERNEL32(?), ref: 0032512B
Part of subcall function 003250B0: GetProcAddress.KERNEL32(00000000,URLDownloadToFileW), ref: 00325157
Part of subcall function 003250B0: GetProcAddress.KERNEL32(?,URLDownloadToCacheFileW), ref: 0032516B

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: AddressH_prolog3Proc$CriticalInitializeSection
String ID:
API String ID: 3942641501-0
Opcode ID: 248c9e1cdabc325958096ec03a45938e77fe846cfa2d37f4202ed5927aa56a30
Instruction ID: cdad918f28299faad73e306b1c246f80da8870f3c7f5b0ea3c24cae54dc7209c
Opcode Fuzzy Hash: 248c9e1cdabc325958096ec03a45938e77fe846cfa2d37f4202ed5927aa56a30
Instruction Fuzzy Hash: 0311B475911B00AEE3598FB9C480796FBE0BF0D314F60897ED59ECB261DB71A905CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00319393 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0031939A

Part of subcall function 0033642E: __EH_prolog3_GS.LIBCMT ref: 00336435

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: H_prolog3_
String ID:
API String ID: 2427045233-0
Opcode ID: 82bbd58acb74749bfa6cce92b6d919b4b7c9ab2579b1cdf6a80c98a920ab712c
Instruction ID: 1f3d9826044ab5b52410b2170464dfde2fc79a62d6e6d727ec2b6e63d85cc5d9
Opcode Fuzzy Hash: 82bbd58acb74749bfa6cce92b6d919b4b7c9ab2579b1cdf6a80c98a920ab712c
Instruction Fuzzy Hash: F511D471D10609AFDF06DFA8E8819DEB7B9BF4C300F10842AE515FB250DB35AA458B65

Uniqueness

Uniqueness Score: -1.00%

Function 0034C830 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003476E3: RtlAllocateHeap.NTDLL(00000008,00000596,00000000,?,0034680A,00000001,00000364,?,00343700,?,00000596,0000007F,0000000A,00000000,000007FF), ref: 00347724

_free.LIBCMT ref: 0034C89C

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 315d337b0b3b295f8495b4b645191244a8c2e2bded218d0073d832f2508a0379
Instruction ID: e91eb5513fb36a8f4abe92f2632a573623120e31f90b4cb7a14f00f72ac08954
Opcode Fuzzy Hash: 315d337b0b3b295f8495b4b645191244a8c2e2bded218d0073d832f2508a0379
Instruction Fuzzy Hash: 370149726043046BE3328F6AC881A6AFBDDEB89370F65052DE1849B2C0EB70B805C774

Uniqueness

Uniqueness Score: -1.00%

Function 0031556B Relevance: 1.5, APIs: 1, Instructions: 40fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,003143D2,003143D2,003143D2,00000000), ref: 003155AB

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 06d9a11bcd039993f66724319d461fe85da1bc95db13f258135f316a4bdc273e
Instruction ID: 5a92f1565ecc55cf743c7279a156e9df69cb8adf9fb41085aaa85ff39615abcf
Opcode Fuzzy Hash: 06d9a11bcd039993f66724319d461fe85da1bc95db13f258135f316a4bdc273e
Instruction Fuzzy Hash: 27F0FC71200104AF8B14DF5DDC81CEFB7AEDF4A314751426EE402D7140D7716902C660

Uniqueness

Uniqueness Score: -1.00%

Function 003476E3 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000596,00000000,?,0034680A,00000001,00000364,?,00343700,?,00000596,0000007F,0000000A,00000000,000007FF), ref: 00347724

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2285c0a63de0d231403b1e31480a509274e80b9ef91c7c35defca2a8c63d73d8
Instruction ID: b467e812d5ba336912ddc0d91045d892a9581e1724303228410039fabe98a34a
Opcode Fuzzy Hash: 2285c0a63de0d231403b1e31480a509274e80b9ef91c7c35defca2a8c63d73d8
Instruction Fuzzy Hash: 29F05E32A19A3467DB236B669C05B6A3FDEEB41760F5A8521E804DE191DBA0F800C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00344ADA Relevance: 1.5, APIs: 1, Instructions: 39COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003476E3: RtlAllocateHeap.NTDLL(00000008,00000596,00000000,?,0034680A,00000001,00000364,?,00343700,?,00000596,0000007F,0000000A,00000000,000007FF), ref: 00347724

_free.LIBCMT ref: 00344AFA

Part of subcall function 00347740: HeapFree.KERNEL32(00000000,00000000), ref: 00347756
Part of subcall function 00347740: GetLastError.KERNEL32(00000596,?,0034D7FA,00000596,00000000,00000596,00000000,?,0034DA9E,00000596,00000007,00000596,?,0034DFB6,00000596,00000596), ref: 00347768

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: 2c70311869603143b045842da7ba2c71aec972283b9842a38735d47546a16570
Instruction ID: 666590fb3a369535c457f48d2e6b4000cf3a42146b5f569e55caa5b56aa13a79
Opcode Fuzzy Hash: 2c70311869603143b045842da7ba2c71aec972283b9842a38735d47546a16570
Instruction Fuzzy Hash: A3F03C76A04605AFC311EF69D442B5AFBF4EB48710F114166ED18DB341E771A910CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00349F5D Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00313FDD,00313FD9,?,0033AEB0,00313FDF,00313FD9,003371CA,?,?,0031D95A,?,00313FDD,00313FD9), ref: 00349F8F

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ea58842a285e4ab07a1b65c0eedc74639f661a44bfb88c91ec82d7b634d3bb39
Instruction ID: 21522dba139b5c876577eaffc90cbf8d695618a86d332e4459ceddd3f9dddfd3
Opcode Fuzzy Hash: ea58842a285e4ab07a1b65c0eedc74639f661a44bfb88c91ec82d7b634d3bb39
Instruction Fuzzy Hash: 62E06D355056206BDA2327A69C05B9B3ACCDB827B2F164662FC55DE491DBA0FC0485E1

Uniqueness

Uniqueness Score: -1.00%

Function 0032218C Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

std::ios_base::_Init.LIBCPMT ref: 00322192

Part of subcall function 003202B8: __EH_prolog3.LIBCMT ref: 003202BF
Part of subcall function 003202B8: std::locale::_Init.LIBCPMT ref: 00320308

Part of subcall function 00323853: __EH_prolog3.LIBCMT ref: 0032385A

Part of subcall function 00320DBD: std::ios_base::failure::failure.LIBCPMT ref: 00320E07

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: H_prolog3Init$std::ios_base::_std::ios_base::failure::failurestd::locale::_
String ID:
API String ID: 642969389-0
Opcode ID: 32c32561204b7d7155c4d73f75d198bfc9c4bb708b7f188a8e93cd824a9b1c74
Instruction ID: 890ee5cfb1b3e36940a750aef6598d598a2e3cc91700fdaaa85cecc15a1135c4
Opcode Fuzzy Hash: 32c32561204b7d7155c4d73f75d198bfc9c4bb708b7f188a8e93cd824a9b1c74
Instruction Fuzzy Hash: 7EF0E53120076467DB35A6A1E84AB8B77D8AF01734F40480EF9864FA82D6B9F444CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00323853 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0032385A

Part of subcall function 0031CE27: __EH_prolog3_GS.LIBCMT ref: 0031CE2E
Part of subcall function 0031CE27: std::_Lockit::_Lockit.LIBCPMT ref: 0031CE3B
Part of subcall function 0031CE27: std::_Lockit::~_Lockit.LIBCPMT ref: 0031CEA9

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Lockitstd::_$H_prolog3H_prolog3_Lockit::_Lockit::~_
String ID:
API String ID: 2728201062-0
Opcode ID: c1497d5456b4a9b7c4638bc51b4746e00e0e23fca5095df397df7794c4268a8d
Instruction ID: 86fe41f6df5f70660ef2e5b3713255b99816a877921a5c62e594c1e78aee0b73
Opcode Fuzzy Hash: c1497d5456b4a9b7c4638bc51b4746e00e0e23fca5095df397df7794c4268a8d
Instruction Fuzzy Hash: 0BF06D3AA112059BCF4AFBA0C481AAE7775FF58311F204018E801AF292CF765E46CB66

Uniqueness

Uniqueness Score: -1.00%

Function 003551F0 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 0035522B

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9948dfd1374a806e6b225e4a1d83ef71e511049b056478814c5d11a04b4da726
Instruction ID: 92bd43ca992b8b4b592bc835035b1d9c0813ad4a5401001ff3c56a282743aa67
Opcode Fuzzy Hash: 9948dfd1374a806e6b225e4a1d83ef71e511049b056478814c5d11a04b4da726
Instruction Fuzzy Hash: 56E0E53240052CAB8F035F80EC00C8E3F6AFB19791F018021FE0466130C772A875EB90

Uniqueness

Uniqueness Score: -1.00%

Function 0033793B Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(0031876B,00000001,?,0031876B,?), ref: 0033794E

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 495479bb41854db667e9f66ff7b733700f6c12a60aad659d8854253e9de3ee71
Instruction ID: ca5182c3de4be198f298d60ad9785dff9b6d7b7d58d080c7104fcfc1baaf2763
Opcode Fuzzy Hash: 495479bb41854db667e9f66ff7b733700f6c12a60aad659d8854253e9de3ee71
Instruction Fuzzy Hash: 05D095B204C305CF4F3209F858D46A6338E590B374F111310E428932C1D350DC415360

Uniqueness

Uniqueness Score: -1.00%

Function 0033790E Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(003186C4,00000001,?,003186C4,?), ref: 00337921

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8ab20259076c889a7e8d35b9fd0e94bbd7ac6ebcafdc009ba0b34e83463a74f0
Instruction ID: 46059b9b12ae947fcfdb2646e586122ff16f992ec99ac016d7b76d9f74571a56
Opcode Fuzzy Hash: 8ab20259076c889a7e8d35b9fd0e94bbd7ac6ebcafdc009ba0b34e83463a74f0
Instruction Fuzzy Hash: 0FD097B248C3049F7F720AF86CE4BE7338C6A02368F610310E8648B0C0D320EC46A2F0

Uniqueness

Uniqueness Score: -1.00%

Function 00334C08 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32 ref: 00334C32

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ItemText
String ID:
API String ID: 3367045223-0
Opcode ID: 3ec43a8e5bc0a2ee3139f491478103796a306d4c0f1dc8691b005935d612324f
Instruction ID: 28d3d3281e5b128dacd65e5df7f7544ac667cc073265ddaa83c0c3db688b2e91
Opcode Fuzzy Hash: 3ec43a8e5bc0a2ee3139f491478103796a306d4c0f1dc8691b005935d612324f
Instruction Fuzzy Hash: 55E08630001308BFCB269F18DC889967BACFB02321F458729F4558A071D770ED55C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00355390 Relevance: 1.5, APIs: 1, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 003553C5

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 4362762543e76bc2593d86192f84d6bf672d445846623cdaab33df0b8c32e8bf
Instruction ID: 3524aafa2d16f118e89b423b220fe00bdaff9a0c3732c2258f4d505f3bd4f4a6
Opcode Fuzzy Hash: 4362762543e76bc2593d86192f84d6bf672d445846623cdaab33df0b8c32e8bf
Instruction Fuzzy Hash: CEE04F36400628AB8F035F80EC0088E7F29EB047A1F044021FE0457130C7725864EBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00335254 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32 ref: 00335278

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ItemText
String ID:
API String ID: 3367045223-0
Opcode ID: 9dd3ce138d7742759f7865fa3e9342a070ace99b548f9d5691a4ff9c933207d3
Instruction ID: b125b5c26d9ba3f349d0d91f5aac6657bb62d7b2dde6f83598abbad044e6634b
Opcode Fuzzy Hash: 9dd3ce138d7742759f7865fa3e9342a070ace99b548f9d5691a4ff9c933207d3
Instruction Fuzzy Hash: 00E0C230001A04AFC7129F98DC88E937BBCFB01310F448425F800CA031C3B0ED50CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00334C3D Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32 ref: 00334C5E

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ItemText
String ID:
API String ID: 3367045223-0
Opcode ID: 1fe514d87f47da5cee25a7e573f84533017f73c6b588e40a4274f34f636d6cf9
Instruction ID: 13c4a549f668d363b528c73f88bd83333cbfca745a09a4d58bb823d14c3b78ad
Opcode Fuzzy Hash: 1fe514d87f47da5cee25a7e573f84533017f73c6b588e40a4274f34f636d6cf9
Instruction Fuzzy Hash: 08D05E31001758BBCB232F68DC889D67F6CEB01374F08C626F8A8450B0C7B1A9A5D794

Uniqueness

Uniqueness Score: -1.00%

Function 00324830 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

Part of subcall function 003247BB: LoadLibraryW.KERNEL32(kernel32.dll), ref: 003247C9
Part of subcall function 003247BB: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 003247DA
Part of subcall function 003247BB: GetProcAddress.KERNEL32(DecodePointer), ref: 003247F0

RtlEncodePointer.NTDLL ref: 0032484E

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: AddressProc$EncodeLibraryLoadPointer
String ID:
API String ID: 3567909009-0
Opcode ID: c0480595a3f31744aa319c875b2d59edce9a8a113578f568859b3a85be070060
Instruction ID: 94d96667aeee257f8d560bf69e4d3a5359dad7f46edd95e8cf08c2396aed0087
Opcode Fuzzy Hash: c0480595a3f31744aa319c875b2d59edce9a8a113578f568859b3a85be070060
Instruction Fuzzy Hash: E6D0A739501538A747036F04F80089DBB5CAF01B60B018035FD155B710CB619D014BC5

Uniqueness

Uniqueness Score: -1.00%

Function 00324800 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

Part of subcall function 003247BB: LoadLibraryW.KERNEL32(kernel32.dll), ref: 003247C9
Part of subcall function 003247BB: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 003247DA
Part of subcall function 003247BB: GetProcAddress.KERNEL32(DecodePointer), ref: 003247F0

RtlDecodePointer.NTDLL ref: 0032481E

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: AddressProc$DecodeLibraryLoadPointer
String ID:
API String ID: 600893357-0
Opcode ID: f14a269a2e41da9b1087def6ecef713324962e6581df0d5c5ae702168cf29535
Instruction ID: 17997fcca35c432a603e279858d183abf8a95d3be8fc10bebafaa1cc96d1340d
Opcode Fuzzy Hash: f14a269a2e41da9b1087def6ecef713324962e6581df0d5c5ae702168cf29535
Instruction Fuzzy Hash: 9FD0A739601578A74603AF04F80089DBB5CDF15B61B008021FD055B310CBA15D0147C5

Uniqueness

Uniqueness Score: -1.00%

Function 0031568B Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 003156A5

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 083e806f40a7d5821ae2d9297cda37d9e164619911c66b8626790655889c0b29
Instruction ID: d6f2be3b7e2b80d098478af82b6e5b4646554ce076c7f8f6d2fa88ed2e7e5ffa
Opcode Fuzzy Hash: 083e806f40a7d5821ae2d9297cda37d9e164619911c66b8626790655889c0b29
Instruction Fuzzy Hash: 21C08C721042088A6609B3B4A80689E73CC85787747A01611B628CB5C2EA20ECC000AC

Uniqueness

Uniqueness Score: -1.00%

Function 00339A76 Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00339B1F: RtlAcquireSRWLockExclusive.NTDLL ref: 00339B3C

DloadProtectSection.DELAYIMP ref: 00339A9E

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: AcquireDloadExclusiveLockProtectSection
String ID:
API String ID: 3680172570-0
Opcode ID: 7a28bbc75c3b2d8eb7f5d98afcd20b8336991a72017a25cae65d7b378fc53ef2
Instruction ID: 415778a82788d7bf52bddacd68cab8e518aa716159febacc0244910045da1199
Opcode Fuzzy Hash: 7a28bbc75c3b2d8eb7f5d98afcd20b8336991a72017a25cae65d7b378fc53ef2
Instruction Fuzzy Hash: 71D01230641241EEC607EB18E9C7795629DB304344F50510BF1138A6A5CBF14690C601

Uniqueness

Uniqueness Score: -1.00%

Function 003352BE Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 003352D0

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 81474cf52095aaa581ab91544a1b2e7a91acd70f33914dc1fa17480a36219a6e
Instruction ID: 8ab54b423f8f597dd56e96c26cedabf0844382ff2594a73b2d3777426c632924
Opcode Fuzzy Hash: 81474cf52095aaa581ab91544a1b2e7a91acd70f33914dc1fa17480a36219a6e
Instruction Fuzzy Hash: B7C02B320A420D5A87010B74DC06C767FECC711603B04C071F448C4092E22BD851D5A0

Uniqueness

Uniqueness Score: -1.00%

Function 0033487A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32 ref: 0033488B

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ItemText
String ID:
API String ID: 3367045223-0
Opcode ID: 677c7852e6fe62bd4ab5586c3c0458ab5693dc8941559f61ef41304b2ca61e96
Instruction ID: a4f4cc59e134a9fd6ab0f1c557237462a47ee70d03c629160a9fbecfda987455
Opcode Fuzzy Hash: 677c7852e6fe62bd4ab5586c3c0458ab5693dc8941559f61ef41304b2ca61e96
Instruction Fuzzy Hash: BFC08C31044B88ABEB030B40DC08B907F69BB10308F5880A4F20C0C4B2C7B3D8B2D780

Uniqueness

Uniqueness Score: -1.00%

Function 003350D7 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32 ref: 003350E5

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ItemText
String ID:
API String ID: 3367045223-0
Opcode ID: 3669b7b7fcc66901d08370c548141c78446177c0d3b09fa4e1ad501dcc138285
Instruction ID: 4c73140782102e38cfcf23bb2bc8ee97118ad414aac967bc23615ef9ab0cc49b
Opcode Fuzzy Hash: 3669b7b7fcc66901d08370c548141c78446177c0d3b09fa4e1ad501dcc138285
Instruction Fuzzy Hash: 1EB0927614020CBBCB021B81EC05C85BF2DEB18754F84C021F70808061C7B39862EA98

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00318593 Relevance: 30.1, APIs: 5, Strings: 12, Instructions: 397fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0031859D

Part of subcall function 0031556B: WriteFile.KERNEL32(?,003143D2,003143D2,003143D2,00000000), ref: 003155AB

FindFirstFileW.KERNEL32(?,?), ref: 003188A8
FindNextFileW.KERNEL32(00000000,00000010), ref: 0031892A
FindClose.KERNEL32(00000000), ref: 00318935
FindClose.KERNEL32(00000000), ref: 00318A3A

Strings

Looking up path for special folder '%s', xrefs: 00318616
Running check with folder '%s' and file '%s', xrefs: 003186A0
., xrefs: 003188C4
%s\*.*, xrefs: 00318886
@ 6, xrefs: 00318637, 00318717, 003187E4
Unable to find directory '%s', xrefs: 003186D5
Error constructing path: The pathname principles exceed _MAX_PATH., xrefs: 0031871F
Unable to find special folder, xrefs: 0031863F
Attempting to find file '%s', xrefs: 00318747
Could not determine file version, xrefs: 003187EC
File version is '%s', xrefs: 003187C3
Could not find file '%s' in folder '%s', xrefs: 00318833

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Find$File$Close$FirstH_prolog3_NextWrite
String ID: %s\*.*$.$@ 6$Attempting to find file '%s'$Could not determine file version$Could not find file '%s' in folder '%s'$Error constructing path: The pathname principles exceed _MAX_PATH.$File version is '%s'$Looking up path for special folder '%s'$Running check with folder '%s' and file '%s'$Unable to find directory '%s'$Unable to find special folder
API String ID: 3800712701-4046004000
Opcode ID: 12ec384afd0ffbad8481fefa70e18bdc4970367f2dafc90f23c95e738ab63cb7
Instruction ID: c53078b3c8489998d88e3abb39e1f82711b0c55c9f6a532f294557aa405798ed
Opcode Fuzzy Hash: 12ec384afd0ffbad8481fefa70e18bdc4970367f2dafc90f23c95e738ab63cb7
Instruction Fuzzy Hash: 4CE15E71D01618EFDF1ADFA8D885AEEB7B9AF0C300F204469E505EB191DB30AA85CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0031513C Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00337D90: GetVersionExW.KERNEL32(0000011C,?,?,?), ref: 00337DD6

ShellExecuteExW.SHELL32(?), ref: 00315200
GetLastError.KERNEL32 ref: 0031520A
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00315234
CloseHandle.KERNEL32(?), ref: 0031523E

Strings

runas, xrefs: 003151D1
ShellExecuteEx failed with error code %d, xrefs: 00315213
Will attempt to elevate process., xrefs: 003151B8
Running command '%s' with arguments '%s', xrefs: 003151E9
@ 6, xrefs: 003151B0

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: CloseErrorExecuteHandleLastObjectShellSingleVersionWait
String ID: @ 6$Running command '%s' with arguments '%s'$ShellExecuteEx failed with error code %d$Will attempt to elevate process.$runas
API String ID: 2307727384-1390299409
Opcode ID: 65d8dc8017c85d7b4ad3f8eff4fcfdfaf1ed38e2442c408ec708705a45cb1c08
Instruction ID: 198689e3e5383101bfeaa40f2729f0c59469aee0289b6846a934d724a07c0050
Opcode Fuzzy Hash: 65d8dc8017c85d7b4ad3f8eff4fcfdfaf1ed38e2442c408ec708705a45cb1c08
Instruction Fuzzy Hash: 32318071A01608FBCF0ADF64DC88ADEBBB9EF49750F104429E405EB290D7B0A950CB60

Uniqueness

Uniqueness Score: -1.00%

Function 003247BB Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(kernel32.dll), ref: 003247C9
GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 003247DA
GetProcAddress.KERNEL32(DecodePointer), ref: 003247F0

Strings

DecodePointer, xrefs: 003247E0
EncodePointer, xrefs: 003247CF
kernel32.dll, xrefs: 003247C4

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: DecodePointer$EncodePointer$kernel32.dll
API String ID: 2238633743-1525541703
Opcode ID: 73fc25dbc5c1cb22747a61412c3804f2a57d1a37337a908f196c7698f6ee3904
Instruction ID: f9cff3a4c9953d99816e1722e9d6f8245d0ab8dcf01c83c00bbc6867c5932056
Opcode Fuzzy Hash: 73fc25dbc5c1cb22747a61412c3804f2a57d1a37337a908f196c7698f6ee3904
Instruction Fuzzy Hash: 97E02DF9945700BFDB039FA5EC99A44BAACA716705F01D569F612922A0DBF482249F00

Uniqueness

Uniqueness Score: -1.00%

Function 003507EE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1387COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00350934

Strings

1#SNAN, xrefs: 00351B33
1#IND, xrefs: 00351B2C
1#QNAN, xrefs: 00351B3A
1#INF, xrefs: 00351B41

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 8e576c7aecbf97da282d97e9579a554da1701adf3daf0dee8408471d6b5f7377
Instruction ID: 14063ef99a3e17fe231d62428572ea4b0eb61dd2ea0eba9950c8004f414738d6
Opcode Fuzzy Hash: 8e576c7aecbf97da282d97e9579a554da1701adf3daf0dee8408471d6b5f7377
Instruction Fuzzy Hash: DFC27271E046288FDB2ACF28DD40BE9B7B9EB44306F1541EAD84DE7250E775AE858F40

Uniqueness

Uniqueness Score: -1.00%

Function 0034EFB9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0034F2D8,?,00000000), ref: 0034F052
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0034F2D8,?,00000000), ref: 0034F07B
GetACP.KERNEL32(?,?,0034F2D8,?,00000000), ref: 0034F090

Strings

ACP, xrefs: 0034EFD7
OCP, xrefs: 0034F00D

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 1e71a2cec3e2f8a19cdb11320a3b9ce3a7773a20b7874f08d9c4413e7747de5a
Instruction ID: 02b25ddb60ebe8a510158b796cbef3a4dbe780c91c021c385b0d2a02e6036430
Opcode Fuzzy Hash: 1e71a2cec3e2f8a19cdb11320a3b9ce3a7773a20b7874f08d9c4413e7747de5a
Instruction Fuzzy Hash: 9F219032A00104AEEB379F64D900B9772EAAB94B60F5B8474E909CF112E733ED41C750

Uniqueness

Uniqueness Score: -1.00%

Function 0034F18D Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00346755: GetLastError.KERNEL32(?,?,0033EABC,?,?,?,0034138F,?,?,?,?), ref: 00346759
Part of subcall function 00346755: _free.LIBCMT ref: 0034678C
Part of subcall function 00346755: SetLastError.KERNEL32(00000000,?,?,?), ref: 003467CD
Part of subcall function 00346755: _abort.LIBCMT ref: 003467D3

Part of subcall function 00346755: _free.LIBCMT ref: 003467B4
Part of subcall function 00346755: SetLastError.KERNEL32(00000000,?,?,?), ref: 003467C1

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0034F299
IsValidCodePage.KERNEL32(00000000), ref: 0034F2F4
IsValidLocale.KERNEL32(?,00000001), ref: 0034F303
GetLocaleInfoW.KERNEL32(?,00001001,003450DB,00000040,?,003451FB,00000055,00000000,?,?,00000055,00000000), ref: 0034F34B
GetLocaleInfoW.KERNEL32(?,00001002,0034515B,00000040), ref: 0034F36A

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: e69883c85491a532c7e7ab7c0e5ce67fbac98cff2d1db00bbc4b07bcea438bca
Instruction ID: e49cfb35548a758435617a0c3b5169902ea18a742655304462ceab6594324b8e
Opcode Fuzzy Hash: e69883c85491a532c7e7ab7c0e5ce67fbac98cff2d1db00bbc4b07bcea438bca
Instruction Fuzzy Hash: F5516D79A00606AFEF12DFA4DC45ABA77F8FF05700F194939E901EF191E7B1A9008B61

Uniqueness

Uniqueness Score: -1.00%

Function 0033A701 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0033A70D
IsDebuggerPresent.KERNEL32 ref: 0033A7D9
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0033A7F9
UnhandledExceptionFilter.KERNEL32(?), ref: 0033A803

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: f27e32fba08fc8a02ead8a8184209ffb1f7071a8e7e6aa7c62a33d8ad9aa58e2
Instruction ID: f4011547677ee420a2839e3d1bcafb4b58e7a388855f576990855e6e9be0e627
Opcode Fuzzy Hash: f27e32fba08fc8a02ead8a8184209ffb1f7071a8e7e6aa7c62a33d8ad9aa58e2
Instruction Fuzzy Hash: 70314A75D0531C9BDB21DFA4D9897CDBBB8BF08300F1041AAE50DAB250EB709A858F45

Uniqueness

Uniqueness Score: -1.00%

Function 0033A9F9 Relevance: 6.0, APIs: 4, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0033A9FE
UnhandledExceptionFilter.KERNEL32(0033AB19), ref: 0033AA07
GetCurrentProcess.KERNEL32(C0000409,?,0033AB19,876), ref: 0033AA12
TerminateProcess.KERNEL32(00000000,?,0033AB19,876), ref: 0033AA19

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 04cf711419507666078420b57dc745cee41c310c682e9c79fb87688ec03c7ca6
Instruction ID: a0b6c896a67d256a847672236372b29cc024a7e82200308dd5326d904a1b307f
Opcode Fuzzy Hash: 04cf711419507666078420b57dc745cee41c310c682e9c79fb87688ec03c7ca6
Instruction Fuzzy Hash: DFD01272081A08EFCB022BE0EC1CA0E7F2CFB08B02F00C830F30AD6021CBB184118BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0034E842 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00346755: GetLastError.KERNEL32(?,?,0033EABC,?,?,?,0034138F,?,?,?,?), ref: 00346759
Part of subcall function 00346755: _free.LIBCMT ref: 0034678C
Part of subcall function 00346755: SetLastError.KERNEL32(00000000,?,?,?), ref: 003467CD
Part of subcall function 00346755: _abort.LIBCMT ref: 003467D3

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,003450E2,?,?,?,?,?,?,00000004), ref: 0034E924
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,P4,00000000,?), ref: 0034EA74

Strings

P4, xrefs: 0034E93B, 0034E983, 0034EA3A

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid_abort_free
String ID: P4
API String ID: 1661935332-2134785405
Opcode ID: 5ed0dc443115d5a78b2e684da465faa993b5adca66621ab31b1660d8e65bf31e
Instruction ID: 88384aa976911d30b68cf45bc54830d7c720804e6ee2b85e14dde6812a421d85
Opcode Fuzzy Hash: 5ed0dc443115d5a78b2e684da465faa993b5adca66621ab31b1660d8e65bf31e
Instruction Fuzzy Hash: 42610132A00206AAEB26AF75CC86EA673ECFF05710F15452AF945DF581EB74F900C761

Uniqueness

Uniqueness Score: -1.00%

Function 00355503 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,003554FD,003551B9), ref: 00355504
GetEnvironmentVariableA.KERNEL32(VSD_FORCE_ANSI,00000000,00000000,?,003554FD,003551B9), ref: 00355517

Strings

VSD_FORCE_ANSI, xrefs: 00355512

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: EnvironmentVariableVersion
String ID: VSD_FORCE_ANSI
API String ID: 2186837676-2962394276
Opcode ID: 49f5404110f693b2fa342400608cd23dceabbaa675673a70e913b344e24b4bac
Instruction ID: 2d1bcd3ec5ef2157226a06896fda34b70b22a99e0529f9d0a216ff3428be0213
Opcode Fuzzy Hash: 49f5404110f693b2fa342400608cd23dceabbaa675673a70e913b344e24b4bac
Instruction Fuzzy Hash: 33D0A7603066405FE70347B33CE8F133B4C4722789F459834F402C5160F6D1D8085730

Uniqueness

Uniqueness Score: -1.00%

Function 0034EC40 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00346755: GetLastError.KERNEL32(?,?,0033EABC,?,?,?,0034138F,?,?,?,?), ref: 00346759
Part of subcall function 00346755: _free.LIBCMT ref: 0034678C
Part of subcall function 00346755: SetLastError.KERNEL32(00000000,?,?,?), ref: 003467CD
Part of subcall function 00346755: _abort.LIBCMT ref: 003467D3

Part of subcall function 00346755: _free.LIBCMT ref: 003467B4
Part of subcall function 00346755: SetLastError.KERNEL32(00000000,?,?,?), ref: 003467C1

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0034EC94
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0034ECE5
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0034EDA5

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: 99e4e5f2deee6bc2454d7949fad5151f86ea4ba0da3f9466b04e6d3d8fc5d0ed
Instruction ID: 390b468aa540ae237412bb0be4a9c080583d4f93623984004bba7719a760ad88
Opcode Fuzzy Hash: 99e4e5f2deee6bc2454d7949fad5151f86ea4ba0da3f9466b04e6d3d8fc5d0ed
Instruction Fuzzy Hash: 006179719006079FEB2A9F24CC86BBAB7E8FF05300F1181B9E906CA595F775A981DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0033E854 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0033E94C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0033E956
UnhandledExceptionFilter.KERNEL32(?), ref: 0033E963

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 18e311854158b65dca548dca4acb092f243317f48585978be0d6ee84006d17ea
Instruction ID: 5c45d051229fd9075e06e95263966270b5ce99438c960be6e2046bde14bc477e
Opcode Fuzzy Hash: 18e311854158b65dca548dca4acb092f243317f48585978be0d6ee84006d17ea
Instruction Fuzzy Hash: 0331C67590121C9BCB62DF64D88978DBBB8BF08310F5046EAE91CAB290E7749F818F45

Uniqueness

Uniqueness Score: -1.00%

Function 0034BCB5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0034BD7F

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 2abddb6cea2d9ceba85bca4fcd1a7cb0c79334c6543ae37488a6d8e89df0aae4
Instruction ID: 7757cbb8a7650951ca73699baaf3dc5eb8eb038c36545046f36c0358632ffe04
Opcode Fuzzy Hash: 2abddb6cea2d9ceba85bca4fcd1a7cb0c79334c6543ae37488a6d8e89df0aae4
Instruction Fuzzy Hash: 1E410A76900219AECB219F79DC89EABB7BCEB85714F1046A8F505DF180E771ED81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00347B6B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 00347BBE

Strings

GetLocaleInfoEx, xrefs: 00347B7C, 00347B86

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 5f57a5df334fb040191116e43e2f8287fe289f8668e7d5951f8facc59c963a18
Instruction ID: 73ff48ad367651836ac5f4c1092b71e346ab12d8efe36cd7a07cd7acc9774431
Opcode Fuzzy Hash: 5f57a5df334fb040191116e43e2f8287fe289f8668e7d5951f8facc59c963a18
Instruction Fuzzy Hash: 51F0963164520CBBCF03AF54DC06FAE7F59EF14B10F414455FC056A292CBB19A2096D1

Uniqueness

Uniqueness Score: -1.00%

Function 00350340 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe4a3cac6b74d8397d1e53268adbc6a63f7501bb2db78ef523d729117f8960b
Instruction ID: 2542529cc48b64f11ab36f820f69dc90ea63b718234d2a1976bd09b55e8a6caf
Opcode Fuzzy Hash: 5fe4a3cac6b74d8397d1e53268adbc6a63f7501bb2db78ef523d729117f8960b
Instruction Fuzzy Hash: B7023D71E002199FDF19CFA9C980AAEB7F1EF88315F258169D915EB350D731AA45CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0034B312 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0034B30D,?,?,00000008,?,?,003539D7,00000000), ref: 0034B53F

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 88dd243504005fa93af11219b8894ff6c0162800eeb10ba92c57569743f16059
Instruction ID: 131478f43e78c6d201955c664d72dc1ccb959ed638198a1c85aa30ddbc7e5116
Opcode Fuzzy Hash: 88dd243504005fa93af11219b8894ff6c0162800eeb10ba92c57569743f16059
Instruction Fuzzy Hash: E5B15035510608DFD716CF29C48AB65BBE0FF45365F268698E8D9CF2A2C335E992CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0033ABF6 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0033AC0C

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 5f803dd3687d752144eeb5cfef78c62759b31e3b55779ca144452f2f57f60a70
Instruction ID: d4749eb89387acd37a958d54a71d73d8f58889a481bd412a8ef942e29c231261
Opcode Fuzzy Hash: 5f803dd3687d752144eeb5cfef78c62759b31e3b55779ca144452f2f57f60a70
Instruction Fuzzy Hash: BA51CEB1A01A058FDB16CF94D9D17AABBF8FB48310F25D42AC481EB650D3B89900CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0034EE90 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00346755: GetLastError.KERNEL32(?,?,0033EABC,?,?,?,0034138F,?,?,?,?), ref: 00346759
Part of subcall function 00346755: _free.LIBCMT ref: 0034678C
Part of subcall function 00346755: SetLastError.KERNEL32(00000000,?,?,?), ref: 003467CD
Part of subcall function 00346755: _abort.LIBCMT ref: 003467D3

Part of subcall function 00346755: _free.LIBCMT ref: 003467B4
Part of subcall function 00346755: SetLastError.KERNEL32(00000000,?,?,?), ref: 003467C1

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0034EEE4

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 89994cafd732a7bff4a62bb092bf1e40fe641b37c59dde07ceaa72b24ecf232c
Instruction ID: 8660abeee2fc44dbf350035c91dca44e0c84b08bc5200011762a0d002f0cffa2
Opcode Fuzzy Hash: 89994cafd732a7bff4a62bb092bf1e40fe641b37c59dde07ceaa72b24ecf232c
Instruction Fuzzy Hash: 8D21C53251410AABEB2A9F24DC42BBA77ECFB05310F1540BAED01DE181EB75BD44C750

Uniqueness

Uniqueness Score: -1.00%

Function 0034EB14 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00346755: GetLastError.KERNEL32(?,?,0033EABC,?,?,?,0034138F,?,?,?,?), ref: 00346759
Part of subcall function 00346755: _free.LIBCMT ref: 0034678C
Part of subcall function 00346755: SetLastError.KERNEL32(00000000,?,?,?), ref: 003467CD
Part of subcall function 00346755: _abort.LIBCMT ref: 003467D3

EnumSystemLocalesW.KERNEL32(0034EC40,00000001,00000000,?,003450DB,?,0034F26D,00000000,?,?,?), ref: 0034EB86

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 93f6812603449442dd6a82bf79ac9a2f5f95d30d52fd4919735a01ddff82ccc9
Instruction ID: 5ef4bf8ddb320ad993d22eb19714a77a0a7927f81838a7845459ea1774d2cbb7
Opcode Fuzzy Hash: 93f6812603449442dd6a82bf79ac9a2f5f95d30d52fd4919735a01ddff82ccc9
Instruction Fuzzy Hash: 1F11E93B2047055FDB199F39C8915BABBD1FF84368B19482CE5874BA40D7717942CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0034F0C0 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00346755: GetLastError.KERNEL32(?,?,0033EABC,?,?,?,0034138F,?,?,?,?), ref: 00346759
Part of subcall function 00346755: _free.LIBCMT ref: 0034678C
Part of subcall function 00346755: SetLastError.KERNEL32(00000000,?,?,?), ref: 003467CD
Part of subcall function 00346755: _abort.LIBCMT ref: 003467D3

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0034EE5E,00000000,00000000,?), ref: 0034F0EC

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: c0c37c643084e9637c7ecf403e3d3116bc784525597113a2c0471cf6bf129078
Instruction ID: d183f2c1072ac1c5657a5c288e98909854ecf07f2a1f5164e888527e10a8e4d7
Opcode Fuzzy Hash: c0c37c643084e9637c7ecf403e3d3116bc784525597113a2c0471cf6bf129078
Instruction Fuzzy Hash: 16F0F936900116EFDB269A65CC06BBB7BD8EB40354F1A4479EC05AB540EB70FD41C690

Uniqueness

Uniqueness Score: -1.00%

Function 0034EBAF Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00346755: GetLastError.KERNEL32(?,?,0033EABC,?,?,?,0034138F,?,?,?,?), ref: 00346759
Part of subcall function 00346755: _free.LIBCMT ref: 0034678C
Part of subcall function 00346755: SetLastError.KERNEL32(00000000,?,?,?), ref: 003467CD
Part of subcall function 00346755: _abort.LIBCMT ref: 003467D3

EnumSystemLocalesW.KERNEL32(0034EE90,00000001,00000000,?,003450DB,?,0034F231,003450DB,?,?,?,?,?,003450DB,?,?), ref: 0034EBFB

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 45fe3d217213e92077064f1f39489f92c912c82310d8bca70a333c87f93f4f45
Instruction ID: ecaa36df6d6f69e2a3555beab396033dc34b93a09c02f848d767eb0cd1cea1da
Opcode Fuzzy Hash: 45fe3d217213e92077064f1f39489f92c912c82310d8bca70a333c87f93f4f45
Instruction Fuzzy Hash: 59F0C2362047055FEB165F799C82A6A7BD5FF81368F05482CF9468F640D6B1AC428A40

Uniqueness

Uniqueness Score: -1.00%

Function 003477C6 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00348391: EnterCriticalSection.KERNEL32(?,?,00345C5E,00000000,003606D0,0000000C,00345C19,00000596,?,?,00347716,00000596,?,0034680A,00000001,00000364), ref: 003483A0

EnumSystemLocalesW.KERNEL32(00347780,00000001,003607F0,0000000C), ref: 003477FE

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: fa0af8b596a49a20a0e347b18db2c9f367583b15e490a95e22f281c855895f0d
Instruction ID: 73596873393ba0dc267e23090ccafea59163c57a2f75ea70b630bbdaa4535bce
Opcode Fuzzy Hash: fa0af8b596a49a20a0e347b18db2c9f367583b15e490a95e22f281c855895f0d
Instruction Fuzzy Hash: 8DF04972A10604EFDB16EF68D986B9D77E0EB04720F128119F914EF2E1CBB49945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0034EAC9 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00346755: GetLastError.KERNEL32(?,?,0033EABC,?,?,?,0034138F,?,?,?,?), ref: 00346759
Part of subcall function 00346755: _free.LIBCMT ref: 0034678C
Part of subcall function 00346755: SetLastError.KERNEL32(00000000,?,?,?), ref: 003467CD
Part of subcall function 00346755: _abort.LIBCMT ref: 003467D3

EnumSystemLocalesW.KERNEL32(0034EA20,00000001,00000000,?,?,0034F28F,003450DB,?,?,?,?,?,003450DB,?,?,?), ref: 0034EB00

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 21f32ae1e5d136a59deff35e5951630d74c5e28b710d6d426e9a79bbf5e487fc
Instruction ID: ba64afbb0f9f81dfabd4d13d71c95fcbcbf0294fd18de56e9764656e2dd99593
Opcode Fuzzy Hash: 21f32ae1e5d136a59deff35e5951630d74c5e28b710d6d426e9a79bbf5e487fc
Instruction Fuzzy Hash: A5F0E53A30020557DB069F35D855B6BBFD5FFC2764F074468EA0A8F650C671AC42C790

Uniqueness

Uniqueness Score: -1.00%

Function 0034223E Relevance: 1.5, Strings: 1, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 003423AE

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 7764a7755c296639e13db4d3e66b0e8850aa4acfb1436331d14c5fa2db2da257
Instruction ID: 1c71fb4c7516eb7cef252cf48288feb6e3f5dc353343845177d7fc90940b2c0c
Opcode Fuzzy Hash: 7764a7755c296639e13db4d3e66b0e8850aa4acfb1436331d14c5fa2db2da257
Instruction Fuzzy Hash: 0C519835700A455BDFBB8D6884457BF67E9AB12300FCA0D19F842FF682C688FE459751

Uniqueness

Uniqueness Score: -1.00%

Function 003585F9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ac370eeeab77e1e9dda8e0cdcdfbd21d23e3c9baa68a7db03d26220921085f
Instruction ID: 26e3cfff14acb8a494257ddbc0ba1e876fdb9d535d48ed6be02973b9c564bee9
Opcode Fuzzy Hash: 68ac370eeeab77e1e9dda8e0cdcdfbd21d23e3c9baa68a7db03d26220921085f
Instruction Fuzzy Hash: 4532D126D2AF414DD7239634C832336A29CAFB73D5F15DB37E81AB5DA6EF2984874100

Uniqueness

Uniqueness Score: -1.00%

Function 0034246D Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12df0760cef5137ca4129e23a68dfaae09503d0dfe9308320fbcaaaa103340f3
Instruction ID: ccb9026f30800cfa2b107b55e826e70799494a0385690c242cbd65303b259587
Opcode Fuzzy Hash: 12df0760cef5137ca4129e23a68dfaae09503d0dfe9308320fbcaaaa103340f3
Instruction Fuzzy Hash: E361597160060857DA3B5A298865BBFA3D8EF43300FD7089AF886FF681D655FD828725

Uniqueness

Uniqueness Score: -1.00%

Function 0030BA59 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a260699a14cd6a9100b2afcf9afa1d2d2108013f65280e4475c7e1209e7a3b2c
Instruction ID: fc1a01abdee54a1feaa66b9ba7a71674a274191cc5b5b2e251bb729b1316d082
Opcode Fuzzy Hash: a260699a14cd6a9100b2afcf9afa1d2d2108013f65280e4475c7e1209e7a3b2c
Instruction Fuzzy Hash: 2F11346546F3C05EE3439B7898656827FB4AE572A4B0B85D7C4C1CF4B3C218495AD733

Uniqueness

Uniqueness Score: -1.00%

Function 00337968 Relevance: 47.5, APIs: 10, Strings: 17, Instructions: 264libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00337E17: GetSystemDirectoryW.KERNEL32 ref: 00337E54
Part of subcall function 00337E17: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00337E8F
Part of subcall function 00337E17: LoadLibraryW.KERNEL32(00000001), ref: 00337EB1

GetProcAddress.KERNEL32(00000000,WinVerifyTrust,?,00000000,?), ref: 00337A2A
GetProcAddress.KERNEL32(00000000,WTHelperProvDataFromStateData), ref: 00337A39
GetProcAddress.KERNEL32(00000000,WTHelperGetProvSignerFromChain), ref: 00337A48
GetProcAddress.KERNEL32(00000000,WTHelperGetProvCertFromChain), ref: 00337A57

Part of subcall function 0031556B: WriteFile.KERNEL32(?,003143D2,003143D2,003143D2,00000000), ref: 003155AB

Strings

0, xrefs: 003379DC
WTHelperProvDataFromStateData, xrefs: 00337A30
Subject form unknown, xrefs: 00337AFE, 00337B14
@ 6, xrefs: 00337A01, 00337AD4, 00337B0C, 00337C57
wintrust.dll, xrefs: 003379B1
Could not get procedures out of Wintrust., xrefs: 00337C5F
WinVerifyTrust, xrefs: 00337A24
WTHelperGetProvCertFromChain, xrefs: 00337A4E
WTHelperGetProvSignerFromChain, xrefs: 00337A3F
File trusted, xrefs: 00337AEC
Wintrust not found on machine., xrefs: 00337A09
WinVerifyTrust returned %d, xrefs: 00337AA9
Wintrust not on machine, xrefs: 00337B05
File not signed, xrefs: 00337AF7
File not trusted, xrefs: 00337AE3
crypt32.dll, xrefs: 00337B77
CertDuplicateCertificateContext, xrefs: 00337B88

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: AddressProc$Directory$FileLibraryLoadSystemWindowsWrite
String ID: 0$@ 6$CertDuplicateCertificateContext$Could not get procedures out of Wintrust.$File not signed$File not trusted$File trusted$Subject form unknown$WTHelperGetProvCertFromChain$WTHelperGetProvSignerFromChain$WTHelperProvDataFromStateData$WinVerifyTrust$WinVerifyTrust returned %d$Wintrust not found on machine.$Wintrust not on machine$crypt32.dll$wintrust.dll
API String ID: 1334061755-2670583483
Opcode ID: 25070e83d127cf8671c100f328fea0c55eb74e45a43fa92e3c7b6d3002092afd
Instruction ID: 9f9a855e284579c3b947b5ea7e1ad221fcf9bb021e347dadcf8fddefd8f7fd42
Opcode Fuzzy Hash: 25070e83d127cf8671c100f328fea0c55eb74e45a43fa92e3c7b6d3002092afd
Instruction Fuzzy Hash: FB917BB5E056189FDF269FA9D899ADEBBB8FF08710F15412AF405A7290DBB08D40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00315DDE Relevance: 30.0, APIs: 4, Strings: 13, Instructions: 226COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00315DE5
__EH_prolog3.LIBCMT ref: 00315E57

Strings

SearchPath, xrefs: 00315FAC
Arguments, xrefs: 00315EE0
Property, xrefs: 00315E14
Property not specified for Install Check., xrefs: 00315E32
No PackageFile specified for External Check '%s'., xrefs: 00315F10
FileName, xrefs: 00315F8D
SearchDepth, xrefs: 00315FC7
Log, xrefs: 00315EEF
No FileName value specified for File Check '%s'., xrefs: 00315FE8
SpecialFolder, xrefs: 00315FBB
PackageFile, xrefs: 00315EC3
Product, xrefs: 00316048
Feature, xrefs: 0031605A

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: H_prolog3
String ID: Arguments$Feature$FileName$Log$No FileName value specified for File Check '%s'.$No PackageFile specified for External Check '%s'.$PackageFile$Product$Property$Property not specified for Install Check.$SearchDepth$SearchPath$SpecialFolder
API String ID: 431132790-89009226
Opcode ID: 9ae36e98139c956b48c400fbb2898fec54c31a5d0e81aff01bec5f2213171b09
Instruction ID: 7136959ac3e1f7fb8b4599d91a7141e3a08bdc7c0f8e860586c650c34c017f06
Opcode Fuzzy Hash: 9ae36e98139c956b48c400fbb2898fec54c31a5d0e81aff01bec5f2213171b09
Instruction Fuzzy Hash: 4B71A071511B00FEF746EFA4C886B9BB7A4AF08705F004469FA44DE1A2D7B9EA05C792

Uniqueness

Uniqueness Score: -1.00%

Function 0034DE1E Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0034DE62

Part of subcall function 0034D07E: _free.LIBCMT ref: 0034D09B
Part of subcall function 0034D07E: _free.LIBCMT ref: 0034D0AD
Part of subcall function 0034D07E: _free.LIBCMT ref: 0034D0BF
Part of subcall function 0034D07E: _free.LIBCMT ref: 0034D0D1
Part of subcall function 0034D07E: _free.LIBCMT ref: 0034D0E3
Part of subcall function 0034D07E: _free.LIBCMT ref: 0034D0F5
Part of subcall function 0034D07E: _free.LIBCMT ref: 0034D107
Part of subcall function 0034D07E: _free.LIBCMT ref: 0034D119
Part of subcall function 0034D07E: _free.LIBCMT ref: 0034D12B
Part of subcall function 0034D07E: _free.LIBCMT ref: 0034D13D
Part of subcall function 0034D07E: _free.LIBCMT ref: 0034D14F
Part of subcall function 0034D07E: _free.LIBCMT ref: 0034D161
Part of subcall function 0034D07E: _free.LIBCMT ref: 0034D173

_free.LIBCMT ref: 0034DE57

Part of subcall function 00347740: HeapFree.KERNEL32(00000000,00000000), ref: 00347756
Part of subcall function 00347740: GetLastError.KERNEL32(00000596,?,0034D7FA,00000596,00000000,00000596,00000000,?,0034DA9E,00000596,00000007,00000596,?,0034DFB6,00000596,00000596), ref: 00347768

_free.LIBCMT ref: 0034DE79
_free.LIBCMT ref: 0034DE8E
_free.LIBCMT ref: 0034DE99
_free.LIBCMT ref: 0034DEBB
_free.LIBCMT ref: 0034DECE
_free.LIBCMT ref: 0034DEDC
_free.LIBCMT ref: 0034DEE7
_free.LIBCMT ref: 0034DF1F
_free.LIBCMT ref: 0034DF26
_free.LIBCMT ref: 0034DF43
_free.LIBCMT ref: 0034DF5B

Strings

h!6, xrefs: 0034DE34

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: h!6
API String ID: 161543041-4204839920
Opcode ID: 7265aead060991cb13dfe63ad55e90e92a7db48a3bd1cae0daa09120b985017c
Instruction ID: d0a705cd8590fbcee4853845ce8de835eb22668f1b48bcae41176d8d50ee247b
Opcode Fuzzy Hash: 7265aead060991cb13dfe63ad55e90e92a7db48a3bd1cae0daa09120b985017c
Instruction Fuzzy Hash: D8314A316082019FEB32AA39D885B66B7E9EF11310F515869F489DF292DB31FC84CA54

Uniqueness

Uniqueness Score: -1.00%

Function 0034D180 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0034D1C8
_free.LIBCMT ref: 0034D1EC
_free.LIBCMT ref: 0034D1F9
_free.LIBCMT ref: 0034D21E
_free.LIBCMT ref: 0034D22B
_free.LIBCMT ref: 0034D234
_free.LIBCMT ref: 0034D512
_free.LIBCMT ref: 0034D51A

Strings

`!6, xrefs: 0034D1AE, 0034D497

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: _free
String ID: `!6
API String ID: 269201875-4105409096
Opcode ID: 623410c33240196dc44816c97a6959f9d4b745d345a52a9ba98c6b5478e65238
Instruction ID: 8f413e184f036e8808db61f2739ffbe9d1c8be1756cb313541d8c6af9e393247
Opcode Fuzzy Hash: 623410c33240196dc44816c97a6959f9d4b745d345a52a9ba98c6b5478e65238
Instruction Fuzzy Hash: 10C14376E40205AFDB21DBA8CC82FAF77F8AB09701F154555FE44EF382D670AA458B60

Uniqueness

Uniqueness Score: -1.00%

Function 0034CCE0 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0034CD50
_free.LIBCMT ref: 0034CD66
_free.LIBCMT ref: 0034CD77
_free.LIBCMT ref: 0034CD88
_free.LIBCMT ref: 0034CD9F
GetCPInfo.KERNEL32(?,?), ref: 0034CDE7

Part of subcall function 0035215A: _free.LIBCMT ref: 003521C5

_free.LIBCMT ref: 0034CF93
_free.LIBCMT ref: 0034CFA6
_free.LIBCMT ref: 0034CFB4
_free.LIBCMT ref: 0034CFBF
_free.LIBCMT ref: 0034D001
_free.LIBCMT ref: 0034D009
_free.LIBCMT ref: 0034D011
_free.LIBCMT ref: 0034D019
_free.LIBCMT ref: 0034D027

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 52811fd0cb2e5e87e9def17bb30ad4cc3537b2565454ee03fba7b5b7901c70da
Instruction ID: 18094838ee48fd34580ede3c499fdc984556ef3c823f25253ab27b03dc943d6a
Opcode Fuzzy Hash: 52811fd0cb2e5e87e9def17bb30ad4cc3537b2565454ee03fba7b5b7901c70da
Instruction Fuzzy Hash: 1EB1DF71911205AFDB22DF69C881BEEBBF6FF08300F144469F498AF252DB75A845CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00335C6C Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 95COMMON

Download Yara Rule

Strings

SeShutdownPrivilege, xrefs: 00335D0A
advapi32.dll, xrefs: 00335C96
LookupPrivilegeValueW, xrefs: 00335CBE
OpenProcessToken, xrefs: 00335CB2
AdjustTokenPrivileges, xrefs: 00335CCC

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Version
String ID: AdjustTokenPrivileges$LookupPrivilegeValueW$OpenProcessToken$SeShutdownPrivilege$advapi32.dll
API String ID: 1889659487-3661999180
Opcode ID: c7f15c8b62b3114bae944216526c5d7e2e2ef79679e7d6d384803eef42d25812
Instruction ID: 7f7b318b680a2090d0151b4d5dc25bc3142cb7a7f6c30e0527579c355586eb0e
Opcode Fuzzy Hash: c7f15c8b62b3114bae944216526c5d7e2e2ef79679e7d6d384803eef42d25812
Instruction Fuzzy Hash: 5921B475601A09AFDF13AF64DC8DEBFBBBD9F86B04F014429F801D6255DBB088018660

Uniqueness

Uniqueness Score: -1.00%

Function 00315991 Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 377COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 003159EB

Part of subcall function 0031779F: __EH_prolog3_GS.LIBCMT ref: 003177A6

Strings

Version, xrefs: 00315B30
No Name value specified for Assembly Check '%s', xrefs: 00315DD1
Name, xrefs: 00315A80
PublicKeyToken, xrefs: 00315ADA
ProcessorArchitecture, xrefs: 00315BEA
neutral, xrefs: 00315B9E
No Version value specified for Assembly Check '%s'., xrefs: 00315B4B
No PublicKeyToken value specified for Assembly Check '%s'., xrefs: 00315DC1
Culture, xrefs: 00315B8C

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: H_prolog3_
String ID: Culture$Name$No Name value specified for Assembly Check '%s'$No PublicKeyToken value specified for Assembly Check '%s'.$No Version value specified for Assembly Check '%s'.$ProcessorArchitecture$PublicKeyToken$Version$neutral
API String ID: 2427045233-1850210091
Opcode ID: 5fe45548ef7554b6f3ef62beb3fb9ccc2dddedb33e57fa3a4a1556085e47ee9c
Instruction ID: 9ebf501e7bbee12a2736fd8afb3ea192d1cd7d853e1aff4d9f2c17910d295111
Opcode Fuzzy Hash: 5fe45548ef7554b6f3ef62beb3fb9ccc2dddedb33e57fa3a4a1556085e47ee9c
Instruction Fuzzy Hash: 4FD16E71910608EFEB1ADFA8D885BDEB7B9FF4C300F20442AE505E7251DB34AA85CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0033D838 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0033D957
___TypeMatch.LIBVCRUNTIME ref: 0033DA65
CatchIt.LIBVCRUNTIME ref: 0033DAB6
_UnwindNestedFrames.LIBCMT ref: 0033DBB7
CallUnexpected.LIBVCRUNTIME ref: 0033DBD2
_abort.LIBCMT ref: 0033DBD7

Strings

csm, xrefs: 0033D875
Xn0, xrefs: 0033D94E
csm, xrefs: 0033D98E
csm, xrefs: 0033D8E2

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: Xn0$csm$csm$csm
API String ID: 445410325-2128354375
Opcode ID: 6d55d8330a3053e610e41ecd1c71fa7a92ac866db2ed60f288a917ae2f60699e
Instruction ID: 20b746b33aeb662b269b812aee0092fc2cb559cf11ae2cbd9bd60e73f72537d9
Opcode Fuzzy Hash: 6d55d8330a3053e610e41ecd1c71fa7a92ac866db2ed60f288a917ae2f60699e
Instruction Fuzzy Hash: A0B18A71800209EFCF2ADFA4E9C1AAEBBB5FF14310F16415AF8156B212D735EA51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00349901 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 00349B77

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 256ae4f9cf9811b665622bcf0cdb379e173b4ec9749f7950ee00a24f34fe3b59
Instruction ID: 8480bdb89523793b14baec94bc6bc85af5ba67c8ca6df74f0cb1f8799c1029c3
Opcode Fuzzy Hash: 256ae4f9cf9811b665622bcf0cdb379e173b4ec9749f7950ee00a24f34fe3b59
Instruction Fuzzy Hash: A5C1A374A04245AFDF17DFA8D881BAE7BF8AF0A310F15419AE445AF392C770AD41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00359711 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00359450: CreateFileW.KERNEL32(00000000,00000000,?,003597BA,?,?,00000000), ref: 0035946D

GetLastError.KERNEL32 ref: 00359825
__dosmaperr.LIBCMT ref: 0035982C
GetFileType.KERNEL32(00000000), ref: 00359838
GetLastError.KERNEL32 ref: 00359842
__dosmaperr.LIBCMT ref: 0035984B
CloseHandle.KERNEL32(00000000), ref: 0035986B
CloseHandle.KERNEL32(?), ref: 003599B5
GetLastError.KERNEL32 ref: 003599E7
__dosmaperr.LIBCMT ref: 003599EE

Strings

H, xrefs: 00359973

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 78a37cb223151da3bec01268b96065334e97ceabf9eb57439cd7a2da0769393d
Instruction ID: 899cd17b0e342b6688f852a2d035749fb90a452a7269a2623f814b1d13c80d60
Opcode Fuzzy Hash: 78a37cb223151da3bec01268b96065334e97ceabf9eb57439cd7a2da0769393d
Instruction Fuzzy Hash: 11A13432A141449FDF1ADF68D842BAE3BB4EB0A321F14015EEC15DF2A1CB709D1ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 00334895 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 204filewindowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0033489C
CreateFileW.KERNEL32(?,?,?,00000002), ref: 0033491F
MessageBoxW.USER32 ref: 0033497C
WriteFile.KERNEL32(00000000,?,00000002,?,00000000), ref: 00334A09
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00334A4A
CloseHandle.KERNEL32(00000000), ref: 00334A51
SetEvent.KERNEL32(?,00000040,00333D5F,00000002), ref: 00334AD9

Strings

open, xrefs: 00334A79
pT5, xrefs: 00334A6B
eula.rtf, xrefs: 003348E1

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: File$Write$CloseCreateEventH_prolog3_HandleMessage
String ID: eula.rtf$open$pT5
API String ID: 3097060125-1495875868
Opcode ID: 8327b132575f541dcaa780a1f5558b22d3ca004d94b97efa88cdece9b803bca3
Instruction ID: 52ad5263d4f65158b9f317e2bb7fbb0ced48ca0a3d3c28d37f1662b40e70a658
Opcode Fuzzy Hash: 8327b132575f541dcaa780a1f5558b22d3ca004d94b97efa88cdece9b803bca3
Instruction Fuzzy Hash: 79715A71911218EFDB06CF94D885BEEBBB9EF09700F10442AF505EB290DB74A945CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00338FBA Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 207libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00338FC1

Part of subcall function 0033793B: GetFileAttributesW.KERNEL32(0031876B,00000001,?,0031876B,?), ref: 0033794E

Part of subcall function 00314375: __EH_prolog3_GS.LIBCMT ref: 0031437C

GetProcAddress.KERNEL32(00000000,CertFreeCertificateContext), ref: 00339174
FreeLibrary.KERNEL32(?), ref: 0033918E

Strings

No hash or public key info found., xrefs: 003391DB
@ 6, xrefs: 00339056, 003391D5
CertFreeCertificateContext, xrefs: 0033916E
Verifying file hash, xrefs: 0033905E
Verifying file integrity of %s, xrefs: 00338FE2
crypt32.dll, xrefs: 0033915B

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: H_prolog3_$AddressAttributesFileFreeLibraryProc
String ID: @ 6$CertFreeCertificateContext$No hash or public key info found.$Verifying file hash$Verifying file integrity of %s$crypt32.dll
API String ID: 1786674265-3549955070
Opcode ID: cb71e0b4dc11f8e292b16dcf2084037a2d41ed066dc8eea9d3c789e134d74dff
Instruction ID: ea961bbaf6d98839ebb12a266a5ce57f13f2b25daec862565c621690349bdfdd
Opcode Fuzzy Hash: cb71e0b4dc11f8e292b16dcf2084037a2d41ed066dc8eea9d3c789e134d74dff
Instruction Fuzzy Hash: FB61D375900615EBDF2BAB94CCD2BEEB738AF48B00F09441AF8027B281D7A15E85C650

Uniqueness

Uniqueness Score: -1.00%

Function 0034D5B0 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0034D61F
_free.LIBCMT ref: 0034D62D
_free.LIBCMT ref: 0034D75B
_free.LIBCMT ref: 0034D766

Strings

`!6, xrefs: 0034D5DB, 0034D7A0
d!6, xrefs: 0034D7B7

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: _free
String ID: `!6$d!6
API String ID: 269201875-3621835713
Opcode ID: 24632c6e4f3f35d6ca543c745c982fdfb413a159f75c3a990a2ac44d2729766d
Instruction ID: cca165c0d666b23c7cb6965739addd926ea387fdbbf752f44af8fd13f82c4a6e
Opcode Fuzzy Hash: 24632c6e4f3f35d6ca543c745c982fdfb413a159f75c3a990a2ac44d2729766d
Instruction Fuzzy Hash: 3761D375D04205AFDB22DF68C841BAABBF5EF05310F1545AAED44EF282D770AD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003350EF Relevance: 15.1, APIs: 10, Instructions: 114windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 003350F9
GetDC.USER32(?), ref: 0033510B
ShowScrollBar.USER32 ref: 0033511D
GetClientRect.USER32 ref: 00335134
GetSystemMetrics.USER32 ref: 0033513C

Part of subcall function 00338796: __EH_prolog3_GS.LIBCMT ref: 0033879D

ReleaseDC.USER32(?,?), ref: 003351F0
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 003351FD
GetStockObject.GDI32(0000000D), ref: 00335209
GetObjectW.GDI32(00000000,0000005C,?), ref: 0033521D
ShowScrollBar.USER32 ref: 00335240

Part of subcall function 00333BF2: GetTextExtentPoint32W.GDI32(00000008,?,?,00000000), ref: 00333C31

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: H_prolog3_ObjectScrollShow$ClientExtentMessageMetricsPoint32RectReleaseSendStockSystemText
String ID:
API String ID: 1108648939-0
Opcode ID: a46be396c92acf922da816644139a4cb612f02db7048685586ff383b12a6e31b
Instruction ID: 5af2dfc80f0069536e73ddb468cc9c76ac035b01932cdb564fcd39469142e95e
Opcode Fuzzy Hash: a46be396c92acf922da816644139a4cb612f02db7048685586ff383b12a6e31b
Instruction Fuzzy Hash: 74412A71E406199FDF21DFB8CC95BEEBBB9BB48700F0484A9E508F6251D7745A818F60

Uniqueness

Uniqueness Score: -1.00%

Function 00346661 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00346675

Part of subcall function 00347740: HeapFree.KERNEL32(00000000,00000000), ref: 00347756
Part of subcall function 00347740: GetLastError.KERNEL32(00000596,?,0034D7FA,00000596,00000000,00000596,00000000,?,0034DA9E,00000596,00000007,00000596,?,0034DFB6,00000596,00000596), ref: 00347768

_free.LIBCMT ref: 00346681
_free.LIBCMT ref: 0034668C
_free.LIBCMT ref: 00346697
_free.LIBCMT ref: 003466A2
_free.LIBCMT ref: 003466AD
_free.LIBCMT ref: 003466B8
_free.LIBCMT ref: 003466C3
_free.LIBCMT ref: 003466CE
_free.LIBCMT ref: 003466DC

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d343500dabb48de9e51a2b6e93a953d017b5e40b92f503555b5917d36fd2c7d7
Instruction ID: 55175d581d37ff02daa9cd996cc2e9608409579da2731e7c1e6a2ed5160be319
Opcode Fuzzy Hash: d343500dabb48de9e51a2b6e93a953d017b5e40b92f503555b5917d36fd2c7d7
Instruction Fuzzy Hash: 8111897A514108BFCB02EF54C942CEA3FB6EF05350B5155A5B9484F122DB31EE50DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00334EB3 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00334EBD
GetDC.USER32(?), ref: 00334ED7

Part of subcall function 003381D2: __EH_prolog3_GS.LIBCMT ref: 003381D9

EnumFontFamiliesExW.GDI32(?,?,Function_00033D00,?,00000000), ref: 00334FD2
CreateFontIndirectW.GDI32(00000007), ref: 00335005

Strings

Height, xrefs: 00334F4B
CharSet, xrefs: 00334F31
Weight, xrefs: 00334F65
FontName, xrefs: 00334F0A

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: FontH_prolog3_$CreateEnumFamiliesIndirect
String ID: CharSet$FontName$Height$Weight
API String ID: 281542929-1759768386
Opcode ID: 18661470a930eb72dc29c3b54005efc5ce42283cdeea8b00b6257daea019c9d5
Instruction ID: a2fe5cc86f00d2faeee84cb4d4bf04577433e8a5320d6057509f3d9a5eec021b
Opcode Fuzzy Hash: 18661470a930eb72dc29c3b54005efc5ce42283cdeea8b00b6257daea019c9d5
Instruction Fuzzy Hash: 11515F71D00609AFDF16DFB4C8C1AEEBBB9AF09300F104469F509E7252DB35AA84CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00353443 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

_DecodePointerInternal@4.AMAIL_VER1(?,?,?,?,?,?,?,?,?,?,00352E1F), ref: 00353466

Strings

exp, xrefs: 0035352B, 0035358D
sqrt, xrefs: 003535EA
pow, xrefs: 0035354A, 003535F6, 00353609
asin, xrefs: 003535D2
log, xrefs: 0035350C, 00353518
log10, xrefs: 003534B0, 00353500
acos, xrefs: 003535DE

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: DecodeInternal@4Pointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3958391079-3064271455
Opcode ID: 62413fdf16713f9a7b59e43ba378d2ae262d42e1a775417897c6e901d8cbfc34
Instruction ID: 70a28642e09ee758886b7c9fee3acee5ec9ce5512e330e0aa82e123a4761a08e
Opcode Fuzzy Hash: 62413fdf16713f9a7b59e43ba378d2ae262d42e1a775417897c6e901d8cbfc34
Instruction Fuzzy Hash: DA518FB4900509DBCF03CF58E5889ADBBB4FF0A346F214589D881A76B4D7758B28CB15

Uniqueness

Uniqueness Score: -1.00%

Function 00324E37 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 153COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00324E3E

Strings

Size, xrefs: 00324F25
HomeSite, xrefs: 00324F70
Name, xrefs: 00324F07
TargetPath, xrefs: 00324EED
PublicKey, xrefs: 00324F43
UrlName, xrefs: 00324F19
Hash, xrefs: 00324F34

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: H_prolog3_
String ID: Hash$HomeSite$Name$PublicKey$Size$TargetPath$UrlName
API String ID: 2427045233-2227013664
Opcode ID: 5e007da7640c7ce4752f088e5a41f6ce38629751b4095cdf36e5443c41db4b70
Instruction ID: 737ed90556ef701f662d0ac5a440a849547a3c0cea05b3f5869d443bc5817d70
Opcode Fuzzy Hash: 5e007da7640c7ce4752f088e5a41f6ce38629751b4095cdf36e5443c41db4b70
Instruction Fuzzy Hash: 54515E71810604FFEB42DFF8C9C1BEAB7B4AF49309F004465EA04EA156D779DA44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00337777 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 96libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00337E17: GetSystemDirectoryW.KERNEL32 ref: 00337E54
Part of subcall function 00337E17: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00337E8F
Part of subcall function 00337E17: LoadLibraryW.KERNEL32(00000001), ref: 00337EB1

GetProcAddress.KERNEL32(00000000,IsUserAnAdmin), ref: 003377B5
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00337823
FreeLibrary.KERNEL32(00000000), ref: 0033784B
FreeLibrary.KERNEL32(00000000), ref: 00337862

Strings

IsUserAnAdmin, xrefs: 003377AF
advapi32.dll, xrefs: 00337809
shell32.dll, xrefs: 0033779E
CheckTokenMembership, xrefs: 0033781D

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Library$AddressDirectoryFreeProc$LoadSystemWindows
String ID: CheckTokenMembership$IsUserAnAdmin$advapi32.dll$shell32.dll
API String ID: 3233287316-4205908389
Opcode ID: a01db48646f5700a990ad59daf0f37e53a2346e0137ee2fbd9a81949755d027d
Instruction ID: 979dc63d7306a338c6e77829abf9d5901b751cd72bdb30f8021ca5c1f2abeb56
Opcode Fuzzy Hash: a01db48646f5700a990ad59daf0f37e53a2346e0137ee2fbd9a81949755d027d
Instruction Fuzzy Hash: 3821B674605609ABDB239BA0DCCEBBE77BCEF45B05F114028E401AA280DBB09D05DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00338C4B Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 315fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00338C52
CreateFileW.KERNEL32 ref: 00338D8A
ReadFile.KERNEL32(000000FF,?,00004000,0033907B,00000000), ref: 00338DBF
ReadFile.KERNEL32(000000FF,?,00004000,0033907B,00000000), ref: 00338E2A
CloseHandle.KERNEL32(000000FF), ref: 00338F43

Strings

Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 00338D15
Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype), xrefs: 00338D32

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: File$Read$CloseCreateH_prolog3_Handle
String ID: Microsoft Enhanced RSA and AES Cryptographic Provider$Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)
API String ID: 3109496628-3432907261
Opcode ID: 680c3840fe8f7273d2ec7f7931ab876e4e22b822e5016d7dfe480533db03810e
Instruction ID: e6a114a280d2e635f1b1044dfb3ac4c5d5944b1a0ae5fa0ad8797672621ff3da
Opcode Fuzzy Hash: 680c3840fe8f7273d2ec7f7931ab876e4e22b822e5016d7dfe480533db03810e
Instruction Fuzzy Hash: 40B13971D00209AFDB16DFA8DC85AEEBBBDEF08310F25452AF911F7190EA709D458B64

Uniqueness

Uniqueness Score: -1.00%

Function 0034A65D Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0034A6E8
__alldvrm.LIBCMT ref: 0034A8E9
__alldvrm.LIBCMT ref: 0034A90B

Strings

C%4, xrefs: 0034A667
C%4, xrefs: 0034A8AA
C%4, xrefs: 0034A673, 0034A6CE, 0034A6E7, 0034A86D

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: C%4$C%4$C%4
API String ID: 1036877536-1632645473
Opcode ID: 104e74f01146504a49e5e37293d18aef5f2464869ebe3142408da1fc5e239df6
Instruction ID: 065f1e82b85b4e633f82eeb4a23f2f4d014a39c7a88fcacb230b534939edf06c
Opcode Fuzzy Hash: 104e74f01146504a49e5e37293d18aef5f2464869ebe3142408da1fc5e239df6
Instruction Fuzzy Hash: BAA15A75984B8A9FEB23CF58C881BAEBFE4EF15310F16416DE4859F251C338A942C752

Uniqueness

Uniqueness Score: -1.00%

Function 003362AA Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00337D90: GetVersionExW.KERNEL32(0000011C,?,?,?), ref: 00337DD6

ShellExecuteExW.SHELL32(0000003C), ref: 00336336

Part of subcall function 0031556B: WriteFile.KERNEL32(?,003143D2,003143D2,003143D2,00000000), ref: 003155AB

CloseHandle.KERNEL32(?), ref: 00336352

Strings

runas, xrefs: 0033632B
Will attempt to elevate process., xrefs: 00336315
@ 6, xrefs: 0033630D
<, xrefs: 003362E6
@, xrefs: 003362F7

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: CloseExecuteFileHandleShellVersionWrite
String ID: <$@$@ 6$Will attempt to elevate process.$runas
API String ID: 644025995-1185998176
Opcode ID: 42f2c29fc6748e0aeecad5408ab2f84b1fdb18082b3a41f029e2328aa230a167
Instruction ID: 25ce3a29d85db95176f1236a4f9a38ef65b3ffab9b11e5684159b90ff61baf8d
Opcode Fuzzy Hash: 42f2c29fc6748e0aeecad5408ab2f84b1fdb18082b3a41f029e2328aa230a167
Instruction Fuzzy Hash: 76219DB5A01208EFDF02DFA4DC95AEEB7BCAF48314F144019E901FB250D7B0AA05CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00339604 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 52libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00337E17: GetSystemDirectoryW.KERNEL32 ref: 00337E54
Part of subcall function 00337E17: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00337E8F
Part of subcall function 00337E17: LoadLibraryW.KERNEL32(00000001), ref: 00337EB1

GetProcAddress.KERNEL32(00000000,SHGetFolderPathW,?,00000007,00000000,?,00339597,00000000,?,00000000,00000001,?,?,00000008,?), ref: 0033962E
FreeLibrary.KERNEL32(00000000,?,00339597,00000000,?,00000000,00000001,?,?,00000008,?), ref: 0033963B
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW,?,00339597,00000000,?,00000000,00000001,?,?,00000008,?), ref: 00339658
FreeLibrary.KERNEL32(00000000,?,00339597,00000000,?,00000000,00000001,?,?,00000008,?), ref: 00339680

Strings

shell32.dll, xrefs: 0033960E
shfolder.dll, xrefs: 00339641
SHGetFolderPathW, xrefs: 00339628, 00339652

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Library$AddressDirectoryFreeProc$LoadSystemWindows
String ID: SHGetFolderPathW$shell32.dll$shfolder.dll
API String ID: 3233287316-240897930
Opcode ID: 141c458fe05776ce0004fb26d8c9174a2dd7152c3e36f31ec413b210a0bc39d9
Instruction ID: bfcd92dd58ee42dbddd3a5c6ded4f75cd42b63c33f5a6b5ddde2c83985127fc8
Opcode Fuzzy Hash: 141c458fe05776ce0004fb26d8c9174a2dd7152c3e36f31ec413b210a0bc39d9
Instruction Fuzzy Hash: E301D436102A15AB9B132F24DC46D9F7B69EF86B60F064125FC0097250DBB18C208795

Uniqueness

Uniqueness Score: -1.00%

Function 00346755 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0033EABC,?,?,?,0034138F,?,?,?,?), ref: 00346759
_free.LIBCMT ref: 0034678C
_free.LIBCMT ref: 003467B4
SetLastError.KERNEL32(00000000,?,?,?), ref: 003467C1
SetLastError.KERNEL32(00000000,?,?,?), ref: 003467CD
_abort.LIBCMT ref: 003467D3

Strings

!6, xrefs: 003467A7

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID: !6
API String ID: 3160817290-2803111142
Opcode ID: 91cf6bd4176a729ce71a0fd707c66d053e86a9def878425adf660fbb07c0b35d
Instruction ID: 087285322c2de77590d37ba81e5625f3179b78e10f6e903ccf821a461699985f
Opcode Fuzzy Hash: 91cf6bd4176a729ce71a0fd707c66d053e86a9def878425adf660fbb07c0b35d
Instruction Fuzzy Hash: CDF0C836608A0166D6133B346C4BB6B2DED9BC3B69F220424F514DF192EF61B8054162

Uniqueness

Uniqueness Score: -1.00%

Function 0031CD92 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0031CD99
std::_Lockit::_Lockit.LIBCPMT ref: 0031CDA6

Part of subcall function 0031E240: std::_Lockit::_Lockit.LIBCPMT ref: 0031E25C
Part of subcall function 0031E240: std::_Lockit::~_Lockit.LIBCPMT ref: 0031E278

ctype.LIBCPMT ref: 0031CDDD
std::_Facet_Register.LIBCPMT ref: 0031CDF4
std::_Lockit::~_Lockit.LIBCPMT ref: 0031CE14
Concurrency::cancel_current_task.LIBCPMT ref: 0031CE21

Strings

B6, xrefs: 0031CDB1

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3_Registerctype
String ID: B6
API String ID: 3568167758-3921947778
Opcode ID: 5e31a6eaa3dc16423051a3ff068cae8592f8463acae5357d34395da4566b5f40
Instruction ID: 3827555ead0f649d178a6a97d5324194139605dd1fce838341d5f2ff7bb6a87e
Opcode Fuzzy Hash: 5e31a6eaa3dc16423051a3ff068cae8592f8463acae5357d34395da4566b5f40
Instruction Fuzzy Hash: 7601D6359005159FCB0BEBA4D896ABDB7749F8C721F250418F901AB391DF709E858791

Uniqueness

Uniqueness Score: -1.00%

Function 00339AA9 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00339B24,00339CCD), ref: 00339AC0
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive,?,?,00339B24,00339CCD), ref: 00339AD6
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive,?,?,00339B24,00339CCD), ref: 00339AEB

Strings

66, xrefs: 00339AFC
ReleaseSRWLockExclusive, xrefs: 00339AE0
KERNEL32.DLL, xrefs: 00339ABB
AcquireSRWLockExclusive, xrefs: 00339AD0

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive$66
API String ID: 667068680-1485218826
Opcode ID: fe6076a64d10b040f240c9018bb3c8aa77f0317d0faa0fee1f6e2b7b4756bdea
Instruction ID: bd9d9c7d63d8c67bf34d2245e93915141241edaf16f5aaed2441917929ad803e
Opcode Fuzzy Hash: fe6076a64d10b040f240c9018bb3c8aa77f0317d0faa0fee1f6e2b7b4756bdea
Instruction Fuzzy Hash: 2AF0C231706722EBAF239F65ECD27A7A2DC6A12745F1A413BE403D7240DAD1CC449690

Uniqueness

Uniqueness Score: -1.00%

Function 003457E8 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00346755: GetLastError.KERNEL32(?,?,0033EABC,?,?,?,0034138F,?,?,?,?), ref: 00346759
Part of subcall function 00346755: _free.LIBCMT ref: 0034678C
Part of subcall function 00346755: SetLastError.KERNEL32(00000000,?,?,?), ref: 003467CD
Part of subcall function 00346755: _abort.LIBCMT ref: 003467D3

_free.LIBCMT ref: 00345B03
_free.LIBCMT ref: 00345B1C
_free.LIBCMT ref: 00345B4E
_free.LIBCMT ref: 00345B57
_free.LIBCMT ref: 00345B63

Strings

C, xrefs: 00345950

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: _free$ErrorLast$_abort
String ID: C
API String ID: 1702784200-1037565863
Opcode ID: 1b047391b366cd35184149f848aa597e113f01658cce1c95680985c2586d285a
Instruction ID: 7245126e707d9f485d7fb71f5e6fe099d5890f25a6509a385124b5abd81844e8
Opcode Fuzzy Hash: 1b047391b366cd35184149f848aa597e113f01658cce1c95680985c2586d285a
Instruction Fuzzy Hash: A8B13775E016199FDB26DF18C884AADB7F5FB08304F1185AAE849AB351E730BE80CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00348539 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 0034857B
__fassign.LIBCMT ref: 003485F6
__fassign.LIBCMT ref: 00348611
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00348637
WriteFile.KERNEL32(?,?,00000000,00348CAE,00000000), ref: 00348656
WriteFile.KERNEL32(?,?,00000001,00348CAE,00000000), ref: 0034868F

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 3e58ab0b9342b0a4eccd996a4eae98ea297ef3004dbd0f7a5e46e1cf0c67aa5a
Instruction ID: 00b5316089f8aae5b84544843a709f057f2c2ad3d5df7e3bd91c7f0cadcb5f30
Opcode Fuzzy Hash: 3e58ab0b9342b0a4eccd996a4eae98ea297ef3004dbd0f7a5e46e1cf0c67aa5a
Instruction Fuzzy Hash: C551CA71D00209AFDB12CFA8DC45AEEBBF8EF09300F15415AE956FB251DB74A941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0033D2D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0033D307
___except_validate_context_record.LIBVCRUNTIME ref: 0033D30F
_ValidateLocalCookies.LIBCMT ref: 0033D398
__IsNonwritableInCurrentImage.LIBCMT ref: 0033D3C3
_ValidateLocalCookies.LIBCMT ref: 0033D418

Strings

csm, xrefs: 0033D3AD

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 5c8df747cf139e63df034b02188d8a51cb9a6afd90f54821db66f42c75f8307f
Instruction ID: c23e4594025f1953a2622097e899dd16d49cf1b98d02db09ef21ec9ce7781fb4
Opcode Fuzzy Hash: 5c8df747cf139e63df034b02188d8a51cb9a6afd90f54821db66f42c75f8307f
Instruction Fuzzy Hash: DA41C238A00208DFCF12DF68D8C5A9EBBB4BF45324F148155E8159B396D731DE15CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0033DBDD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_EncodePointerInternal@4.AMAIL_VER1(00000000,?), ref: 0033DC02
CatchIt.LIBVCRUNTIME ref: 0033DCE8
_abort.LIBCMT ref: 0033DD0D

Strings

RCC, xrefs: 0033DC1C
0H2, xrefs: 0033DC02
MOC, xrefs: 0033DC14

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: CatchEncodeInternal@4Pointer_abort
String ID: 0H2$MOC$RCC
API String ID: 2271687597-1859609490
Opcode ID: 7284a00daf4499bb0a6169e80916c6f895aeefd97ca75645eefc610a5db8c60e
Instruction ID: cf510fd5007ee185d6dbb0da10c9f819924f1aa0106ed51ae24303809269a450
Opcode Fuzzy Hash: 7284a00daf4499bb0a6169e80916c6f895aeefd97ca75645eefc610a5db8c60e
Instruction Fuzzy Hash: AB419A71900209AFCF17DF98ED81AEEBBB5FF48300F198159F904AB261D375A990CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00314421 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

#92.MSI(?,00000000,?), ref: 0031448A
#78.MSI(?,00000000,00000000,?,?,00000000,?), ref: 003144A2
#150.MSI(?,00000007,0000001E,00000000,00000000,?,00000040,?,00000000,00000000,?,?,00000000,?), ref: 003144CA
#8.MSI(00000000,?,00000000,?), ref: 003144FE
#8.MSI(00000000,?,00000000,?), ref: 00314512

Strings

@, xrefs: 0031446F

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: #150
String ID: @
API String ID: 847422065-2766056989
Opcode ID: 0c3a420ea5e3b4291e0cf799c5ddee986f95092fbf104a4aa507196c5a55fb90
Instruction ID: 7c80425a5af28f2023532304b890a9b57a7b34a601697b7ffc51e2bd9ef7d96a
Opcode Fuzzy Hash: 0c3a420ea5e3b4291e0cf799c5ddee986f95092fbf104a4aa507196c5a55fb90
Instruction Fuzzy Hash: A3313071900118ABEF359B25DC45FEAB7BCBF85304F4180A9EA48E7151EE749E89CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0034DA85 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0034D7CC: _free.LIBCMT ref: 0034D7F5

_free.LIBCMT ref: 0034DAD3

Part of subcall function 00347740: HeapFree.KERNEL32(00000000,00000000), ref: 00347756
Part of subcall function 00347740: GetLastError.KERNEL32(00000596,?,0034D7FA,00000596,00000000,00000596,00000000,?,0034DA9E,00000596,00000007,00000596,?,0034DFB6,00000596,00000596), ref: 00347768

_free.LIBCMT ref: 0034DADE
_free.LIBCMT ref: 0034DAE9
_free.LIBCMT ref: 0034DB3D
_free.LIBCMT ref: 0034DB48
_free.LIBCMT ref: 0034DB53
_free.LIBCMT ref: 0034DB5E

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4d1b8025fce6acedd6cfebefbbde793e76daa062d0660ff0044225d31086b531
Instruction ID: 0074381b78cf6d1b50b6be02339ae65061d5913505a9016a54f84f01b5f1e2d1
Opcode Fuzzy Hash: 4d1b8025fce6acedd6cfebefbbde793e76daa062d0660ff0044225d31086b531
Instruction Fuzzy Hash: DF11EC71944B04AAD622BBB1DC47FDB7FDCAF04F00F804C15B299AF153DB65B5048690

Uniqueness

Uniqueness Score: -1.00%

Function 00338095 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 53registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\VisualStudio\Setup,00000000,00000001,?,?,?,?,00337D66,microsoft.com,00000000), ref: 003380BC
RegQueryValueExW.ADVAPI32(?,IsInCorpnetHook,00000000,?,?,f}3,00000000,?,?,00337D66,microsoft.com,00000000), ref: 003380E8
RegCloseKey.ADVAPI32(?,?,?,00337D66,microsoft.com,00000000), ref: 00338107

Strings

IsInCorpnetHook, xrefs: 003380E0
f}3, xrefs: 003380CA, 003380D0
Software\Microsoft\VisualStudio\Setup, xrefs: 003380AF

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: IsInCorpnetHook$Software\Microsoft\VisualStudio\Setup$f}3
API String ID: 3677997916-1532326437
Opcode ID: d6b2611edf295c2786bc945e3875bca439bd0154ee135015f12ba9b124059dab
Instruction ID: 8bfc84dc927ec5f0dc07af4608c981aeb7a79817d949184165b9328aec85d923
Opcode Fuzzy Hash: d6b2611edf295c2786bc945e3875bca439bd0154ee135015f12ba9b124059dab
Instruction Fuzzy Hash: A61109B0E0021DAFDF12DF919C85AEFBB7CFB40758F11406AF902A6140D6719E45CA61

Uniqueness

Uniqueness Score: -1.00%

Function 003467D9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00346928,00343685,?,?,00343700,?,00000596,0000007F,0000000A,00000000,000007FF,?,00337112), ref: 003467DE
_free.LIBCMT ref: 00346813
_free.LIBCMT ref: 0034683A
SetLastError.KERNEL32(00000000,00000596), ref: 00346847
SetLastError.KERNEL32(00000000,00000596), ref: 00346850

Strings

!6, xrefs: 0034682E

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ErrorLast$_free
String ID: !6
API String ID: 3170660625-2803111142
Opcode ID: bdd6e9e26e2615375037d16dedf3c4d00ecd26ed652071cca3ff7ac3c1c3dd91
Instruction ID: 50d783543d9f773c35c5e64abd0ac31cf2c8f64af297c1315e692bbe02d84a33
Opcode Fuzzy Hash: bdd6e9e26e2615375037d16dedf3c4d00ecd26ed652071cca3ff7ac3c1c3dd91
Instruction Fuzzy Hash: D801C836608A017782132F356D9BE6B27EEDBC7771F224438F515AE293EFA0BD054162

Uniqueness

Uniqueness Score: -1.00%

Function 0032C516 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 42COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 0032C52E

Strings

Intel64, xrefs: 0032C566
Arm, xrefs: 0032C56D
x64, xrefs: 0032C55F
Intel, xrefs: 0032C574, 0032C579
Arm64, xrefs: 0032C558

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: InfoNativeSystem
String ID: Arm$Arm64$Intel$Intel64$x64
API String ID: 1721193555-3325060975
Opcode ID: 3ed29601e15d2881c5c42b2b404583b3961c8d3255eb82feffde5ed11f190831
Instruction ID: 4476116a32e88645121a07b603d89ba97c7295f0a60321bd984ce6cbbc5103b5
Opcode Fuzzy Hash: 3ed29601e15d2881c5c42b2b404583b3961c8d3255eb82feffde5ed11f190831
Instruction Fuzzy Hash: 14F0A435A25128C6C7079AAF75595BC76A8D70F340F652112F402EB5A4C630EEC4D361

Uniqueness

Uniqueness Score: -1.00%

Function 0035491B Relevance: 9.2, APIs: 6, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00354964
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 003549CF
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003549EC
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00354A2B
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00354A8A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00354AAD

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: c1ce48f19c9f357ce200ce91ec175293b167d88438122d2b8f23101577304af7
Instruction ID: d45c07284d9f77f31d0f95b046462e63907479a812b2d8dbf3f4757971f68e7f
Opcode Fuzzy Hash: c1ce48f19c9f357ce200ce91ec175293b167d88438122d2b8f23101577304af7
Instruction Fuzzy Hash: 4151E17250020AAFDF268FA5DC45FAF7BA9EF4074AF168525FD009A1A0D731DC988B94

Uniqueness

Uniqueness Score: -1.00%

Function 0033D4CA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0033D4C1,0033BBEC,0033A8E4), ref: 0033D4D8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0033D4E6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0033D4FF
SetLastError.KERNEL32(00000000,0033D4C1,0033BBEC,0033A8E4), ref: 0033D551

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 59e470ca8776db51595d5fd9b5ad12ca479e7d6a4a71a3802f69c659b485ef48
Instruction ID: 7867f8a4e30b43ffce42fc1b51c49053db5eb88089fb31a0409ec218aab58c23
Opcode Fuzzy Hash: 59e470ca8776db51595d5fd9b5ad12ca479e7d6a4a71a3802f69c659b485ef48
Instruction Fuzzy Hash: CF01F73651DB115EF717277A7CC66572B9EEB02778F220239F5155A0E1EF915C00D144

Uniqueness

Uniqueness Score: -1.00%

Function 0031CC68 Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0031CC6F
std::_Lockit::_Lockit.LIBCPMT ref: 0031CC7C

Part of subcall function 0031E240: std::_Lockit::_Lockit.LIBCPMT ref: 0031E25C
Part of subcall function 0031E240: std::_Lockit::~_Lockit.LIBCPMT ref: 0031E278

codecvt.LIBCPMT ref: 0031CCB3
std::_Facet_Register.LIBCPMT ref: 0031CCCA
std::_Lockit::~_Lockit.LIBCPMT ref: 0031CCEA
Concurrency::cancel_current_task.LIBCPMT ref: 0031CCF7

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3_Registercodecvt
String ID:
API String ID: 2765983240-0
Opcode ID: 192a28f89dc47c5cf3c20c47aeb4de83dbf816c73e5956480f1b4ed07b307cc6
Instruction ID: 8f9ebf4d2276f0e4494ee91b96307766c5a9d6d9caba9fd633bd21c5d6f06641
Opcode Fuzzy Hash: 192a28f89dc47c5cf3c20c47aeb4de83dbf816c73e5956480f1b4ed07b307cc6
Instruction Fuzzy Hash: BB0126319001059FCB0BEB64C486ABEB774AF88710F250018F801EF391CB709E868B81

Uniqueness

Uniqueness Score: -1.00%

Function 0031CCFD Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0031CD04
std::_Lockit::_Lockit.LIBCPMT ref: 0031CD11

Part of subcall function 0031E240: std::_Lockit::_Lockit.LIBCPMT ref: 0031E25C
Part of subcall function 0031E240: std::_Lockit::~_Lockit.LIBCPMT ref: 0031E278

codecvt.LIBCPMT ref: 0031CD48
std::_Facet_Register.LIBCPMT ref: 0031CD5F
std::_Lockit::~_Lockit.LIBCPMT ref: 0031CD7F
Concurrency::cancel_current_task.LIBCPMT ref: 0031CD8C

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3_Registercodecvt
String ID:
API String ID: 2765983240-0
Opcode ID: 64abfe823b8b1af82d4cdb7f7ffb18e23d9a8ea1db7ae5cfff2294a5065ec120
Instruction ID: f3c6956799dce296d4f380666f093f8b0db6793dc71337b889a79be1ebda7ac3
Opcode Fuzzy Hash: 64abfe823b8b1af82d4cdb7f7ffb18e23d9a8ea1db7ae5cfff2294a5065ec120
Instruction Fuzzy Hash: 9F01D6319046058FCB0BEB64D496BFDBB749F88710F250418F901AF391CF709E858B91

Uniqueness

Uniqueness Score: -1.00%

Function 0031CF51 Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0031CF58
std::_Lockit::_Lockit.LIBCPMT ref: 0031CF65

Part of subcall function 0031E240: std::_Lockit::_Lockit.LIBCPMT ref: 0031E25C
Part of subcall function 0031E240: std::_Lockit::~_Lockit.LIBCPMT ref: 0031E278

numpunct.LIBCPMT ref: 0031CF9C
std::_Facet_Register.LIBCPMT ref: 0031CFB3
std::_Lockit::~_Lockit.LIBCPMT ref: 0031CFD3
Concurrency::cancel_current_task.LIBCPMT ref: 0031CFE0

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3_Registernumpunct
String ID:
API String ID: 1047916130-0
Opcode ID: 8f4f31809f6e1c8d4330c47e39c605850370e40e366456ba4b7e461d080c2def
Instruction ID: b9cc1b1ad117d494e64091dcf75dec723a046dc9f945a9bc0c41371482d6f0b8
Opcode Fuzzy Hash: 8f4f31809f6e1c8d4330c47e39c605850370e40e366456ba4b7e461d080c2def
Instruction Fuzzy Hash: 8F01F9319006059FCB0BEB64D496EBEB7759F48711F250408F901AF3A1DF709E868791

Uniqueness

Uniqueness Score: -1.00%

Function 00334B97 Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 00334BAA
GetDlgItem.USER32(000000FF,00000066), ref: 00334BB7
GetDlgItem.USER32(000000FF,000003EF), ref: 00334BC9
GetDlgItem.USER32(000000FF,0000040A), ref: 00334BDB
GetDlgItem.USER32(000000FF,00000000), ref: 00334BF5
SetFocus.USER32 ref: 00334BFC

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Item$Focus
String ID:
API String ID: 2803794159-0
Opcode ID: 645e4fdbee92c9cf927d8030887786ce827be32ed4c6f9e2842ac319c01bc8e6
Instruction ID: 0dce4d3a14e11521188a9c92188da8279d2123c943a666b353697169e04686af
Opcode Fuzzy Hash: 645e4fdbee92c9cf927d8030887786ce827be32ed4c6f9e2842ac319c01bc8e6
Instruction Fuzzy Hash: 9DF04431100701BBDB231B65EC8DA597A6FEB40391F058935F296950B0DBB1AC919650

Uniqueness

Uniqueness Score: -1.00%

Function 00317E5D Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00317E67

Part of subcall function 00317D8C: __EH_prolog3_GS.LIBCMT ref: 00317D93

Part of subcall function 00318146: LoadLibraryW.KERNEL32(mscoree.dll), ref: 0031815B
Part of subcall function 00318146: GetLastError.KERNEL32(?,?,0031665E,00000000), ref: 00318167

Part of subcall function 003182E0: GetProcAddress.KERNEL32(?,00318007,00000000,?,00318007,?,GetRequestedRuntimeInfo), ref: 003182EC
Part of subcall function 003182E0: GetLastError.KERNEL32(?,00318007,?,GetRequestedRuntimeInfo), ref: 003182F6

FreeLibrary.KERNEL32(?), ref: 003180CA
FreeLibrary.KERNEL32(?), ref: 00318112

Part of subcall function 00317CEF: __EH_prolog3_GS.LIBCMT ref: 00317CF6

Strings

v4.0.0, xrefs: 00317F3E
GetRequestedRuntimeInfo, xrefs: 00317FEE

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: H_prolog3_Library$ErrorFreeLast$AddressLoadProc
String ID: GetRequestedRuntimeInfo$v4.0.0
API String ID: 2221631392-1665928025
Opcode ID: 60edc01540d2a68064f9d20ba7321ad7e3973f21b1f598143199f5d58e73a76f
Instruction ID: 1b9a6dbc7327311877dbe5ab25398e94a3a47d0df23ef5c99cdf86b5545d649d
Opcode Fuzzy Hash: 60edc01540d2a68064f9d20ba7321ad7e3973f21b1f598143199f5d58e73a76f
Instruction Fuzzy Hash: 3D812E71901629AFDB368F24CC45BD9B7BAAF98710F0041E5E909E7250DB31AEE1CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00336FCD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,00337F9F), ref: 00337004
LoadResource.KERNEL32(?,00000000,?,?,00337F9F,?,?,00000000,?), ref: 00337010
SizeofResource.KERNEL32(?,00000000,?,?,00337F9F,?,?,00000000,?), ref: 00337021
LockResource.KERNEL32(?,?,?,00337F9F,?,?,00000000,?), ref: 00337039

Strings

2q3+, xrefs: 00336FF8

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: 2q3+
API String ID: 3473537107-1988260129
Opcode ID: 3f04bebbd29531c4d38f8c827772934bb7b54a4947277366e72fd1869662af90
Instruction ID: c8ed0bbb01d2255665ad1a5c17f7a0f4e7e0085789a3dc52e6ac83b6d4ae1f2a
Opcode Fuzzy Hash: 3f04bebbd29531c4d38f8c827772934bb7b54a4947277366e72fd1869662af90
Instruction Fuzzy Hash: 3A11C1B1608626FBDB361F24DC94AAF7BACEF14790F154035F906E6260D771DC109BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00318146 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(mscoree.dll), ref: 0031815B
GetLastError.KERNEL32(?,?,0031665E,00000000), ref: 00318167

Strings

mscoree.dll, xrefs: 00318156
`26, xrefs: 0031817E

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ErrorLastLibraryLoad
String ID: `26$mscoree.dll
API String ID: 3568775529-2038885189
Opcode ID: 978418a19d2abf3ade49c34f2581fc8273c2ca3d9d177b54fef123a8fae80c5c
Instruction ID: 31f513e0b6f3750006594d21c592a200c6fea0c2957e5ff406c3ec7e3a9600d7
Opcode Fuzzy Hash: 978418a19d2abf3ade49c34f2581fc8273c2ca3d9d177b54fef123a8fae80c5c
Instruction Fuzzy Hash: CFF06236348715ABE7078B6DDC40AA237EDBF59750F15C439E845C3310EAB0D8829794

Uniqueness

Uniqueness Score: -1.00%

Function 003447FF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,003447B0,00000000,?,00344750,00000000,00360648,0000000C,003448A7,00000000,00000002), ref: 0034481F
GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,?,003447B0,00000000,?,00344750,00000000,00360648,0000000C,003448A7,00000000,00000002), ref: 00344832
FreeLibrary.KERNEL32(00000000,?,?,?,003447B0,00000000,?,00344750,00000000,00360648,0000000C,003448A7,00000000,00000002), ref: 00344855

Strings

mscoree.dll, xrefs: 00344818
CorExitProcess, xrefs: 0034482A

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4afa90b3d57aff34fa57842e43f4a55c7f3796d0ed474e330a5c89567c99a329
Instruction ID: d447459a6f128687283b7cd644a558b30aea131a7c40974345d05e02c1770b4b
Opcode Fuzzy Hash: 4afa90b3d57aff34fa57842e43f4a55c7f3796d0ed474e330a5c89567c99a329
Instruction Fuzzy Hash: 95F06830901608BBCB139F90EC19B9EBFB8EF45751F418175F805A61A0DBB15E41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00357EC5 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb7d84b822ccb852fc09d48393e8b6217805fd3af1dcb0f0fedf37d52ea6e8f
Instruction ID: 5c40f4a82ccb6f1993d221f322ca06b065b64f0bbae40e38486e239da12b49e9
Opcode Fuzzy Hash: 1fb7d84b822ccb852fc09d48393e8b6217805fd3af1dcb0f0fedf37d52ea6e8f
Instruction Fuzzy Hash: 8771AE31900256ABCB22CF58C884EBFBBB9EF51352F154269EC517B1A1DF708D4AC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0033D5E1 Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0033D6A8
___AdjustPointer.LIBCMT ref: 0033D6CB
_abort.LIBCMT ref: 0033D719
___AdjustPointer.LIBCMT ref: 0033D767

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: 12563fb50efed3432d202020749fc82ae49c414a62cbeab34db3e2803ad60c7e
Instruction ID: 9e9ad17d21c1835a33669c9407c40d71a2e5047d66967b5217d9c5284a316cb1
Opcode Fuzzy Hash: 12563fb50efed3432d202020749fc82ae49c414a62cbeab34db3e2803ad60c7e
Instruction Fuzzy Hash: E95128B6A006069FDB279F10E8C2BBAB3B4FF44714F15412DE9565B5A1D731EC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0034D53C Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0034D554

Part of subcall function 00347740: HeapFree.KERNEL32(00000000,00000000), ref: 00347756
Part of subcall function 00347740: GetLastError.KERNEL32(00000596,?,0034D7FA,00000596,00000000,00000596,00000000,?,0034DA9E,00000596,00000007,00000596,?,0034DFB6,00000596,00000596), ref: 00347768

_free.LIBCMT ref: 0034D566
_free.LIBCMT ref: 0034D578
_free.LIBCMT ref: 0034D58A
_free.LIBCMT ref: 0034D59C

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 74683f9a04ac0567c1dfd43e57e14071c798fccb1dec5c052f505d0132d06000
Instruction ID: 5cdb607a0695189410ba9de19c78691b02443e3010b80ef587456d75e7f2709b
Opcode Fuzzy Hash: 74683f9a04ac0567c1dfd43e57e14071c798fccb1dec5c052f505d0132d06000
Instruction Fuzzy Hash: F6F036325086106B8623EB6AF5CAC2B77DDAA06714BA65C85F189DF551CF70FC80CA54

Uniqueness

Uniqueness Score: -1.00%

Function 003366FD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00336707

Part of subcall function 0033793B: GetFileAttributesW.KERNEL32(0031876B,00000001,?,0031876B,?), ref: 0033794E

GlobalAlloc.KERNEL32(00000040,00000000,?,?), ref: 003367BC
GlobalFree.KERNEL32(00000000), ref: 00336857

Strings

%d.%d.%d.%d, xrefs: 0033682B

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Global$AllocAttributesFileFreeH_prolog3_
String ID: %d.%d.%d.%d
API String ID: 965710651-3491811756
Opcode ID: d24c0885f44b4bb1d5cd503fe310e873f591944d0d5c0ded0045ecd1b37fc16b
Instruction ID: b5ad5f186d80d8a9914740ee0336f4fa7e1bf9dfaf6eebfd97eb23445eb2a35c
Opcode Fuzzy Hash: d24c0885f44b4bb1d5cd503fe310e873f591944d0d5c0ded0045ecd1b37fc16b
Instruction Fuzzy Hash: 2141B671900629BFCB229F549CD9AEAB7B8AF58310F4541D9F90CAB151DB309E818F64

Uniqueness

Uniqueness Score: -1.00%

Function 0034402E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\aMail_Ver1.exe,00000104), ref: 00344069
_free.LIBCMT ref: 00344134
_free.LIBCMT ref: 0034413E

Strings

C:\Users\user\Desktop\aMail_Ver1.exe, xrefs: 00344060, 00344067, 00344096, 003440CE

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\aMail_Ver1.exe
API String ID: 2506810119-3790761183
Opcode ID: f13ec69ecc7c9b842da91980f3d4e06e8fa0ecd1c0229ae3e9b7815f2a58bb15
Instruction ID: fc13757cc5443f99f0db49ca0f3e7b7a9776ba8a18213afbcc2e8c5db5908c7d
Opcode Fuzzy Hash: f13ec69ecc7c9b842da91980f3d4e06e8fa0ecd1c0229ae3e9b7815f2a58bb15
Instruction Fuzzy Hash: 3F316471A04218AFDB23DF99DC85A9EBBFCEB95310F118076E5049F211D7B06E80CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003370A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 003370AE
FormatMessageW.KERNEL32(00000500,?,00000000,00000000,?,00000000,?), ref: 0033719D
LocalFree.KERNEL32(?,?), ref: 003371B6

Strings

\r\n, xrefs: 00337151

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: FormatFreeH_prolog3_LocalMessage
String ID: \r\n
API String ID: 2435402305-1273924927
Opcode ID: 6eb560cbb31f1cf2cfeb0567deca56808d4e2cf95289c4ff5dd12d8a51358645
Instruction ID: a834043659303c8e95584016234019533dd12d813e2e19dc25d35f1545d279b3
Opcode Fuzzy Hash: 6eb560cbb31f1cf2cfeb0567deca56808d4e2cf95289c4ff5dd12d8a51358645
Instruction Fuzzy Hash: 9F318E71900218AADB26EB60CC86BEDB3F9BF48700F00C4E5E549A6190DE319F85CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 0031A15B Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0031A162

Strings

Result of checking conditions before installer checks for command '%s' is: , xrefs: 0031A210
Checking conditions before installer checks for command '%s', xrefs: 0031A1C6
@ 6, xrefs: 0031A228

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: H_prolog3_
String ID: @ 6$Checking conditions before installer checks for command '%s'$Result of checking conditions before installer checks for command '%s' is:
API String ID: 2427045233-3845421497
Opcode ID: b37fe8ffda575e1a97b890ad2b835ac34d50a39df3f48a445178bec6d9844152
Instruction ID: 50cfe1c3120c6f325c786cf768f3d27cc7dc74c24f0d22cabdbd101279f12b54
Opcode Fuzzy Hash: b37fe8ffda575e1a97b890ad2b835ac34d50a39df3f48a445178bec6d9844152
Instruction Fuzzy Hash: 0C317371901504EBDF0ADFA8D891ADDB7B5BF4C300F058429E915FB291D7319D85CB22

Uniqueness

Uniqueness Score: -1.00%

Function 003181B4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 003181BB

Part of subcall function 00317E5D: __EH_prolog3_GS.LIBCMT ref: 00317E67

Strings

x66, xrefs: 003181D7
p26, xrefs: 0031824C
l26, xrefs: 00318258

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: H_prolog3H_prolog3_
String ID: l26$p26$x66
API String ID: 3355343447-3321302052
Opcode ID: 672a6fbcb739517f80e709c4848f698808a9a8f38ac1c059add07dad0193058a
Instruction ID: 051f430d05503660d9155d78e17172c0ff987b3b5916f9db2b2c6ab194c86d85
Opcode Fuzzy Hash: 672a6fbcb739517f80e709c4848f698808a9a8f38ac1c059add07dad0193058a
Instruction Fuzzy Hash: E811E334945365DFCF03DFA4C856AEE7BB4BF19710F108928E8409B210CBB18A44CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00336D57 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C), ref: 00336D95
GetVersionExW.KERNEL32(0000011C), ref: 00336DBA
CompareStringW.KERNEL32(00000409,00000001,?,000000FF,Service Pack 6,000000FF), ref: 00336DED

Strings

Service Pack 6, xrefs: 00336DD8

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Version$CompareString
String ID: Service Pack 6
API String ID: 2665538635-3350390674
Opcode ID: b07bfd18ae41e7e7feb9fba78a858b57a09f620682a8a03a397207b5f42b5a9c
Instruction ID: 02a801a6140022118ddc8fa5e7c3934048b4ba5ae38768bc75d1438037da9be5
Opcode Fuzzy Hash: b07bfd18ae41e7e7feb9fba78a858b57a09f620682a8a03a397207b5f42b5a9c
Instruction Fuzzy Hash: 6811A370A0021CEFDF228F60DC56BD9B3BCAB09704F0082A5E554AA1C1E7B0DA44CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00336CB3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00336CBD

Part of subcall function 00338277: __EH_prolog3_catch_GS.LIBCMT ref: 00338281

GetSystemDirectoryW.KERNEL32 ref: 00336D19

Strings

HKLM\Software\Microsoft\Windows\CurrentVersion\Installer, xrefs: 00336CE0
InstallerLocation, xrefs: 00336CDB

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: DirectoryH_prolog3_H_prolog3_catch_System
String ID: HKLM\Software\Microsoft\Windows\CurrentVersion\Installer$InstallerLocation
API String ID: 1341912231-3782479466
Opcode ID: 9f3a3243d2240c0004a50dda7a802b95052579c7d8da447e0c2c4eda4c12112c
Instruction ID: 7ceae556e23622902c02786e8b0116e52c993d0459a2c54babaf36c73b537e6e
Opcode Fuzzy Hash: 9f3a3243d2240c0004a50dda7a802b95052579c7d8da447e0c2c4eda4c12112c
Instruction Fuzzy Hash: AD01B570A00A18AECF26FBA0C8DBADE7338EB44300F5008A5B4499B191DE348EC9CE50

Uniqueness

Uniqueness Score: -1.00%

Function 0034C4EE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00346755: GetLastError.KERNEL32(?,?,0033EABC,?,?,?,0034138F,?,?,?,?), ref: 00346759
Part of subcall function 00346755: _free.LIBCMT ref: 0034678C
Part of subcall function 00346755: SetLastError.KERNEL32(00000000,?,?,?), ref: 003467CD
Part of subcall function 00346755: _abort.LIBCMT ref: 003467D3

_abort.LIBCMT ref: 0034C520
_free.LIBCMT ref: 0034C554

Strings

&6, xrefs: 0034C54B
HGv, xrefs: 0034C55A, 0034C562

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: HGv$&6
API String ID: 289325740-2649336136
Opcode ID: e9b515a880945b0d551da03bfec78f34162de5276770608782630652c1baf7c7
Instruction ID: 81e964957ca5c199c003f303a839f5a6c7e61b420a269a6926ebbe3345b810e0
Opcode Fuzzy Hash: e9b515a880945b0d551da03bfec78f34162de5276770608782630652c1baf7c7
Instruction Fuzzy Hash: B301C031D13A299BC7A3AF6A840126EB3E0BF45B20F075289E454AF281CB707D418FC1

Uniqueness

Uniqueness Score: -1.00%

Function 00320DBD Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::failure::failure.LIBCPMT ref: 00320E07

Strings

ios_base::badbit set, xrefs: 00320DDF
ios_base::eofbit set, xrefs: 00320DF0, 00320E03
ios_base::failbit set, xrefs: 00320DE6

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: std::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2264918676-1866435925
Opcode ID: 27b08b022147db407292bf676a16798e53d36455a0ed5889e2827b1d8ad685f5
Instruction ID: 164d45949c428fda9887b60246f0354135afc2a6a69f15ab091bd2221686c6f8
Opcode Fuzzy Hash: 27b08b022147db407292bf676a16798e53d36455a0ed5889e2827b1d8ad685f5
Instruction Fuzzy Hash: B2F04CB2C00228AFDB1AD684EC12FEAB3984B04710F158414EB006F0C7E668AE49C790

Uniqueness

Uniqueness Score: -1.00%

Function 003364D6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00337E17: GetSystemDirectoryW.KERNEL32 ref: 00337E54
Part of subcall function 00337E17: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00337E8F
Part of subcall function 00337E17: LoadLibraryW.KERNEL32(00000001), ref: 00337EB1

GetProcAddress.KERNEL32(00000000,crypt32.dll,?,00000003,?,00339117,00000000), ref: 003364F5
FreeLibrary.KERNEL32(00000000,?,00339117,00000000), ref: 0033650F

Strings

CertFreeCertificateContext, xrefs: 003364ED
crypt32.dll, xrefs: 003364E1

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: DirectoryLibrary$AddressFreeLoadProcSystemWindows
String ID: CertFreeCertificateContext$crypt32.dll
API String ID: 2033963604-2264772026
Opcode ID: e40e3f0ae57d8e4c012dc8842738225140bdc0a5a4125a367716df2d3877f261
Instruction ID: 1c9e621b6ec7eb60464618fd86527158947965d20ea854e08aab695c57d214c6
Opcode Fuzzy Hash: e40e3f0ae57d8e4c012dc8842738225140bdc0a5a4125a367716df2d3877f261
Instruction Fuzzy Hash: 03E08635142A58AFDB132B29DC4DBAE7EADDFC2752F158034F84882250DBB48D51C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00359A5A Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00359B89

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 37e111643f5cb328f9fdde8f341732d831e6b3b40d05f66e7197d135da6c4617
Instruction ID: f96d252efd48d28d859d4c178f73071c03ae343ba61411db66e39138f67afa66
Opcode Fuzzy Hash: 37e111643f5cb328f9fdde8f341732d831e6b3b40d05f66e7197d135da6c4617
Instruction Fuzzy Hash: 4E413D31A04100EBEF236BB9AC46FAE3BE8DF41731F150657FC18DE1A1D7B4584492A2

Uniqueness

Uniqueness Score: -1.00%

Function 0034DC84 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,21E85006,00341A5E,00000000,00000000,00342A9F,?,00342A9F,?,00000001,00341A5E,21E85006,00000001,00342A9F,00342A9F), ref: 0034DCD1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0034DD5A
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0034DD6C
__freea.LIBCMT ref: 0034DD75

Part of subcall function 00349F5D: RtlAllocateHeap.NTDLL(00000000,00313FDD,00313FD9,?,0033AEB0,00313FDF,00313FD9,003371CA,?,?,0031D95A,?,00313FDD,00313FD9), ref: 00349F8F

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: fb7b007dbdd02b2597ec0f725d036579c61009a7d5eab47ef663458931094ec0
Instruction ID: 7d8b594e2f66cb209f21af91c8a521fb750044b1c0c5e41477bfc16544e477f1
Opcode Fuzzy Hash: fb7b007dbdd02b2597ec0f725d036579c61009a7d5eab47ef663458931094ec0
Instruction Fuzzy Hash: 7A31AE72A0060AABDF26DF64DC85DAE7BA9EF01710F154268FC14DB190E735ED50CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00333ED2 Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00333F0A
SystemParametersInfoW.USER32 ref: 00333F2E
GetSystemMetrics.USER32 ref: 00333F41
GetSystemMetrics.USER32 ref: 00333F4C

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: System$Metrics$InfoParametersRectWindow
String ID:
API String ID: 1941969595-0
Opcode ID: 72339d02a0dcbfc5e71b89923e285363b8dff3078ff4edcb56da071790a2fb18
Instruction ID: b100ccde43019ea8ef4bb6f404eced75c5bc6d65148ccedfa2f64080ebbe927d
Opcode Fuzzy Hash: 72339d02a0dcbfc5e71b89923e285363b8dff3078ff4edcb56da071790a2fb18
Instruction Fuzzy Hash: 5D31A2B5E0420A9FCB09CFA8D9959AEBBF8FB08300F50856DE515E7340D775AA018B64

Uniqueness

Uniqueness Score: -1.00%

Function 003346AB Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(00000002,?), ref: 003346C7
GetWindowRect.USER32(00000000,00000000), ref: 003346E6
ScreenToClient.USER32(00000002,00333B36), ref: 00334703
MoveWindow.USER32(00000000,?,?,00000000,?,00000000), ref: 00334727

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Window$ClientItemMoveRectScreen
String ID:
API String ID: 646222375-0
Opcode ID: a8e1caec5619763b02cb4de2ec06b810a245967b2118f16b98f865a0d6724dc4
Instruction ID: 63c54e7b056e397afbaa3abe5e9191c3618456d71cc5246f51ff570f21cf99ac
Opcode Fuzzy Hash: a8e1caec5619763b02cb4de2ec06b810a245967b2118f16b98f865a0d6724dc4
Instruction Fuzzy Hash: 6211D7B590060AAFCB01DFA9DD849AFBBFCFF08304F108529E515E3210D770AE018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00339249 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32 ref: 0033927B
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00339293
TranslateMessage.USER32(?), ref: 003392A1
DispatchMessageW.USER32(?), ref: 003392AB

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Message$DispatchMultipleObjectsPeekTranslateWait
String ID:
API String ID: 2231909638-0
Opcode ID: 30bc69f1f3d6323a37a323288cd1f90607f2a514d9e232789af97af975ecf440
Instruction ID: bfcaed407f8c7dbf6dcaf3bcb61f0dd441c92bd9fdfa2c2ce32d7c6c4003e95d
Opcode Fuzzy Hash: 30bc69f1f3d6323a37a323288cd1f90607f2a514d9e232789af97af975ecf440
Instruction Fuzzy Hash: 9A016D72A0151CFBCF11DBA5DD88EDFBBACAB09710F104926E501E6180DAB1DA0087A0

Uniqueness

Uniqueness Score: -1.00%

Function 00334CDD Relevance: 6.0, APIs: 4, Instructions: 48windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00333E1D: GetDlgItem.USER32(?,00000000), ref: 00333E34

SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 00334CF8
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 00334D0F
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 00334D27
SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 00334D41

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: MessageSend$Item
String ID:
API String ID: 3888421826-0
Opcode ID: 2ae2b05450568a185191e244de7e32ace6b1b11f47f0e6019b698bf0023fe72f
Instruction ID: 042f5c50acb2a8e9246488a6fa6dd8f35a4d57f7edbb512524a43833de34a7b1
Opcode Fuzzy Hash: 2ae2b05450568a185191e244de7e32ace6b1b11f47f0e6019b698bf0023fe72f
Instruction Fuzzy Hash: 0CF096B26403057BE72227A69C9DD3FB91DD7C2F64F408928F6159A192CDB54D118670

Uniqueness

Uniqueness Score: -1.00%

Function 00333E4E Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00333E55
GetDlgItem.USER32(?,0000040B), ref: 00333E65
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00333E74
SendMessageW.USER32(00000000,0000000D,00000001,00000000), ref: 00333EA4

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: MessageSend$H_prolog3_Item
String ID:
API String ID: 4098331016-0
Opcode ID: 7b813ed82599fbb855830a3e633e4b321f618c776ca4341e05a6f50252c483c5
Instruction ID: 1e15228ef2bd3079101034040c03d3a12aa637423672e62aa28b1579d81fcbf5
Opcode Fuzzy Hash: 7b813ed82599fbb855830a3e633e4b321f618c776ca4341e05a6f50252c483c5
Instruction Fuzzy Hash: B0019232901629ABDB129FA0DD45AFFBB38EF09B10F108419F911BB191CB755A02CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 0033481C Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 00334842
LoadIconW.USER32 ref: 00334851
GetDlgItem.USER32(?,00000065), ref: 00334868
SendMessageW.USER32(00000000), ref: 0033486F

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: Load$IconImageItemMessageSend
String ID:
API String ID: 1259760789-0
Opcode ID: 0ae3d6f7cef2bc59b409c1a6bf2165ccb30953445a6a01a7c2976c0f22ee76b8
Instruction ID: 55c20c00a806950ac528664fd116ec4b3322556b4a0502bc1d7f7094b53cde40
Opcode Fuzzy Hash: 0ae3d6f7cef2bc59b409c1a6bf2165ccb30953445a6a01a7c2976c0f22ee76b8
Instruction Fuzzy Hash: D1F08C30284B50BBE7220B34AC4EFB67A6CAB00B11F108924F665AD8E1C7E2B8408654

Uniqueness

Uniqueness Score: -1.00%

Function 0034E6A1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0034E8FC,?,00000050,?,?,?,?,?), ref: 0034E77C

Strings

ACP, xrefs: 0034E6BF
OCP, xrefs: 0034E6F5

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: d7078ee3f5675b8c08446a729b249d4b5f5825ecf3e8ad08142f63955e99d39d
Instruction ID: 577a72fd850e9a250a588126d923d7e4f38949604e8ad3ae96d663ce66bb112f
Opcode Fuzzy Hash: d7078ee3f5675b8c08446a729b249d4b5f5825ecf3e8ad08142f63955e99d39d
Instruction Fuzzy Hash: 0721C266A00100A6EB36CB588941BA776EAFF64B71F578564EA09DF200F732FE40C350

Uniqueness

Uniqueness Score: -1.00%

Function 0033811C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00338123

Strings

false, xrefs: 00338176
true, xrefs: 00338160

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: H_prolog3_
String ID: false$true
API String ID: 2427045233-2658103896
Opcode ID: 9fa7a4904ea06a6d7d0b5480ec11b8b5e7720fe8182bc0e9c51ec66b51e163a4
Instruction ID: 79bfc7d77b7c86d768843905c52debb6e6bd6964e76b2be193e421a8122a6349
Opcode Fuzzy Hash: 9fa7a4904ea06a6d7d0b5480ec11b8b5e7720fe8182bc0e9c51ec66b51e163a4
Instruction Fuzzy Hash: 17216031D14709AFDF06DFA8D8D29EEB3B9EF48300F118829F551FB150DA3499468B21

Uniqueness

Uniqueness Score: -1.00%

Function 0034C060 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0034C106

Part of subcall function 00347740: HeapFree.KERNEL32(00000000,00000000), ref: 00347756
Part of subcall function 00347740: GetLastError.KERNEL32(00000596,?,0034D7FA,00000596,00000000,00000596,00000000,?,0034DA9E,00000596,00000007,00000596,?,0034DFB6,00000596,00000596), ref: 00347768

Strings

&6, xrefs: 0034C0FE
HGv, xrefs: 0034C0E8, 0034C0F9, 0034C113

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID: HGv$&6
API String ID: 1353095263-2649336136
Opcode ID: d7359d6b12621be6a9d32b50011e0ff417e68a1e780a62deddeb8fe4ffdeefe5
Instruction ID: 47c0add27055344fb865fd5ba26ab9d11e0213109d54a05f7f44667b4254bf71
Opcode Fuzzy Hash: d7359d6b12621be6a9d32b50011e0ff417e68a1e780a62deddeb8fe4ffdeefe5
Instruction Fuzzy Hash: F621AD786006009FD316DF1DD881E9677E8EB5E314B128599F685CB3B2D7B1EC80CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00355FE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57fileCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000), ref: 00356057
CreateFileA.KERNEL32(?,?,?,?,?,?,?), ref: 00356082

Strings

_5, xrefs: 00356043, 00356090

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: CreateErrorFileLast
String ID: _5
API String ID: 1214770103-2895911498
Opcode ID: 130b9209cea1b585b9eb77869db592e2f77686691eeea6a2e997b124ff64cc46
Instruction ID: 697674c5cea1703b6a62c3897145f1c13ade494b5ee3978e5b4573451baa59dc
Opcode Fuzzy Hash: 130b9209cea1b585b9eb77869db592e2f77686691eeea6a2e997b124ff64cc46
Instruction Fuzzy Hash: 2021EA7690122CDFCF22DF64DD55ADEB7B8BB09314F004599F909A7290D670AE94CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00320216 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0032021D

Strings

false, xrefs: 00320272
true, xrefs: 00320284

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: H_prolog3
String ID: false$true
API String ID: 431132790-2658103896
Opcode ID: d08a7406b6fd0512b6628ce8eae5992b60d9c94a1e6ca649752076fe6bafcac8
Instruction ID: 4f2cad904a1dc8e605f4f164a0a7c4ade4fbdd9170f33851430817ddc72e4be8
Opcode Fuzzy Hash: d08a7406b6fd0512b6628ce8eae5992b60d9c94a1e6ca649752076fe6bafcac8
Instruction Fuzzy Hash: 8411C8B5D01744AFC716EFB4D48199BBBF8AF08300B00CC1AF5A5DB652E774AA488F61

Uniqueness

Uniqueness Score: -1.00%

Function 0033787D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(00000007,00000000,0000000C,00000014), ref: 003378C9

Strings

@ 6, xrefs: 003378DD
Microsoft trusted cert, xrefs: 003378E5

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: CertCertificateChainPolicyVerify
String ID: @ 6$Microsoft trusted cert
API String ID: 3930008701-3802765229
Opcode ID: 3ab4444217898ca264403c60dbae6398fb334ab5ae6fa309e6261cb064b48b76
Instruction ID: cf09f29c01cdbb3f46df4cb452150528557902892f0bf307094062918d1e0047
Opcode Fuzzy Hash: 3ab4444217898ca264403c60dbae6398fb334ab5ae6fa309e6261cb064b48b76
Instruction Fuzzy Hash: E801D671A0060CEFDF16CFA8C846BEEF7F8AF08704F008019D001A7180D7B89A44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00339B5E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 00339B6F
GetSystemInfo.KERNEL32(?), ref: 00339B8A

Strings

D, xrefs: 00339B7E

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 8966f2e3609f1fdff8112dd245e9a130d4f8517a0febfe3a4ae4656f77c1125d
Instruction ID: ce587d9f02447fbb2a20555c17a122bcac326f2f95f2b7393916dae79b8a543e
Opcode Fuzzy Hash: 8966f2e3609f1fdff8112dd245e9a130d4f8517a0febfe3a4ae4656f77c1125d
Instruction Fuzzy Hash: 6B01F772600109ABDF14DE29DC45BDD7BAEAFC4328F0DC221ED19D7254D674D9018680

Uniqueness

Uniqueness Score: -1.00%

Function 00355F50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000), ref: 00355FA1
BeginUpdateResourceA.KERNEL32(?,?), ref: 00355FB0

Strings

_5, xrefs: 00355F8D, 00355FBE

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: BeginErrorLastResourceUpdate
String ID: _5
API String ID: 2525094188-2895911498
Opcode ID: 53251fbc4f12d26fdb59fe19b79a79690f872876142d77b3edb4ce4be7ed9759
Instruction ID: cf300b34e2da6b50b0629424095664e6e837cae2a62e6795b86358cf589cf43f
Opcode Fuzzy Hash: 53251fbc4f12d26fdb59fe19b79a79690f872876142d77b3edb4ce4be7ed9759
Instruction Fuzzy Hash: E6018F7690211CEFCB12EF25DD55DDEB7BCAB89315F0144A8A806A7290DA70BF49CF60

Uniqueness

Uniqueness Score: -1.00%

Function 003560C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42fileCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000), ref: 0035610F
DeleteFileA.KERNEL32(?), ref: 0035611D

Strings

_5, xrefs: 003560F3

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID: _5
API String ID: 2018770650-2895911498
Opcode ID: 876494cf5b29e0cd718f9b0bbe165fd6b695fc8c81cc83d44493a9e992d06d9d
Instruction ID: 8aa4b20d89c3e83911251e0382260a88378a49e89fc8e442377cbad61b1ac470
Opcode Fuzzy Hash: 876494cf5b29e0cd718f9b0bbe165fd6b695fc8c81cc83d44493a9e992d06d9d
Instruction Fuzzy Hash: DE01A27690211C9BCB11EF24DD95DEE77BCAB49301F0104A9E906A7151DA70AF49CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0031FD19 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0031FD20
std::_Locinfo::~_Locinfo.LIBCPMT ref: 0031FD73

Part of subcall function 0031D7C5: __EH_prolog3.LIBCMT ref: 0031D7CC
Part of subcall function 0031D7C5: std::_Lockit::_Lockit.LIBCPMT ref: 0031D7D9
Part of subcall function 0031D7C5: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0031D816

Strings

1, xrefs: 0031FD5B

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: std::_$H_prolog3$LocinfoLocinfo::_Locinfo::~_Locinfo_ctorLockitLockit::_
String ID: 1
API String ID: 750191490-1195958421
Opcode ID: f632065bcca9693d49e5421b72289b0e1e9da1add35b7fb8da07a92ab6bd0afc
Instruction ID: 3a579ca426f87459065d4268821dba027455329e4b94ec82ac54398f8b1f5f03
Opcode Fuzzy Hash: f632065bcca9693d49e5421b72289b0e1e9da1add35b7fb8da07a92ab6bd0afc
Instruction Fuzzy Hash: 71F0C2719017168FD72BEF94D4927EEB370BF08B21F61462DA4856F285DB705E81C780

Uniqueness

Uniqueness Score: -1.00%

Function 00347C9E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

IsValidLocale.KERNEL32(00000000,YQ4,00000000,00000001,?,?,00345159,?,?,?,?,00000004), ref: 00347CEA

Strings

IsValidLocaleName, xrefs: 00347CAF, 00347CB9
YQ4, xrefs: 00347CE1, 00347CCE

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: LocaleValid
String ID: IsValidLocaleName$YQ4
API String ID: 1901932003-85807621
Opcode ID: b1ca3109f01123c2e00b9d17db4152849a2881c234b5bcd3bc1a352f5de1aace
Instruction ID: 4dcb062b19aa51646a766aeda1880c798cc68230f1aa2b3ae579f3d03aed694b
Opcode Fuzzy Hash: b1ca3109f01123c2e00b9d17db4152849a2881c234b5bcd3bc1a352f5de1aace
Instruction Fuzzy Hash: E8F0BE30A45608B7CE13AB609C06FAFBBA9DB05B10F014566FE067E2D1CAB16D0186C4

Uniqueness

Uniqueness Score: -1.00%

Function 0031664D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00318146: LoadLibraryW.KERNEL32(mscoree.dll), ref: 0031815B
Part of subcall function 00318146: GetLastError.KERNEL32(?,?,0031665E,00000000), ref: 00318167

GetProcAddress.KERNEL32(00000000,CLRCreateInstance), ref: 0031666C
GetLastError.KERNEL32 ref: 00316678

Strings

CLRCreateInstance, xrefs: 00316664

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: CLRCreateInstance
API String ID: 1866314245-2576948145
Opcode ID: e207a8358b781e36cd3c5955f822cde60611b5ac9736e5eb3dc77cbacb11a75a
Instruction ID: b5620392a3de328dd23d6b991062be1a1bdfbbff6caa2eb707dae4de5297a9c5
Opcode Fuzzy Hash: e207a8358b781e36cd3c5955f822cde60611b5ac9736e5eb3dc77cbacb11a75a
Instruction Fuzzy Hash: 21F08C35600229BBCF176BA5CC0ABDE7B6DAF047A5F114021FC05E5160CB75DA80EAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00333765 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 00333777
DeleteObject.GDI32(?), ref: 0033378A

Strings

83, xrefs: 0033376C

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: DeleteObject
String ID: 83
API String ID: 1531683806-1866678815
Opcode ID: b8b05b96022834d09348321a9bf5bf1f4f7eaefa3a2207315830851197fc7450
Instruction ID: 15d20781459e8825d10d6b99559579b8009e94e8d4f9e2f98a6ab8a748d14c6e
Opcode Fuzzy Hash: b8b05b96022834d09348321a9bf5bf1f4f7eaefa3a2207315830851197fc7450
Instruction Fuzzy Hash: 3AE0BD71021B10CBDB324F15E88A352BAF4AF00716F114A2DD086048A4C3B4AADCDAD2

Uniqueness

Uniqueness Score: -1.00%

Function 00357C49 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,00000000), ref: 00357CDF
GetLastError.KERNEL32 ref: 00357CED
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 00357D48

Memory Dump Source

Source File: 00000000.00000002.365656032.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true

Associated: 00000000.00000002.365638888.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365707495.0000000000362000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365741113.0000000000365000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365776012.0000000000367000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.365810335.0000000000368000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_300000_aMail_Ver1.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 1c94f30a569363839726a0e2f90e930165bd1e9ec911840f14a100eac7bb94c1
Instruction ID: 03457830aafc58c9ed6e11ccff890c04cb34a3da276c92b74f2312242e4e3a9b
Opcode Fuzzy Hash: 1c94f30a569363839726a0e2f90e930165bd1e9ec911840f14a100eac7bb94c1
Instruction Fuzzy Hash: 5241C735508206AFDB238F68E848FBA7BF4EF01312F154169EC595B1B1D7719D05CBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report aMail_Ver1.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vstor_redist[1].exe

C:\Users\user\AppData\Local\Temp\VSD1758.tmp\VSTOR40\vstor_redist.exe

C:\Users\user\AppData\Local\Temp\VSD1758.tmp\aMail_Ver1.exe

C:\Users\user\AppData\Local\Temp\VSD1758.tmp\aMail_Ver1.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\VSD1758.tmp\install.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

DNS Answers

Statistics

CPU Usage

Windows Analysis Report
aMail_Ver1.exe

Function 0033404B Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 200
COMMON

Function 00336EA3 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 83
libraryloaderCOMMON

Function 00338277 Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 251
registryCOMMON

Function 00337225 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 300
COMMON

Function 00324070 Relevance: 23.3, APIs: 11, Strings: 2, Instructions: 573
COMMON

Function 00334515 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 119
COMMON

Function 00333A44 Relevance: 21.1, APIs: 14, Instructions: 115
COMMON

Function 0032A6E7 Relevance: 19.6, APIs: 1, Strings: 10, Instructions: 312
COMMON

Function 0031CE27 Relevance: 16.6, APIs: 11, Instructions: 100
COMMON

Function 0031BBA8 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 212
COMMON

Function 00325781 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134
registryCOMMON

Function 00328E89 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 134
COMMON

Function 00323FCF Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 65
COMMON

Function 003342EF Relevance: 13.6, APIs: 9, Instructions: 131
windowCOMMON