Edit tour

Windows Analysis Report
GB72405.exe

Overview

General Information

Sample name:	GB72405.exe
Analysis ID:	1438236
MD5:	b13e8f3d2779aa2102e2c3db3b2957d2
SHA1:	c15973faef8acbbf35b5b8361d3282bc4f2aaa23
SHA256:	c96632658ed3356d4a3615740999a04f70f77a7cf60263be59b3f2ac28e0eec7
Infos:

Detection

Score:	29
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

PE file has a writeable .text section

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Entry point lies outside standard sections

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

System is w10x64_ra

GB72405.exe (PID: 5948 cmdline: "C:\Users\user\Desktop\GB72405.exe" MD5: B13E8F3D2779AA2102E2C3DB3B2957D2)

HDFloppyWrite.exe (PID: 7020 cmdline: "C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe" GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN MD5: D0509B5E9ECFB035B20942C012DE19EC)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00448850 CryptAcquireContextW,	0_2_00448850
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00448B40 CryptCreateHash,	0_2_00448B40
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00426C76 __EH_prolog3,__CxxThrowException@8,CryptDeriveKey,CryptGenKey,CryptSetKeyParam,	0_2_00426C76
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00449150 CryptHashPublicKeyInfo,	0_2_00449150
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00449130 CryptGetUserKey,	0_2_00449130
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_0042721E __EH_prolog3,__CxxThrowException@8,CryptGetKeyParam,CryptSetKeyParam,	0_2_0042721E
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_0042742C __EH_prolog3,__CxxThrowException@8,CryptSetKeyParam,	0_2_0042742C
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_0042754F CryptGetKeyParam,__CxxThrowException@8,	0_2_0042754F
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_004487F0 CryptGenRandom,	0_2_004487F0
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00448870 CryptReleaseContext,	0_2_00448870
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00448930 CryptVerifyCertificateSignature,__time64,	0_2_00448930
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00448AF0 CryptDestroyHash,	0_2_00448AF0
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00448B60 CryptHashData,	0_2_00448B60
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00448B00 CryptSetHashParam,	0_2_00448B00
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00448B20 CryptGetHashParam,	0_2_00448B20
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00448B80 CryptDestroyKey,	0_2_00448B80
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00448D60 CryptImportPublicKeyInfo,	0_2_00448D60
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00448D30 CryptVerifySignatureW,	0_2_00448D30
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00448D80 _calloc,_calloc,CryptAcquireContextA,CertSetCRLContextProperty,CryptAcquireCertificatePrivateKey,CertSetCRLContextProperty,	0_2_00448D80
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00426F0A __CxxThrowException@8,CryptImportKey,CryptSetKeyParam,	0_2_00426F0A

Source: GB72405.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: d:\DistributionUtility\HDFloppyWrite\HDFloppyWrite\Debug\HDFloppyWrite.pdb( source: HDFloppyWrite.exe
Source:	Binary string: d:\DistributionUtility\HDFloppyWrite\HDFloppyWrite\Debug\HDFloppyWrite.pdb source: HDFloppyWrite.exe

Source: GB72405.exe	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: GB72405.exe	String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: GB72405.exe, 00000000.00000003.1039843785.00000000007B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pkware.com/

Source: C:\Users\user\Desktop\GB72405.exe

Code function: 0_2_00426F0A __CxxThrowException@8,CryptImportKey,CryptSetKeyParam,

0_2_00426F0A

System Summary

PE file has a writeable .text section

Source: GB72405.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\GB72405.exe

Code function: 0_2_00418A8E: __CxxThrowException@8,SetFileAttributesW,CreateFileW,DeviceIoControl,CloseHandle,

0_2_00418A8E

Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00441000	0_2_00441000
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00422440	0_2_00422440
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_0043F880	0_2_0043F880
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00481061	0_2_00481061
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_0043A1D0	0_2_0043A1D0
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_004751E0	0_2_004751E0
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00446190	0_2_00446190
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00474420	0_2_00474420
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00443480	0_2_00443480
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_0047A58E	0_2_0047A58E
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_004815A3	0_2_004815A3
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00443970	0_2_00443970
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00438A76	0_2_00438A76
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00481AE5	0_2_00481AE5
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00475B7F	0_2_00475B7F
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_0046EC87	0_2_0046EC87
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00482E9C	0_2_00482E9C
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00441F40	0_2_00441F40
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_0047BF0F	0_2_0047BF0F

Source: C:\Users\user\Desktop\GB72405.exe	Code function: String function: 004733A0 appears 32 times
Source: C:\Users\user\Desktop\GB72405.exe	Code function: String function: 0047F7CB appears 67 times
Source: C:\Users\user\Desktop\GB72405.exe	Code function: String function: 0041B0F2 appears 31 times
Source: C:\Users\user\Desktop\GB72405.exe	Code function: String function: 00475180 appears 39 times
Source: C:\Users\user\Desktop\GB72405.exe	Code function: String function: 0047F798 appears 235 times

Source: GB72405.exe

Static PE information: Resource name: PKTEXT type: Zip archive data, at least v5.0 to extract, compression method=deflate

Source: GB72405.exe, 00000000.00000002.1615835731.00000000004D2000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePKSFX.exeN vs GB72405.exe
Source: GB72405.exe, 00000000.00000000.1036649689.00000000004CD000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePKSFX.exeN vs GB72405.exe
Source: GB72405.exe	Binary or memory string: OriginalFilenamePKSFX.exeN vs GB72405.exe

Source: GB72405.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: sus29.winEXE@3/22@0/0

Source: C:\Users\user\Desktop\GB72405.exe

Code function: 0_2_004488F0 CertOpenSystemStoreW,

0_2_004488F0

Source: C:\Users\user\Desktop\GB72405.exe

Code function: 0_2_00419044 GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,GetProcAddress,GetDiskFreeSpaceA,

0_2_00419044

Source: C:\Users\user\Desktop\GB72405.exe

Code function: 0_2_0043EAB0 FindResourceW,__CxxThrowException@8,SizeofResource,__CxxThrowException@8,LoadResource,__CxxThrowException@8,LockResource,__CxxThrowException@8,__CxxThrowException@8,_wcscat_s,_wcscat_s,_wcsncpy,_wcsncpy,_malloc,_wcsncpy,_malloc,_wcsrchr,

0_2_0043EAB0

Source: C:\Users\user\Desktop\GB72405.exe

File created: C:\Users\user\Desktop\GB72405

Jump to behavior

Source: C:\Users\user\Desktop\GB72405.exe	Mutant created: \Sessions\1\BaseNamedObjects\/tmp/..PKText.PKSFX.en_US.MUTEX
Source: C:\Users\user\Desktop\GB72405.exe	Mutant created: \Sessions\1\BaseNamedObjects\/tmp/..PKText.PKSFX.en_GB.MUTEX

Source: C:\Users\user\Desktop\GB72405.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\GB72405.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: GB72405.exe	String found in binary or memory: set-addPolicy
Source: GB72405.exe	String found in binary or memory: id-cmc-addExtensions

Source: C:\Users\user\Desktop\GB72405.exe

File read: C:\Users\user\Desktop\GB72405.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\GB72405.exe "C:\Users\user\Desktop\GB72405.exe"
Source: C:\Users\user\Desktop\GB72405.exe	Process created: C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe "C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe" GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN
Source: C:\Users\user\Desktop\GB72405.exe	Process created: C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe "C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe" GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN	Jump to behavior

Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\Desktop\GB72405.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source: GB72405.exe

Static file information: File size 3110227 > 1048576

Source:	Binary string: d:\DistributionUtility\HDFloppyWrite\HDFloppyWrite\Debug\HDFloppyWrite.pdb( source: HDFloppyWrite.exe
Source:	Binary string: d:\DistributionUtility\HDFloppyWrite\HDFloppyWrite\Debug\HDFloppyWrite.pdb source: HDFloppyWrite.exe

Source: initial sample

Static PE information: section where entry point is pointing to: .pklstb

Source: HDFloppyWrite.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0xa3370
Source: GB72405.exe	Static PE information: real checksum: 0x8e316 should be: 0x2fe4dc

Source: GB72405.exe	Static PE information: section name: .pklstb
Source: GB72405.exe	Static PE information: section name: .relo2
Source: HDFloppyWrite.exe.0.dr	Static PE information: section name: .textbss

Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_3_007AFA47 push es; iretd	0_3_007AFA52
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_3_007AFA45 push es; retf	0_3_007AFA46
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_3_007B742B push es; ret	0_3_007B742E
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_3_007AF611 push es; ret	0_3_007AFA32
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_3_007BFCB7 pushfd ; ret	0_3_007BFD35
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_3_007BFDCD pushfd ; ret	0_3_007BFE9D
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_3_007B4DC4 pushad ; retf	0_3_007B4EED
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_3_007B719C push es; retf	0_3_007B7286
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_004751C5 push ecx; ret	0_2_004751D8
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_0047F870 push ecx; ret	0_2_0047F883
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00416E0B push eax; ret	0_2_00416E12

Source: GB72405.exe

Static PE information: section name: .pklstb entropy: 7.991138007494125

Source: C:\Users\user\Desktop\GB72405.exe

File created: C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe

Jump to dropped file

Source: C:\Users\user\Desktop\GB72405.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\Desktop\GB72405.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_0-44669

Source: C:\Users\user\Desktop\GB72405.exe

API call chain: ExitProcess graph end node

graph_0-44670

Source: C:\Users\user\Desktop\GB72405.exe

Code function: 0_2_0046E052 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0046E052

Source: C:\Users\user\Desktop\GB72405.exe

Code function: 0_2_0048332F GetProcessHeap,RtlAllocateHeap,RtlInterlockedPopEntrySList,VirtualAlloc,RtlInterlockedPopEntrySList,VirtualFree,RtlInterlockedPushEntrySList,

0_2_0048332F

Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_0046E052 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0046E052
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00474302 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00474302
Source: C:\Users\user\Desktop\GB72405.exe	Code function: 0_2_00471A99 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00471A99

Source: C:\Users\user\Desktop\GB72405.exe

Process created: C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe "C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe" GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN

Jump to behavior

Source: GB72405.exe

Binary or memory string: %A[open("%1")]open$.^.%0shell\%sshell\%s\commandPROGMAN\/

Source: C:\Users\user\Desktop\GB72405.exe

Code function: 0_2_0047E922 cpuid

0_2_0047E922

Source: C:\Users\user\Desktop\GB72405.exe	Code function: GetLocaleInfoW,_wcsncpy,_wcsncpy,_wcsncpy,_malloc,_malloc,CreateMutexW,WaitForSingleObject,_malloc,ReleaseMutex,CloseHandle,_memset,WideCharToMultiByte,ReleaseMutex,CloseHandle,_malloc,_wcsrchr,ReleaseMutex,CloseHandle,CreateFileMappingW,GetLastError,ReleaseMutex,CloseHandle,MapViewOfFile,__CxxThrowException@8,_malloc,_wcsrchr,ReleaseMutex,CloseHandle,	0_2_0043F880
Source: C:\Users\user\Desktop\GB72405.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	0_2_004830DA
Source: C:\Users\user\Desktop\GB72405.exe	Code function: GetLocaleInfoA,	0_2_0047F0AA

Source: C:\Users\user\Desktop\GB72405.exe	Queries volume information: C:\Users\user\Desktop\GB72405.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Queries volume information: C:\Users\user\Desktop\GB72405.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Queries volume information: C:\Users\user\Desktop\GB72405.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GB72405.exe	Queries volume information: C:\Users\user\Desktop\GB72405.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\GB72405.exe

Code function: 0_2_00473B6B GetSystemTimeAsFileTime,__aulldiv,

0_2_00473B6B

Source: C:\Users\user\Desktop\GB72405.exe

Code function: 0_2_00483143 GetVersionExA,InterlockedExchange,

0_2_00483143

Source: C:\Users\user\Desktop\GB72405.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	12 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Process Injection	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Install Root Certificate	LSA Secrets	35 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe	3%	ReversingLabs
C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe	1%	Virustotal		Browse

Name	Source	Malicious	Reputation
http://www.pkware.com/	GB72405.exe, 00000000.00000003.1039843785.00000000007B2000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.openssl.org/support/faq.html....................	GB72405.exe	false	high
http://www.openssl.org/support/faq.html	GB72405.exe	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1438236
Start date and time:	2024-05-08 13:57:30 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	GB72405.exe
Detection:	SUS
Classification:	sus29.winEXE@3/22@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 105 Number of non-executed functions: 139
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, evoke-windowsservices-tas.msedge.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Process:	C:\Users\user\Desktop\GB72405.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	617472
Entropy (8bit):	5.509625178383621
Encrypted:	false
SSDEEP:	12288:r8gFmR013n1UD3EPPSh5Cr+e+7IumriVDkN:AgFuOn1UDAQIr+tkzGa
MD5:	D0509B5E9ECFB035B20942C012DE19EC
SHA1:	22316B5EFD436411AE0B45E9708953C6D035D622
SHA-256:	1B8649568030B93C83B07DBE8991F3465361ED67EFCCA9D9C6FAA4FF8E2A0D05
SHA-512:	F5FFEDB1476238EFE591B4086F593C9460E96E5859372F0F998E6E6FCE5AD56CDFC8C9206644DBD419C9752B6DE15BB49A9FC38B665556DE53116CE5A204D8F2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3% Antivirus: Virustotal, Detection: 1%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<.eV].6V].6V].6H.h6E].6H.~6.].6q..6Q].6V].6-].6H.y6.].6H.i6W].6V]j6W].6H.l6W].6RichV].6................PE..L...G..K..........................................@..........................p..................................................P....0..\|1...........................^.............................................. ................................textbss.................................text...t........................... ..`.rdata...k...P...l..................@..@.data...<@..........................@....idata...............(..............@....rsrc...\|1...0...2...:..............@..@........................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media1\12405001.001

Download File

Process:	C:\Users\user\Desktop\GB72405.exe
File Type:	data
Category:	dropped
Size (bytes):	1053000
Entropy (8bit):	7.6028349696282715
Encrypted:	false
SSDEEP:	24576:ZJOazTtnZZiN4zcjChQejR+Sl/F2CCxQ9ZuxqEsJG3wh8gX4Q8:ZMmTRS6zcjpejR+CiQ9ZuxqEsJGb
MD5:	81BB9709B9AB1D05A4BF5EECBB4984F1
SHA1:	402B7346E5BCCF96945918FBDD0863D005E0059F
SHA-256:	8AD7AF09DCD186A22A33ECD1BE4CA34386BB557CF1A04931B09D939BE83D5A5C
SHA-512:	0F8C7FA270D8475FA67ECC8481836A91FCB7CD23BC8B703100EDFE1E6A085E979D5699C9CBB711D7CF19ADC0EC302D506ECA08A4C8A508E896C5388EA962165E
Malicious:	false
Reputation:	low
Preview:	H240501#V.... 0202HONEYWELL GB7-2405-001.BIN.....?B.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................D...........]...^.'9'H'H.V .....1.....%..#..}q............g...............................................................z.......".................................................................................................................... .......$..&.............................................................................................................................................................................................................................

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media1\12405001.HDR

Download File

Process:	C:\Users\user\Desktop\GB72405.exe
File Type:	data
Category:	dropped
Size (bytes):	178
Entropy (8bit):	4.432825491043181
Encrypted:	false
SSDEEP:	3:yjIxnlNkVM8/ShkQll/lv2El+pmstl:yjIxlyVM8/SmQlX3s
MD5:	EE249DE76B373A5AF8865CEC7731F864
SHA1:	2B74DD8B44C27975E62F2AD3787BDAABA7E5B679
SHA-256:	C9CA0C0B7D39702F922AE17603A41F982E306788924683AD87161B9505EA8214
SHA-512:	FB33275DC35623E81613EDC029C286314730D7227F5F82BD7BB9F5A9F366F867111564793E5C11AF04EEC487792D08FCCD9D6B48B109F6D5ABB4F8FD020C57FA
Malicious:	false
Reputation:	low
Preview:	.Y GB7-2405-001.....F.$.......001GB7240500100001.....001GB7240500100002.+}...001GB7240500100003......001GB7240500100004 ......................./t.......... ..................

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media1\CONFIG.LDR

Download File

Process:	C:\Users\user\Desktop\GB72405.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.060205518188182
Encrypted:	false
SSDEEP:	3:bqxhFUoc7Nt/JxZ+2RIVlLYxT8yHjYvbVWvwvyHSYVJVWvWYwvHmVbVWvCVyn:GhuNNVJxIPu8KYpWvwaHSwbWvWFHmbWf
MD5:	FD5BEA6091D9ABDE5906291263EDFBC2
SHA1:	9DEA0239BA8B4146F0A2BCF6289EBA22B8F854B7
SHA-256:	805FF040C0E70E9C7ADB35D8FFA2B153B344BC28ECA49B28D92FD28C4E3D0FCF
SHA-512:	18FAAEEE4548792C6BE8C36091075B2C6007DFE28CCC35DFEF029FC7CB4ADD78AAD7E209213FAE1964E938BBE3F6A2BD727AB9F888BB06F5720C19264BDAAF93
Malicious:	false
Reputation:	low
Preview:	lbl=300..TDO = 1..B1D=1h,1L,300,1..T1F=12405001.001,t,520..dsn=1..dtn=4..b2d = 0h,0h,000..b2p = 0..b3d = 0h,0h,000..b3p = 0..b4d = 0h,0h,000..b4p = 0..

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media1\DISK.DIR

Download File

Process:	C:\Users\user\Desktop\GB72405.exe
File Type:	data
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.382641900003363
Encrypted:	false
SSDEEP:	3:vwRFRPhLM/Gb3n:oR1LsGTn
MD5:	5435A7D48F1F3F7D9B0D8B5D3CA84121
SHA1:	C291E62FBE13B8898FC6180DCE0077040BB7F2AB
SHA-256:	FA807CD27C073523B7277C442CA2E426FCA07B8780DD71C5E0D21029FB39CE1B
SHA-512:	F219EA6E513F96B01A6F446D757AB18C41F6C11670DBCB969165860C2F2466E8D77A85EC4E5A15F5E70E0835FCCEC0047BF840266F168D1BD4D93DB7E4ADA828
Malicious:	false
Reputation:	low
Preview:	..16 May 2024 to ...ni GB7-2405-001.....

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media1\S.N

Download File

Process:	C:\Users\user\Desktop\GB72405.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1118
Entropy (8bit):	4.447300075378675
Encrypted:	false
SSDEEP:	24:6NInTWWNiEECIxWP3L0zVFI8JVUzwVpIwsS:6UyeiEEwP70zVvywVyS
MD5:	BF58798DC34E50D6F47906FB5D34C25A
SHA1:	6463E202FB889722A7964E93E46160D40E57426B
SHA-256:	D6881ED64244C1C45A49CAE767DE55299D54137FBEBFE2AC90F7788357126976
SHA-512:	45C6E08DDE0BFE000CFBBEC95391CE1FAFF46286318A905B123D4CC866C124A96E82CF66ED0076E412D54BFAD7FD29DD12E4645C27649A0EAB08435CE92A5D31
Malicious:	false
Reputation:	low
Preview:	GB7-2405-001 DISK_1 16 May 2024 to 13 Jun 2024 copy : 0.. -------------------------------Proprietary Notice--------------------------.. This document and the information disclosed herein are the proprietary data.. of Honeywell Inc. Neither this document nor the information contained herin.. shall be reproduced, used, or disclosed to others without the written.. authorization of Honeywell Inc... ----------------------------------------------------------------------------.. ......................NOTICE - FREEDOM OF INFORMATION ACT..................... ..................(5 USC 552) AND DISCLOSURE OF CONFIDENTIAL................... ......................INFORMATION GENERALLY (18 USC 1905)..................... ----------------------------------------------------------------------------.. This document is being furnished in confidence by Honeywell Inc. The Information.. disclosed herein falls within exemption(b)(4) of 5 USC 552 and the prohibitions.. of 18 USC 1905... -----------------------

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media1\crate.dsf

Download File

Process:	C:\Users\user\Desktop\GB72405.exe
File Type:	data
Category:	dropped
Size (bytes):	26654
Entropy (8bit):	7.992122471898091
Encrypted:	true
SSDEEP:	768:AF2I7d6OAl5NAPkF37LT1wBm1ZaDPO6dWMBBE:AF16/l5OPktpKD2iK
MD5:	2C479C23A59ECD32BDFDEF985F03FD4B
SHA1:	8CB78D6F6C2FF64C7606F0FA1BB5DC210A8AC7EE
SHA-256:	5501C761C5820FCE997648FBCE84E6D2C0BB16CF1E0255E641FBBB60C69D03CB
SHA-512:	89FD552B6C3E040F2552B12E063F0A8A1E8E5F47C1D43717BF68F99A1DCAFD75C1392BC723E1E4509972BBB260D88CAA8E75237E377E3F331D85F160324084F4
Malicious:	false
Reputation:	low
Preview:	2.0.0............................U..w.j.....WD<7..xB.GRzz..!.A...L....&...u..=..(fc..Uk$Z..d\|..7.m>8.X....J..E.yG../.p#gl=).`.~U....ub.W........k..M....v.U...=...J.....t...c.h.6...X..x.\.w.p....S.5C..[..j%....... .`....6.....FL..]NF.e.q..0.;ApuI._d..9..{&..X....Q.R<....T..3i[AI...\|,YJ.p\|.......&...]...5.q....e...fC..............\|.....f....c.s...N.y.B.."..#d..].1.)..."....ZjUMUY).\..(......../.&.v.u.......ro.Mh.1A..X.,YU.$W....a......C...w8.). .l..z..Q.g.bQ.)14.3. JQ.RgR4.x..~..szD.u...f..).........Hs..D}b.5.&q7dT...N6~.Z\|............L.....Y.\|...G.R.71U..i..$.&p.F..nS.q/.....&A...S.\|.!\?w.$.Jb&.....T...~a..................................+.my.....H.1..}F.w:.P.v.d..;BF..S..?.O0nXjYv.O.'P.[..p$*..&........#).....D.X.M.W...g..b.5s. N.i..s......S.1...g4...,..B.@..J.J]../)..j..o.8.e.CM..R.Kp..ZbXn.g. .....BeG.\|.-..A..............O.U..Bg...=...x...#...].m....D...O`...f:r82... E..IO..A.Ra....#.m....j;.$..\'ox?.[i...:4i.m.1&Q.Fdh....eM.o.}z.....=..4

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media2\12405001.001

Download File

Process:	C:\Users\user\Desktop\GB72405.exe
File Type:	data
Category:	dropped
Size (bytes):	1053000
Entropy (8bit):	6.439671074685941
Encrypted:	false
SSDEEP:	12288:m7WYot2ahbMb4891fORjil76yds8i1kCCkbmz5+r9r:f3d89xOYhds8i1kCCz+5
MD5:	647CF8DF0311F92492FF3A45D4ED99E7
SHA1:	7A0FEBBAA39056199CC48A56379C31D3A74BEEAA
SHA-256:	C3387F142AE26E9250AA39D000195C3CC8B125EF4F2328C3A8A8DBF387D89194
SHA-512:	B461943AEC9B3CCE7963C7689B2CD4351480E44CCC8D475D71B92BD42DFCB18536B204A16CFD245E03A8422E2E6C07294014E1620EB54DB002243402A7DD368A
Malicious:	false
Reputation:	low
Preview:	D..........5.0.,.5.0B..5.0.'.5......y.....5.@..<..7.0...1.0Tz.5.0...5.0.,.5.0B..5.0.'.5.......y.....5.@?.<..7.0?..1.0Tz.5.0...5.0.,.5.0B..5.0.'.5...........2.0...5..>7...>.L...2.0...5..Rp...y.....5.@..<..7.0...1.0...5.0...5.0!..5..!...y.....5.@..<..7.0...1.0...5.0...5.0!..5..!....y.....5.@?.<..7.0?..1.0...5.0...5.0!..5..!...y.....5.@..<..7.0...1.0...5.0...5.0!..5..!...y.....5.@..<..7.0...1.0...5.0...5.0!..5..!....y.....5.@?.<..7.0?..1.0...5.0...5.0!..5..!...d.(#...2.0!..5...5...._...2.0!..5.......y...5.@..D.......<..7.0...1.0...5..=.....y...5.@..<..7.0...1.0...5..=.....y...5.@?.<..7.0?..1.0...5..=.....y...5.@..<..7.0...1.0...5..=.....y...5.@..<..7.0...1.0...5..=.....y...5.@?.<..7.0?..1.0...5..=....-.%...2.0=..5.0. .5...Y..rQxF...2.0=..5.0.z.5......g.....02.`E6......05.P.b.... 5.Pb..... 5.P.. ... 5.... C.... ......2.03. 5.@.q.005.`5.... ..05..E6.........e.W...2.0.. 5.@LF.005.`.... ..05..E6........Zz.....2.0.. 5.@LF.005.`.... ..05..E6........]......2.0.9...0...7.........

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media2\CONFIG.LDR

Download File

Process:	C:\Users\user\Desktop\GB72405.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.0673599252176915
Encrypted:	false
SSDEEP:	3:bqxhFUoc7Nt/JxZ+2RIVlLY4IyHjYvbVWvwvyHSYVJVWvWYwvHmVbVWvCVyn:GhuNNVJxIPDIKYpWvwaHSwbWvWFHmbWf
MD5:	843A2A40BA4AEB30857EB61FEB7FC7B4
SHA1:	DACC5EE7552912E7BA3E27A01A9A9A92D250EFEB
SHA-256:	086A7AA1804FFFFBECA7B28D87AFB9DE394B31AF459529F3D31DBC8BCFF77347
SHA-512:	C18F994636D83430CFA78C6A6F2AC5D6628D957A3754F5ED319CA6BB55B6A069AB3CA13D34DCA90E35526428928FDE42589A87C759E2AFC9D4C02A4CA33DD668
Malicious:	false
Reputation:	low
Preview:	lbl=300..TDO = 1..B1D=1h,1L,300,1..T1F=12405001.001,t,520..dsn=2..dtn=4..b2d = 0h,0h,000..b2p = 0..b3d = 0h,0h,000..b3p = 0..b4d = 0h,0h,000..b4p = 0..

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media2\DISK.DIR

Download File

Process:	C:\Users\user\Desktop\GB72405.exe
File Type:	data
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.3350228523843155
Encrypted:	false
SSDEEP:	3:vwRFRMh9D7b3n:oRorD7Tn
MD5:	6E1F5D3DF48356738C1AF805427932B2
SHA1:	91FB3AF2B2D6132918251022A4E18D0161ED3148
SHA-256:	BA4E1FD61753E624B0DE8CEF28567439841F92665B8EB4D1D7D09AC8C1F2C6FE
SHA-512:	60531EB32DEEB98E515904DF43089A64F7227C89B87DBECD6E999B5473D148338AE2765056BCAB321CA225E17F61DBEE3B15DB4FC314EEF94DC36813B62C48FD
Malicious:	false
Reputation:	low
Preview:	..16 May 2024 to ..... GB7-2405-001.....

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media2\S.N

Download File

Process:	C:\Users\user\Desktop\GB72405.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1118
Entropy (8bit):	4.4469946725251
Encrypted:	false
SSDEEP:	24:TNInTWWNiEECIxWP3L0zVFI8JVUzwVpIwsS:TUyeiEEwP70zVvywVyS
MD5:	F81C607922D69450A42C79C5186C066E
SHA1:	CDAEB1CEA7EA1E5101575DB9E48526AA3347E79B
SHA-256:	A2C2C8B266F3463C0A97A489E368276017288843FE6E67B7B9B7DCC4519360F8
SHA-512:	3593851BA200C6EC5A2571D4140202860F4D28AD159D0170E2382E7388CFE2A5A7AE26FF6C858B1129FC059A6F156A97B02966A0E24789FE08FEECEA8D81F322
Malicious:	false
Reputation:	low
Preview:	GB7-2405-001 DISK_2 16 May 2024 to 13 Jun 2024 copy : 0.. -------------------------------Proprietary Notice--------------------------.. This document and the information disclosed herein are the proprietary data.. of Honeywell Inc. Neither this document nor the information contained herin.. shall be reproduced, used, or disclosed to others without the written.. authorization of Honeywell Inc... ----------------------------------------------------------------------------.. ......................NOTICE - FREEDOM OF INFORMATION ACT..................... ..................(5 USC 552) AND DISCLOSURE OF CONFIDENTIAL................... ......................INFORMATION GENERALLY (18 USC 1905)..................... ----------------------------------------------------------------------------.. This document is being furnished in confidence by Honeywell Inc. The Information.. disclosed herein falls within exemption(b)(4) of 5 USC 552 and the prohibitions.. of 18 USC 1905... -----------------------

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media2\crate.dsf

Download File

Process:	C:\Users\user\Desktop\GB72405.exe
File Type:	data
Category:	dropped
Size (bytes):	26296
Entropy (8bit):	7.992987192648561
Encrypted:	true
SSDEEP:	768:/IMKiCBWQDP2kqIXrGs2pnGtg37MgpsKL4U20A:/IJb2WaHpnUA1pdW
MD5:	09AA58F1E2BD3B1C78C3F60B05F1537A
SHA1:	7408DFC7C4299876EFF9D739AD16A74466D4C60B
SHA-256:	17FDF943E96EA2B4AB14A458375F29C428B1A3A44E58157972A9BBB84F2EA55D
SHA-512:	5126DAD53324B54ACC3FD48FC9713C63843349BA3A4ACC85EF1344E6E392E8E577367249B3C7FA8589AC8CDE5794F6D0F5B7226AE86BD78D2FDD52A9AFC11A67
Malicious:	false
Reputation:	low
Preview:	2.0.0...................................#d.f.."...3q.....a~.9.. .#l...._....-..2Q.7:..u.0.....6...Z.W.]...{..,.~Fh...7../.n.v.R......._'.....[!2...B...%\o..V.U....~AH.\|.8R=...H......+{./.[\|.m..-..D6(.sN.....{I}.PZ.l.II}.[..R.....;..R..6..{o..#.C.f~g..]...\o{..p...._f.[).;............&._.........r..C&).Y..xG..1...%ir/...UxI.6.....y\|.....&.H.iv._...Yo.....[n...gs.c....A.H.....1.*...mu.}....!..!.fw> SE...g.....J/a....(h=.....7V.P.2...=.}...U.u#.v...:B.....ow.da@.H..6....Z...q..^........o..'B...N..q3.dcE.~.a. $.8[.H.;.J.0.....Y....t.}I........kb.SG.Lw~.5..b......9....P0{...j.k.0,..q.O.......Uw.}.Y.o.:..`...............................E.. .V"....\...'...@.....?.p...+....o.W.Bg.A.`.f.J....Ad.9F.....[..(`.....L^...U.X..Ym.A.....5&...y.7.(A.9%.V.(./\|..Mp...H.UPO..%C/...,w...d}....Xv_.i..I...1...h.qL.....:\.a....{.7x...a9&..o@.P...XF.y.t.R.s.v.5.T.Z..oZ@..)@....-/J..P.A.d..<.iB.w...H..... .bCk.+l.H.0...M\|...Ee...6...&Wg..a.._is.i[J.1.t.ux^c}...VG.=+..?.

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media3\12405001.001

Download File

Process:	C:\Users\user\Desktop\GB72405.exe
File Type:	data
Category:	dropped
Size (bytes):	1053000
Entropy (8bit):	7.007585228940397
Encrypted:	false
SSDEEP:	12288:x/+cbPvcaNKJqhS43pYhfsFr3Xs9P+bywjuSDs+54xN7gU8V9PP0xQs+fhZ5kTHb:x/+9a3hS432kyw3ENXO10iVcH7epw
MD5:	24FDB638895EE77CEF1273A27F628C82
SHA1:	60C91CB6F705A40F848CA3BFE58C31E8024391B3
SHA-256:	0B133A35E5A0B79B862533BFB2CAF70FCA5C98275F70D123ADA408CF877DBB02
SHA-512:	1B9FB9BB06ABE1C2227A113B5F257848EA42C311820D3F79B5638CE0B51163C0B0E51C5A92BDADCD94A708DA17D9E71E3D63A001F8C466ADCBC06DC3B2915FF6
Malicious:	false
Reputation:	low
Preview:	D........5.@.....5.@..}$...@..>.2......D.AZ.H0m:d...02.p..q.......05.`........ 5.`....D...5.@.....5.@..}$...@..>.2......D.BZ.H0m:d...02.p..q.......05.`........ 5.`....D...5.@.....5.@..}$...@..>.2......D..X.8P<4M.....2.@..H..5.@...'05.p.....0J!.. 5....0.0...X.8 ..}.....2.@..]..5.@.....5.@....05.p.....0J!.. 5....0.0...X.8H.4.....02.p.....0J!.. 5....0.0......1m:d.... 2.`..0.... 5....q.. ..#..H1m:d.... 2.`..q.. .. 5.`..'.LD...5.@.......@...".2........!..H1m:d.... 2.`..q.. .. 5.`..'.LD...5.@.......@...".2....D..........."..H1m:d.... 2.`..q.. .. 5.`..'.LD...5.@.......@...".2........C..H1m:d)... 2.`..q.. ..05.`........ 5.`....D...5.@.....5.@..}$...@..>.2......D.A..H1m:d)... 2.`..q.. ..05.`........ 5.`....D...5.@.....5.@..}$...@..>.2......D.B..H1m:d)... 2.`..q.. ..05.`........ 5.`....D...5.@.....5.@..}$...@..>.2......D....8P<4M.....2.@..H..5.@...' 5.`.....0.. 5....0.......8 ..}.....2.@..]..5.@.....5.@.... 5.`.....0.. 5....0.......8H.4..... 2.`.....0.. 5....0.....X.....y....

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media3\CONFIG.LDR

Download File

Process:	C:\Users\user\Desktop\GB72405.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.0673599252176915
Encrypted:	false
SSDEEP:	3:bqxhFUoc7Nt/JxZ+2RIVlLYvvBRwyHjYvbVWvwvyHSYVJVWvWYwvHmVbVWvCVyn:GhuNNVJxIPOBqKYpWvwaHSwbWvWFHmbu
MD5:	55295A6DECEECF4C2F82E6AF89EA160F
SHA1:	29424290877DFFDCD1ADBF733D4269019CEAF9D0
SHA-256:	6B7D1BC9065F694630304F7171E5F5CB6359B6FA86D14B6F47A764D0A2C00695
SHA-512:	B6CD096C394FFBA633C2C10DD28C389AE4BA3D672066265DBDE18C658D9C976BB78FD3CEFE9C8C3B1F03CD4854323899561B3A59F7ACA1AC51E504E2C4B4F767
Malicious:	false
Reputation:	low
Preview:	lbl=300..TDO = 1..B1D=1h,1L,300,1..T1F=12405001.001,t,520..dsn=3..dtn=4..b2d = 0h,0h,000..b2p = 0..b3d = 0h,0h,000..b3p = 0..b4d = 0h,0h,000..b4p = 0..

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media3\DISK.DIR

Download File

Process:	C:\Users\user\Desktop\GB72405.exe
File Type:	data
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.43026094762241
Encrypted:	false
SSDEEP:	3:vwRFRNhrFGb3n:oRPr0Tn
MD5:	AC293C6DC875131E0A719D066712F977
SHA1:	69B2C4A67C91FAC3EDBF92F011176897F6D2AC07
SHA-256:	303BFDFD243758937052615A8C02B2963BF21024A770DEDD2965021CABFC8308
SHA-512:	C4C46E1DC1D3018E72379416587C6E17282F4A739809E0E0F3D51720CEA6B321D9F0D1C3E22CC39C1B7C3774E67185030C05122FCB65421D83102190F742FEEB
Malicious:	false
Reputation:	low
Preview:	..16 May 2024 to ..... GB7-2405-001.....

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media3\S.N

Download File

Process:	C:\Users\user\Desktop\GB72405.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1118
Entropy (8bit):	4.449400715401569
Encrypted:	false
SSDEEP:	24:0NInTWWNiEECIxWP3L0zVFI8JVUzwVpIwsS:0UyeiEEwP70zVvywVyS
MD5:	332F0079BD0E0AC086D0A2AFFB8C1C14
SHA1:	D86D8F45D411855F78C8C80BA1D1CF40D14D8665
SHA-256:	5A6D7C2FBC164E2AD470E94D94D5257B70783CA674792AD5524C2AB11FBD6AFE
SHA-512:	D3DAC137A302D6539CE1E31FB6483910929258160B55F03ED0F338BEDEE201F5E90024C6E2E1375B0FD8E0857263149E5584B1A5EF5958C4A637C7AC49185CC7
Malicious:	false
Preview:	GB7-2405-001 DISK_3 16 May 2024 to 13 Jun 2024 copy : 0.. -------------------------------Proprietary Notice--------------------------.. This document and the information disclosed herein are the proprietary data.. of Honeywell Inc. Neither this document nor the information contained herin.. shall be reproduced, used, or disclosed to others without the written.. authorization of Honeywell Inc... ----------------------------------------------------------------------------.. ......................NOTICE - FREEDOM OF INFORMATION ACT..................... ..................(5 USC 552) AND DISCLOSURE OF CONFIDENTIAL................... ......................INFORMATION GENERALLY (18 USC 1905)..................... ----------------------------------------------------------------------------.. This document is being furnished in confidence by Honeywell Inc. The Information.. disclosed herein falls within exemption(b)(4) of 5 USC 552 and the prohibitions.. of 18 USC 1905... -----------------------

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media3\crate.dsf

Download File

Process:	C:\Users\user\Desktop\GB72405.exe
File Type:	data
Category:	dropped
Size (bytes):	26296
Entropy (8bit):	7.991145685839193
Encrypted:	true
SSDEEP:	768:hViQLn2D4zRRYdkDBOHyrLZrFVQWFsUfKjrwnHM9QxO:mQT2D4zzYwLL9jQWF9fKjcHM9GO
MD5:	613390EF593C9486963AD231268D4721
SHA1:	D748BBFE5C6C57149061808D737B97CDE15EC94D
SHA-256:	784D516AF910DE387DE64225D290C3608DC353BADA5D252325048D8C81097784
SHA-512:	180689DDD9B3D5C893890F3B09C27A63EC6D3F64E4AF7C73DA61082100837D8AB3AAA682BAA9B57705993A8A4EE3A655839126F0E9C6A45B7B7AC4D85E271350
Malicious:	false
Preview:	2.0.0...........................L...........\..\|.1.M.X..$.G""Sx.h-`.........l....6#.=..........U........XA8F...eJ..nO,.W....G.x...-)..f-.k...-\|W....2.%G;.....:8.`....L6..2.2.>...H.q1.Ul.l..............`...?$..Kr...I...~...Tk2k_."E....]`.....Z....8....K.....x...........T.^..De..?...yl....a..8...=..m............N......]...8.fG...$..$.N6.qf".8....p....-P...=..t-....h...3Vx<...}I...?...."...".LN.....y..e..a."#..S.......yR...%.....lD.Q.O.........a4..5.......).!4..[5......Q.'TmQ.... .8.mjW.<o..s.cd`.....W.W}.i.4(...'..".U..8......A........{....hc].zH...Y1G.Y...4..,....P6.E..H3.[...Q.4.Ekm....$..P{ndu.@.,.7l.fv..`..............................;.o@&.u....m...}.Y81....M....7....F..;.4...-..k......BM...Qw.lo.D...U+.w..6.rYuS.j.n.1..p..T81.....~?......iJ^.l).......j<.(.J..8>Aw..{....(.R..jf...~...C......~.9.}.\2.m.t.s..T..U).N..N..s-i......z....(&>....@j.)h...0`.:.+,0..@~l0.w@..`.^........1...N......7P@.~sx.M3..e..UO.u,...u.=.q..k....B..o.).....\K

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media4\12405001.001

Download File

Process:	C:\Users\user\Desktop\GB72405.exe
File Type:	data
Category:	dropped
Size (bytes):	1052480
Entropy (8bit):	6.90960363208856
Encrypted:	false
SSDEEP:	24576:Cz3BPm1xEd1TF0cV9CH1qTkvimvpAf+A3an4414t+Z:aItckqQKQm+ka4I40
MD5:	0E493DC717260A752C115A46DC35D6B6
SHA1:	8806DA76BF88D673643BB41DC70FF0CB83458B41
SHA-256:	7D0E451E76833009CF0FA2112F493B81B4CEA9A9D462415BB167B21C87FFF7FB
SHA-512:	0840990ED23868BBC72B794205C7E5D2E7586FB28BB4341B21F99426FC95E87EF04CD62021F1EE39C4BB2914787EE97274D55A85CEB7E83169AC53D6713C39D2
Malicious:	false
Preview:	D........,..r......,........-....[...C$.6.[.....dk.!....-.......-........-.......-..9.E...-...qF...-.......}.(..j...t .a ......-.........-...^....-..UU.....-....^....-...8.....-...^....-..r......-..9.^....-.........-...q^....-.......-..r......-........I&........8.....[...<&....[......:..[.........[...!./`4w...I&.........!........8.......8...-....8...ww....8...l.....8...a.....8...UU....8...J.....8...?....8...33....8...(}....8.........8.........8....[....8.........8.........8....8....8........8.D...............8.........8...`....8.......8........8...>....8.......8...}.....8...r.....8...ff....8...[.....8...P.....8...DD....8...9.....8.........8..."" ...8....l!...8....."...8.....#...8....I$...8....%...8.....&...8....'E...8....qF...8.....#......j.&.?%..H.jR&.!...0j.&.[.U.....-.8.........8....^...8...UU../.8.....^./.8....8..0.8...^.0.8...r...1.8...9.^.1.8.......2.8....q^.2.8.....3.8...UU..3.8...J...3.8...?.6.3.8...(}^.3.8......3.8.......3.8....[..3.8...

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media4\CONFIG.LDR

Download File

Process:	C:\Users\user\Desktop\GB72405.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.080604958330274
Encrypted:	false
SSDEEP:	3:bqxhFUoc7Nt/JxZ+2DeSoLYOTYRyHjYvbVWvwvyHSYVJVWvWYwvHmVbVWvCVyn:GhuNNVJxI135IKYpWvwaHSwbWvWFHmbu
MD5:	F27FC8D933A5F89B09D65046EFF240F5
SHA1:	002AF94078AC5E84801010D7DCB13506321924C3
SHA-256:	EBF15C7B0D86F63AF5984DB68F5219EA1DC4496CF7A211D48F85B3D21FE620F9
SHA-512:	5A468896DDCF25440617C196956FDB0A9AF42D7E8CD6EFAD8EA973F9C76EAC81800B97BF64902E31E65DC5F24B6C9DF9D3076EA25657321D36F49823E695A6ED
Malicious:	false
Preview:	lbl=300..TDO = 1..B1D=1h,1L,300,1..T1F=12405001.001,f,520..dsn=4..dtn=4..b2d = 0h,0h,000..b2p = 0..b3d = 0h,0h,000..b3p = 0..b4d = 0h,0h,000..b4p = 0..

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media4\DISK.DIR

Download File

Process:	C:\Users\user\Desktop\GB72405.exe
File Type:	data
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.382641900003363
Encrypted:	false
SSDEEP:	3:vwRFRKh0SIb3n:oRuySITn
MD5:	4FC3011D49E59DED3A1C4E1B6D55568C
SHA1:	C1FF0312A33BA489A9ADE6FA32B468848F011334
SHA-256:	E3C85227E54B8A695D64C0EB547322DF0C25BA7B48BA3D1AB068FFE6BB2542F0
SHA-512:	BA0D62CC983A0137A24AC573B76F10A4FA6340FA728F6DE7A583A92C02CD76FED667AA480FF92322A624560177D96D0D48D5E767941ADADAB650BD63BD3B7282
Malicious:	false
Preview:	..16 May 2024 to ..... GB7-2405-001.....

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media4\S.N

Download File

Process:	C:\Users\user\Desktop\GB72405.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1118
Entropy (8bit):	4.44770113174335
Encrypted:	false
SSDEEP:	24:NNInTWWNiEECIxWP3L0zVFI8JVUzwVpIwsS:NUyeiEEwP70zVvywVyS
MD5:	4DEA28C12D74C13C12D1173F30C3487B
SHA1:	B6BFA31854135E2826C5F35BFFE9C7E4C7DFE71E
SHA-256:	E017D37DAB8DCD1C6AFBDEE76DD74F36B47B53C5E228BDAB66DD537B329F9516
SHA-512:	D9F61175834E55C7CB2C06559C3AB37AE2B330EFDAC443FE4CC20CCD7614F73882F1AB513E96F40EB3A7FFD48D7B88E259ADED997A84F18B54423D93831FDD8D
Malicious:	false
Preview:	GB7-2405-001 DISK_4 16 May 2024 to 13 Jun 2024 copy : 0.. -------------------------------Proprietary Notice--------------------------.. This document and the information disclosed herein are the proprietary data.. of Honeywell Inc. Neither this document nor the information contained herin.. shall be reproduced, used, or disclosed to others without the written.. authorization of Honeywell Inc... ----------------------------------------------------------------------------.. ......................NOTICE - FREEDOM OF INFORMATION ACT..................... ..................(5 USC 552) AND DISCLOSURE OF CONFIDENTIAL................... ......................INFORMATION GENERALLY (18 USC 1905)..................... ----------------------------------------------------------------------------.. This document is being furnished in confidence by Honeywell Inc. The Information.. disclosed herein falls within exemption(b)(4) of 5 USC 552 and the prohibitions.. of 18 USC 1905... -----------------------

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media4\crate.dsf

Download File

Process:	C:\Users\user\Desktop\GB72405.exe
File Type:	data
Category:	dropped
Size (bytes):	26296
Entropy (8bit):	7.9929993592679
Encrypted:	true
SSDEEP:	768:xyyOWT+t9x5bFRvTIFXgQEbDiGMV0Jsfde:xy5WT+t9F5TIVGmGMBde
MD5:	021AB084A95561E884AEBB9E8EE5A5E2
SHA1:	88B91114B5E0D5B418F3DFA949BE47DC1ACC4DE1
SHA-256:	9A1D7F71834CDEDF146547E6A31715A5DF2FBA682ED50E947707630FC14E066D
SHA-512:	B1EF4D200D3439C7D46E5499585B9F710BD2B8757FFA83F4C9E23EFCB8D9FBAA5D9FD2CCECAC96B6157C8C42F7A5A929C7D2B08968C5CE05A9D261549D2BD478
Malicious:	false
Preview:	2.0.0...........................J....7..]@.Q......;....aY.g...QY...o.....$..).g..Q2D..a,AG...s.z=/..q".....xukR]...;g....]~Sz%.~....;.0+.OP.1.'..]...u.AX.e&...;..1.W....X.:CK...H+....)....M.D...)t..v..v...%t..-..\.b......c..UhOj.>..a.....E.U..a..0>.F).[.a.y.PAb^hjk.....0..J"..X..Ey......1...+\..z".v. .[!noRb.v...V.:..<.5..c..\..J.r.M..c.:tz-.D..y..\./......K.w......`.i.V@...x..n.Kmd+...!g.....!._...X..P.HD8......^..w.."...27h.=..+.2{\a Ju.3]..... ..........`..q.~....6.A.<^.D.^:h...eb'pUT.+!.:.?)...I;.;..../.(ci..H.......?.\|...........q$.]\|.....H>}Vn. ....G-!H..J.......<.`Bfa.&q,![.?....57 .g.y..`...............................u..&......7.[J$V..6..1....U.@D&k..a.3Y]..,.P....I...6......Py\|."....N+.nj+.d..Z.;b.F....;.RUQ..$.....w.v.O."+.Yz.L&...E.k.B....$.".jf..!.r..Ac..\|w.T.f.PB#\./.i.:...b.^..P..y.....]f%r-.K.....[...>.N.u..\|^..IO..q.>NSq.[.`...+.. .........QU........vh.....8....M.L..l...{.2......h.!@..j..6.9IF.6.HY.....Y..8....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.946658322764787
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	GB72405.exe
File size:	3'110'227 bytes
MD5:	b13e8f3d2779aa2102e2c3db3b2957d2
SHA1:	c15973faef8acbbf35b5b8361d3282bc4f2aaa23
SHA256:	c96632658ed3356d4a3615740999a04f70f77a7cf60263be59b3f2ac28e0eec7
SHA512:	34a0e812c1055444db8c744346b290ae8a972cad8f2112ac44889794ddb318f1001f395cf8f4337260544c82a4349fa14ce53a866c4bdce3c6f422eea05391d7
SSDEEP:	49152:JTYaVuY9Rrux2tTbcKdHili63l+1czHlpTLXaOPmYlvpzY9uZouyNDLS939:bVa2tTbc4Cli61Nrz3t7UCK6N9
TLSH:	72E523253B90F5ABD279043288E6F6EC1123B5383FDA41FBB6A7930EDD255E01E39590
File Content Preview:	MZ......................@.......PK00....................................!..L.!This program cannot be run in DOS mode....$.........Vk..88..88..88..F8..88..E8..88..C8..88..98..88..U8..88..V8..88..J8..88..D8..88..@8..88Rich..88........PE..L.....$I...........

File Icon


Icon Hash:	6c171670b2f63706

Static PE Info

General

Entrypoint:	0x4d4000
Entrypoint Section:	.pklstb
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4924DF97 [Thu Nov 20 03:55:03 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d48e0557e81f1974982e52a9aab79b46

Entrypoint Preview

Instruction
push 004D4080h
push 0052624Dh
push 00000000h
call 00007F5DE884A2AEh
jmp 00007F5DE879500Dh
inc eax
sub byte ptr [ebx], ah
sub dword ptr [eax+4Bh], edx
dec esp
dec ecx
push esp
inc ebp
xor esi, dword ptr [edx]
and byte ptr [ebx+6Fh], al
jo 00007F5DE87F80EBh
jc 00007F5DE87F80DBh
push 39312074h
cmp dword ptr [eax], edi
and byte ptr [eax+4Bh], dl
push edi
inc ecx
push edx
inc ebp
and byte ptr [ecx+6Eh], cl
arpl word ptr [esi], bp
sub al, 20h
inc ecx
insb
insb
and byte ptr [edx+69h], dl
push 52207374h
jnc 00007F5DE87F80D8h
jc 00007F5DE87F80E8h
and byte ptr fs:[eax], ch
and al, 52h
jbe 00007F5DE87F80DCh
jnc 00007F5DE87F80DBh
outsd
outsb
cmp ah, byte ptr [eax]
and al, 29h
add byte ptr [eax+4Bh], dl
dec esp
push esp
xor esi, dword ptr [edx]
add byte ptr [eax], al
adc byte ptr [ecx], al
add byte ptr [eax], al
cmp eax, CC4E53E5h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
inc esp
xor esp, dword ptr [edx]
adc dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+00h], al
add eax, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
inc esp
xor esp, dword ptr [edx]
adc dword ptr [edi+ecx], esi
add byte ptr [eax], al
sbb byte ptr [ecx], bl
add byte ptr [eax], al
call 00007F5DDF7F8D9Bh
add al, 00h
add byte ptr [ebp+1C685B57h], bh
push ebp
sbb dh, bh
jbe 00008046h
pop ecx
xlatb
sbb byte ptr [ebx-2Dh], ah
stosb
mov ch, 5Eh
push esi
stosb
bound ecx, dword ptr [ecx]
pop esi
dec eax
adc dword ptr [ecx-13644B4Bh], ecx

Rich Headers

Programming Language:

[ASM] VS2005 build 50727
[IMP] VS2005 build 50727
[ C ] VS2005 build 50727
[C++] VS2005 build 50727
[RES] VS2005 build 50727
[LNK] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb51f0	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcd000	0x661c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12b000	0x3c	.relo2
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x5a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b733	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x8d000	0x2a1c2	0x2b000	66289573eda3292ab9772c8f6b413c88	False	0.4083621002906977	data	5.515523844107394	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb8000	0x14e08	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xcd000	0x661c	0x6000	5a3adee0c83718d01de281dfb0f8a2c4	False	0.5048828125	data	5.2904653302795825	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pklstb	0xd4000	0x57000	0x53000	1034945e66373f90783860c013b839c7	False	0.9877488469503012	data	7.991138007494125	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.relo2	0x12b000	0x3c	0x1000	d1c60badcb3f2be38f15e735e0bb65fc	False	0.0224609375	data	0.14178970673358426	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PKTEXT	0xcd3b4	0x1b9a	Zip archive data, at least v5.0 to extract, compression method=deflate	English	United States	0.95810925559015
RT_ICON	0xcef50	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors	English	United States	0.45564516129032256
RT_ICON	0xcf238	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	United States	0.5743243243243243
RT_ICON	0xcf360	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.22174840085287847
RT_ICON	0xd0208	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.5938628158844765
RT_ICON	0xd0ab0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.4421965317919075
RT_ICON	0xd1018	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152, 16 important colors	English	United States	0.36341463414634145
RT_ICON	0xd1680	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors	English	United States	0.3602150537634409
RT_ICON	0xd1968	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors	English	United States	0.24193548387096775
RT_ICON	0xd1c50	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors	English	United States	0.23521505376344087
RT_DIALOG	0xd26e8	0x11a	data	English	United States	0.04609929078014184
RT_DIALOG	0xd2804	0x5c0	data	English	United States	0.01358695652173913
RT_DIALOG	0xd2dc4	0x20e	data	English	United States	0.026615969581749048
RT_DIALOG	0xd2fd4	0x14c	data	English	United States	0.2727272727272727
RT_DIALOG	0xd3120	0x26a	empty	English	United States	0
RT_DIALOG	0xd338c	0x18a	empty	English	United States	0
RT_DIALOG	0xd3518	0xd8	empty	English	United States	0
RT_STRING	0xd35f0	0x2c	empty	English	United States	0
RT_GROUP_ICON	0xd1f38	0x5a	data	English	United States	0.7777777777777778
RT_GROUP_ICON	0xd1f94	0x14	data	English	United States	1.25
RT_GROUP_ICON	0xd1fa8	0x14	data	English	United States	1.25
RT_GROUP_ICON	0xd1fbc	0x14	data	English	United States	1.25
RT_VERSION	0xd1fd0	0x410	data	English	United States	0.43653846153846154
RT_MANIFEST	0xd23e0	0x168	ASCII text, with CRLF line terminators	English	United States	0.6444444444444445

Imports

DLL	Import
CRYPT32.dll	CertGetNameStringW, CertGetCertificateContextProperty, CertGetIntendedKeyUsage, CertNameToStrW, CryptImportPublicKeyInfo, CryptVerifyCertificateSignature, CertEnumCertificatesInStore, CertOpenSystemStoreW, CertDeleteCertificateFromStore, CertDuplicateCertificateContext, CertOpenStore, CryptAcquireCertificatePrivateKey, CertSetCertificateContextProperty, CryptHashPublicKeyInfo, CertFreeCertificateContext, CertCloseStore
KERNEL32.dll	GetDriveTypeW, GetTempFileNameA, MoveFileExA, GetDiskFreeSpaceW, GetFullPathNameW, GetShortPathNameW, GetFullPathNameA, GetVolumeInformationA, LoadLibraryA, GetTempPathW, MoveFileExW, GetShortPathNameA, GetTempFileNameW, MoveFileA, DeleteFileW, Sleep, CreateDirectoryW, CreateDirectoryA, GetTempPathA, SetFileAttributesW, CreateFileA, GetDiskFreeSpaceA, DeleteFileA, GetVolumeInformationW, GetVersionExW, GetCurrentDirectoryW, DeviceIoControl, GetFileAttributesA, GetFileAttributesExA, GetFileAttributesW, MoveFileW, SetFileTime, GetCurrentDirectoryA, GetFileInformationByHandle, SetFilePointer, GetFileType, SetEndOfFile, ReadFile, FlushFileBuffers, GetStringTypeExA, UnmapViewOfFile, GetLocaleInfoW, GetUserDefaultUILanguage, MapViewOfFile, CreateFileMappingW, ReleaseMutex, CreateMutexW, GetLocaleInfoA, GetDateFormatA, GetDateFormatW, FileTimeToSystemTime, GetProcAddress, GetNumberFormatW, CompareFileTime, GetVersion, GetStdHandle, QueryPerformanceCounter, GetCurrentProcessId, GlobalMemoryStatus, GetVersionExA, VirtualFree, VirtualAlloc, CompareStringW, CompareStringA, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, GetStartupInfoA, SetHandleCount, GetCommandLineW, GetCommandLineA, SetFileAttributesA, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, GetModuleFileNameA, HeapSize, HeapCreate, HeapDestroy, ExitProcess, GetModuleHandleA, RtlUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, GetProcessHeap, CreateThread, ExitThread, HeapAlloc, HeapReAlloc, HeapFree, LoadLibraryExW, SizeofResource, GetStringTypeA, GetModuleHandleW, GetTickCount, GetStringTypeW, SetCurrentDirectoryA, LCMapStringA, LCMapStringW, GetConsoleCP, GetConsoleMode, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetEnvironmentVariableA, GetThreadLocale, InterlockedCompareExchange, IsProcessorFeaturePresent, lstrcmpiW, SetCurrentDirectoryW, FreeLibrary, MultiByteToWideChar, WideCharToMultiByte, GlobalUnlock, GetCurrentThreadId, GlobalLock, LeaveCriticalSection, GlobalAlloc, EnterCriticalSection, lstrlenW, GetModuleFileNameW, SetLastError, LockResource, InitializeCriticalSection, LoadResource, FindResourceW, InterlockedIncrement, DeleteCriticalSection, MulDiv, lstrcmpW, GetLastError, GlobalFree, GlobalHandle, InterlockedDecrement, CloseHandle, CreateFileW, WriteFile, GetFileAttributesExW, GetDriveTypeA, LocalFileTimeToFileTime, FileTimeToLocalFileTime, DosDateTimeToFileTime, FileTimeToDosDateTime, GetSystemTimeAsFileTime, SetThreadPriority, WaitForSingleObject, SetEvent, ResetEvent, CreateEventW, GetEnvironmentStringsW, InterlockedExchange, RaiseException, FlushInstructionCache, GetCurrentProcess, GetNumberFormatA
USER32.dll	DestroyMenu, TrackPopupMenu, CreatePopupMenu, CreateAcceleratorTableW, GetActiveWindow, DialogBoxParamW, IsWindowVisible, LoadImageW, GetWindowTextA, GetCursorPos, MsgWaitForMultipleObjects, PeekMessageW, DdeCreateStringHandleW, IsDialogMessageW, TranslateMessage, DispatchMessageW, DestroyIcon, IsDlgButtonChecked, GetClassInfoExW, ReleaseDC, GetDlgItemTextW, RegisterClassExW, LoadCursorW, ClientToScreen, MessageBoxW, CharNextW, MoveWindow, InsertMenuW, GetSystemMenu, DestroyAcceleratorTable, EnableWindow, GetDesktopWindow, GetSysColor, DdeConnect, DdeDisconnect, DdeFreeStringHandle, DdeUninitialize, DdeClientTransaction, DdeGetLastError, GetUserObjectInformationW, GetProcessWindowStation, MessageBoxA, DdeInitializeW, CheckDlgButton, DialogBoxIndirectParamW, SetCapture, RegisterWindowMessageW, ReleaseCapture, IsChild, GetFocus, GetWindowTextLengthW, SetWindowContextHelpId, ShowWindow, PostMessageW, InvalidateRect, LoadStringW, RedrawWindow, FillRect, InvalidateRgn, SetCursor, GetDC, MapDialogRect, SetWindowPos, DrawTextW, SetDlgItemTextW, GetSystemMetrics, GetWindow, GetWindowTextW, SetWindowTextW, SetForegroundWindow, EndDialog, SetWindowLongW, SystemParametersInfoW, DestroyWindow, GetWindowRect, GetClientRect, GetWindowLongW, SendMessageW, ScreenToClient, DefWindowProcW, GetParent, CallWindowProcW, EndPaint, DrawIcon, BeginPaint, MapWindowPoints, CreateWindowExW, GetDlgItem, IsWindow, SetFocus, GetClassNameW, UnregisterClassA
GDI32.dll	DeleteDC, DeleteObject, GetStockObject, GetDeviceCaps, GetTextExtentPoint32W, GetObjectW, CreateCompatibleBitmap, CreateCompatibleDC, CreateSolidBrush, BitBlt, SelectObject
ADVAPI32.dll	RegSetValueExW, RegisterEventSourceA, ReportEventA, DeregisterEventSource, CryptGetUserKey, CryptAcquireContextA, CryptVerifySignatureW, CryptDestroyKey, CryptHashData, CryptCreateHash, CryptGetHashParam, CryptSetHashParam, CryptDestroyHash, CryptReleaseContext, CryptAcquireContextW, CryptGenRandom, CryptDecrypt, RegDeleteValueW, RegCreateKeyExW, RegOpenKeyExW, RegDeleteKeyW, RegCloseKey, RegQueryInfoKeyW, RegEnumKeyExW, RegCreateKeyW, RegSetValueW, CryptGetProvParam, CryptImportKey, CryptGetKeyParam, CryptGenKey, CryptDeriveKey, CryptSetKeyParam
SHELL32.dll	SHGetFolderPathW, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetMalloc, SHGetPathFromIDListW, SHBrowseForFolderW, ShellExecuteW, SHGetFileInfoW
ole32.dll	CoCreateGuid, CoTaskMemRealloc, CoUninitialize, CoInitialize, CoTaskMemFree, OleUninitialize, CoGetClassObject, StringFromGUID2, CoCreateInstance, CoTaskMemAlloc, OleLockRunning, OleInitialize, CLSIDFromString, CLSIDFromProgID, CreateStreamOnHGlobal
OLEAUT32.dll	VariantInit, VarUI4FromStr, SysStringLen, SysAllocString, SysStringByteLen, LoadTypeLib, LoadRegTypeLib, OleCreateFontIndirect, VariantClear, SysAllocStringLen, SysFreeString
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Create, ImageList_Destroy, InitCommonControlsEx

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	13:58:03
Start date:	08/05/2024
Path:	C:\Users\user\Desktop\GB72405.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\GB72405.exe"
Imagebase:	0x400000
File size:	3'110'227 bytes
MD5 hash:	B13E8F3D2779AA2102E2C3DB3B2957D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	13:59:01
Start date:	08/05/2024
Path:	C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe" GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN
Imagebase:	0x400000
File size:	617'472 bytes
MD5 hash:	D0509B5E9ECFB035B20942C012DE19EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs Detection: 1%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	45

Executed Functions

Function 0043F880 Relevance: 64.0, APIs: 29, Strings: 7, Instructions: 1043COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNELBASE(?), ref: 0043F9C6
_wcsncpy.LIBCMT ref: 0043FAFB

Strings

.MUTEX, xrefs: 0043FD82
SECURE, xrefs: 0043F961
en_US, xrefs: 0043FA6E, 0043FADF, 0043FAF9, 0043FAFA, 0043FB48, 0043FB9F, 0043FBF7
RSA, xrefs: 0043F927
-SECURE, xrefs: 0043FB6C, 0043FC1C
-RSA, xrefs: 0043FB1C
/tmp/..PKText., xrefs: 0043FC8B

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: InfoLocale_wcsncpy
String ID: -RSA$-SECURE$.MUTEX$/tmp/..PKText.$RSA$SECURE$en_US
API String ID: 940669412-3505281648
Opcode ID: 4a1024305c15e102c8b9219a2ef01b3e1ddde0e36b69676182df8cd09f271724
Instruction ID: 5acca7fe00b406a7f80ea77396577d8f33f98f7d67d292d92bac8947ca1b5112
Opcode Fuzzy Hash: 4a1024305c15e102c8b9219a2ef01b3e1ddde0e36b69676182df8cd09f271724
Instruction Fuzzy Hash: 6A82F371E002059FDB24DFA8CC51BAFB7B1AF98304F18816EE9059B391E738AE45CB55

Function 00426C76 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00426C7D
__CxxThrowException@8.LIBCMT ref: 00426CA2

Part of subcall function 00426920: __EH_prolog3_GS.LIBCMT ref: 0042692A

CryptDeriveKey.ADVAPI32(00000000,?,00000000,00000011,00000010), ref: 00426DD5

Part of subcall function 0041B0F2: __CxxThrowException@8.LIBCMT ref: 0041B117

CryptGenKey.ADVAPI32(00000000,?,00000011,00000010), ref: 00426DDF
CryptSetKeyParam.ADVAPI32(00000010,00000013,00000028,00000000), ref: 00426E67

Strings

(, xrefs: 00426E55

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Crypt$Exception@8Throw$DeriveH_prolog3H_prolog3_Param
String ID: (
API String ID: 1982271541-3887548279
Opcode ID: 24b363fc8a1e6a64c8c4c151047eaaeb8951b23d619a2c26852ac00ac805031b
Instruction ID: 99f36b1f62fc716bf29f26525d508c159c8386659eb6f7c449594aa5302ae4c9
Opcode Fuzzy Hash: 24b363fc8a1e6a64c8c4c151047eaaeb8951b23d619a2c26852ac00ac805031b
Instruction Fuzzy Hash: 6A61F2703003199FDB14EF61D885AAF77A9FF44304F51882EF4528B251DB38EE458B69

Function 0048332F Relevance: 10.6, APIs: 7, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,0000000D,00402304,0040242D,?,004022E3,?,?,004017F3), ref: 004832B0
RtlAllocateHeap.NTDLL(00000000), ref: 004832B7

Part of subcall function 004831CD: IsProcessorFeaturePresent.KERNEL32(0000000C,00000000,0048329E,00402304,0040242D,?,004022E3,?,?,004017F3), ref: 004831D0

RtlInterlockedPopEntrySList.NTDLL(004C86F4), ref: 004832C4
VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000040), ref: 004832D9
RtlInterlockedPopEntrySList.NTDLL(?), ref: 004832F2
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00483306
RtlInterlockedPushEntrySList.NTDLL(00000000), ref: 0048331D

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: EntryInterlockedList$HeapVirtual$AllocAllocateFeatureFreePresentProcessProcessorPush
String ID:
API String ID: 1137860932-0
Opcode ID: 8d5bff0c96ff1517d682cc256b2dff928bd53f1f8e5f39fbbe3eed62ad44fdf2
Instruction ID: fcf170cc3a69c753ddc6a3f7aeb580dbc219c92687fd0bb244c5d784c1580884
Opcode Fuzzy Hash: 8d5bff0c96ff1517d682cc256b2dff928bd53f1f8e5f39fbbe3eed62ad44fdf2
Instruction Fuzzy Hash: 01118E31700222A7DBA12F68BC09F6F2759AB40B52F11087AF901D6291CE69CD01979C

Function 00418A8E Relevance: 7.6, APIs: 5, Instructions: 73fileCOMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 00418AC2

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

__CxxThrowException@8.LIBCMT ref: 00418AB3

Part of subcall function 00472749: RaiseException.KERNEL32(?,?,004ADB04,00000065,?,?,004132CD,?,004ADB04,00000065,00000000,?,?,?,0041361B,?), ref: 00472789

CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 00418AF8
DeviceIoControl.KERNEL32(00000000,0009C040,00000001,00000002,00000000,00000000,?,00000000), ref: 00418B1B
CloseHandle.KERNEL32(00000000,?,C0000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 00418B22

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: File$AttributesCloseControlCreateDeviceExceptionException@8H_prolog3_catchHandleRaiseThrow
String ID:
API String ID: 1009827949-0
Opcode ID: f71cb0975ed40d78350e2c4f455491f2fd756bbffade5c202e61384598a5ff62
Instruction ID: 50a448b9711fae2cfeba7cc515209b954b7f8bbcc18326bed44ac68616f8a36d
Opcode Fuzzy Hash: f71cb0975ed40d78350e2c4f455491f2fd756bbffade5c202e61384598a5ff62
Instruction Fuzzy Hash: 9811B4B15002087BEB109BA9CC89FEF77ACDF05354F04842BF911A6190DA7C9D858769

Function 00422440 Relevance: 6.3, APIs: 2, Strings: 1, Instructions: 1085COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0042244A
__CxxThrowException@8.LIBCMT ref: 004224B4

Part of subcall function 00413299: __CxxThrowException@8.LIBCMT ref: 004132C8

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

Strings

`lJ, xrefs: 0042287A

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8H_prolog3_catchThrow
String ID: `lJ
API String ID: 1118002619-3906444823
Opcode ID: 59a6d72704918c19faeed85af14b94b9c92b5c598a64a22546094777aa3411c0
Instruction ID: c35e26a00393e5b2e2c59434b8311ea082406818776b7c1d045db45c09da61d8
Opcode Fuzzy Hash: 59a6d72704918c19faeed85af14b94b9c92b5c598a64a22546094777aa3411c0
Instruction Fuzzy Hash: E9925D30B00229DFCF14DFA5D998AEEBBB1BF44304F5440AEE406AB291DB789E45CB55

Function 00441000 Relevance: 6.3, APIs: 2, Strings: 1, Instructions: 1004COMMON

Download Yara Rule

APIs

_strtol.LIBCMT ref: 004412B3

Strings

tJJ, xrefs: 00441061

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: _strtol
String ID: tJJ
API String ID: 4256861632-807802527
Opcode ID: fc4399413733df451c08193ba6b54023f5fb80ef45a88cb499f4aabe45ee2039
Instruction ID: f4f1d69f7e46b4a95c8140b364bcd7da591f30c1aca902dca42a9d2a105dfec9
Opcode Fuzzy Hash: fc4399413733df451c08193ba6b54023f5fb80ef45a88cb499f4aabe45ee2039
Instruction Fuzzy Hash: DD927070D04259CBEB24CF99C8806EDB7F1BF54314F24452BD84AAB360E779A9C1CB59

Function 00448850 Relevance: 1.5, APIs: 1, Instructions: 12encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(00000018,00000018,00000018,004A64E8,?,0041B79D,?,?,?,004A64E8,00000018,?), ref: 00448869

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: AcquireContextCrypt
String ID:
API String ID: 3951991833-0
Opcode ID: 537166bf61c26e19ad15ea249327eedf0e3ddff59d2f59a484c545b55d54971e
Instruction ID: 8dde9eaa2dea11f858e6fe3bbc794718fdc2df540c0962b3956480ff6c93141a
Opcode Fuzzy Hash: 537166bf61c26e19ad15ea249327eedf0e3ddff59d2f59a484c545b55d54971e
Instruction Fuzzy Hash: BED0C5B5618342AF9B08CF58D994D3BB7E9BBC8750F044D4CB59583250C720E849CB66

Function 00448B40 Relevance: 1.5, APIs: 1, Instructions: 12encryptionCOMMON

Download Yara Rule

APIs

CryptCreateHash.ADVAPI32(004C1E84,004C1E84,004C1E84,?,?,0042866E,?,00000000,?,?,?,?,00000000,?,?,?), ref: 00448B59

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CreateCryptHash
String ID:
API String ID: 4184778727-0
Opcode ID: 0dc450ab19c6d24eac68c715404478ac477747c1c57092f1fbd937f4f75f0f0d
Instruction ID: 1f3e2a125cdd6bddad7707eab018d9df9611b54367dc21938e6e3d5120c85b57
Opcode Fuzzy Hash: 0dc450ab19c6d24eac68c715404478ac477747c1c57092f1fbd937f4f75f0f0d
Instruction Fuzzy Hash: D2D0C5B5A19342AF9B08CF58D994C3BB7E9BBD8700F044D0CBA9583250C720E809CB66

Function 00403C16 Relevance: 67.2, APIs: 37, Strings: 1, Instructions: 719
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00403C1D
GetDlgItem.USER32(?,000003F6), ref: 00403C90
SendMessageW.USER32(00000000,00000406,00000000,00000000), ref: 00403C9F
CheckDlgButton.USER32(00000002,000003F7,00000000), ref: 00403EA2
CheckDlgButton.USER32(00000002,000003F7,00000001), ref: 00403ED7
SetDlgItemTextW.USER32(00000002,000003F7,?,?,?,?,00000002,000003F7), ref: 00403F2B
SetWindowTextW.USER32(00000000,004C87B8), ref: 00403CED

Part of subcall function 0040695C: __CxxThrowException@8.LIBCMT ref: 00406977

Strings

$AJ, xrefs: 00403F05

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ButtonCheckItemText$Exception@8H_prolog3_catch_MessageSendThrowWindow
String ID: $AJ
API String ID: 645776859-3211715044
Opcode ID: ecc380cf9a27106fbfef7a67af6f0ae335075b5fc88e495500b1016c2f6cebf3
Instruction ID: 5bd5780b562722fce59a59976ad0dbf48ca961e02b0d0c2e106d9794dd83aeea
Opcode Fuzzy Hash: ecc380cf9a27106fbfef7a67af6f0ae335075b5fc88e495500b1016c2f6cebf3
Instruction Fuzzy Hash: 2D429270A40205BFEB116F61DC4AFAE7B79FF08709F10443AF601B61E2DBB669509B58

Function 00404D00 Relevance: 54.8, APIs: 28, Strings: 3, Instructions: 558
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch.LIBCMT ref: 00404D07
LoadCursorW.USER32(00000000,00007F02), ref: 00404D17
SetCursor.USER32(00000000,?,00000000,00000001,?,?,?,?,?,?,?,?,?,?,0040E24F,00000001), ref: 00404D21
GetDlgItem.USER32(?,000003E8), ref: 00404D4E
GetDlgItem.USER32(?,00000408), ref: 00404D66
GetDlgItem.USER32(?,00000001), ref: 00404D86
KiUserCallbackDispatcher.NTDLL(00000000,00000000,?,00000000,00000001,?,?,?,?,?,?,?,?,?,?,0040E24F), ref: 00404D8E
GetDlgItem.USER32(00000001,000003E8), ref: 00404E69
GetDlgItem.USER32(00000001,00000408), ref: 00404E7C
GetDlgItem.USER32(00000001,00000001), ref: 00404E8C
SetCursor.USER32(?), ref: 00404EA2
RtlEnterCriticalSection.NTDLL(004CBA3C), ref: 00404ECC
RtlLeaveCriticalSection.NTDLL(004CBA3C), ref: 00404EDA
GetDlgItem.USER32(?,000003EC), ref: 00405015
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00405023
IsDlgButtonChecked.USER32(?,000003F7), ref: 00405056
SetDlgItemTextW.USER32(?,0000040D,00000000), ref: 004050FE
SetDlgItemTextW.USER32(00000002,00000402,?), ref: 00405173
SetDlgItemTextW.USER32(00000002,00000403,?), ref: 004051A2
SetDlgItemTextW.USER32(00000003,0000040D,004A4124), ref: 0040544A
SetDlgItemTextW.USER32(00000003,0000040E,004A4124), ref: 00405459
GetDlgItem.USER32(00000003,000003E8), ref: 00405478
EnableWindow.USER32(00000000,00000001), ref: 00405481
GetDlgItem.USER32(00000003,00000408), ref: 0040548F
EnableWindow.USER32(00000000,00000001), ref: 00405498
GetDlgItem.USER32(00000003,00000001), ref: 004054AC
KiUserCallbackDispatcher.NTDLL(00000000,00000001), ref: 004054B5

Strings

PMJ, xrefs: 00405233, 0040523E
AJ, xrefs: 004051D7
$AJ, xrefs: 0040543C

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Item$Text$Cursor$CallbackCriticalDispatcherEnableSectionUserWindow$ButtonCheckedEnterH_prolog3_catchLeaveLoadMessageSend
String ID: AJ$$AJ$PMJ
API String ID: 2824313723-3613703201
Opcode ID: c1194afb56763b27e3c0913e7928a4600311631e291c06c6fe45b60898154e75
Instruction ID: 396c25243df7174e6f7b2191e46bd83bc840df2e0e16bfe39eed935e81bc7eae
Opcode Fuzzy Hash: c1194afb56763b27e3c0913e7928a4600311631e291c06c6fe45b60898154e75
Instruction Fuzzy Hash: DF2282B0A00606FBDB15AF64CC89EAEBB75FF04304F10423EF519A62E1D7796950CB99

Function 00405A61 Relevance: 53.4, APIs: 29, Strings: 1, Instructions: 930
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClientRect.USER32(?,?), ref: 00405AA7
GetWindowRect.USER32(00000000,00000010), ref: 00405B98
GetWindowRect.USER32(00000000,00000010), ref: 00405BFA
GetWindowRect.USER32(00000000,00000010), ref: 00405E42
GetWindowRect.USER32(00000000,00000010), ref: 00405EA4
GetWindowRect.USER32(00000000,?), ref: 00405F18
GetWindowRect.USER32(00000000,?), ref: 00405F5F
GetWindowRect.USER32(00000000,?), ref: 00405FA1
GetWindowRect.USER32(00000000,?), ref: 00405FE9
GetWindowRect.USER32(00000000,?), ref: 00405C69

Part of subcall function 00402621: SetWindowPos.USER32(00401BF7,00000000,?,?,?,?,00401BF7,0048D550,00401BF7,?,00000204), ref: 00402641

GetWindowRect.USER32(00000000,00000010), ref: 00405E00

Part of subcall function 00412F06: GetSystemMetrics.USER32(0000002D), ref: 00412F38
Part of subcall function 00412F06: SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00412F50
Part of subcall function 00412F06: SelectObject.GDI32(00000000,00000000), ref: 00412F6C
Part of subcall function 00412F06: GetDlgItem.USER32(?,?), ref: 00412FB1
Part of subcall function 00412F06: GetWindowTextW.USER32(00000000,?,00000104), ref: 00412FD2
Part of subcall function 00412F06: DrawTextW.USER32(?,?,000000FF,?,00000400), ref: 0041300B
Part of subcall function 00412F06: GetWindowRect.USER32(?,?), ref: 0041303A

GetWindowRect.USER32(00000000,?), ref: 00406068
GetWindowRect.USER32(00000000,?), ref: 004060CA
GetWindowRect.USER32(00000000,?), ref: 004060E9
GetWindowRect.USER32(00000000,?), ref: 00406192
GetWindowRect.USER32(00000000,00000010), ref: 004061D1
GetWindowRect.USER32(00000000,00000010), ref: 0040620A
GetWindowRect.USER32(00000000,?), ref: 00406298
GetWindowRect.USER32(00000000,?), ref: 004062D9
GetWindowRect.USER32(00000000,?), ref: 00406316
GetWindowRect.USER32(00000000,?), ref: 0040634E
GetWindowRect.USER32(00000000,?), ref: 00406386
GetWindowRect.USER32(00000000,?), ref: 004063BE
GetWindowRect.USER32(00000000,?), ref: 004063F9
GetWindowRect.USER32(00000000,?), ref: 00406431
GetWindowRect.USER32(00000000,?), ref: 00406469
GetWindowRect.USER32(00000000,?), ref: 004064A1
GetWindowRect.USER32(00000000,00000010), ref: 004064DA
GetWindowRect.USER32(00000000,00000010), ref: 00406513

Strings

@, xrefs: 00406544

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Window$Rect$Text$ClientDrawItemMessageMetricsObjectSelectSendSystem
String ID: @
API String ID: 1058199426-3462622714
Opcode ID: 0074e38aea86320cb437e2c5dcea833835fb11b1c2508931ec4a8516e385ebaf
Instruction ID: fe2b512ab4957cdd5fd6f8fe6799f06a52e5b0e2ec557918b26a83687bda9168
Opcode Fuzzy Hash: 0074e38aea86320cb437e2c5dcea833835fb11b1c2508931ec4a8516e385ebaf
Instruction Fuzzy Hash: 2582C5B1C10219AFDF01DFE4DD85AEEBBB8FF08308F10452AE505B6291EB759A458B58

Function 00403E4B Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 499
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041B0F2: __CxxThrowException@8.LIBCMT ref: 0041B117

CheckDlgButton.USER32(00000002,000003F7,00000000), ref: 00403EA2
CheckDlgButton.USER32(00000002,000003F7,00000001), ref: 00403ED7
GetDlgItem.USER32 ref: 00403EED
EnableWindow.USER32(00000000,00000000), ref: 00403EF6
SetDlgItemTextW.USER32(00000002,000003F7,?,?,?,?,00000002,000003F7), ref: 00403F2B
GetDlgItem.USER32(00000002,000003EC), ref: 00403FAC
SendMessageW.USER32(00000000,00000143,00000000,00000000), ref: 00403FDD
SendMessageW.USER32(?,0000014E,00000001,00000000), ref: 00404025
CheckDlgButton.USER32(00000000,000003ED,00000000), ref: 0040405D
CheckDlgButton.USER32(00000000,000003EE,00000000), ref: 00404095
CheckDlgButton.USER32(00000000,000003EF,00000000), ref: 004040EB
CheckDlgButton.USER32(00000000,000003F0,00000000), ref: 0040411B
CheckDlgButton.USER32(00000000,000003F0,00000001), ref: 00404152
CheckDlgButton.USER32(00000000,000003F1,00000000), ref: 004041B1

Strings

$AJ, xrefs: 00403F05

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ButtonCheck$Item$MessageSend$EnableException@8TextThrowWindow
String ID: $AJ
API String ID: 4055839377-3211715044
Opcode ID: e50aef4fae1687a96313e5c1810a88aa849b0d5749f5d8890ef535e2def92831
Instruction ID: 567c9efb15b6208acf5a416f099e7898b6aed22a4861f4b3882e7cc027a6fa8d
Opcode Fuzzy Hash: e50aef4fae1687a96313e5c1810a88aa849b0d5749f5d8890ef535e2def92831
Instruction Fuzzy Hash: A10260B0A41206BFEB116B61DC4BFAA7B79EF08708F104439F705750F2DBB669209B48

Function 0040663B Relevance: 19.8, APIs: 13, Instructions: 277
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 004066B9
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004066CD
GetDlgItem.USER32(?,0000E801), ref: 004066DF
IsWindow.USER32(00000000), ref: 004066E9
GetClientRect.USER32(?,?), ref: 00406742
GetDlgItem.USER32(?,0000E801), ref: 00406760
GetWindowRect.USER32(?,00000000), ref: 004067C3
MapWindowPoints.USER32(00000000,?,00000001,00000002), ref: 004067D4
GetClientRect.USER32(?,00000000), ref: 00406820
GetWindowRect.USER32(?,00000000), ref: 00406834
GetDlgItem.USER32(004A3ED8,?), ref: 004068D7
GetWindowRect.USER32(00000000,00000000), ref: 004068F0
MapWindowPoints.USER32(00000000,004A3ED8,00000000,00000002), ref: 00406901

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Window$Rect$Item$ClientMessagePointsSend
String ID:
API String ID: 460500065-0
Opcode ID: e03cd42a0ad12a8fb2044d6ad8a3fc72757034612023ac55f33c47fb891111e0
Instruction ID: 063f54cab224d1604ff4cff24add58beac2080b174d32fddc3656c35009e6039
Opcode Fuzzy Hash: e03cd42a0ad12a8fb2044d6ad8a3fc72757034612023ac55f33c47fb891111e0
Instruction Fuzzy Hash: 22B15B71D01208EFDB10DFA8C885AAEBBF5FF48314F10896AE516E72A0D734A915CF65

Function 00418DE5 Relevance: 19.7, APIs: 13, Instructions: 209
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__CxxThrowException@8.LIBCMT ref: 00418DA4
CreateFileW.KERNEL32(?,C0000000,?,?,00000003,02000000), ref: 00418E16
CreateFileW.KERNELBASE(?,C0000000,?,?,00000003), ref: 00418E3A
GetLastError.KERNEL32(?,?,00000003), ref: 00418E4B
CreateFileA.KERNEL32(?,C0000000,?,?,00000003), ref: 00418EB0
CloseHandle.KERNEL32(00000000,?,?,00000003), ref: 00418F81
GetLastError.KERNEL32(?,?,00000003), ref: 00418EBD

Part of subcall function 00423BB6: __EH_prolog3.LIBCMT ref: 00423BBD

SetFileTime.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000003), ref: 00418F43
GetLastError.KERNEL32(?,?,00000003), ref: 00418F4D
CloseHandle.KERNEL32(00000000,?,?,00000003), ref: 00418F56
GetLastError.KERNEL32 ref: 00418FB6
SetFileAttributesA.KERNEL32(?,00000000), ref: 00418FE8
GetLastError.KERNEL32 ref: 00418FF2

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ErrorFileLast$Create$CloseHandle$AttributesException@8H_prolog3ThrowTime
String ID:
API String ID: 2515593622-0
Opcode ID: 2fa891edb10b705373014e6233f2a26ef0def1d2a46c2f7ea401291a813f639e
Instruction ID: 9a45595e3e7a9c8c0cd253e2721d571ded31bcd1aacbdc17babf5d531431bde0
Opcode Fuzzy Hash: 2fa891edb10b705373014e6233f2a26ef0def1d2a46c2f7ea401291a813f639e
Instruction Fuzzy Hash: 0371D171508304AFD700AF65DC45FEFBBE8AF95358F04092EF88592191DB38DE868B5A

Function 00405293 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040E726: __EH_prolog3.LIBCMT ref: 0040E72D
Part of subcall function 0040E726: RtlEnterCriticalSection.NTDLL(004CBA3C), ref: 0040E73B
Part of subcall function 0040E726: RtlLeaveCriticalSection.NTDLL(004CBA3C), ref: 0040E7B8

ShellExecuteW.SHELL32(00000000,004A40B8,004A3D5C,00000000,?,00000001), ref: 00405352
SetDlgItemTextW.USER32(00000003,0000040D,004A4124), ref: 0040544A
SetDlgItemTextW.USER32(00000003,0000040E,004A4124), ref: 00405459
GetDlgItem.USER32(00000003,000003E8), ref: 00405478
EnableWindow.USER32(00000000,00000001), ref: 00405481
GetDlgItem.USER32(00000003,00000408), ref: 0040548F
EnableWindow.USER32(00000000,00000001), ref: 00405498
GetDlgItem.USER32(00000003,00000001), ref: 004054AC
KiUserCallbackDispatcher.NTDLL(00000000,00000001), ref: 004054B5

Strings

$AJ, xrefs: 0040543C

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Item$CriticalEnableSectionTextWindow$CallbackDispatcherEnterExecuteH_prolog3LeaveShellUser
String ID: $AJ
API String ID: 1360408901-3211715044
Opcode ID: 6465061a009a0ec1f165e10c720493b0376893c269b7a3d717db58596d669d88
Instruction ID: d54f6ab5fe4abb7b99c39a706a31713da796bb708a617f0d7d6b80e7058d8424
Opcode Fuzzy Hash: 6465061a009a0ec1f165e10c720493b0376893c269b7a3d717db58596d669d88
Instruction Fuzzy Hash: 5521A1B1A42A01BBEB116B60DC4AE9E7F26FF00315F00853EF619765E1C7796860CF88

Function 00405437 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetDlgItemTextW.USER32(00000003,0000040D,004A4124), ref: 0040544A
SetDlgItemTextW.USER32(00000003,0000040E,004A4124), ref: 00405459
GetDlgItem.USER32(00000003,000003E8), ref: 00405478
EnableWindow.USER32(00000000,00000001), ref: 00405481
GetDlgItem.USER32(00000003,00000408), ref: 0040548F
EnableWindow.USER32(00000000,00000001), ref: 00405498
GetDlgItem.USER32(00000003,00000001), ref: 004054AC
KiUserCallbackDispatcher.NTDLL(00000000,00000001), ref: 004054B5

Strings

$AJ, xrefs: 0040543C

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Item$EnableTextWindow$CallbackDispatcherUser
String ID: $AJ
API String ID: 2696626827-3211715044
Opcode ID: cc26c0cbd20857cd62b4d6e7ac42fd54c6dc4b8969927003568e648502c8600e
Instruction ID: 8b872ead0b00ffba9c830c78e4dfac1d9e036f15556611f0be09068e564ba389
Opcode Fuzzy Hash: cc26c0cbd20857cd62b4d6e7ac42fd54c6dc4b8969927003568e648502c8600e
Instruction Fuzzy Hash: AC0144B1941611BBEB111BA0DD0EF5ABB26FB04706F044539F715B64E0C7756864CB88

Function 00419A0F Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

__CxxThrowException@8.LIBCMT ref: 00419A67

Part of subcall function 00472749: RaiseException.KERNEL32(?,?,004ADB04,00000065,?,?,004132CD,?,004ADB04,00000065,00000000,?,?,?,0041361B,?), ref: 00472789

GetDriveTypeW.KERNELBASE ref: 00419AD6
GetDriveTypeA.KERNEL32(?,?,?,?,?,?), ref: 00419B25
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00419B3E

Strings

:, xrefs: 00419AC3
\, xrefs: 00419B1C
\, xrefs: 00419ACA
:, xrefs: 00419B17

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: DriveType$ErrorExceptionException@8H_prolog3_catchLastRaiseThrow
String ID: :$:$\$\
API String ID: 3854800999-1058066849
Opcode ID: 4c760bba74eb229388ae64d7cf50427bf50217fc9c7441f1965a68369dfcc430
Instruction ID: 53bf8c9af4326a236e710e979cbfb1824660317f15b7df1c7c16a8be661f2931
Opcode Fuzzy Hash: 4c760bba74eb229388ae64d7cf50427bf50217fc9c7441f1965a68369dfcc430
Instruction Fuzzy Hash: 1841687190C3859BC710DF298890AABBBE8FF95744F00092EF5A583351D778AD48CB9B

Function 0040E941 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 436
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch.LIBCMT ref: 0040E960
CoInitialize.OLE32(00000000), ref: 0040E96E

Part of subcall function 00411517: __EH_prolog3_catch.LIBCMT ref: 0041151E
Part of subcall function 00411517: GetCurrentThreadId.KERNEL32 ref: 00411549

OleInitialize.OLE32(00000000), ref: 0040E9CF
GetModuleFileNameW.KERNEL32(?,00000208,00000000,00000000), ref: 0040EA82
OleUninitialize.OLE32 ref: 0040EE72

Part of subcall function 0046E4C8: _malloc.LIBCMT ref: 0046E4E0

GetActiveWindow.USER32 ref: 0040ED03

Part of subcall function 004026CF: __EH_prolog3.LIBCMT ref: 004026D6

Strings

pKJ, xrefs: 0040EC05

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3_catchInitialize$ActiveCurrentFileH_prolog3ModuleNameThreadUninitializeWindow_malloc
String ID: pKJ
API String ID: 3283072954-775196418
Opcode ID: d5f3f34658e0a2fd40fddb22d6404a12f8d072bccd3267c70a5c854cba997be7
Instruction ID: cea124af61918145e0805589546f5ad82bf60f539c4fc55fd5412af6ac70ee2d
Opcode Fuzzy Hash: d5f3f34658e0a2fd40fddb22d6404a12f8d072bccd3267c70a5c854cba997be7
Instruction Fuzzy Hash: 1B029270901249DFDB04DFA9C889ADDBBF5FF09304F24846EE105AB2A1DB789E44CB65

Function 0043E860 Relevance: 10.7, APIs: 7, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00438209: __EH_prolog3.LIBCMT ref: 00438210

__CxxThrowException@8.LIBCMT ref: 0043E91A

Part of subcall function 00472749: RaiseException.KERNEL32(?,?,004ADB04,00000065,?,?,004132CD,?,004ADB04,00000065,00000000,?,?,?,0041361B,?), ref: 00472789

__CxxThrowException@8.LIBCMT ref: 0043E94F
__CxxThrowException@8.LIBCMT ref: 0043E97E
__CxxThrowException@8.LIBCMT ref: 0043E9AF
__CxxThrowException@8.LIBCMT ref: 0043E9DE
__CxxThrowException@8.LIBCMT ref: 0043EA0B

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

__CxxThrowException@8.LIBCMT ref: 0043EA3C

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8Throw$ExceptionH_prolog3H_prolog3_catchRaise
String ID:
API String ID: 2801973587-0
Opcode ID: 7a441900a4b0b971e52ff753fce674d7a770bca8e64521d368561511d821d5f9
Instruction ID: 90f48602222dcfe3679d74dc5af3a4b94a7bd68a35e94539c2c1691fc6e34ba7
Opcode Fuzzy Hash: 7a441900a4b0b971e52ff753fce674d7a770bca8e64521d368561511d821d5f9
Instruction Fuzzy Hash: 1F61B1712083019FD308EF66C881FABB7E5BF98704F104A1EF195972A1DB78E908CB56

Function 00412F06 Relevance: 10.6, APIs: 7, Instructions: 104
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32(0000002D), ref: 00412F38
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00412F50
SelectObject.GDI32(00000000,00000000), ref: 00412F6C
GetDlgItem.USER32(?,?), ref: 00412FB1
GetWindowTextW.USER32(00000000,?,00000104), ref: 00412FD2
DrawTextW.USER32(?,?,000000FF,?,00000400), ref: 0041300B
GetWindowRect.USER32(?,?), ref: 0041303A

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: TextWindow$DrawItemMessageMetricsObjectRectSelectSendSystem
String ID:
API String ID: 2923810944-0
Opcode ID: a2dcba06c28804b7c8fb79d498b85bdce8ce725cdba0ff15885e23aec943cb85
Instruction ID: 890aeb46277cf9fd0c59b883598e8b5ed34d3efea8ee03d74ad14775f27a34db
Opcode Fuzzy Hash: a2dcba06c28804b7c8fb79d498b85bdce8ce725cdba0ff15885e23aec943cb85
Instruction Fuzzy Hash: 9C41B7B1D01228AFCB609FA9DC88ADDBBB4FB48715F1001EAE509E6260D7749EC0CF14

Function 00404582 Relevance: 9.1, APIs: 6, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_calloc.LIBCMT ref: 004045A8

Part of subcall function 0046EAD1: __calloc_impl.LIBCMT ref: 0046EAE4

GetDlgItem.USER32(?,0000040E), ref: 004045EF
GetClientRect.USER32(00000000,?), ref: 004045FA
GetTextExtentPoint32W.GDI32(?,004A40B0,00000001,?), ref: 00404611
MapDialogRect.USER32(?,?), ref: 0040461E
SetDlgItemTextW.USER32(?,0000040E,?,?), ref: 00404664

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ItemRectText$ClientDialogExtentPoint32__calloc_impl_calloc
String ID:
API String ID: 2218667647-0
Opcode ID: d355e2f4535ea7005b6b435d79862b31c6e448c7c8c3b4b00229b1119ec2458e
Instruction ID: fa428ca1f354786f4970aa55eec2edfa3586de264a2abbba1d2837a5c566276f
Opcode Fuzzy Hash: d355e2f4535ea7005b6b435d79862b31c6e448c7c8c3b4b00229b1119ec2458e
Instruction Fuzzy Hash: C631B072900205EFDB119F65CC85A9DBBF9FF44310F14807AEE09AF1A6D775A841CB64

Function 0041A575 Relevance: 7.7, APIs: 5, Instructions: 168fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

__CxxThrowException@8.LIBCMT ref: 0041A5A8

Part of subcall function 00472749: RaiseException.KERNEL32(?,?,004ADB04,00000065,?,?,004132CD,?,004ADB04,00000065,00000000,?,?,?,0041361B,?), ref: 00472789

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 0041A5ED
GetLastError.KERNEL32 ref: 0041A605
GetLastError.KERNEL32 ref: 0041A6B3
GetLastError.KERNEL32 ref: 0041A74A

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ErrorLast$ExceptionException@8FileH_prolog3_catchRaiseThrowWrite
String ID:
API String ID: 2278084019-0
Opcode ID: 4709282939f679912a13f822686c6b40476ab88d03355a9ffe5f9f12efd9ce0c
Instruction ID: dcb6842e009b9fd6157710ffdc78ce2bdb119982a935604beb239f85be5bcd37
Opcode Fuzzy Hash: 4709282939f679912a13f822686c6b40476ab88d03355a9ffe5f9f12efd9ce0c
Instruction Fuzzy Hash: 1B518D31509304AFD710EF60C8819AFB7E9AF90354F10092FF89696691D738EE99CB5B

Function 004129B0 Relevance: 7.6, APIs: 5, Instructions: 108COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 004129B7

Part of subcall function 00413423: __EH_prolog3_catch.LIBCMT ref: 0041342A

Part of subcall function 0041368B: __EH_prolog3.LIBCMT ref: 00413692

_wcschr.LIBCMT ref: 00412A25
_wcschr.LIBCMT ref: 00412A3B
_wcschr.LIBCMT ref: 00412A76
ShellExecuteW.SHELL32(00000000,00000000,?,00000000,004A4124,00000001), ref: 00412AA0

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: _wcschr$H_prolog3_catch$ExecuteH_prolog3Shell
String ID:
API String ID: 2785434109-0
Opcode ID: d5722f9bd5115906ba0d106bd0108e895e06dcfc5c98233c6cb354cacf2ddec3
Instruction ID: 3729c90b1ea7e110c5177ab14da75043370f1d71ab658095aa1277d58ab6a922
Opcode Fuzzy Hash: d5722f9bd5115906ba0d106bd0108e895e06dcfc5c98233c6cb354cacf2ddec3
Instruction Fuzzy Hash: 3231B432D017169ACF309F918A817EF6260EF50B55F28402BE904E6281E7FC99E18399

Function 00417F59 Relevance: 7.6, APIs: 5, Instructions: 80fileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00417F60
CreateFileW.KERNELBASE(?,0041A3AE,?,00000000,FFFF7FFF,00000080,00000000,00000008,0041AEAE,00000000,?,?,?,?), ref: 00417F9F
DeviceIoControl.KERNEL32(00000000,0009C040,FFFF7FFF,00000002,00000000,00000000,00000800,00000000), ref: 00417FE0
CreateFileA.KERNEL32(00000000,00000000,?,00000000,?,?,00000000,?,00000000,?), ref: 0041801B
GetLastError.KERNEL32 ref: 0041802F

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CreateFile$ControlDeviceErrorH_prolog3Last
String ID:
API String ID: 2214164888-0
Opcode ID: 986b343a0a71acedcbcf38880e5fbe3e85a3038258cea0092275c93a37953772
Instruction ID: 15dfaf5dbb29a395e17e2ddd84dce7610fb2c92da1d7c4ae14c6765335d090eb
Opcode Fuzzy Hash: 986b343a0a71acedcbcf38880e5fbe3e85a3038258cea0092275c93a37953772
Instruction Fuzzy Hash: 95316B7150020AEFCF009FA5CC858EF3BB5FF18359F10452EF911912A1DB388AA6DB99

Function 0041ABDD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNELBASE(000000FF,?), ref: 0041ACB9

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

__CxxThrowException@8.LIBCMT ref: 0041AC0B

Part of subcall function 00472749: RaiseException.KERNEL32(?,?,004ADB04,00000065,?,?,004132CD,?,004ADB04,00000065,00000000,?,?,?,0041361B,?), ref: 00472789

Strings

, xrefs: 0041AD4B

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ExceptionException@8FileH_prolog3_catchHandleInformationRaiseThrow
String ID:
API String ID: 618899945-3916222277
Opcode ID: c3f5a41f59c9788cab057b6e8e59073dff5a5218b94f2fad81bca5e5ad666a9a
Instruction ID: 19391ad17a79fe40d044eb091133a4a1fea4d49a57a2a42173d2ecb32d9b7755
Opcode Fuzzy Hash: c3f5a41f59c9788cab057b6e8e59073dff5a5218b94f2fad81bca5e5ad666a9a
Instruction Fuzzy Hash: 5F5101715097449BD321DF65C449BCBB7E8BF40318F044A2FF89182691E7BCE898CB9A

Function 0040DFCF Relevance: 6.3, APIs: 4, Instructions: 266windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003EB), ref: 0040E038
SendMessageW.USER32(00000000,0000004E,000003EB,?), ref: 0040E045
SetCurrentDirectoryW.KERNEL32(?), ref: 0040E2B7
SetCurrentDirectoryW.KERNEL32(?), ref: 0040E308

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CurrentDirectory$ItemMessageSend
String ID:
API String ID: 1716510259-0
Opcode ID: 5fb1af1cf1d4054b933ce20860c49b36836c0f19f32cde997d71b0d55fa31e64
Instruction ID: 25529834b9ce85092d5ca32059093937ccff041e1d4f09fbaadc1c3b48572fd3
Opcode Fuzzy Hash: 5fb1af1cf1d4054b933ce20860c49b36836c0f19f32cde997d71b0d55fa31e64
Instruction Fuzzy Hash: 2291C070600211CBDB359F22C845A6B77A5AB90314F140C7FEA56B72E1C7BCAC629B5E

Function 004316EC Relevance: 6.3, APIs: 4, Instructions: 260timeCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004316F6
__CxxThrowException@8.LIBCMT ref: 0043172D
DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 004318A1
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004318B9

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Time$File$DateException@8H_prolog3_LocalThrow
String ID:
API String ID: 1027347510-0
Opcode ID: 9a4948e6dab8fbd8911730a87df8ed46847bc7b3d74e848c81abf99d85ba2ced
Instruction ID: 747fae880f3af45b3f3ac8203462707f5ab069ba106f4edfb0ba5721a91e5f4d
Opcode Fuzzy Hash: 9a4948e6dab8fbd8911730a87df8ed46847bc7b3d74e848c81abf99d85ba2ced
Instruction Fuzzy Hash: E4B1BFB4D0427A9BCB20AF25CC547E9BBB0FF09301F0401DAE499A7691D7389B95DF94

Function 0040CFD6 Relevance: 6.2, APIs: 4, Instructions: 237windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000407,?,?), ref: 0040D025
PostMessageW.USER32(?,00000402,00000000,?), ref: 0040D21E
PostMessageW.USER32(000000FF,00000405,00000000,00000000), ref: 0040D2A6
PostMessageW.USER32(000000FF,00000405,00000000,00000000), ref: 0040D33B

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7ef9103c2a33b67720c6a539dc46c5008c65773f498c75f6abd4b842f8f26930
Instruction ID: b85a8cc4a2728fd7a3df72168a934cb4cd85e721a26b9e6699c4fdf503820afc
Opcode Fuzzy Hash: 7ef9103c2a33b67720c6a539dc46c5008c65773f498c75f6abd4b842f8f26930
Instruction Fuzzy Hash: 6F815531504701AFC724AFA1C885E6B7BA4EF44324F10472FF525A31E1EB39E859CB9A

Function 0041A31D Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041A324
__CxxThrowException@8.LIBCMT ref: 0041A37D
_wcsrchr.LIBCMT ref: 0041A3C6
GetLastError.KERNEL32(?,00000000,?), ref: 0041A425

Part of subcall function 0046E4C8: _malloc.LIBCMT ref: 0046E4E0

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ErrorException@8H_prolog3LastThrow_malloc_wcsrchr
String ID:
API String ID: 1305422554-0
Opcode ID: 666d4f0a2411d13ab90b722b83f37e771a17d503a3af2f513f7d3de07e5cb1a8
Instruction ID: 4155375336981527f0855876f272c2dfbf065001d37791404ff87fd28dabcaf0
Opcode Fuzzy Hash: 666d4f0a2411d13ab90b722b83f37e771a17d503a3af2f513f7d3de07e5cb1a8
Instruction Fuzzy Hash: 1241A07190120A9FDF10AFA4C885AEEB7B5FF44308B10442EF905A7251CB789DA0CB9A

Function 0040C7DE Relevance: 6.1, APIs: 4, Instructions: 101windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0040C7E5
LoadStringW.USER32(FFFF0000,00000000,00000100,00000010), ref: 0040C84B
LoadStringW.USER32(?,00000000,00000100,00000010), ref: 0040C8D0
MessageBoxW.USER32(?,FFFF0000,?,00000000), ref: 0040C8E9

Part of subcall function 0046E4C8: _malloc.LIBCMT ref: 0046E4E0

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: LoadString$H_prolog3_catchMessage_malloc
String ID:
API String ID: 1361368681-0
Opcode ID: 22bb444a03d39b7c0ee066ae92295d7513bea9f40bdb2c0e9ab221b49b584d90
Instruction ID: 9be3febe98fb7fb77b741aca86aebf61eb27a0c0c060aac534c7846279f0970d
Opcode Fuzzy Hash: 22bb444a03d39b7c0ee066ae92295d7513bea9f40bdb2c0e9ab221b49b584d90
Instruction Fuzzy Hash: EC313872900115EBDB14AF569C45BBE77B4EF04725F20812FF815B62D0EB788A01DB9D

Function 00470B05 Relevance: 6.1, APIs: 4, Instructions: 70threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00470B40
CreateThread.KERNELBASE(?,?,00470A85,00000000,?,?), ref: 00470B84
GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00470B8E
__dosmaperr.LIBCMT ref: 00470BA6

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr
String ID:
API String ID: 84609068-0
Opcode ID: 7090922797ff008642ac43f4d93457999a5854a682840e9b33b91c2012be7d92
Instruction ID: 50393bd67de6869381daddfdeb40aa4cc8a92a70972f5a31fdedcb647c88b131
Opcode Fuzzy Hash: 7090922797ff008642ac43f4d93457999a5854a682840e9b33b91c2012be7d92
Instruction Fuzzy Hash: E611E772502305EFDB21BFE5DC428DF77A5EF00368B20853FF549A2191E739AA018B69

Function 0041237C Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

IsDialogMessageW.USER32(?,?), ref: 004123B1
TranslateMessage.USER32(?), ref: 004123BF
DispatchMessageW.USER32(?), ref: 004123C9
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004123D8

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: b35ae216d1b9e23c56625099fbd878101384a3ee5b2998eceb53f95eb43c5f79
Instruction ID: f09366d009cfa1f446d30a27da72d4cec1a49fff74f943752758d316882c2c3f
Opcode Fuzzy Hash: b35ae216d1b9e23c56625099fbd878101384a3ee5b2998eceb53f95eb43c5f79
Instruction Fuzzy Hash: 5F010C7290121DEFDF109FF48D84DEE77ACEB09344B14442BE911E2250E67DD9A0DB69

Function 0042945C Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 539COMMON

Download Yara Rule

APIs

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

__CxxThrowException@8.LIBCMT ref: 004294C6

Part of subcall function 00472749: RaiseException.KERNEL32(?,?,004ADB04,00000065,?,?,004132CD,?,004ADB04,00000065,00000000,?,?,?,0041361B,?), ref: 00472789

Strings

, xrefs: 004295AB
IA, xrefs: 0042982B

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ExceptionException@8H_prolog3_catchRaiseThrow
String ID: $IA
API String ID: 10698533-2342638154
Opcode ID: e38794d406b2eddb291373c5ffc5134c7ffc202fab973c57931850196f100d08
Instruction ID: f40d085412eb65a231bb9e1e14745c7a7fda35d41b6b2ab9c6a47184a0afe9e5
Opcode Fuzzy Hash: e38794d406b2eddb291373c5ffc5134c7ffc202fab973c57931850196f100d08
Instruction Fuzzy Hash: DC229A312083518BC725DF25D484B6FBBE4AF84704F44491EF88A9B2A1DB78DD44CB9A

Function 0042AA62 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 406COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0042AA6C
__CxxThrowException@8.LIBCMT ref: 0042AAF9

Part of subcall function 0040695C: __CxxThrowException@8.LIBCMT ref: 00406977

Part of subcall function 0041A31D: __EH_prolog3.LIBCMT ref: 0041A324
Part of subcall function 0041A31D: __CxxThrowException@8.LIBCMT ref: 0041A37D
Part of subcall function 0041A31D: _wcsrchr.LIBCMT ref: 0041A3C6
Part of subcall function 0041A31D: GetLastError.KERNEL32(?,00000000,?), ref: 0041A425

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

Strings

IA, xrefs: 0042AE9D, 0042AEBC, 0042AEA0

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8Throw$H_prolog3$ErrorH_prolog3_catchLast_wcsrchr
String ID: IA
API String ID: 477051573-2205123733
Opcode ID: 52c4e53ff887eff544127104373643a3a0096c0d36fc2b173680036ed763b9b1
Instruction ID: 012109d81497d45fe9d621877cc67c39a4e5a19494660486c862d02993b1ffd2
Opcode Fuzzy Hash: 52c4e53ff887eff544127104373643a3a0096c0d36fc2b173680036ed763b9b1
Instruction Fuzzy Hash: 23F19C70A00219EFDB24EF90D949FEEB7B5EF44304F64805EE805AB250D778AE54CB66

Function 0042A644 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 296COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0042A675

Part of subcall function 00472749: RaiseException.KERNEL32(?,?,004ADB04,00000065,?,?,004132CD,?,004ADB04,00000065,00000000,?,?,?,0041361B,?), ref: 00472789

__EH_prolog3_catch.LIBCMT ref: 0042A64E

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

Strings

IA, xrefs: 0042AA13, 0042A925, 0042A995

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3_catch$ExceptionException@8RaiseThrow
String ID: IA
API String ID: 1279188806-2205123733
Opcode ID: b9bbdf0e9c3f880a628d15602da91aaf5a0186a68fa4e950379ad425d20bdecb
Instruction ID: 2b323d0e73ded7a06de12cc6d1cee396ca1806feeb76f9d93ba5c94edb95cc0a
Opcode Fuzzy Hash: b9bbdf0e9c3f880a628d15602da91aaf5a0186a68fa4e950379ad425d20bdecb
Instruction Fuzzy Hash: EDB1AB70B00219AFDF14EFA5D848BAEBBB5AF44304F14805EF845AB291D738DD91CB69

Function 00429DB4 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00429DBE
__CxxThrowException@8.LIBCMT ref: 00429DE0

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

Part of subcall function 00429B4E: __EH_prolog3.LIBCMT ref: 00429B58

Part of subcall function 0040695C: __CxxThrowException@8.LIBCMT ref: 00406977

Part of subcall function 0041B0F2: __CxxThrowException@8.LIBCMT ref: 0041B117

Strings

IA, xrefs: 00429FD1, 00429F38, 00429F9F, 00429F3B

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8Throw$H_prolog3_catch$H_prolog3
String ID: IA
API String ID: 3361668480-2205123733
Opcode ID: 92795cb2d6040e38ee05e90ac78aaeced2d394780de6b57cebd0fbc511d1fa64
Instruction ID: 670281e41e37c3c63f277be8103ae209c679b44b4545ac7f2b44740383e93e06
Opcode Fuzzy Hash: 92795cb2d6040e38ee05e90ac78aaeced2d394780de6b57cebd0fbc511d1fa64
Instruction Fuzzy Hash: 88A16A70A00219DFCF04DF65C585AAEBBB1BF48304F15809AF806AB391DB39DD41CBA4

Function 0041B02F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041B036

Part of subcall function 00448740: _calloc.LIBCMT ref: 00448744

Part of subcall function 0046E4C8: _malloc.LIBCMT ref: 0046E4E0

__CxxThrowException@8.LIBCMT ref: 0041B0B1

Part of subcall function 0041B492: _memset.LIBCMT ref: 0041B4B8

Strings

TcJ, xrefs: 0041B079

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8H_prolog3Throw_calloc_malloc_memset
String ID: TcJ
API String ID: 2270223088-1278070676
Opcode ID: e6c441af22b186494026a3dd25901817265d02348140e93569bc2a26913ec0e3
Instruction ID: d7927bbaea9c64b1a6f6e38c53727ad18b9790175f88bda44534bb8695ac18ab
Opcode Fuzzy Hash: e6c441af22b186494026a3dd25901817265d02348140e93569bc2a26913ec0e3
Instruction Fuzzy Hash: 4621C070E002069FCB10EFA5C8816EEBBA5EF08704F25842EF55567381DB7D9E418BD9

Function 0041244C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0041249A

Strings

PMJ, xrefs: 00412465

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ErrorLast
String ID: PMJ
API String ID: 1452528299-1076063844
Opcode ID: 0a4b789971eb61b4087ad8969b835b3e9b9eac5c541c2cad44e6052a217bd4b7
Instruction ID: 2ccd80dcb499d4d23e67b02b0c567398850f1eb0e34ce8282daaf7e67e6afb1e
Opcode Fuzzy Hash: 0a4b789971eb61b4087ad8969b835b3e9b9eac5c541c2cad44e6052a217bd4b7
Instruction Fuzzy Hash: BA014570701604AF8330AF695A808BFBBE8AF14314304487FF047C7742CAACCD9887AA

Function 00412945 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041294C
MessageBoxW.USER32(?,00000000,004C87B8,?), ref: 00412994

Strings

$AJ, xrefs: 0041296A

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3Message
String ID: $AJ
API String ID: 2898835920-3211715044
Opcode ID: d1df3f5d84ddd0707963270fe337b755905e55c3b9368e71b4a26880082bbac7
Instruction ID: 6ed40c58867c246328745ceb5b3a8f6ef175dc1dfb090ac58cae5dbfe2746f98
Opcode Fuzzy Hash: d1df3f5d84ddd0707963270fe337b755905e55c3b9368e71b4a26880082bbac7
Instruction Fuzzy Hash: 6CF062B090010AAFCF44EFA4DD059EE3BB5FF08305F50442EF415E6161EB789A14CB65

Function 00402467 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,00000000,?,?,?,?,?,?,9!@,00000000,?), ref: 004024A3

Strings

9!@, xrefs: 0040248C
@6L, xrefs: 00402471

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CreateWindow
String ID: 9!@$@6L
API String ID: 716092398-2636683330
Opcode ID: da5cc8270a66887f14ef0a5282fcab83851fd5b264a040756d0169632323746a
Instruction ID: 0565b7b5fa63ccecfa25acdb5100231b8cfc8b1d1906464ebef507b631db2d4f
Opcode Fuzzy Hash: da5cc8270a66887f14ef0a5282fcab83851fd5b264a040756d0169632323746a
Instruction Fuzzy Hash: 8BF0DA76200119AFDB11CF98DD09EAB7BAAEB88750F158169FD049B260D771EC20DB94

Function 0040F1F5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 0040241F: GetCurrentProcess.KERNEL32(00000000,0000000D,?,004022E3,?,?,004017F3), ref: 00402453
Part of subcall function 0040241F: FlushInstructionCache.KERNEL32(00000000), ref: 0040245A

SetLastError.KERNEL32(0000000E,00000000,?,00000000,0040ED12,00000000), ref: 0040F20B
DialogBoxParamW.USER32(?,00000000,VA,00000000,00000000), ref: 0040F233

Strings

VA, xrefs: 0040F223

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CacheCurrentDialogErrorFlushInstructionLastParamProcess
String ID: VA
API String ID: 2229644096-1642038470
Opcode ID: a45dda8d53333fe66f0568ebb043e916602d31057ef07022ed8f0c4da8a0e3d5
Instruction ID: 9559283ad2d04dfaca2de445fe73d6985b466a1ba89c1f88deefba8f1c5ac094
Opcode Fuzzy Hash: a45dda8d53333fe66f0568ebb043e916602d31057ef07022ed8f0c4da8a0e3d5
Instruction Fuzzy Hash: D3E09236240120E6D6202FA5AD45B6A3694AB44B20F10053BFB01F50D1DB758846C36A

Function 0041A838 Relevance: 4.7, APIs: 3, Instructions: 216COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0041A86B
SetFilePointer.KERNELBASE(?,00000000,?,00000002), ref: 0041A8FA

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 0041AA6C

Part of subcall function 00414B6E: __CxxThrowException@8.LIBCMT ref: 00414B96

Part of subcall function 00423BB6: __EH_prolog3.LIBCMT ref: 00423BBD

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8FilePointerThrow$H_prolog3H_prolog3_catch
String ID:
API String ID: 564545149-0
Opcode ID: ae018a6e080c2f1472f2c1b71d2f2bb4bbe3e90be679bd278c14870b44380469
Instruction ID: faf76b4dc3451e06f8b59066a96079757423da0957bd58858a060bd6dca9a4f9
Opcode Fuzzy Hash: ae018a6e080c2f1472f2c1b71d2f2bb4bbe3e90be679bd278c14870b44380469
Instruction Fuzzy Hash: 1471D37060A7009BC724DF15CA81AEBB3E5BF80720F540A1FF4A693690D738E995CB5B

Function 0040CC82 Relevance: 4.7, APIs: 3, Instructions: 200windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040E726: __EH_prolog3.LIBCMT ref: 0040E72D
Part of subcall function 0040E726: RtlEnterCriticalSection.NTDLL(004CBA3C), ref: 0040E73B
Part of subcall function 0040E726: RtlLeaveCriticalSection.NTDLL(004CBA3C), ref: 0040E7B8

PostMessageW.USER32(000000FF,00000406,00000000,00000000), ref: 0040CD91

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CriticalSection$EnterH_prolog3LeaveMessagePost
String ID:
API String ID: 3175935150-0
Opcode ID: d7cb4ce009ef32d75ba312334faea9ec910638784ad1f1917426f9c52efe2799
Instruction ID: 3d272078be0d4ce3293dfff81503de6a0bc9bd03953f91bf1b1e9b966b9915c4
Opcode Fuzzy Hash: d7cb4ce009ef32d75ba312334faea9ec910638784ad1f1917426f9c52efe2799
Instruction Fuzzy Hash: 93718D71108345DFC724DF25D881A9BBBE5FB88314F204A2FF495E32D1DB3899948B9A

Function 0043F110 Relevance: 4.7, APIs: 3, Instructions: 199COMMON

Download Yara Rule

APIs

Part of subcall function 00438209: __EH_prolog3.LIBCMT ref: 00438210

__CxxThrowException@8.LIBCMT ref: 0043F225
_memset.LIBCMT ref: 0043F267
_memset.LIBCMT ref: 0043F275

Part of subcall function 0043E860: __CxxThrowException@8.LIBCMT ref: 0043E91A
Part of subcall function 0043E860: __CxxThrowException@8.LIBCMT ref: 0043E94F
Part of subcall function 0043E860: __CxxThrowException@8.LIBCMT ref: 0043E97E

Part of subcall function 00413380: __CxxThrowException@8.LIBCMT ref: 004133B2

Part of subcall function 0043E860: __CxxThrowException@8.LIBCMT ref: 0043E9AF
Part of subcall function 0043E860: __CxxThrowException@8.LIBCMT ref: 0043E9DE
Part of subcall function 0043E860: __CxxThrowException@8.LIBCMT ref: 0043EA0B
Part of subcall function 0043E860: __CxxThrowException@8.LIBCMT ref: 0043EA3C

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8Throw$_memset$H_prolog3
String ID:
API String ID: 207774560-0
Opcode ID: 4e56ef19818853e72e2f5ea7bca8464686239c5c3be10aec92a7e4a0cb42781c
Instruction ID: 368b8b33959c909da0f9c6cf1e581ba302ff01b66a9dfc3135aa430fd509b45c
Opcode Fuzzy Hash: 4e56ef19818853e72e2f5ea7bca8464686239c5c3be10aec92a7e4a0cb42781c
Instruction Fuzzy Hash: 1E71A5712083419FD324DF55C891FABB7E9AFC8704F00491EF68997281DBB4A908CB66

Function 004028E8 Relevance: 4.7, APIs: 3, Instructions: 175fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 004028EF
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00402995
CloseHandle.KERNEL32(?), ref: 00402ADF

Part of subcall function 0040695C: __CxxThrowException@8.LIBCMT ref: 00406977

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CloseCreateException@8FileH_prolog3_catchHandleThrow
String ID:
API String ID: 2346817456-0
Opcode ID: c245294e2bcda2f12943e785d1547e892bcb5fecdb033e02fb15f7d0a211dadb
Instruction ID: acedb010e216129685f30b46a229072d1c308362973a27a2ebf8ceaf5b333c07
Opcode Fuzzy Hash: c245294e2bcda2f12943e785d1547e892bcb5fecdb033e02fb15f7d0a211dadb
Instruction Fuzzy Hash: 0F51E4707003059FDB24EB65C659B7EBBA5BF04318F10452EF452A76E2DBB8AD40CB58

Function 00402D76 Relevance: 4.6, APIs: 3, Instructions: 145COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00402D80

Part of subcall function 00402C12: __EH_prolog3_catch_GS.LIBCMT ref: 00402C1C
Part of subcall function 00402C12: SHGetFolderPathW.SHELL32(00000000,00000020,00000000,00000000,?), ref: 00402C5D

__itow_s.LIBCMT ref: 00402E88
__itow_s.LIBCMT ref: 00402F08

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3_catch___itow_s$FolderPath
String ID:
API String ID: 277952429-0
Opcode ID: 5fa32c8e2db902f3d7b9d52cc579dda7f2185d70c2c00d741beb866ab4ca7ae5
Instruction ID: ccc4dd78bc4ef78c24c744b31f5c47ca2a94bc3493f41e908b813847148bf41b
Opcode Fuzzy Hash: 5fa32c8e2db902f3d7b9d52cc579dda7f2185d70c2c00d741beb866ab4ca7ae5
Instruction Fuzzy Hash: CD41C4319001286ACB20FB5ACD49FEEB7B8DF84315F1001AFB91DB21D1DAB84F848A59

Function 00412AE6 Relevance: 4.6, APIs: 3, Instructions: 137COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00412AED

Part of subcall function 00413299: __CxxThrowException@8.LIBCMT ref: 004132C8

Part of subcall function 0047210B: __lock.LIBCMT ref: 00472119
Part of subcall function 0047210B: __getdcwd_nolock.LIBCMT ref: 0047212B

__chdir.LIBCMT ref: 00412B53
__chdir.LIBCMT ref: 00412C56

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: __chdir$Exception@8H_prolog3_catchThrow__getdcwd_nolock__lock
String ID:
API String ID: 11999470-0
Opcode ID: 958c6469eb277bcb97f09388e58a2cf532ae65dc3ff00154c8d4a52c72c89ebb
Instruction ID: 943d9ad838e67a6bcf09ea14dfdab3609c6d8846c2772a43b279d0d54d69e4ad
Opcode Fuzzy Hash: 958c6469eb277bcb97f09388e58a2cf532ae65dc3ff00154c8d4a52c72c89ebb
Instruction Fuzzy Hash: A041E6B1A00245AFDF15AF55C945BFD7B61AF04314F04405AFA14AB3E2DBBD8EA1C788

Function 00418445 Relevance: 4.6, APIs: 3, Instructions: 106COMMON

Download Yara Rule

APIs

GetShortPathNameW.KERNELBASE(?,?,00000104), ref: 004184FA
GetShortPathNameW.KERNEL32(?,?,00000000), ref: 0041853B
GetLastError.KERNEL32 ref: 004185FC

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: NamePathShort$ErrorLast
String ID:
API String ID: 1928201977-0
Opcode ID: bacf834ef753a2b15f22f3efdee30cbd29e7bfc72c6b7562124496df5a55f83f
Instruction ID: 19b5036c2e85718d93b3f04773cf975d59e2d0596d52e79ef856e1f13a85bc04
Opcode Fuzzy Hash: bacf834ef753a2b15f22f3efdee30cbd29e7bfc72c6b7562124496df5a55f83f
Instruction Fuzzy Hash: 47319072108344AFC711EF51C8849EFB7E9EF98704F10092FF58693251DE799E898B5A

Function 0041A47F Relevance: 4.6, APIs: 3, Instructions: 85fileCOMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0041A4AD
ReadFile.KERNELBASE(000000FF,?,?,?,00000000), ref: 0041A4F1

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

GetLastError.KERNEL32 ref: 0041A505

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ErrorException@8FileH_prolog3_catchLastReadThrow
String ID:
API String ID: 656740654-0
Opcode ID: 5d362d325d00b20671f1ba4708242913eb17bcdced3be72a598a50baea4167b5
Instruction ID: 98047d25e2c2e2dabcee81b4345894e90f8bac1eab8b908a32007ae4b7402c44
Opcode Fuzzy Hash: 5d362d325d00b20671f1ba4708242913eb17bcdced3be72a598a50baea4167b5
Instruction Fuzzy Hash: E231F471509301ABC710EF65C8849EB77E8BB94328F400A2FF48192191D778EE98CB5B

Function 004189B0 Relevance: 4.6, APIs: 3, Instructions: 70COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?), ref: 00418A25

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

__CxxThrowException@8.LIBCMT ref: 004189F9

Part of subcall function 00472749: RaiseException.KERNEL32(?,?,004ADB04,00000065,?,?,004132CD,?,004ADB04,00000065,00000000,?,?,?,0041361B,?), ref: 00472789

GetFileAttributesA.KERNEL32(?), ref: 00418A54

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: AttributesFile$ExceptionException@8H_prolog3_catchRaiseThrow
String ID:
API String ID: 4287634551-0
Opcode ID: 4bb57909b7254184b756bfa995905a98894d291872315dde0f544ddb4eb7f4ef
Instruction ID: a25aea8dbab080c7969770944d8c3d4a1a9a62e37b7fff5326475da43880e2c1
Opcode Fuzzy Hash: 4bb57909b7254184b756bfa995905a98894d291872315dde0f544ddb4eb7f4ef
Instruction Fuzzy Hash: 4921B571408345EFC710DF14C841A9ABBE4FF55768F004A2EF894532A1DB799948CB9A

Function 0041819F Relevance: 4.6, APIs: 3, Instructions: 51COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,00000000,?,00418149,?,?,?,004C1E84), ref: 004181B4
GetFileAttributesW.KERNEL32(?,?,00000000,?,00418149,?,?,?,004C1E84), ref: 004181C0
_wcsrchr.LIBCMT ref: 004181D7

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: AttributesCreateDirectoryFile_wcsrchr
String ID:
API String ID: 399696544-0
Opcode ID: 53be16dad5141dffbae7f302eb0638049b0fe732d234d315afe7e58e22040ae0
Instruction ID: f782a97c459d683dc23ab2a7a31aa8f69e2c7ad6b4bf85ca451c9d6403e5a076
Opcode Fuzzy Hash: 53be16dad5141dffbae7f302eb0638049b0fe732d234d315afe7e58e22040ae0
Instruction Fuzzy Hash: ECF04932182302B9E2251B25AC45FFB739CAF82710F14061FF590672D0DF749842922D

Function 0046E918 Relevance: 4.5, APIs: 3, Instructions: 47COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00000001,0046E9AC,?,?,00402F28,00000003,00000000,?), ref: 0046E953
GetLastError.KERNEL32 ref: 0046E95E
__dosmaperr.LIBCMT ref: 0046E965

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: AttributesErrorFileLast__dosmaperr
String ID:
API String ID: 1932490781-0
Opcode ID: b237afc6b04f3a4a8ff1c04ef640850ee86595bed9698047690a3120a4c8c800
Instruction ID: 7dc8b3d29dac383926a124a257b207e6ee6ba645ff5930ba47bab9b880a2563f
Opcode Fuzzy Hash: b237afc6b04f3a4a8ff1c04ef640850ee86595bed9698047690a3120a4c8c800
Instruction Fuzzy Hash: 0001A270404300CEDAB22BB6A8053EB77A09F82734F01854FF5A8562E6E77C48458B9B

Function 00404695 Relevance: 4.5, APIs: 3, Instructions: 46windowCOMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32(?,00000402,?), ref: 0040470D
GetDlgItem.USER32(?,000003F6), ref: 0040471D
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00404746

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Item$MessageSendText
String ID:
API String ID: 3392263854-0
Opcode ID: 5768a14d3bee01b2159072ccdd0782c8dc0692ee2edc7eee15560909a4d4e2f6
Instruction ID: c7f80f697d9223a497c6a56c394f647aa94f8fad6dc2d0830a07e7d0db9cd25c
Opcode Fuzzy Hash: 5768a14d3bee01b2159072ccdd0782c8dc0692ee2edc7eee15560909a4d4e2f6
Instruction Fuzzy Hash: B6111870501A01AFD7649F34DD4ABA7B7E5BB48705F00882EF29BA21A1D7706811DB08

Function 0040E8E3 Relevance: 4.5, APIs: 3, Instructions: 42windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000080,00000001,00000000,?,?,?,0040323C), ref: 0040E90C
SendMessageW.USER32(?,00000080,00000001,00000000), ref: 0040E914
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0040E937

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: MessageSend$ImageLoad
String ID:
API String ID: 2074947779-0
Opcode ID: e03014aa9771f799a0a8d4b5993d75c587954ce357068e3857e9a513740ceaff
Instruction ID: 1e20208807c255a55d4fef9e30b93bdc4796badb17ea4da51b3e9164a9714b9f
Opcode Fuzzy Hash: e03014aa9771f799a0a8d4b5993d75c587954ce357068e3857e9a513740ceaff
Instruction Fuzzy Hash: 20F019716811547BF6211796DC4BF6B3F2DD785F65F010035F704990E0C6E22854CB79

Function 00417525 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 89COMMON

Download Yara Rule

APIs

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

__CxxThrowException@8.LIBCMT ref: 0041754F

Part of subcall function 00472749: RaiseException.KERNEL32(?,?,004ADB04,00000065,?,?,004132CD,?,004ADB04,00000065,00000000,?,?,?,0041361B,?), ref: 00472789

Strings

PK, xrefs: 0041758F

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ExceptionException@8H_prolog3_catchRaiseThrow
String ID: PK
API String ID: 10698533-2811355336
Opcode ID: 2e0f8a69ac6e1fa6090477a811d43803611d70f31ae8d063e1a34e1e722a2ff1
Instruction ID: ffb067b86a0b2212f06d82e6127039bab16a5430b308f835b19b7287b577a7a0
Opcode Fuzzy Hash: 2e0f8a69ac6e1fa6090477a811d43803611d70f31ae8d063e1a34e1e722a2ff1
Instruction Fuzzy Hash: B931C0B0E042099BCF14DBA8C8516FEBBB1EF58304F50405FE012E7281E7789A46CB59

Function 0041252A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00412531

Strings

PMJ, xrefs: 00412578

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3_catch
String ID: PMJ
API String ID: 3886170330-1076063844
Opcode ID: 61c2bebd7f5d4d17b773d9ffea6322ca9dcce0c582edd0616fac4e4a92e615a2
Instruction ID: dbfdd7d263ffff981fd512ad6b87acc54b9be45b106cbed291a37e746d0955fc
Opcode Fuzzy Hash: 61c2bebd7f5d4d17b773d9ffea6322ca9dcce0c582edd0616fac4e4a92e615a2
Instruction Fuzzy Hash: 7FF0A034A004119BCB15EFA9C255AADB7A1AF04315F21801EE592EB391CB788E409B9E

Function 0041A2D7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041A2DE

Part of subcall function 0041A78C: FindCloseChangeNotification.KERNELBASE(?), ref: 0041A7B2

Strings

bJ, xrefs: 0041A2F5

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ChangeCloseFindH_prolog3Notification
String ID: bJ
API String ID: 800261803-636695863
Opcode ID: 0c11619ca29bc89cfe7afd088f488acf4230a359b798a33d2368ae84177744bb
Instruction ID: e9386a2567e807a7c1d019143b2eea29c1838896c6742d198328058bb268f7d9
Opcode Fuzzy Hash: 0c11619ca29bc89cfe7afd088f488acf4230a359b798a33d2368ae84177744bb
Instruction Fuzzy Hash: B6E0B6B1405B158AC720FF92C44538DBBE0AB11308BA5C95FE0A95B691DBFC95888B9E

Function 00421F83 Relevance: 3.4, APIs: 2, Instructions: 393COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00421FE7

Part of subcall function 00472749: RaiseException.KERNEL32(?,?,004ADB04,00000065,?,?,004132CD,?,004ADB04,00000065,00000000,?,?,?,0041361B,?), ref: 00472789

Part of subcall function 0043288C: __EH_prolog3_GS.LIBCMT ref: 00432893
Part of subcall function 0043288C: __CxxThrowException@8.LIBCMT ref: 004328ED
Part of subcall function 0043288C: _memset.LIBCMT ref: 0043299B

__EH_prolog3.LIBCMT ref: 00421F91

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8Throw$ExceptionH_prolog3H_prolog3_H_prolog3_catchRaise_memset
String ID:
API String ID: 2620095835-0
Opcode ID: ea63ec662c2a09735638e391880718a320e09b2af2d9e1d3158154fa5394eef9
Instruction ID: c0ce61d56cc1fbdff1453cf23609231f921b5062471a4bce8e755c1f20f47739
Opcode Fuzzy Hash: ea63ec662c2a09735638e391880718a320e09b2af2d9e1d3158154fa5394eef9
Instruction Fuzzy Hash: DAF19D30600258EFCF18EF64D995AED7BB1BF04304F9440AEF90697261CBB9AE48CB55

Function 0042080E Relevance: 3.3, APIs: 2, Instructions: 335COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00420815
__CxxThrowException@8.LIBCMT ref: 0042085A

Part of subcall function 0041B0F2: __CxxThrowException@8.LIBCMT ref: 0041B117

Part of subcall function 00421F83: __EH_prolog3.LIBCMT ref: 00421F91
Part of subcall function 00421F83: __CxxThrowException@8.LIBCMT ref: 00421FE7

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8Throw$H_prolog3
String ID:
API String ID: 2680013047-0
Opcode ID: 9cc28248653f84474046394b51f5714594729ae89a7d2767eb49d59c943749e4
Instruction ID: 8b84ead9e399a6b5bd2ece47825663cd0ea88ee0e2a0d2e31627cc727a3e9d58
Opcode Fuzzy Hash: 9cc28248653f84474046394b51f5714594729ae89a7d2767eb49d59c943749e4
Instruction Fuzzy Hash: D7D18130B00259CFDF14DFA8D488BAEBBF1AF45308F54809AE416AB362C779AD45CB55

Function 00420D3B Relevance: 3.3, APIs: 2, Instructions: 297COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00420D46
__CxxThrowException@8.LIBCMT ref: 00420D9B

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8H_prolog3_catchThrow
String ID:
API String ID: 1118002619-0
Opcode ID: 3daf157df03edefee782decd1a3cdff6d9c9561e22c32cdc5a7041d8f8304361
Instruction ID: cc09aae82967f229efb4f4d17df12dff814bccd9121c39190fc7382b92b16a19
Opcode Fuzzy Hash: 3daf157df03edefee782decd1a3cdff6d9c9561e22c32cdc5a7041d8f8304361
Instruction Fuzzy Hash: FBB15C30701268DFCB24DF69C998AAD7BE1BF48704F55405AF9018B3A2DBB9EC45CB94

Function 0042C502 Relevance: 3.2, APIs: 2, Instructions: 215COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0042C50C
__CxxThrowException@8.LIBCMT ref: 0042C535

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8H_prolog3_catchH_prolog3_catch_Throw
String ID:
API String ID: 629799809-0
Opcode ID: 38f6a3a8a443334dcfd0fc8e595f12cd3a25921b3b217fbcea394292a45bf767
Instruction ID: 3f168f874f590c8cf1cfba12062848884aaf22955e119d93706aa23469400c3b
Opcode Fuzzy Hash: 38f6a3a8a443334dcfd0fc8e595f12cd3a25921b3b217fbcea394292a45bf767
Instruction Fuzzy Hash: 84816B70A00218ABDB14EFA4E8C0FEDB7B5AF48310F60456AF516A7290DB34AD85CF58

Function 0042BF1C Relevance: 3.2, APIs: 2, Instructions: 192COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0042BF26

Part of subcall function 0041B0F2: __CxxThrowException@8.LIBCMT ref: 0041B117

__CxxThrowException@8.LIBCMT ref: 0042C00D

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8Throw$H_prolog3_catch
String ID:
API String ID: 3079028488-0
Opcode ID: 730e00fdb59bda0cd0ea370be8ba2bc17c0091b0684c606fce7cbfbe9f855047
Instruction ID: 63ce5696c7e71dbe0d6ca65d92db31f3c51012c7abf241bf558f410658bb8fdc
Opcode Fuzzy Hash: 730e00fdb59bda0cd0ea370be8ba2bc17c0091b0684c606fce7cbfbe9f855047
Instruction Fuzzy Hash: 0C719970600309DFDB24DFA5C885BAFBBB5BF88304F10845EF416A7291DB78A944CB65

Function 004210D4 Relevance: 3.1, APIs: 2, Instructions: 142COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 004210DF

Part of subcall function 0042C48A: __CxxThrowException@8.LIBCMT ref: 0042C4B3

__CxxThrowException@8.LIBCMT ref: 0042119B

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8Throw$H_prolog3_catch
String ID:
API String ID: 3079028488-0
Opcode ID: 7d363b83de8df479b15af33fe03bfd538125fd7293d99d2461ce91b5845e8551
Instruction ID: f591134e972e6411dd43f1d536b8f5381d3b9f92d4ba1a16f63659c7a6069052
Opcode Fuzzy Hash: 7d363b83de8df479b15af33fe03bfd538125fd7293d99d2461ce91b5845e8551
Instruction Fuzzy Hash: C941DD70700264AFCB14EF65DC81DBE77A8FF29704B50006FF656972A2CB78AC45C6A9

Function 00423C01 Relevance: 3.1, APIs: 2, Instructions: 106COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00423C08

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

__CxxThrowException@8.LIBCMT ref: 00423C3B

Part of subcall function 00472749: RaiseException.KERNEL32(?,?,004ADB04,00000065,?,?,004132CD,?,004ADB04,00000065,00000000,?,?,?,0041361B,?), ref: 00472789

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ExceptionException@8H_prolog3H_prolog3_catchRaiseThrow
String ID:
API String ID: 2149902277-0
Opcode ID: da3c351590c0544504d7dc87a091de39e9073b218e9f9aa28b6b9ad8b2195b84
Instruction ID: 56e8503fa7af7d7d62bbe2e17babfb86348854fe846e5e0a7c3ae5e282672be2
Opcode Fuzzy Hash: da3c351590c0544504d7dc87a091de39e9073b218e9f9aa28b6b9ad8b2195b84
Instruction Fuzzy Hash: 27411B71A0023ACFCB15DF56D9814AEBB75BF44B12B95845BF811A7350C7789A40CB98

Function 00402C12 Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00402C1C

Part of subcall function 00413423: __EH_prolog3_catch.LIBCMT ref: 0041342A

SHGetFolderPathW.SHELL32(00000000,00000020,00000000,00000000,?), ref: 00402C5D

Part of subcall function 00414BA7: __EH_prolog3.LIBCMT ref: 00414BAE

Part of subcall function 004233E1: __CxxThrowException@8.LIBCMT ref: 00423406

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8FolderH_prolog3H_prolog3_catchH_prolog3_catch_PathThrow
String ID:
API String ID: 1587153336-0
Opcode ID: e2482dd5cf100e295a5f15607fbd2933340e0dec1d39e069ea60cd3115cc91b7
Instruction ID: a5d84b43a8dfd52a88ef7551e7e0a2c87f14fc3ed0c0dada9d046cd692a94ac5
Opcode Fuzzy Hash: e2482dd5cf100e295a5f15607fbd2933340e0dec1d39e069ea60cd3115cc91b7
Instruction Fuzzy Hash: 0B31A9319041189ADB24EB65DD8DAAEB7B4AF94305F2000EEF009A72D1DB7C9F84CB19

Function 004179E3 Relevance: 3.1, APIs: 2, Instructions: 96COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004179EA

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

__CxxThrowException@8.LIBCMT ref: 00417A0D

Part of subcall function 00472749: RaiseException.KERNEL32(?,?,004ADB04,00000065,?,?,004132CD,?,004ADB04,00000065,00000000,?,?,?,0041361B,?), ref: 00472789

Part of subcall function 00417881: __EH_prolog3.LIBCMT ref: 00417888
Part of subcall function 00417881: __CxxThrowException@8.LIBCMT ref: 004178BF

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8H_prolog3Throw$ExceptionH_prolog3_catchRaise
String ID:
API String ID: 795541548-0
Opcode ID: a4a564cfb586fecd50bd250f400aa7c00a466bc98f5104ce0b313b1e1e3aefe9
Instruction ID: a1ed90696a826cd3f8cfde2eb044a2e0fd6f2e67fe07d5432d0ea59ef78840bd
Opcode Fuzzy Hash: a4a564cfb586fecd50bd250f400aa7c00a466bc98f5104ce0b313b1e1e3aefe9
Instruction Fuzzy Hash: 08418A7090424ADFCF01EFA4C588AEEBBB5BF04308F54809EF9056B251C7799E54CBA2

Function 0042A1AB Relevance: 3.1, APIs: 2, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0042A1B5
__CxxThrowException@8.LIBCMT ref: 0042A1E3

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3_catch$Exception@8Throw
String ID:
API String ID: 3876760537-0
Opcode ID: 1606ac711c2a1e7476dc7c4349cd91976c903e3b114306e002ac0511ddd36462
Instruction ID: 8f26fbc08fa0a211d0ab33d77271e97b1538d4d1ec1d94337c0bfbf2edbf0974
Opcode Fuzzy Hash: 1606ac711c2a1e7476dc7c4349cd91976c903e3b114306e002ac0511ddd36462
Instruction Fuzzy Hash: 133127B0A00219EFDF14EF64C945BEEB7B5AB48304F50445AF915A3290C738AE64CBA6

Function 0042C399 Relevance: 3.1, APIs: 2, Instructions: 92COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0042C3A0

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

__CxxThrowException@8.LIBCMT ref: 0042C3BF

Part of subcall function 00472749: RaiseException.KERNEL32(?,?,004ADB04,00000065,?,?,004132CD,?,004ADB04,00000065,00000000,?,?,?,0041361B,?), ref: 00472789

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ExceptionException@8H_prolog3H_prolog3_catchRaiseThrow
String ID:
API String ID: 2149902277-0
Opcode ID: b856afc062d4361a3e8bff779cdad3e1be44c520000ac64f3d6ad638465a100e
Instruction ID: 005e8f89653f74949a8f3efda301919feee3d22f16df967404fd978835c0f254
Opcode Fuzzy Hash: b856afc062d4361a3e8bff779cdad3e1be44c520000ac64f3d6ad638465a100e
Instruction Fuzzy Hash: 0D313E70B0011A9FCF14EFA5D8D18BEBBB6AF44314BA0892EE411E7291CB385D458B59

Function 0041F4B2 Relevance: 3.1, APIs: 2, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0041F4B9
_sprintf.LIBCMT ref: 0041F522

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3__sprintf
String ID:
API String ID: 1186671347-0
Opcode ID: a67aa062ba6c705841afbb9b465d29afe7fd7acacfcdb892caf2c0159fd8df58
Instruction ID: 20e45eb758d73c69dc2130fbe7718ba0a30d41f7e57bc634e7084ed86d93275d
Opcode Fuzzy Hash: a67aa062ba6c705841afbb9b465d29afe7fd7acacfcdb892caf2c0159fd8df58
Instruction Fuzzy Hash: 00218F71A00308AFCB14EFA5C5849DEB7B5BF48304B54492EF446D7252EB38A989CB59

Function 0042D0AD Relevance: 3.1, APIs: 2, Instructions: 72COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0042D0B4
__CxxThrowException@8.LIBCMT ref: 0042D151

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID:
API String ID: 3670251406-0
Opcode ID: 4bcd770cf81edb24eaf7abfb78f8d1bb3763ac5753f45da94ee0e0553744d4ee
Instruction ID: 0e29c5e2d7dd6592e012710f17f6c182d5bb040da9291e3bc4ee8d19e9c48485
Opcode Fuzzy Hash: 4bcd770cf81edb24eaf7abfb78f8d1bb3763ac5753f45da94ee0e0553744d4ee
Instruction Fuzzy Hash: 2F21B670A00215ABCF21EF59CC40AEEB7E4EF81320F50862FB826672D1DB789E00CB55

Function 0042E854 Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0042E85B
__CxxThrowException@8.LIBCMT ref: 0042E884

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID:
API String ID: 3670251406-0
Opcode ID: e5a349900beca6e73132496a8048a6e3c9c389494e1da8bdb5e6f066cd0934e9
Instruction ID: c228c06f0a500609c708a8e14c0fa28feaf46d111c2155c451d606f7570d2cf7
Opcode Fuzzy Hash: e5a349900beca6e73132496a8048a6e3c9c389494e1da8bdb5e6f066cd0934e9
Instruction Fuzzy Hash: 11216FB0904714DFD710EF6BD481A9EFBF4BF08704B90856EE5C997640D738AA05CB99

Function 0041B51F Relevance: 3.0, APIs: 2, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041B526

Part of subcall function 0046E4C8: _malloc.LIBCMT ref: 0046E4E0

__CxxThrowException@8.LIBCMT ref: 0041B588

Part of subcall function 004267C2: __EH_prolog3.LIBCMT ref: 004267C9
Part of subcall function 004267C2: _memset.LIBCMT ref: 0042684E

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw_malloc_memset
String ID:
API String ID: 4266494698-0
Opcode ID: 076822bc63e951edc5137cfff718b2a6b58cf882896a50130bdd229f0a2c33a3
Instruction ID: 6d2983792fc90951365db0d8202271ca61c37deca622b554a124821c120a70ec
Opcode Fuzzy Hash: 076822bc63e951edc5137cfff718b2a6b58cf882896a50130bdd229f0a2c33a3
Instruction Fuzzy Hash: 6511A170A00219AFCB00FFB689818DEBB71FF04704BA0842EF514A7251C7388E44C799

Function 00425FED Relevance: 3.0, APIs: 2, Instructions: 48COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00425FF4

Part of subcall function 0046E4C8: _malloc.LIBCMT ref: 0046E4E0

__CxxThrowException@8.LIBCMT ref: 00426056

Part of subcall function 00425E86: __EH_prolog3.LIBCMT ref: 00425E8D
Part of subcall function 00425E86: _memset.LIBCMT ref: 00425EF0
Part of subcall function 00425E86: _memset.LIBCMT ref: 00425EFC

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3_memset$Exception@8Throw_malloc
String ID:
API String ID: 71305810-0
Opcode ID: d62b0e5b17cc750cc353af8fe0903c3040f4331c0f70bbe6c8b109fc1b8d0da1
Instruction ID: c9d7616007c0b4ea645452564d7665aa198ff26faab3780205df36c03d007bca
Opcode Fuzzy Hash: d62b0e5b17cc750cc353af8fe0903c3040f4331c0f70bbe6c8b109fc1b8d0da1
Instruction Fuzzy Hash: 87019270A01229DFCB00EFB6D8814AEBB71BF08344BA1846FF545A7251CB789F04D799

Function 0040CF11 Relevance: 3.0, APIs: 2, Instructions: 34windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040E726: __EH_prolog3.LIBCMT ref: 0040E72D
Part of subcall function 0040E726: RtlEnterCriticalSection.NTDLL(004CBA3C), ref: 0040E73B
Part of subcall function 0040E726: RtlLeaveCriticalSection.NTDLL(004CBA3C), ref: 0040E7B8

GetTickCount.KERNEL32 ref: 0040CF39
PostMessageW.USER32(000000FF,00000404,?,?), ref: 0040CF60

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CriticalSection$CountEnterH_prolog3LeaveMessagePostTick
String ID:
API String ID: 902659623-0
Opcode ID: 17bb4ac220bc16c453bb809503de9b0df2a2c469d52765fd5d9fb3f4092ad272
Instruction ID: 1fc15d8dd098f0712301b2cdf5af36504c46272a80d8516582cfbfa6eced7039
Opcode Fuzzy Hash: 17bb4ac220bc16c453bb809503de9b0df2a2c469d52765fd5d9fb3f4092ad272
Instruction Fuzzy Hash: 3BF04F71904702DFCB309F20A84491B77E2AB08720F104F3FE5D6A26E1C334E8999B5A

Function 0040C8B5 Relevance: 3.0, APIs: 2, Instructions: 29windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,00000000,00000100,00000010), ref: 0040C8D0
MessageBoxW.USER32(?,FFFF0000,?,00000000), ref: 0040C8E9

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: LoadMessageString
String ID:
API String ID: 2284331267-0
Opcode ID: 5ea80c5d67dfd9a457b00ee36eaac2431e43a7066256ae32d18674ad3bde4af9
Instruction ID: 92cb40cdd438783a95d38fda28d2d4e3a982d1d89df7fc8964cd4518b3c4e5a0
Opcode Fuzzy Hash: 5ea80c5d67dfd9a457b00ee36eaac2431e43a7066256ae32d18674ad3bde4af9
Instruction Fuzzy Hash: 6CF08C76900015EBCF216F92EC04CBE7BB5FB44714B10002DF904A3260EB399D11DBA9

Function 00404C31 Relevance: 3.0, APIs: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FC), ref: 00404C46
IsWindowVisible.USER32(00000000), ref: 00404C4D

Part of subcall function 004054D6: EnableWindow.USER32(00000000,00000001), ref: 004054FB

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Window$EnableItemVisible
String ID:
API String ID: 3179577904-0
Opcode ID: e5fe5341df8deea63e15f9a418874fffe333d908d86689bf442d5db36648b3c8
Instruction ID: 1d380391180e94702158bcdc1dbe5eceb9e43365457af9d35a118de67c146997
Opcode Fuzzy Hash: e5fe5341df8deea63e15f9a418874fffe333d908d86689bf442d5db36648b3c8
Instruction Fuzzy Hash: CCF0E571409211AFE71277749D08BDB77A8AF91350F11083FF245B21D1D7B95441C769

Function 00473415 Relevance: 3.0, APIs: 2, Instructions: 5COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 00473419

Part of subcall function 004733EF: GetModuleHandleA.KERNEL32(0049FE64,0047341E,?,0046EB98,000000FF,0000001E,00000001,00000000,00000000,?,00476CBD,?,00000001,?,0047559B,00000018), ref: 004733F4
Part of subcall function 004733EF: GetProcAddress.KERNEL32(00000000,0049FE54), ref: 00473404

ExitProcess.KERNEL32 ref: 00473423

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 14eb083e35f6364d08b2ac1a1a8d834447263dfa64e1ef2edbd8a1f1fa7a8ee2
Instruction ID: 96eb407eff61599f0e6197c5d89557b7fdb8966d636ba0c19b8806f24d474684
Opcode Fuzzy Hash: 14eb083e35f6364d08b2ac1a1a8d834447263dfa64e1ef2edbd8a1f1fa7a8ee2
Instruction Fuzzy Hash: 87B00231446100AFD6553F21DD4B85D7B71EF80716F51D86DF449440719F769D50FB05

Function 004212F4 Relevance: 2.0, APIs: 1, Instructions: 531COMMON

Download Yara Rule

APIs

Part of subcall function 0042D66A: __EH_prolog3.LIBCMT ref: 0042D671

__CxxThrowException@8.LIBCMT ref: 0042187F

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8H_prolog3H_prolog3_catchThrow
String ID:
API String ID: 1377961577-0
Opcode ID: 98ce4e8d5d8ce6e9ccf69134d40c44145906b832385dd2dab3b475b358ccd965
Instruction ID: c157ddba6125bd2fbb8c4aea638792d81f5cb727ddafb1e582675989179e5d8e
Opcode Fuzzy Hash: 98ce4e8d5d8ce6e9ccf69134d40c44145906b832385dd2dab3b475b358ccd965
Instruction Fuzzy Hash: 3322BA706083908FC724EF25C494B6FBBE1BFA5314F54095EF4969B2A1CB38E944CB5A

Function 00421A03 Relevance: 1.8, APIs: 1, Instructions: 328COMMON

Download Yara Rule

APIs

Part of subcall function 00422440: __EH_prolog3_catch.LIBCMT ref: 0042244A
Part of subcall function 00422440: __CxxThrowException@8.LIBCMT ref: 004224B4

__CxxThrowException@8.LIBCMT ref: 00421BF2

Part of subcall function 00436C6D: __EH_prolog3.LIBCMT ref: 00436C74
Part of subcall function 00436C6D: __CxxThrowException@8.LIBCMT ref: 00436C9F

Part of subcall function 0041B0F2: __CxxThrowException@8.LIBCMT ref: 0041B117

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8Throw$H_prolog3H_prolog3_catch
String ID:
API String ID: 147245295-0
Opcode ID: b06723d6c08be06d622efba5370b4e48d55d3a29ea96aa3663499a0a6adb2569
Instruction ID: df7943c4d440d36bc6b65e240c01ba4f8feea3c78fb6a9084c06bcfa05047222
Opcode Fuzzy Hash: b06723d6c08be06d622efba5370b4e48d55d3a29ea96aa3663499a0a6adb2569
Instruction Fuzzy Hash: 40D1AC70B00159DFCF00DF69D5889AEBBB5BF58304FA4409DE442AB3A1DB38AE44CB95

Function 00416F69 Relevance: 1.7, APIs: 1, Instructions: 227COMMON

Download Yara Rule

APIs

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

__CxxThrowException@8.LIBCMT ref: 00416FB4

Part of subcall function 00472749: RaiseException.KERNEL32(?,?,004ADB04,00000065,?,?,004132CD,?,004ADB04,00000065,00000000,?,?,?,0041361B,?), ref: 00472789

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ExceptionException@8H_prolog3_catchRaiseThrow
String ID:
API String ID: 10698533-0
Opcode ID: 86cee1c1591adf85e74a12855fff85297003917c4fb68bc08f6928af155b5f4c
Instruction ID: 3f0ac09e1fc9e481467947a718130bbaff2a168ff55593c3c4362fe956b0e449
Opcode Fuzzy Hash: 86cee1c1591adf85e74a12855fff85297003917c4fb68bc08f6928af155b5f4c
Instruction Fuzzy Hash: AE818E7140C302ABC714DF21C8809ABBBF4EF99754F10495FF89597252E738DA89CB9A

Function 00431422 Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00431455

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8H_prolog3_catchThrow
String ID:
API String ID: 1118002619-0
Opcode ID: 3eb0f081616814b3a255ec83abaa1a23546e4b1d44e52272734cde1c615a14d9
Instruction ID: 43bc7df1168460dfa546dc802f3bdd82839f6689be3b6e0291bf76b08113ee2e
Opcode Fuzzy Hash: 3eb0f081616814b3a255ec83abaa1a23546e4b1d44e52272734cde1c615a14d9
Instruction Fuzzy Hash: 6C4126B06083516BC724EB15C8A2BBB77E0EF95711F54095EF4E2C72D1D65CE908CB26

Function 0040ED4C Relevance: 1.6, APIs: 1, Instructions: 106comCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B0F2: __CxxThrowException@8.LIBCMT ref: 0041B117

OleUninitialize.OLE32 ref: 0040EE72

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8ThrowUninitialize
String ID:
API String ID: 2763929932-0
Opcode ID: 423805a3989e8900a989bd0114cb8db1ccbc8f3c75d8de4ef337972d40b873bc
Instruction ID: 7c4349e42636df5b76b6454630ac277bdd24cfb33b3762a66c3e650af91542e7
Opcode Fuzzy Hash: 423805a3989e8900a989bd0114cb8db1ccbc8f3c75d8de4ef337972d40b873bc
Instruction Fuzzy Hash: 88415030A00149DFCB14DFA9C599AADBBF1FF45304F6484BEE006AB6A1CB39AD44CB55

Function 0042E91F Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

__CxxThrowException@8.LIBCMT ref: 0042E94F

Part of subcall function 00472749: RaiseException.KERNEL32(?,?,004ADB04,00000065,?,?,004132CD,?,004ADB04,00000065,00000000,?,?,?,0041361B,?), ref: 00472789

Part of subcall function 004233E1: __CxxThrowException@8.LIBCMT ref: 00423406

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8Throw$ExceptionH_prolog3_catchRaise
String ID:
API String ID: 1579435050-0
Opcode ID: 3f7a2697ad1b2de9c94b48936b3449c1dba3106993cacb602b28ec74e0cdf029
Instruction ID: 1622bd294cd5a1aa970fcacac5e25fd4f5bc09fd0e5c06f3033079bf5ee04675
Opcode Fuzzy Hash: 3f7a2697ad1b2de9c94b48936b3449c1dba3106993cacb602b28ec74e0cdf029
Instruction Fuzzy Hash: 17313771600B009FD724DF26D484A6BB7E5FF88324B504A2EE88A87B50DB34F945CB59

Function 00438209 Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00438210

Part of subcall function 004398F9: __EH_prolog3.LIBCMT ref: 00439900
Part of subcall function 004398F9: __CxxThrowException@8.LIBCMT ref: 00439968

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID:
API String ID: 2489616738-0
Opcode ID: c6da8f854f696a60e98cef740e7ea5e0b9baa7ec032b82b4baf69956bca79f4c
Instruction ID: b91d7a1731915dfd7e20b9003c0f716b9467842518b016cf237ba2ce0c141435
Opcode Fuzzy Hash: c6da8f854f696a60e98cef740e7ea5e0b9baa7ec032b82b4baf69956bca79f4c
Instruction Fuzzy Hash: 4F419170A01254DFCB04EFA4D44AAAEBBB1BF08704F24409EF445AB391CF799E45CB99

Function 00436D2C Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00413299: __CxxThrowException@8.LIBCMT ref: 004132C8

__CxxThrowException@8.LIBCMT ref: 00436DA1

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8Throw$H_prolog3_catch
String ID:
API String ID: 3079028488-0
Opcode ID: a39bc56b61647ddd0558c6e4ad0680310257ea97606451a12b4a961b0fdde63a
Instruction ID: 60ebe2fe2bdd85122e83344e5b15f2a643190aa7d3f722c3f1bc9f9480d765cd
Opcode Fuzzy Hash: a39bc56b61647ddd0558c6e4ad0680310257ea97606451a12b4a961b0fdde63a
Instruction Fuzzy Hash: AE214C71700206ABCB28EF19CCD1DAB7794DF84304F11556FF91297281EA34EC88C7A9

Function 0042123A Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0042119B

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 5031bd4297e21299e38231e9ded398e0e775ed5d66497724478d1d208ae64f37
Instruction ID: b1b903bdf5491526673bdfcd4a594faa121901db7dbf9d897150191a60585aaf
Opcode Fuzzy Hash: 5031bd4297e21299e38231e9ded398e0e775ed5d66497724478d1d208ae64f37
Instruction Fuzzy Hash: 1E214130700224EBCB18EF25CC95EEE7768BF28710F50055AF516A72A1CB79AD05C698

Function 004135AD Relevance: 1.6, APIs: 1, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00413622

Part of subcall function 00413299: __CxxThrowException@8.LIBCMT ref: 004132C8

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8Throw_wcscpy
String ID:
API String ID: 615372805-0
Opcode ID: a65043e78d02826527e2ae73efecf60425080491347efb6c807070d8cf6898e4
Instruction ID: 3bbba3cffa1090fd260cf3a623354248c8b3e17e2b7a121d6d20ab679e733063
Opcode Fuzzy Hash: a65043e78d02826527e2ae73efecf60425080491347efb6c807070d8cf6898e4
Instruction Fuzzy Hash: 8911A271608340ABC320DF1AD881E5BBBE8FB88B54F100A1FF45493391DB389904CB6A

Function 004362C7 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 004362F7

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

Part of subcall function 004233E1: __CxxThrowException@8.LIBCMT ref: 00423406

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8Throw$H_prolog3_catch
String ID:
API String ID: 3079028488-0
Opcode ID: c61774dd3c6ce3833f7637fb02329f2ce651c227fa78301ac36a57cdbfb8fb8a
Instruction ID: 72e35242c4c991529b85b3908210b785de8b7a1e3218b41c161903e1c0bf0562
Opcode Fuzzy Hash: c61774dd3c6ce3833f7637fb02329f2ce651c227fa78301ac36a57cdbfb8fb8a
Instruction Fuzzy Hash: 2511B631604305AFC710EE25C88085FB3E5FF88314B518A2FE89687551DB34FD45CA99

Function 0040EE1D Relevance: 1.6, APIs: 1, Instructions: 58comCOMMON

Download Yara Rule

APIs

OleUninitialize.OLE32 ref: 0040EE72

Part of subcall function 0040C7DE: __EH_prolog3_catch.LIBCMT ref: 0040C7E5

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3_catchUninitialize
String ID:
API String ID: 1964057109-0
Opcode ID: 8af4b50604ae465e1b773c693c35aeaf9aaa700bf0c4ec6c18ed685f66159f9d
Instruction ID: 5dcf38cf1c9a861615dad2de3e8d8acd475e3f51853252acce2a057d3d9df221
Opcode Fuzzy Hash: 8af4b50604ae465e1b773c693c35aeaf9aaa700bf0c4ec6c18ed685f66159f9d
Instruction Fuzzy Hash: 7E118C71A00208DFCB149FA9D896AADBBF1EF08314F24447EE106A76E1CB396C048B49

Function 0040EE4A Relevance: 1.6, APIs: 1, Instructions: 56comCOMMON

Download Yara Rule

APIs

OleUninitialize.OLE32 ref: 0040EE72

Part of subcall function 0040C7DE: __EH_prolog3_catch.LIBCMT ref: 0040C7E5

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3_catchUninitialize
String ID:
API String ID: 1964057109-0
Opcode ID: 62c626df1f7651c8423c1f14d70c1c975590f78bb611ca233df07f6fd43e0b76
Instruction ID: f4cce21bd3f2775f668416c2e2ff4a890e338e15d138506d62f7c1401cc69d67
Opcode Fuzzy Hash: 62c626df1f7651c8423c1f14d70c1c975590f78bb611ca233df07f6fd43e0b76
Instruction Fuzzy Hash: 88117C71A00208DFCB149FA9D896AAD7BF1EF08314F24457EE106A77E1CB396C04CB59

Function 0042AF4A Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0042AF51

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: d73b0af1b0a54a9095c7c31b0f714690d902665fa08f74152b1061aeb950926b
Instruction ID: 9666f9794b2e32f220d40e99f08e87b8c4fda535c1307ccadf4d61886444afe4
Opcode Fuzzy Hash: d73b0af1b0a54a9095c7c31b0f714690d902665fa08f74152b1061aeb950926b
Instruction Fuzzy Hash: 6F11A271E006268BCB20EFAAD94149EB7B0EF40324B51825FE86467292C73CAD41CBD9

Function 00437093 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 004370C1

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8H_prolog3_catchThrow
String ID:
API String ID: 1118002619-0
Opcode ID: 6534d6601eafc99a31fc58ea76f534ddb62cbe6536ef74379d8b5522d21e9a3c
Instruction ID: c1f5f656240cfa2e3c5d373c7eeb2ef4d0f81b65c8d4bcfe5fca001b1621c0c9
Opcode Fuzzy Hash: 6534d6601eafc99a31fc58ea76f534ddb62cbe6536ef74379d8b5522d21e9a3c
Instruction Fuzzy Hash: 530196706097055BD738EE21C802B9AB3F5AF44320F10862FA896865D1EB78EA48C699

Function 00402870 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 0041B0F2: __CxxThrowException@8.LIBCMT ref: 0041B117

__CxxThrowException@8.LIBCMT ref: 004028AA

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8Throw$H_prolog3_catch
String ID:
API String ID: 3079028488-0
Opcode ID: f524ed10fac511200b4b8886e1ba6a2be53eadaefe8a951e07362324d34db654
Instruction ID: 3ab37715b6169fdfb8da5162cedeff76e446bfd53bd04e838598e82032ef3e61
Opcode Fuzzy Hash: f524ed10fac511200b4b8886e1ba6a2be53eadaefe8a951e07362324d34db654
Instruction Fuzzy Hash: 550192326143049FD214EB26C845CA6B3E9EF94320B04CA6FF055976D1EBB9F904CB95

Function 0041AE73 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(00000001,00000000,?,?,?,?,00000000,00000000,?,0041A3AE,?,00000000,?), ref: 0041AEB6

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 24f9cf09ea1e282c5891b88deed683e072a523d4fa5a75776751b66c2fda45b6
Instruction ID: 6554ae7c301d7033a01e3ac451fb057afff33f1846c4be60ff6dca7da4aa5776
Opcode Fuzzy Hash: 24f9cf09ea1e282c5891b88deed683e072a523d4fa5a75776751b66c2fda45b6
Instruction Fuzzy Hash: DD01D631604B059BCB314F69C888B67F7E9BF19325F500A1EF586829A1D778F8A4CB4D

Function 0042D803 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

__CxxThrowException@8.LIBCMT ref: 0042D832

Part of subcall function 00472749: RaiseException.KERNEL32(?,?,004ADB04,00000065,?,?,004132CD,?,004ADB04,00000065,00000000,?,?,?,0041361B,?), ref: 00472789

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ExceptionException@8H_prolog3_catchRaiseThrow
String ID:
API String ID: 10698533-0
Opcode ID: 57a3fd43e8a9eb875da5a4e9152977eec1e4d7590e11909682caa80d767f591d
Instruction ID: c91e9ca122a0eace671fa54960ec99a1ea19814b649ddc3d61a496d690ec8378
Opcode Fuzzy Hash: 57a3fd43e8a9eb875da5a4e9152977eec1e4d7590e11909682caa80d767f591d
Instruction Fuzzy Hash: 02F02431B002146BCB11BE61CC46F9AF764EF04360F40826BBC689B290DB34DA04C6D9

Function 00413299 Relevance: 1.5, APIs: 1, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 004132C8

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 8c7ad7995e5c132b0c7dd5c5394e3b6922c9fc7270fe216ae44dc82053568bed
Instruction ID: 6e34f21a0551632e0e8e4dabe96544958f090a0be38087a1dbd82e486cf895e3
Opcode Fuzzy Hash: 8c7ad7995e5c132b0c7dd5c5394e3b6922c9fc7270fe216ae44dc82053568bed
Instruction Fuzzy Hash: 76F090706003046ADB10BF698C46FEA77AC9B14709F14846BB845E2190EA7CDA84C769

Function 00436E5F Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00436E66

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: 7687d081fd9b88195d0cde50ddb3ae6c54b93962abf71d681aff4c1798934e00
Instruction ID: 2192e1bf9266705f84c99f13945725a597744201149cf610c9fc1e76c1700b77
Opcode Fuzzy Hash: 7687d081fd9b88195d0cde50ddb3ae6c54b93962abf71d681aff4c1798934e00
Instruction Fuzzy Hash: E4018638900B16DFCB21DF65C5022AAF7F0AF88711F21C92FE84167200D33A9A49CB99

Function 0042CD25 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

__CxxThrowException@8.LIBCMT ref: 0042CD57

Part of subcall function 00472749: RaiseException.KERNEL32(?,?,004ADB04,00000065,?,?,004132CD,?,004ADB04,00000065,00000000,?,?,?,0041361B,?), ref: 00472789

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ExceptionException@8H_prolog3_catchRaiseThrow
String ID:
API String ID: 10698533-0
Opcode ID: 87df34f3edceb563161f266ad3e43a3f53861e5ff50f87cb94d9728a0c09e4dc
Instruction ID: 5480022eda4e163a5361cabdf7a3b230a80a25ff99cfae8d462d0aba4fe64e74
Opcode Fuzzy Hash: 87df34f3edceb563161f266ad3e43a3f53861e5ff50f87cb94d9728a0c09e4dc
Instruction Fuzzy Hash: 64F0BE31604208ABCB14EF14DC46EDA3BA9EF48320F10466ABC66971E1DB71EA24CA95

Function 0041505D Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00415064

Part of subcall function 0041B02F: __EH_prolog3.LIBCMT ref: 0041B036
Part of subcall function 0041B02F: __CxxThrowException@8.LIBCMT ref: 0041B0B1

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID:
API String ID: 2489616738-0
Opcode ID: 28e2c2f5f0ae462868cc308a9180aa06206ca24044676f580f0c37f73472feb5
Instruction ID: f8c01e5902bc39a08e1eca52d1ab4341130e1281a4fbd024d0b58ddc78a9c670
Opcode Fuzzy Hash: 28e2c2f5f0ae462868cc308a9180aa06206ca24044676f580f0c37f73472feb5
Instruction Fuzzy Hash: 39F03A71601605CBEF18EFA5C8457EE7BB0AF84316F24456EE1158B291CB7D89848B49

Function 0041B649 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041B650

Part of subcall function 00425FED: __EH_prolog3.LIBCMT ref: 00425FF4
Part of subcall function 00425FED: __CxxThrowException@8.LIBCMT ref: 00426056

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID:
API String ID: 2489616738-0
Opcode ID: 1c0e6686deb9f27b6602a7971467607e4aeeed7acef43f29e98ef7338364a578
Instruction ID: 83110dc141c630e96383bb3c6b73da411e3aeae7d8786496fb5bfcbe224a906f
Opcode Fuzzy Hash: 1c0e6686deb9f27b6602a7971467607e4aeeed7acef43f29e98ef7338364a578
Instruction Fuzzy Hash: 72F01271A00118ABCB08EF95C848BAEBBA0FF54714F01805AF9199B250D7758A14DB99

Function 0041A78C Relevance: 1.5, APIs: 1, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00414B6E: __CxxThrowException@8.LIBCMT ref: 00414B96

FindCloseChangeNotification.KERNELBASE(?), ref: 0041A7B2

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ChangeCloseException@8FindNotificationThrow
String ID:
API String ID: 232429529-0
Opcode ID: 4c605ec3864a69814c29becc33027a1a4d8175bf33afb8a88c02e11be5def074
Instruction ID: 451cdefb32f8189353133a9e87c97b8ae50ff43db2ec81161e5c2e3efaacf9fb
Opcode Fuzzy Hash: 4c605ec3864a69814c29becc33027a1a4d8175bf33afb8a88c02e11be5def074
Instruction Fuzzy Hash: 1AF0E931A09B044BC3306A28C44976AB7F5AF95735F04074ED8A342AE1A778F8D4869D

Function 004056DA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000001,00000001), ref: 0040572A

Part of subcall function 0040C7DE: __EH_prolog3_catch.LIBCMT ref: 0040C7E5

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CallbackDispatcherH_prolog3_catchUser
String ID:
API String ID: 3863802795-0
Opcode ID: 98ae18fe33376905254b8726dce63c21a499277e19750a2b599032caddb53b1d
Instruction ID: 7c81c659ffa54fa47bc721bf4b7a33451fb19cf326e9e52985c76779e4e27455
Opcode Fuzzy Hash: 98ae18fe33376905254b8726dce63c21a499277e19750a2b599032caddb53b1d
Instruction Fuzzy Hash: 0CF0A0B0941600FADB252F10AC0BF3B77E2EB18B04F10842EF246662E0E7B65850AA59

Function 00414BF2 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

__CxxThrowException@8.LIBCMT ref: 00414C1C

Part of subcall function 00472749: RaiseException.KERNEL32(?,?,004ADB04,00000065,?,?,004132CD,?,004ADB04,00000065,00000000,?,?,?,0041361B,?), ref: 00472789

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ExceptionException@8H_prolog3_catchRaiseThrow
String ID:
API String ID: 10698533-0
Opcode ID: c110d39d29d070af397ed674a9ca35ab71fb00b1be40822fb8a00e0a9c2bf14b
Instruction ID: 6ecc956058c42a226bcb70142e273368549f0aa2bc1aae361d18a44a08edb313
Opcode Fuzzy Hash: c110d39d29d070af397ed674a9ca35ab71fb00b1be40822fb8a00e0a9c2bf14b
Instruction Fuzzy Hash: 67E0E530504308BBDB00FE24CC46F993398DB40314F00892ABD68960D0EA759B64CB9A

Function 00470A44 Relevance: 1.5, APIs: 1, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00476816: __amsg_exit.LIBCMT ref: 00476824

__endthreadex.LIBCMT ref: 00470A60

Part of subcall function 00470A0B: __freeptd.LIBCMT ref: 00470A33
Part of subcall function 00470A0B: RtlExitUserThread.NTDLL(?,00470A65,00000000), ref: 00470A3D

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ExitThreadUser__amsg_exit__endthreadex__freeptd
String ID:
API String ID: 2189681956-0
Opcode ID: ecd1cdd82a0748d1465db30b5a0917c3a442c6f0c0b52e0d411cc4e5e81cc3bd
Instruction ID: f8fd3b2bb74170a00711d5cfb4fba7c6c501b37fd7d81666cca1b8a8c0d9c712
Opcode Fuzzy Hash: ecd1cdd82a0748d1465db30b5a0917c3a442c6f0c0b52e0d411cc4e5e81cc3bd
Instruction Fuzzy Hash: 3FE08671900B04DFDB18BBA1C906FAD3765DF04705F21804EF0025B2A2CA785840DF25

Function 00413423 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0041342A

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: e3a816553bf95b76909096924c19bff87c1db4e017f839241c52c2c92c8295a7
Instruction ID: 4fc9d95be371b9de0100f721527ea9a6f3d4bc80830673bd7d43aea88af875f1
Opcode Fuzzy Hash: e3a816553bf95b76909096924c19bff87c1db4e017f839241c52c2c92c8295a7
Instruction Fuzzy Hash: B1E08C709042049ECB01EFA9880079C79E0AB04724F20857FB0ADE7281E7788A4487AA

Non-executed Functions

Function 0043EAB0 Relevance: 40.8, APIs: 17, Strings: 6, Instructions: 523COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,?,00000001,00000000), ref: 0043EADB
__CxxThrowException@8.LIBCMT ref: 0043EAFD

Part of subcall function 00472749: RaiseException.KERNEL32(?,?,004ADB04,00000065,?,?,004132CD,?,004ADB04,00000065,00000000,?,?,?,0041361B,?), ref: 00472789

SizeofResource.KERNEL32(?,00000000,00000000), ref: 0043EB05
__CxxThrowException@8.LIBCMT ref: 0043EB27
LoadResource.KERNEL32(?,00000000), ref: 0043EB2E
__CxxThrowException@8.LIBCMT ref: 0043EB4E
LockResource.KERNEL32(00000000), ref: 0043EB54
__CxxThrowException@8.LIBCMT ref: 0043EB74

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

__CxxThrowException@8.LIBCMT ref: 0043EBA8
_wcscat_s.LIBCMT ref: 0043ED1D
_wcscat_s.LIBCMT ref: 0043ED32
_wcsncpy.LIBCMT ref: 0043EDD0
_malloc.LIBCMT ref: 0043EEAD
_wcsncpy.LIBCMT ref: 0043EFD0
_malloc.LIBCMT ref: 0043F086
_wcsrchr.LIBCMT ref: 0043F0B4

Strings

SECURE, xrefs: 0043EC79
en_US, xrefs: 0043ED45, 0043EDB5, 0043EDCE, 0043EE22
RSA, xrefs: 0043EC41
-SECURE, xrefs: 0043EE4C, 0043EFFD
-RSA, xrefs: 0043EDF1
/tmp/..PKText., xrefs: 0043EEC3

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8Throw$Resource$_malloc_wcscat_s_wcsncpy$ExceptionFindH_prolog3_catchLoadLockRaiseSizeof_wcsrchr
String ID: -RSA$-SECURE$/tmp/..PKText.$RSA$SECURE$en_US
API String ID: 1852084083-3042125614
Opcode ID: 295ccecc3a6df165448770d3e72cb576c06b743ebeac2d4d86a06d393e304b2a
Instruction ID: 995a74277dc8c3dc47ae54e626eb9112986f5c5b317a9b785083c7ec75e95179
Opcode Fuzzy Hash: 295ccecc3a6df165448770d3e72cb576c06b743ebeac2d4d86a06d393e304b2a
Instruction Fuzzy Hash: 7F0224719012069BCB24EF69CC52AFB73B5EF58314F48452EE906973D0E738AA44CB99

Function 00446190 Relevance: 9.5, APIs: 3, Strings: 1, Instructions: 2487COMMON

Download Yara Rule

Strings

1, xrefs: 004473A0

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID:
String ID: 1
API String ID: 0-2212294583
Opcode ID: cd7c9a879657591d89dbb2497890ee273223b6bd46ca5314e8bcf680ba94e73d
Instruction ID: 449eec2199e24c0ddde907247afa93b54a42915fd9372da1ad1459d01598c202
Opcode Fuzzy Hash: cd7c9a879657591d89dbb2497890ee273223b6bd46ca5314e8bcf680ba94e73d
Instruction Fuzzy Hash: AE435A70904389CFDB24CF19C884699B7E1BF89328F15866EF8989B3A1D378D946CF45

Function 00448D80 Relevance: 9.3, APIs: 6, Instructions: 317COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 00448E0F

Part of subcall function 00448810: SetLastError.KERNEL32(00000000,00448F6E,?,10000001,00000000,00000000,?,?,00000018,00000000), ref: 00448827

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ErrorLast_calloc
String ID:
API String ID: 112881490-0
Opcode ID: e24d9625c2744b0ac7ff0e0bba43e84216c528a6dbf3790d2224e08badbb98d6
Instruction ID: 52d882e2011405198b06d63806439dca90e6e2fce18c2a6e905b5480130d151c
Opcode Fuzzy Hash: e24d9625c2744b0ac7ff0e0bba43e84216c528a6dbf3790d2224e08badbb98d6
Instruction Fuzzy Hash: CAB19170604301ABE720DF55CC85F6FB7E9AF99B04F00481EF54596281EBB8E845CBAA

Function 00419044 Relevance: 7.6, APIs: 5, Instructions: 132libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(004A50C8,004C1E84), ref: 00419099
GetProcAddress.KERNEL32(00000000,004A50E4), ref: 004190AE
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?), ref: 004190FB
GetProcAddress.KERNEL32(?,004A50F8), ref: 00419145
GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00419199

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: AddressDiskFreeProcSpace$HandleModule
String ID:
API String ID: 3170346035-0
Opcode ID: 3830142c5dd7e46fbe217adc478f402e7a394b6e3f11da4a678fd2fb18a09b8f
Instruction ID: 5497ab3bbd6eed2e3b7b5c9b9ef4492f351fc30b5dccdcf47b018996dfd2da00
Opcode Fuzzy Hash: 3830142c5dd7e46fbe217adc478f402e7a394b6e3f11da4a678fd2fb18a09b8f
Instruction Fuzzy Hash: 4B51F6B2508306AFC700CF55C99499BBBE8FB98314F504A2EF5A5D3290DB34EA49CB56

Function 0046E052 Relevance: 7.6, APIs: 5, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004750A1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004750B6
UnhandledExceptionFilter.KERNEL32(0049FE7C), ref: 004750C1
GetCurrentProcess.KERNEL32(C0000409), ref: 004750DD
TerminateProcess.KERNEL32(00000000), ref: 004750E4

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 99edcdadb9f6060f588b0f0a23a1dda3f86d60f484279f8841b1b7a65418791e
Instruction ID: 6c020a528ecf3f614b36576944aeeddcdb90374ce3f56d346728d2633e4ecb94
Opcode Fuzzy Hash: 99edcdadb9f6060f588b0f0a23a1dda3f86d60f484279f8841b1b7a65418791e
Instruction Fuzzy Hash: E721B2B88193069FE790DF69FD85A483BB4BB18315F10407AE408873B1EBB85981CF0D

Function 00426F0A Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 211encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

__CxxThrowException@8.LIBCMT ref: 00426F36

Part of subcall function 00472749: RaiseException.KERNEL32(?,?,004ADB04,00000065,?,?,004132CD,?,004ADB04,00000065,00000000,?,?,?,0041361B,?), ref: 00472789

CryptImportKey.ADVAPI32(00000000,?,?,?,004ADB04,00000067), ref: 00426F95
CryptSetKeyParam.ADVAPI32(?,00000013,00000028,00000000,?,00000009,?,00000004,?,?,00000007,?,?), ref: 0042714B

Strings

(, xrefs: 00427139

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Crypt$ExceptionException@8H_prolog3_catchImportParamRaiseThrow
String ID: (
API String ID: 2621123518-3887548279
Opcode ID: 8cbcfa60ee139175652427f39220e5151c613236db955dfcd770ccce6fcf6e6f
Instruction ID: 56ab016f183b750fe7a675bc16c14a4233f4c5ba60cecda8efbe2d51aca430d7
Opcode Fuzzy Hash: 8cbcfa60ee139175652427f39220e5151c613236db955dfcd770ccce6fcf6e6f
Instruction Fuzzy Hash: 0581E030B04229DFDF10EF51D845AEEBBB1EF44314F61809AF405AB291DB399D46CBA9

Function 0042742C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 98encryptionCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00427433
__CxxThrowException@8.LIBCMT ref: 00427458
CryptSetKeyParam.ADVAPI32(?,00000001,00000000,00000000,0000004C,00427B60,00000000,?,?,00000000,?,00000000,?,?,?,?), ref: 0042751A

Strings

L`{B, xrefs: 00427447, 00427454

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CryptException@8H_prolog3ParamThrow
String ID: L`{B
API String ID: 2108181948-3964171064
Opcode ID: b7091b61bfd1a9eb50b001e6717b484a46494e830e892c26abd2feb6b571088e
Instruction ID: 5ec3be7f13064ef990f071b7c44de806198eda34ad17e84081d195ea71d01733
Opcode Fuzzy Hash: b7091b61bfd1a9eb50b001e6717b484a46494e830e892c26abd2feb6b571088e
Instruction Fuzzy Hash: CF31B270B04215ABCF20BF61D881AEE7B35AF50308F50842FF5155A251DB389E85CB99

Function 0042721E Relevance: 6.1, APIs: 4, Instructions: 96encryptionCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00427225
__CxxThrowException@8.LIBCMT ref: 0042724D
CryptGetKeyParam.ADVAPI32(?,00000002,00000000,00000000,00000000), ref: 004272C8
CryptSetKeyParam.ADVAPI32(?,00000002,00000000,00000000), ref: 0042730C

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CryptParam$Exception@8H_prolog3Throw
String ID:
API String ID: 4141549210-0
Opcode ID: 95141cd2ebc51d218297c09eb0b6c55d22e66a76079190dfbe03b54b85258cf0
Instruction ID: 7415b722127bf9ce7e232593f25978fb88b50e58753557ad6b703dbbb1000724
Opcode Fuzzy Hash: 95141cd2ebc51d218297c09eb0b6c55d22e66a76079190dfbe03b54b85258cf0
Instruction Fuzzy Hash: F0319270A04215DBDB10EFA1D885AAEB775FF50304F50496FF51196290D7389D84CBA9

Function 004830DA Relevance: 4.5, APIs: 3, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32 ref: 004830ED
GetLocaleInfoA.KERNEL32(00000000,00001004,?,00000007), ref: 004830FF
GetACP.KERNEL32 ref: 00483128

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Locale$InfoThread
String ID:
API String ID: 4232894706-0
Opcode ID: 0b08b179bdd681c75d3c344f20efd59639db1957a1e5803db69788c590e10491
Instruction ID: 94abf74e269da27a78635814050ac3395c23e21c68cfbcc7b736e67a2caaf6c2
Opcode Fuzzy Hash: 0b08b179bdd681c75d3c344f20efd59639db1957a1e5803db69788c590e10491
Instruction Fuzzy Hash: D9F0FC31D012286BDB11DF74D9196EF77F49F05F01B0045ADDC42E7380D664AE0587D9

Function 00448D60 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10encryptionCOMMON

Download Yara Rule

APIs

CryptImportPublicKeyInfo.CRYPT32()yC,)yC,?,?), ref: 00448D74

Strings

)yC, xrefs: 00448D68, 00448D6D, 00448D72, 00448D73

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CryptImportInfoPublic
String ID: )yC
API String ID: 2874360361-3656742632
Opcode ID: 4c709916d8f060749b24e53f2ea473778a700c5a0eef390fb618c313fa072c10
Instruction ID: dd111e720e5dbbdfc42d44f7bdea282b660318f252865a61b5e44ede9b32e673
Opcode Fuzzy Hash: 4c709916d8f060749b24e53f2ea473778a700c5a0eef390fb618c313fa072c10
Instruction Fuzzy Hash: A8C002B9608301BF9A04DF54D988D2BB3E9EBC8710F008D0CB599C3240C630EC45CB32

Function 00448930 Relevance: 3.2, APIs: 2, Instructions: 170encryptionCOMMON

Download Yara Rule

APIs

CryptVerifyCertificateSignature.CRYPT32(00000000,00000001,00000007,?,?), ref: 004489C0
__time64.LIBCMT ref: 00448A0E

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CertificateCryptSignatureVerify__time64
String ID:
API String ID: 4012319449-0
Opcode ID: 4f658cf496740bfed60b8a18405546ac28a2322c522e892baf13deccd6b59b31
Instruction ID: 786ec52e64b4b758ddef11d0efa0c19169e62188822d67b1af89d80e0a1272b0
Opcode Fuzzy Hash: 4f658cf496740bfed60b8a18405546ac28a2322c522e892baf13deccd6b59b31
Instruction Fuzzy Hash: BC5188B56002009FE714DA19CC81F6B73E8EF88714F08851EEC499B352EB78E8058B64

Function 0042754F Relevance: 3.1, APIs: 2, Instructions: 69encryptionCOMMON

Download Yara Rule

APIs

CryptGetKeyParam.ADVAPI32(?,00000008,?,?,00000000), ref: 004275C1
__CxxThrowException@8.LIBCMT ref: 004275E4

Part of subcall function 0041B0F2: __CxxThrowException@8.LIBCMT ref: 0041B117

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8Throw$CryptParam
String ID:
API String ID: 3199611575-0
Opcode ID: ca3790b6e9f7818aa31613f5e3e7ad641502825d07e872c74aa51b45d5c21f1c
Instruction ID: 7ee02b4c02df75ff85f4d6b86539b8d0647ec8713d06b115104b30c3bfc587f6
Opcode Fuzzy Hash: ca3790b6e9f7818aa31613f5e3e7ad641502825d07e872c74aa51b45d5c21f1c
Instruction Fuzzy Hash: E811B471708612ABC704EF66A88496BB799FB84304F80092EF151C7691DB78ED8586DA

Function 00483143 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?), ref: 00483167
InterlockedExchange.KERNEL32(004C32C0,Function_000820DA), ref: 0048318F

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ExchangeInterlockedVersion
String ID:
API String ID: 2700998522-0
Opcode ID: c66dbd1ba8659a9332d37dd55daf52ad703295dc1d6eda4524b029a622aeb3f6
Instruction ID: a908f7d6ee9de0a4dc6fd4472c7f7fce9f6b7d08c7b8289ac35d811e09623387
Opcode Fuzzy Hash: c66dbd1ba8659a9332d37dd55daf52ad703295dc1d6eda4524b029a622aeb3f6
Instruction Fuzzy Hash: 29F01234900208DBDB50AF64D949B9DB7B4AB05B06F5084BAD40A92251CF749F899B09

Function 0043A1D0 Relevance: 1.7, APIs: 1, Instructions: 218COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0043A1E8

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: b1e180048686500ded05c80034bc845663e8ebbe3c2713e51d61249f8e561f17
Instruction ID: 31e24599129a93c58670bd3ef50ac6ee54e4b3bf211ff1702e1469a3d4b0b59d
Opcode Fuzzy Hash: b1e180048686500ded05c80034bc845663e8ebbe3c2713e51d61249f8e561f17
Instruction Fuzzy Hash: 8791E071A046028FD318CF28D880796F7E2FF98304F14C67ED8A987795E735A918CB86

Function 00449150 Relevance: 1.5, APIs: 1, Instructions: 16encryptionCOMMON

Download Yara Rule

APIs

CryptHashPublicKeyInfo.CRYPT32(?,?,?,?,?,00000000,?), ref: 00449173

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CryptHashInfoPublic
String ID:
API String ID: 2789653980-0
Opcode ID: 8f1d966697275e34ddda3dbfde2cfcea62703256df0cd3ceeb873015d24baced
Instruction ID: 000574ad9318d0b7f3f66081656891bc02af9e0a5d323d27bfa701cdbbcd9224
Opcode Fuzzy Hash: 8f1d966697275e34ddda3dbfde2cfcea62703256df0cd3ceeb873015d24baced
Instruction Fuzzy Hash: ECD067B1608202EF8604CF88C884C5BBBFDFBDC340F00890CB585C3261C630E84ACBA6

Function 00448D30 Relevance: 1.5, APIs: 1, Instructions: 14encryptionCOMMON

Download Yara Rule

APIs

CryptVerifySignatureW.ADVAPI32(?,?,?,?,?,?,00428701,?,?,?,00000005,?,00000000,00000000), ref: 00448D4E

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CryptSignatureVerify
String ID:
API String ID: 1015439381-0
Opcode ID: 10f458eb7a491af95f2728cb6eb2c534ab195342ad98642c833abe3310bd22dd
Instruction ID: 5d87076019a20fa1f806224936221887d2f571cb3ec68574b85bfacaa1d92215
Opcode Fuzzy Hash: 10f458eb7a491af95f2728cb6eb2c534ab195342ad98642c833abe3310bd22dd
Instruction Fuzzy Hash: 14D0C2B5618202AF9A04CF58EA94D2BB7F9EBCCB10F10890CB585D3254D630EC49DB77

Function 00448B20 Relevance: 1.5, APIs: 1, Instructions: 12encryptionCOMMON

Download Yara Rule

APIs

CryptGetHashParam.ADVAPI32(00000004,00000004,00000004,?,?,004263C6,?,?,00000004,?,?,00000000), ref: 00448B39

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CryptHashParam
String ID:
API String ID: 1839025277-0
Opcode ID: 0fd56d70436e0ac293aa000b556dd2e3aa6a0e97767fe9d1a05291a944a4ce45
Instruction ID: 3ea1d14a431731d2fd0f67f1d6e5fc1599c86b04ff6f1d7e918df93bcaa2f282
Opcode Fuzzy Hash: 0fd56d70436e0ac293aa000b556dd2e3aa6a0e97767fe9d1a05291a944a4ce45
Instruction Fuzzy Hash: 38D0C5B5A19342AF9B08CF58D994D3BB7E9BBC8710F044D0CB59583250C720E849CB66

Function 00448B60 Relevance: 1.5, APIs: 1, Instructions: 10encryptionCOMMON

Download Yara Rule

APIs

CryptHashData.ADVAPI32(00000000,00000000,?,?,004262AD,?,?,?,?,00000000), ref: 00448B74

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CryptDataHash
String ID:
API String ID: 4245837645-0
Opcode ID: 1377647b4c373e9a0b997905398301d12f75a4c3ee681afd3fedc345a05ebc6e
Instruction ID: 567f83e4737d6d1248e8f435c0de9951d192f3bbea2f7b6a8adea9cd6fac02ac
Opcode Fuzzy Hash: 1377647b4c373e9a0b997905398301d12f75a4c3ee681afd3fedc345a05ebc6e
Instruction Fuzzy Hash: 78C0EAB9A09301AF9A04CF54D988D2BB3E9ABC8610F10890CB59583240C630E8058B22

Function 00448B00 Relevance: 1.5, APIs: 1, Instructions: 10encryptionCOMMON

Download Yara Rule

APIs

CryptSetHashParam.ADVAPI32(00000002,00000002,?,?,004286A0,?,?,00000002,?,00000000,?,?,004C1E84), ref: 00448B14

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CryptHashParam
String ID:
API String ID: 1839025277-0
Opcode ID: bf42dc855319f8df7cedf984019026b40a180bb66e1168ab87d6faec8f20b674
Instruction ID: f74a242ebea010c38bf6a9144a4d193c81cb18a9423990b1e17cb5ddf2931e78
Opcode Fuzzy Hash: bf42dc855319f8df7cedf984019026b40a180bb66e1168ab87d6faec8f20b674
Instruction Fuzzy Hash: 0EC002B9A09301AF9A04DF54D988C2BB3E9EBC8710F00CD0CF59583244C630EC05CB36

Function 00449130 Relevance: 1.5, APIs: 1, Instructions: 8encryptionCOMMON

Download Yara Rule

APIs

CryptGetUserKey.ADVAPI32(?,?,?,00437B13,?,00000000,00000001,?,00000030,00425AC8,?,?,?,00000000), ref: 0044913F

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CryptUser
String ID:
API String ID: 2634466780-0
Opcode ID: 44715708332843823cdf99dbbaa1d64fa8c293458d3a94428e730a8f8df9770f
Instruction ID: cd38d0bacca55b0b150f757869f1c80b0d384a277d7627e60182e0fb6d2e8fd3
Opcode Fuzzy Hash: 44715708332843823cdf99dbbaa1d64fa8c293458d3a94428e730a8f8df9770f
Instruction Fuzzy Hash: DFC048B8608301AF9A04CF10C888C2BB7A9FBC8200F208D0CB8A583250C630E801DB22

Function 004487F0 Relevance: 1.5, APIs: 1, Instructions: 8encryptionCOMMON

Download Yara Rule

APIs

CryptGenRandom.ADVAPI32(?,00000000,00000068,0041BB87,?,00000000,?,?,00000000,004ADB04,00000068,00000000), ref: 004487FF

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CryptRandom
String ID:
API String ID: 2662593985-0
Opcode ID: 8391f690961e555caef315ccef4634a1ee3e19ebf3d3f594dc75ca1a5e942aeb
Instruction ID: 6fe72d11f8e26a00f3967ea73b019eea79ce8a6e13e8456df54cde2521045598
Opcode Fuzzy Hash: 8391f690961e555caef315ccef4634a1ee3e19ebf3d3f594dc75ca1a5e942aeb
Instruction Fuzzy Hash: 44C048B8608301AFDA08DB14C888C2BB7B9EBC8240F00CD0CB89582250C630E801CB26

Function 00448870 Relevance: 1.5, APIs: 1, Instructions: 6encryptionCOMMONLIBRARYCODE

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(004A6704,?,0041B507,?,?,00000000,0041AF6E,?,0041AF3E), ref: 0044887A

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 3a8baaaba969db941432796355c728a12e673a59fd9f4bee2f53c1c8f2864f48
Instruction ID: 6c989825a0d476403b511b66bf2186f0dc1944b5e11c182fe1bab489d7645450
Opcode Fuzzy Hash: 3a8baaaba969db941432796355c728a12e673a59fd9f4bee2f53c1c8f2864f48
Instruction Fuzzy Hash: FAB012B4605200BFCE08CB14C944C2FB7B8EBC4340F008C0CB94986150C630D800CB11

Function 004488F0 Relevance: 1.5, APIs: 1, Instructions: 6encryptionCOMMON

Download Yara Rule

APIs

CertOpenSystemStoreW.CRYPT32(?,?), ref: 004488FA

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CertOpenStoreSystem
String ID:
API String ID: 4293387918-0
Opcode ID: 13323f454ddabd1906e5856c51f17e8016b5d639c0e7ccd9e9cbec913e3b4c2f
Instruction ID: 5fc1950f2031c65a586e4fcf2c0a3258ea4d4a4bf9b3fdfc6385a9a9cc70b24e
Opcode Fuzzy Hash: 13323f454ddabd1906e5856c51f17e8016b5d639c0e7ccd9e9cbec913e3b4c2f
Instruction Fuzzy Hash: 8DB012B4608200BFCE04CB10C944C2FB7A9EFC5304F008C0CB94982150C630D800CB12

Function 00448AF0 Relevance: 1.5, APIs: 1, Instructions: 4encryptionCOMMONLIBRARYCODE

Download Yara Rule

APIs

CryptDestroyHash.ADVAPI32(?,0042871C,?,?,?), ref: 00448AF5

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CryptDestroyHash
String ID:
API String ID: 174375392-0
Opcode ID: c9096b6c78df546fdb07a1b9e3b1919d0b4a692b6e83e8289305274da7af0159
Instruction ID: 6a034fceaa275ddad8911de1b03fb0d3643b0f48f816e64688ee5639507e61c9
Opcode Fuzzy Hash: c9096b6c78df546fdb07a1b9e3b1919d0b4a692b6e83e8289305274da7af0159
Instruction Fuzzy Hash: D7A00275D16201ABCE04DFE8D94CD4E7BB8BB85385F204C58B145C3060C634D441CB15

Function 00448B80 Relevance: 1.5, APIs: 1, Instructions: 4encryptionCOMMONLIBRARYCODE

Download Yara Rule

APIs

CryptDestroyKey.ADVAPI32(0041CA3C,0042849B,?,?,00000000,?,0041CA3C,?,00000000,0041C22A,004C1E84), ref: 00448B85

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CryptDestroy
String ID:
API String ID: 1712904745-0
Opcode ID: 9a433633f865ab1f78d51061ebf519ba02e09da577a7eedc7a6419de85e53049
Instruction ID: 9b55852d3fc15b7710bcb3054011af21b9588c2a2fcfacdbd231fc1e48dd2fb0
Opcode Fuzzy Hash: 9a433633f865ab1f78d51061ebf519ba02e09da577a7eedc7a6419de85e53049
Instruction Fuzzy Hash: BAA00275D05201EBCE10EFA4D94C84EBBA9AB89345F008C58B145C2160C634D442DB2E

Function 00438A76 Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

, xrefs: 00438C04

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5c0c71d5ba31fd5428659d05093c7a16a2f954e173f9f136741ca66b15c64779
Instruction ID: 9809bcb2ba52f81bec9b3a67878ec693f4aa428ee989ef16a33ba8426099ed1b
Opcode Fuzzy Hash: 5c0c71d5ba31fd5428659d05093c7a16a2f954e173f9f136741ca66b15c64779
Instruction Fuzzy Hash: 3161B431B101518BD764CF6EFDC05067BE2A7CE390B18CA39EE44D3279C6B8A561DAD8

Function 00441F40 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

2NB, xrefs: 00441F4A

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID:
String ID: 2NB
API String ID: 0-780577499
Opcode ID: c240bcb451ea328e1fcd2893349d3bb913c2850b0b9f0b2c2149d20511b957e1
Instruction ID: c5d33d0ffda30c75c2d616c73b19e8d36e381478fa310a04d6583db2b2a881fe
Opcode Fuzzy Hash: c240bcb451ea328e1fcd2893349d3bb913c2850b0b9f0b2c2149d20511b957e1
Instruction Fuzzy Hash: 951104335280B606D740AE29DC003367397DFC6216F1D817AE79082656D57FEA1BE614

Function 00443970 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b76f8d3d959ce82158e74a2a3c35e9490128c568c793866194d94ad790bb565
Instruction ID: b026a84a377fa7176136738dfdd2dfab089dd20b8c980ead729dbe9ff9f31768
Opcode Fuzzy Hash: 3b76f8d3d959ce82158e74a2a3c35e9490128c568c793866194d94ad790bb565
Instruction Fuzzy Hash: 1B128BB1504B408FE324CF1AC490667B7F1FF90716F148A2EE4D687B92D638B949CBA5

Function 00443480 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a81de7e5a40aa19bf7e4aeec4d0038f55b5d51a368278fa6f701c93ae711430
Instruction ID: 0c5b515875aff2df521e34fc7e86470525128dfcc257a026ee7409dfc785c2be
Opcode Fuzzy Hash: 3a81de7e5a40aa19bf7e4aeec4d0038f55b5d51a368278fa6f701c93ae711430
Instruction Fuzzy Hash: D2F158B59043108FD718CF05C0D4A66BBA1FF88725F1A46AED9961B3A2C334EE45CF96

Function 00474420 Relevance: .1, Instructions: 76COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: c410edb38c2724a3410d0d5d340838a013d3a7e1467055b3590f00ddf13298e7
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 6B1108B720018243D605CA2DD8B47F7A399EAD532572DC36BD0994B754D32A9946F908

Function 00440770 Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 223timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(00000000), ref: 0044081B
FileTimeToLocalFileTime.KERNEL32(00000000,?), ref: 00440834
FileTimeToSystemTime.KERNEL32(?,?), ref: 0044084C
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000028), ref: 0044087D
__CxxThrowException@8.LIBCMT ref: 004408A4

Part of subcall function 00472749: RaiseException.KERNEL32(?,?,004ADB04,00000065,?,?,004132CD,?,004ADB04,00000065,00000000,?,?,?,0041361B,?), ref: 00472789

GetLastError.KERNEL32 ref: 00440887

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

GetDateFormatA.KERNEL32(00000400,00000000,?,00000000,?,00000028), ref: 004408CB
GetLastError.KERNEL32 ref: 004408D5
__CxxThrowException@8.LIBCMT ref: 004408F2

Strings

%1!2lu!%2!s!, xrefs: 00440984
%1!2lu!, xrefs: 0044098B, 00440995
PM, xrefs: 00440940, 00440990, 00440994, 004409B9, 004409E3
%1!2lu!:%2!02lu!:%3!02lu!%4!s!, xrefs: 004409D7
%1!2lu!:%2!02lu!%3!s!, xrefs: 004409AD
%1!2lu!:%2!02lu!:%3!02lu!, xrefs: 004409DE, 004409F4
AM, xrefs: 00440961
%1!2lu!:%2!02lu!, xrefs: 004409B4, 004409C4

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Time$File$DateErrorException@8FormatLastSystemThrow$ExceptionH_prolog3_catchLocalRaise
String ID: AM$ PM$%1!2lu!$%1!2lu!%2!s!$%1!2lu!:%2!02lu!$%1!2lu!:%2!02lu!%3!s!$%1!2lu!:%2!02lu!:%3!02lu!$%1!2lu!:%2!02lu!:%3!02lu!%4!s!
API String ID: 268419-1666400798
Opcode ID: 4577f7ac29e9e067e54b0d9665c6fb9ac2ce88c1fe6b77e20bf30f3ff2516ca9
Instruction ID: 5466cf82c099800ce1ad84ff48fc5b4ec6f2f5fbc5170893623e439d89129da2
Opcode Fuzzy Hash: 4577f7ac29e9e067e54b0d9665c6fb9ac2ce88c1fe6b77e20bf30f3ff2516ca9
Instruction Fuzzy Hash: 187193B1605300AAF324EB15CC45FAB73E8EF94714F044A2EFA95922D1E77C9944C7AA

Function 0040B87C Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 205comCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040B883
OleUninitialize.OLE32 ref: 0040B8F4
OleInitialize.OLE32(00000000), ref: 0040B902
GetWindowTextLengthW.USER32(?), ref: 0040B90B
__freea.LIBCMT ref: 0040B953

Strings

`-u, xrefs: 0040B9F3, 0040BA4F, 0040BA99

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3_InitializeLengthTextUninitializeWindow__freea
String ID: `-u
API String ID: 2315625283-2606764580
Opcode ID: d1f3dd5069a0c72aa9de983a6b3004ede786ff1ed0e27763247f4dea60500bc4
Instruction ID: bdcfb97abbdfd0872cb31c5e0707d13120898c846af59684949713203d7ae998
Opcode Fuzzy Hash: d1f3dd5069a0c72aa9de983a6b3004ede786ff1ed0e27763247f4dea60500bc4
Instruction Fuzzy Hash: 25718E71A01209EFCF01AFA4CC489AE7BB9EF44304F24446AF501F62E1C7799E41DBA9

Function 0040EEF2 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 270windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 0040EF70
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0040EF84
GetDlgItem.USER32(?,0000E801), ref: 0040EF96
IsWindow.USER32(00000000), ref: 0040EFA0
GetClientRect.USER32(?,?), ref: 0040EFF9
GetDlgItem.USER32(?,0000E801), ref: 0040F017
GetWindowRect.USER32(?,00000000), ref: 0040F07A
MapWindowPoints.USER32(00000000,?,00000000,00000002), ref: 0040F08B
GetClientRect.USER32(?,?), ref: 0040F0D7
GetWindowRect.USER32(?,?), ref: 0040F0EB
GetDlgItem.USER32(?,?), ref: 0040F170
GetWindowRect.USER32(00000000,00000000), ref: 0040F189
MapWindowPoints.USER32(00000000,?,00000000,00000002), ref: 0040F19A

Strings

<JJ, xrefs: 0040F0F7

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Window$Rect$Item$ClientMessagePointsSend
String ID: <JJ
API String ID: 460500065-1320143591
Opcode ID: 6ceed0f065abc9ca3c18d420356e2d7e24cda0936ec9d182922c1bfb38d8fe93
Instruction ID: edbc47477151b5beffb1d4a6967dbe5d02541fc3cf6a85a0bd0beb682b587da4
Opcode Fuzzy Hash: 6ceed0f065abc9ca3c18d420356e2d7e24cda0936ec9d182922c1bfb38d8fe93
Instruction Fuzzy Hash: 59B14771900209EFDB10CFA8CD85AAEBBF5EF48314F10897AE525EB2A1D734A905CF55

Function 00406CCF Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 303memoryCOMMON

Download Yara Rule

APIs

LockResource.KERNEL32(00000000), ref: 00406D39
LockResource.KERNEL32(00000000), ref: 00406D68
GetWindow.USER32(?,00000005), ref: 00406DAE
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00406E2F
GlobalFix.KERNEL32(00000000), ref: 00406E40
GlobalUnWire.KERNEL32(00000000), ref: 00406E56
MapDialogRect.USER32(?,?), ref: 00406F2A
SetWindowContextHelpId.USER32(00000000,00000000), ref: 00406F90
SetWindowPos.USER32(00000000,?,00000000,00000000,00000000,00000000,00000013,?,?,00000000,?,004A4314,?,?,00000000,00000000), ref: 00406FCF
SysFreeString.OLEAUT32(00000000), ref: 00406FE8
GetWindow.USER32(00000000,00000002), ref: 00407010
SysFreeString.OLEAUT32(00000000), ref: 00407057

Part of subcall function 0040BB9F: GetLastError.KERNEL32(00407077), ref: 0040BB9F

Strings

`-u, xrefs: 00406FE8, 00407057

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Window$Global$FreeLockResourceString$AllocContextDialogErrorHelpLastRectWire
String ID: `-u
API String ID: 4076213876-2606764580
Opcode ID: 02886fcc4d003e9a18a331cb69696ecb4119dd3668a631e2b7462330e04eba06
Instruction ID: 5dcf519c3656d5c1f15957809b5befcd5b06c81bcd49c84b126c542450426bde
Opcode Fuzzy Hash: 02886fcc4d003e9a18a331cb69696ecb4119dd3668a631e2b7462330e04eba06
Instruction Fuzzy Hash: 99B1BC719083119BC710DF15C884A2BBBF4FF84711F15092EF886AA2E0D738ED51DBAA

Function 0047630A Relevance: 22.7, APIs: 15, Instructions: 156fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_strcpy_s.LIBCMT ref: 00476376
__invoke_watson.LIBCMT ref: 00476387
GetModuleFileNameA.KERNEL32(00000000,004C8031,00000104), ref: 004763A3
_strcpy_s.LIBCMT ref: 004763B8
__invoke_watson.LIBCMT ref: 004763CB
_strlen.LIBCMT ref: 004763D4
_strlen.LIBCMT ref: 004763E1
__invoke_watson.LIBCMT ref: 0047640E
_strcat_s.LIBCMT ref: 00476421
__invoke_watson.LIBCMT ref: 00476432
_strcat_s.LIBCMT ref: 00476443
__invoke_watson.LIBCMT ref: 00476454
GetStdHandle.KERNEL32(000000F4,?,?,00000000,0048D288,00000003,004764D6,000000FC,0046EB87,00000001,00000000,00000000,?,00476CBD,?,00000001), ref: 00476473
_strlen.LIBCMT ref: 00476494
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,00476CBD,?,00000001,?,0047559B,00000018,004AD628,0000000C,0047562A,?), ref: 0047649E

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: __invoke_watson$_strlen$File_strcat_s_strcpy_s$HandleModuleNameWrite
String ID:
API String ID: 1879448924-0
Opcode ID: b37ac1ed7c9732053dda87c029f18af61fc9b2577930bfc8fbd2f67129fed16d
Instruction ID: 4dcdb55767719c7f89cb6526135c3844c26ec52b958c823b0702a4f345c496c5
Opcode Fuzzy Hash: b37ac1ed7c9732053dda87c029f18af61fc9b2577930bfc8fbd2f67129fed16d
Instruction Fuzzy Hash: 5A3129A25016117AE62032765C46FFF260D9B16754F16C12FFD0DA12D3FA5EC94181FE

Function 0043E0A0 Relevance: 21.4, APIs: 2, Strings: 10, Instructions: 366COMMON

Download Yara Rule

APIs

_wcsrchr.LIBCMT ref: 0043E0C2
_wcsrchr.LIBCMT ref: 0043E0DB

Strings

_PO, xrefs: 0043E440
_JP, xrefs: 0043E380
_FR, xrefs: 0043E19C
_US, xrefs: 0043E13C
en_US, xrefs: 0043E453, 0043E4A2, 0043E4C4
_BIG5, xrefs: 0043E31C
_ES, xrefs: 0043E2BC
_DE, xrefs: 0043E25C
_KO, xrefs: 0043E3E0
_IT, xrefs: 0043E1FC

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: _wcsrchr
String ID: _BIG5$_DE$_ES$_FR$_IT$_JP$_KO$_PO$_US$en_US
API String ID: 1752292252-2149996867
Opcode ID: 06bcba9adeccfcbf4df3f1cb29f48e2f3b4ce4b86e89e4e223871a1b17d5ed3b
Instruction ID: fd1458dc5c20a67c1d338a82697c2bb055d03f71d96dc29bb0ace306cb760a1a
Opcode Fuzzy Hash: 06bcba9adeccfcbf4df3f1cb29f48e2f3b4ce4b86e89e4e223871a1b17d5ed3b
Instruction Fuzzy Hash: 68C1E321602112CADB246F2AC80277733A2EF7C764F5596A6D916CB3E9F33ADD41C748

Function 0040F4E2 Relevance: 21.3, APIs: 14, Instructions: 292COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000000), ref: 0040F507
GetWindowRect.USER32(00000000,00000000), ref: 0040F515
MapWindowPoints.USER32(00000000,?,00000000,00000002), ref: 0040F531
InvalidateRect.USER32(00000001,00000000,00000001), ref: 0040F7D7

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: RectWindow$InvalidateItemPoints
String ID:
API String ID: 1963248746-0
Opcode ID: 740d688458b002204211c38e7be27138eec25aac5af91a3bc2e2af9a862a4747
Instruction ID: be9ce48ddb9cac475982a234001f4ee51c1ca76db749d328e7aea871952c4d3d
Opcode Fuzzy Hash: 740d688458b002204211c38e7be27138eec25aac5af91a3bc2e2af9a862a4747
Instruction Fuzzy Hash: F5C14E71A0020AAFDB14CFB8C989A9EBBF5FF08300F148939E915E7694D734E915CB95

Function 00408574 Relevance: 21.1, APIs: 14, Instructions: 131COMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 00408597
GetClientRect.USER32(?,?), ref: 004085AF
CreateSolidBrush.GDI32(?), ref: 004085BB
FillRect.USER32(?,?,00000000), ref: 004085CF
DeleteObject.GDI32(?), ref: 004085D6
EndPaint.USER32(?,?), ref: 004085E3
BeginPaint.USER32(?,?), ref: 00408605
GetClientRect.USER32(?,?), ref: 0040861F
SelectObject.GDI32(00000000,?), ref: 00408652
CreateSolidBrush.GDI32(?), ref: 00408665
FillRect.USER32(00000000,?,00000000), ref: 00408678
DeleteObject.GDI32(?), ref: 00408681
SelectObject.GDI32(00000000,?), ref: 004086BF
DeleteDC.GDI32(00000000), ref: 004086C6

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ObjectRect$DeletePaint$BeginBrushClientCreateFillSelectSolid
String ID:
API String ID: 216606842-0
Opcode ID: 38fa92bffd7d5ef07d2bfd0aeeefd0c8b6b157411ec734fbb9923d22944bdbcb
Instruction ID: 65d72420b55b39e40cc8a526593d9fe4d7ad338412b7a8e769e56c34a48a8f39
Opcode Fuzzy Hash: 38fa92bffd7d5ef07d2bfd0aeeefd0c8b6b157411ec734fbb9923d22944bdbcb
Instruction Fuzzy Hash: 1D410671901208AFCB119FE4DD88DAFBBBEFB49704B14492EF556E61A0DB759801CB28

Function 004069C6 Relevance: 19.8, APIs: 13, Instructions: 270windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 00406A44
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00406A58
GetDlgItem.USER32(?,0000E801), ref: 00406A6A
IsWindow.USER32(00000000), ref: 00406A74
GetClientRect.USER32(?,?), ref: 00406ACD
GetDlgItem.USER32(?,0000E801), ref: 00406AEB
GetWindowRect.USER32(004032DA,00000000), ref: 00406B4E
MapWindowPoints.USER32(00000000,?,00000000,00000002), ref: 00406B5F
GetClientRect.USER32(?,000000FF), ref: 00406BAB
GetWindowRect.USER32(?,000000FF), ref: 00406BBF
GetDlgItem.USER32(?,?), ref: 00406C44
GetWindowRect.USER32(00000000,00000000), ref: 00406C5D
MapWindowPoints.USER32(00000000,?,00000000,00000002), ref: 00406C6E

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Window$Rect$Item$ClientMessagePointsSend
String ID:
API String ID: 460500065-0
Opcode ID: ad8bd326f17306fffe741dcf3a9bdbdc17d806794986f503a8a956f2968bd8e6
Instruction ID: 7c70ee46a80eef9e9a0cbcf0f9db370b4ae249821450ddcd706c2b54fe48c5a5
Opcode Fuzzy Hash: ad8bd326f17306fffe741dcf3a9bdbdc17d806794986f503a8a956f2968bd8e6
Instruction Fuzzy Hash: 7CB14A71E00208EFDB10DFA8C985AAEBBF5EF48314F10896AE556F72A0D734A911CF55

Function 00401FD1 Relevance: 19.8, APIs: 13, Instructions: 270windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 0040204F
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00402063
GetDlgItem.USER32(?,0000E801), ref: 00402075
IsWindow.USER32(00000000), ref: 0040207F
GetClientRect.USER32(?,?), ref: 004020D8
GetDlgItem.USER32(?,0000E801), ref: 004020F6
GetWindowRect.USER32(00000000,00000000), ref: 00402159
MapWindowPoints.USER32(00000000,?,00000000,00000002), ref: 0040216A
GetClientRect.USER32(?,?), ref: 004021B6
GetWindowRect.USER32(?,?), ref: 004021CA
GetDlgItem.USER32(?,?), ref: 0040224F
GetWindowRect.USER32(00000000,00000000), ref: 00402268
MapWindowPoints.USER32(00000000,?,00000000,00000002), ref: 00402279

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Window$Rect$Item$ClientMessagePointsSend
String ID:
API String ID: 460500065-0
Opcode ID: dda19549c3c67d2ba16f85b3906886b1af2c798d955c11c9bd88db2800a58d7e
Instruction ID: 68c445f563e12df8f9e5f957ccc53fa54f01e1f96ac6823402a7eb691fb53a7d
Opcode Fuzzy Hash: dda19549c3c67d2ba16f85b3906886b1af2c798d955c11c9bd88db2800a58d7e
Instruction Fuzzy Hash: 33B12871D00208AFDB10DFA8C989AAEBBF5FF48314F10896AE515E72E0D774A905CF65

Function 004011C3 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 004011CD
_wcscpy.LIBCMT ref: 00401346
_wcscpy.LIBCMT ref: 0040137E
SetWindowTextW.USER32(00000001,?), ref: 0040138F
_wcscpy.LIBCMT ref: 004013AE
_wcscpy.LIBCMT ref: 004013E5
_wcscpy.LIBCMT ref: 0040152B
_wcscpy.LIBCMT ref: 00401657
GetDlgItem.USER32(00000003,00000001), ref: 00401695
SetFocus.USER32(00000000), ref: 0040169C

Strings

, xrefs: 00401242

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: _wcscpy$FocusH_prolog3_catch_ItemTextWindow
String ID:
API String ID: 2446610563-3916222277
Opcode ID: a59c1dc16c2c8931ca5dc34082e1b2743c6e34df09038a90c3a69e1dd44e22ca
Instruction ID: 762adf9caf617a478f58e4a35671fcbaa1b59caad470a189e77939213df3d8ac
Opcode Fuzzy Hash: a59c1dc16c2c8931ca5dc34082e1b2743c6e34df09038a90c3a69e1dd44e22ca
Instruction Fuzzy Hash: 00D184F19012189ADB21AF11DC82FEA7779EB04308F4044AFF649B61A2EB355E94DF1D

Function 0040B639 Relevance: 18.2, APIs: 12, Instructions: 185comCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040B640
OleUninitialize.OLE32 ref: 0040B6B1
OleInitialize.OLE32(00000000), ref: 0040B6BF
GetWindowTextLengthW.USER32(?), ref: 0040B6C8
__freea.LIBCMT ref: 0040B710

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3_InitializeLengthTextUninitializeWindow__freea
String ID:
API String ID: 2315625283-0
Opcode ID: 39949fd269ab3bbf0ebd366a40237fc52937ac0c804a1062ca0107c0637c7bba
Instruction ID: fa31d1c51260f74ce1b453a14d1db7e5a1e895c2272c71bfb0bd8c99371ec3a0
Opcode Fuzzy Hash: 39949fd269ab3bbf0ebd366a40237fc52937ac0c804a1062ca0107c0637c7bba
Instruction Fuzzy Hash: C0619E71901105EFCF11AFA4CC889AE7BB9EF45304B24486AF405F72E1C7798D41CBA9

Function 00411DE7 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 163windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00411DF1
GetParent.USER32(00000002), ref: 00411E3C
SetCapture.USER32(00000000,?,?), ref: 00411E45
LoadCursorW.USER32(00000000,00007F02), ref: 00411E51
SetCursor.USER32(00000000,?,?), ref: 00411E58
SendMessageW.USER32(00000002,00001132,00000000,?), ref: 00411FD8
ReleaseCapture.USER32 ref: 0041202B
LoadCursorW.USER32(00000000,00007F00), ref: 00412037
SetCursor.USER32(00000000,?,?), ref: 0041203E

Strings

g, xrefs: 00411EF2

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Cursor$CaptureLoad$H_prolog3_MessageParentReleaseSend
String ID: g
API String ID: 1438968526-30677878
Opcode ID: 7d00f1df952c71a4990ee6c7e79cd7431b0cadf64db684ad84eb41881c152917
Instruction ID: b96624654f648c9c81085ea282519aa59d86c6f6fba0ab3f794861fee08e6f1d
Opcode Fuzzy Hash: 7d00f1df952c71a4990ee6c7e79cd7431b0cadf64db684ad84eb41881c152917
Instruction Fuzzy Hash: FB614A75901229AFDB20DF94DC88B9DBBB4BF48704F1085DAE909EB291C774AE81CF54

Function 004089A1 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 106windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 004089FB
GetDlgItem.USER32(?,?), ref: 00408A6E
SendMessageW.USER32(?,?,?), ref: 00408ACC

Strings

-, xrefs: 004089B8
+, xrefs: 004089AE
N, xrefs: 004089A7
,, xrefs: 004089B3
/, xrefs: 004089C3
9, xrefs: 004089CC

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ItemMessageSendWindow
String ID: +$,$-$/$9$N
API String ID: 799199299-2228603680
Opcode ID: ea4c56f6e40d1d59ae5492e14c41e2503e24899145ab07937a21cdebb6128db9
Instruction ID: 6ab51ce13942d03a43e0931da9e15c2242913b0c0aa3069aa842584c54ec217e
Opcode Fuzzy Hash: ea4c56f6e40d1d59ae5492e14c41e2503e24899145ab07937a21cdebb6128db9
Instruction Fuzzy Hash: 67314B30700605EFDB245A14CA84B6B77A4EB04350F14852FE896A6AE0CB39EC91EF99

Function 00413164 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000002D), ref: 00413171

Part of subcall function 00412F06: GetSystemMetrics.USER32(0000002D), ref: 00412F38
Part of subcall function 00412F06: SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00412F50
Part of subcall function 00412F06: SelectObject.GDI32(00000000,00000000), ref: 00412F6C
Part of subcall function 00412F06: GetDlgItem.USER32(?,?), ref: 00412FB1
Part of subcall function 00412F06: GetWindowTextW.USER32(00000000,?,00000104), ref: 00412FD2
Part of subcall function 00412F06: DrawTextW.USER32(?,?,000000FF,?,00000400), ref: 0041300B
Part of subcall function 00412F06: GetWindowRect.USER32(?,?), ref: 0041303A

Part of subcall function 004130AA: GetDlgItem.USER32(00000000,00000000), ref: 004130D0

Part of subcall function 00413140: GetClientRect.USER32(00000000,00000000), ref: 0041314D

GetDlgItem.USER32(00000000,?), ref: 004131BD
GetWindowRect.USER32(00000000), ref: 004131C4
ScreenToClient.USER32(00000000,?), ref: 004131E2
GetDlgItem.USER32(00000000,?), ref: 0041320F
SetWindowPos.USER32(00000000,00000000,ne@,?,00000000,?,00000014), ref: 00413237
GetWindowRect.USER32(00000000,?), ref: 00413242

Strings

ne@, xrefs: 00413260
ne@, xrefs: 00413183, 00413231, 00413194

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Window$ItemRect$ClientMetricsSystemText$DrawMessageObjectScreenSelectSend
String ID: ne@$ne@
API String ID: 3925786290-1163931223
Opcode ID: cca1bf03fd59ef2b81e3847e7ecd5c94451b0a947cec40eed2904262bdeca261
Instruction ID: d2dcd41ff8467e63e9be2dfec510964a7c6be246f3b4a848738bc7a95c82abf8
Opcode Fuzzy Hash: cca1bf03fd59ef2b81e3847e7ecd5c94451b0a947cec40eed2904262bdeca261
Instruction Fuzzy Hash: 8A3106B5D01209BFDF01EFA8D8449EEBBB9FF08315F10846AF911A7250D7389A50CBA4

Function 004049ED Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 89COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00404A2C
GetWindowTextLengthW.USER32(00000000), ref: 00404A39
_malloc.LIBCMT ref: 00404A4A

Part of subcall function 0046EB5F: __FF_MSGBANNER.LIBCMT ref: 0046EB82
Part of subcall function 0046EB5F: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,00476CBD,?,00000001,?,0047559B,00000018,004AD628,0000000C,0047562A,?), ref: 0046EBD7

GetWindowTextW.USER32(?,00000000,00000001), ref: 00404A5E
_memset.LIBCMT ref: 00404A6F
SHBrowseForFolderW.SHELL32(?), ref: 00404AC7
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00404AD9
SetWindowTextW.USER32(?,?), ref: 00404B00

Strings

u, xrefs: 00404AA7

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: TextWindow$AllocateBrowseFolderFromHeapItemLengthListPath_malloc_memset
String ID: u
API String ID: 3000514250-4067256894
Opcode ID: ed4fe9c0dd718e060a53297d42692da1d7f22e0db733bc9461e86d63ff4eebab
Instruction ID: f70debdb50084d2f0a9569a2798ad76bd1778b31d15f83575291fb4895c84f26
Opcode Fuzzy Hash: ed4fe9c0dd718e060a53297d42692da1d7f22e0db733bc9461e86d63ff4eebab
Instruction Fuzzy Hash: ED3134B5D41218ABDB209F65DC8DB9EB7B8FB48704F1005AAE509E2190EB749E84CF58

Function 00419DD6 Relevance: 15.1, APIs: 10, Instructions: 143fileCOMMON

Download Yara Rule

APIs

MoveFileExW.KERNEL32(?,?,00000000,?,?), ref: 00419E4B
GetLastError.KERNEL32(?,?,?), ref: 00419E5E
MoveFileW.KERNEL32(?,?), ref: 00419E82
SetLastError.KERNEL32(00000011,?,?), ref: 00419E93
MoveFileExA.KERNEL32(?,?,00000000), ref: 00419F07
GetLastError.KERNEL32(?), ref: 00419F1A
MoveFileA.KERNEL32(?,?), ref: 00419F3E
SetLastError.KERNEL32(00000011), ref: 00419F4F

Part of subcall function 00419D57: __EH_prolog3.LIBCMT ref: 00419D5E

GetLastError.KERNEL32 ref: 00419F72
__CxxThrowException@8.LIBCMT ref: 00419F9B

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ErrorLast$FileMove$Exception@8H_prolog3Throw
String ID:
API String ID: 2554593795-0
Opcode ID: 0d40c40dcb70d2bea61d3d10af5c5a60233070a8551e310fed72f89b08397fa0
Instruction ID: e17f511c7f2f97a75cba9afb91b2a3c588ba70f962a86179bd598286967eb046
Opcode Fuzzy Hash: 0d40c40dcb70d2bea61d3d10af5c5a60233070a8551e310fed72f89b08397fa0
Instruction Fuzzy Hash: C8519F7150C345AFDB009F25DC45A8EBFE8BF84718F004A2EF498921A1DB35DE899B4B

Function 0043EBB0 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 235COMMON

Download Yara Rule

APIs

Part of subcall function 0043F880: GetLocaleInfoW.KERNELBASE(?), ref: 0043F9C6

_wcscat_s.LIBCMT ref: 0043ED1D
_wcscat_s.LIBCMT ref: 0043ED32
_wcsncpy.LIBCMT ref: 0043EDD0
_wcsncpy.LIBCMT ref: 0043EE24
_malloc.LIBCMT ref: 0043EEAD
_malloc.LIBCMT ref: 0043F086
_wcsrchr.LIBCMT ref: 0043F0B4

Strings

SECURE, xrefs: 0043EC79
en_US, xrefs: 0043ED45, 0043EDB5, 0043EDCE, 0043EE22
RSA, xrefs: 0043EC41
-RSA, xrefs: 0043EDF1

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: _malloc_wcscat_s_wcsncpy$InfoLocale_wcsrchr
String ID: -RSA$RSA$SECURE$en_US
API String ID: 2423020765-255005049
Opcode ID: 14b9f3e0189fa4fafeda4439610c2ebe6d1cede6a45102906d1231cc1cdd2510
Instruction ID: 290ca32cb2870313211fb343b20684d56a3e0cfda8b2b46223f38311388f5879
Opcode Fuzzy Hash: 14b9f3e0189fa4fafeda4439610c2ebe6d1cede6a45102906d1231cc1cdd2510
Instruction Fuzzy Hash: 6781217290124A9ADB34EF59CC41AFF37B5EF28710F88442BD9059B3C0E7399A44CB98

Function 00440530 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 00440568
__CxxThrowException@8.LIBCMT ref: 004405B3
__CxxThrowException@8.LIBCMT ref: 004405E5
__CxxThrowException@8.LIBCMT ref: 0044063D
__CxxThrowException@8.LIBCMT ref: 00440682

Part of subcall function 00472749: RaiseException.KERNEL32(?,?,004ADB04,00000065,?,?,004132CD,?,004ADB04,00000065,00000000,?,?,?,0041361B,?), ref: 00472789

__CxxThrowException@8.LIBCMT ref: 004406B4
__CxxThrowException@8.LIBCMT ref: 00440707

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

Strings

0, xrefs: 0044070E

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8Throw$ExceptionH_prolog3_catchRaiseVersion
String ID: 0
API String ID: 2419471778-4108050209
Opcode ID: 8a2c50e2fe517853e2e6ee847e227250b5585f532abc1506989a006a58ad54a2
Instruction ID: 0b65c462272f7319cab2c5eab4fbdaea24944b21242a5cae7b2307713ea178ef
Opcode Fuzzy Hash: 8a2c50e2fe517853e2e6ee847e227250b5585f532abc1506989a006a58ad54a2
Instruction Fuzzy Hash: B451DAB1208341AFF324DB21CC42FEB73E4AF90B04F41481EF695961D0D7B8A955CBAA

Function 0040933C Relevance: 13.8, APIs: 9, Instructions: 319COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 004093A4
GetSysColor.USER32(00000005), ref: 004093E2

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ColorWindow
String ID:
API String ID: 4045458706-0
Opcode ID: 083c085ce6d4984db9017f1d533f347404641dc0924897450a2d91c5289017d4
Instruction ID: 72ce73c0c981400bd4317e341ca59d9c44a467f2cc618a4c888562956d9a0f1e
Opcode Fuzzy Hash: 083c085ce6d4984db9017f1d533f347404641dc0924897450a2d91c5289017d4
Instruction Fuzzy Hash: EAC19C71508342AFDB10DF65C884A6B77E9EF88314F40492EF885A72D2C739EC45CB5A

Function 004017B1 Relevance: 13.6, APIs: 9, Instructions: 143COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000416), ref: 004017E0
GetDlgItem.USER32(?,00000419), ref: 004017FB
_wcscpy.LIBCMT ref: 00401829

Part of subcall function 0043E620: _malloc.LIBCMT ref: 0043E6CF
Part of subcall function 0043E620: __swprintf.LIBCMT ref: 0043E6FC
Part of subcall function 0043E620: _malloc.LIBCMT ref: 0043E732

_wcscpy.LIBCMT ref: 00401847
_wcscpy.LIBCMT ref: 00401865
_wcscpy.LIBCMT ref: 00401883

Part of subcall function 004011C3: __EH_prolog3_catch_GS.LIBCMT ref: 004011CD
Part of subcall function 004011C3: _wcscpy.LIBCMT ref: 00401346
Part of subcall function 004011C3: _wcscpy.LIBCMT ref: 0040137E
Part of subcall function 004011C3: SetWindowTextW.USER32(00000001,?), ref: 0040138F
Part of subcall function 004011C3: _wcscpy.LIBCMT ref: 004013AE

MapDialogRect.USER32(?,?), ref: 004018F4
GetWindowRect.USER32(?,?), ref: 00401900

Part of subcall function 0040197E: SendMessageW.USER32(?,00000031,00000000,00000000), ref: 004019B3
Part of subcall function 0040197E: SelectObject.GDI32(00000000,00000000), ref: 004019CC
Part of subcall function 0040197E: GetSystemMetrics.USER32(0000002D), ref: 00401A91
Part of subcall function 0040197E: GetWindowTextW.USER32(00000000,?,00000104), ref: 00401AD2

SetForegroundWindow.USER32(?), ref: 0040196E

Part of subcall function 00402621: SetWindowPos.USER32(00401BF7,00000000,?,?,?,?,00401BF7,0048D550,00401BF7,?,00000204), ref: 00402641

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: _wcscpy$Window$ItemRectText_malloc$DialogForegroundH_prolog3_catch_MessageMetricsObjectSelectSendSystem__swprintf
String ID:
API String ID: 162573731-0
Opcode ID: 2fd9de70c446c8e59b843f8b728ad4f37a842a14b7769d653cb86e5286cf9499
Instruction ID: 5d5bc8ddd2ee55e6cedf02d315d3cb62d53b123e7d18268d17adffbd1f471ac7
Opcode Fuzzy Hash: 2fd9de70c446c8e59b843f8b728ad4f37a842a14b7769d653cb86e5286cf9499
Instruction Fuzzy Hash: 9C51B6B5601605BFEB05AF65DC46FEEB769FF04308F00052EF604A21E2DB756954CB98

Function 00412D6D Relevance: 13.6, APIs: 9, Instructions: 89windowCOMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00412D7D
_strlen.LIBCMT ref: 00412D9A
IsDialogMessageW.USER32(00412ED5,?), ref: 00412DBA
TranslateMessage.USER32(?), ref: 00412DC8
DispatchMessageW.USER32(?), ref: 00412DD2
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00412DE1
DdeClientTransaction.USER32(00000001,00000001,00000000,00000001,00004050,00001388,00000000), ref: 00412E01
DdeGetLastError.USER32(00000001), ref: 00412E0F
_strlen.LIBCMT ref: 00412E46

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Message$_strlen$ClientDialogDispatchErrorLastPeekTransactionTranslate
String ID:
API String ID: 3755878689-0
Opcode ID: 5a0ac031f8cb865b26c113acb448c05818d8f8624f6f80168fa92a5c67164f37
Instruction ID: b87cf77f3605f5675e9a281c20427728469610cca946a307ae8d9233a2b892d0
Opcode Fuzzy Hash: 5a0ac031f8cb865b26c113acb448c05818d8f8624f6f80168fa92a5c67164f37
Instruction Fuzzy Hash: D7218DB1801209BADF219F91DD85DDE7BACEF04349F14402BF600E2191E3B89AD58B68

Function 00453AC0 Relevance: 13.6, APIs: 9, Instructions: 80registrywindowCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F4,00453C4B,00495EB8,00495E74,000001E0,00495EF0,0000014B), ref: 00453ADA
GetFileType.KERNEL32(00000000), ref: 00453AE5
_vfprintf.LIBCMT ref: 00453B08

Part of subcall function 004742E6: _vfprintf_helper.LIBCMT ref: 004742F9

__vsnprintf.LIBCMT ref: 00453B3F
GetVersion.KERNEL32 ref: 00453B4F
RegisterEventSourceA.ADVAPI32(00000000,00495EB0), ref: 00453B6D
ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 00453B91
DeregisterEventSource.ADVAPI32(00000000), ref: 00453B98
MessageBoxA.USER32(00000000,?,00495EA0,00000010), ref: 00453BC2

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Event$Source$DeregisterFileHandleMessageRegisterReportTypeVersion__vsnprintf_vfprintf_vfprintf_helper
String ID:
API String ID: 1665902462-0
Opcode ID: b0ba3cb9d00c493287e85ddb2f6ce40ec3b7105f4b7e89b541c6885e32f278b8
Instruction ID: b0366dc6c26dc34716eb39a9559f4e34c010145fa5819d3deae9b7e3ba73cfac
Opcode Fuzzy Hash: b0ba3cb9d00c493287e85ddb2f6ce40ec3b7105f4b7e89b541c6885e32f278b8
Instruction Fuzzy Hash: F121B571A043006BE720AB21CC46FEF77D8AF94745F84492EB689861C1EEF99A44875B

Function 00412668 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 176registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00412672

Part of subcall function 00413423: __EH_prolog3_catch.LIBCMT ref: 0041342A

Part of subcall function 0041368B: __EH_prolog3.LIBCMT ref: 00413692

RegCreateKeyW.ADVAPI32(80000000,?,?), ref: 00412743
RegCreateKeyW.ADVAPI32(?,?,?), ref: 004127B6
RegSetValueW.ADVAPI32(?,00000000,00000001,00000000,?), ref: 004127E4
RegCreateKeyW.ADVAPI32(?,?,?), ref: 0041282C
RegSetValueW.ADVAPI32(?,00000000,00000001,?,?), ref: 0041285C

Strings

>u, xrefs: 004126E0

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Create$Value$H_prolog3H_prolog3_catchH_prolog3_catch_
String ID: >u
API String ID: 333081038-4124531162
Opcode ID: 30d8965fcea660d6c405f0932e2395643ee678c143ae29b1eb1fbf7317d13f10
Instruction ID: e35806359c35bf33f8406e688deb07ce4fe15fe4c790a931028675c32a2d185f
Opcode Fuzzy Hash: 30d8965fcea660d6c405f0932e2395643ee678c143ae29b1eb1fbf7317d13f10
Instruction Fuzzy Hash: C051A532D01129ABCB21AB50DD45BEE73B4FF09714F14019AE809E6150D7789ED1CF58

Function 0040BBB4 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 146memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040BBD3
SysStringLen.OLEAUT32(00000000), ref: 0040BC4B
SysFreeString.OLEAUT32(00000000), ref: 0040BC5B
SysAllocStringLen.OLEAUT32(00000000,?), ref: 0040BC6C
_memset.LIBCMT ref: 0040BC8F
SysFreeString.OLEAUT32(00000000), ref: 0040BCBA

Strings

`-u, xrefs: 0040BC5B, 0040BCBA

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: String$Free$AllocH_prolog3_memset
String ID: `-u
API String ID: 940057595-2606764580
Opcode ID: 1cb313c091d2c1bfb1119476f3ae24280be130568bda6311e1da58c9fa242929
Instruction ID: 37d153cde60fbe64fdfce4bde9ac5843fd1e4c16e10141d7f5d1ad9ee85a11ac
Opcode Fuzzy Hash: 1cb313c091d2c1bfb1119476f3ae24280be130568bda6311e1da58c9fa242929
Instruction Fuzzy Hash: A2518E7190010A9FEB15DF94CC89EBEB3B8EF14314F50452EE515E7280EB789E05CB99

Function 0040BE22 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

Part of subcall function 0040B494: RtlEnterCriticalSection.NTDLL(004C8740), ref: 0040B4AA
Part of subcall function 0040B494: GetClassInfoExW.USER32(004A42A4,00000001), ref: 0040B4EB
Part of subcall function 0040B494: LoadCursorW.USER32 ref: 0040B526
Part of subcall function 0040B494: RegisterClassExW.USER32 ref: 0040B549
Part of subcall function 0040B494: _memset.LIBCMT ref: 0040B576
Part of subcall function 0040B494: GetClassInfoExW.USER32(004A4314,?), ref: 0040B593
Part of subcall function 0040B494: LoadCursorW.USER32 ref: 0040B5D4
Part of subcall function 0040B494: RegisterClassExW.USER32 ref: 0040B5F7

DialogBoxIndirectParamW.USER32(004C8708,00000000,?,VA,00000000), ref: 0040BE96
GetLastError.KERNEL32 ref: 0040BEA9
GlobalHandle.KERNEL32(00000000), ref: 0040BEB8
GlobalFree.KERNEL32(00000000), ref: 0040BEBF
GetLastError.KERNEL32 ref: 0040BEC7
SetLastError.KERNEL32(00000000), ref: 0040BEDC

Strings

VA, xrefs: 0040BE89

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Class$ErrorLast$CursorGlobalInfoLoadRegister$CriticalDialogEnterFreeHandleIndirectParamSection_memset
String ID: VA
API String ID: 2178949580-1642038470
Opcode ID: 3217834449eb634cf41ba65d3a5f2af458a9c0dc5a5f2017745f8f6368e901b3
Instruction ID: 9840f43a1941360ee5c1058c7379fce352124f045e18367f36700b91047ed208
Opcode Fuzzy Hash: 3217834449eb634cf41ba65d3a5f2af458a9c0dc5a5f2017745f8f6368e901b3
Instruction Fuzzy Hash: 80118E71505305AFE611AB35DC88F6F779CEF84325F104A3DF550A22D1DB7898018BAE

Function 00401C99 Relevance: 12.3, APIs: 8, Instructions: 280windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00401CB8
SelectObject.GDI32(00000000,00000000), ref: 00401CD1
GetSystemMetrics.USER32(0000002D), ref: 00401D74
DrawTextW.USER32(?,?,000000FF,00000000,00000400), ref: 00401DB5
DrawTextW.USER32(?,?,000000FF,00000000,00000400), ref: 00401DF5
DrawTextW.USER32(?,?,000000FF,00000000,00000400), ref: 00401E37
DrawTextW.USER32(?,?,000000FF,00000000,00000400), ref: 00401E79
GetClientRect.USER32(?,?), ref: 00401F04

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: DrawText$ClientMessageMetricsObjectRectSelectSendSystem
String ID:
API String ID: 36606085-0
Opcode ID: 885f2ee23460ca3c7abb748c6ff297923a0c929aed1baffab00a58ea0c2e3dcb
Instruction ID: 7b4a3d9cae3f6679446846cbe1aa30f7292649be873b65f001402955fe349831
Opcode Fuzzy Hash: 885f2ee23460ca3c7abb748c6ff297923a0c929aed1baffab00a58ea0c2e3dcb
Instruction Fuzzy Hash: 45C1F6B1D01209AFDB10CFE8C985ADEBBF9EF48314F10842AE915F72A1D774AA45CB54

Function 0041931E Relevance: 12.2, APIs: 8, Instructions: 183sleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004193CE
GetTempPathW.KERNEL32(00000104,?), ref: 004193E0
Sleep.KERNEL32(000000C8,00000104,00000000), ref: 00419472
_memset.LIBCMT ref: 004194A2
GetTempPathA.KERNEL32(00000104,?), ref: 004194B4
Sleep.KERNEL32(000000C8), ref: 004194D3
GetLastError.KERNEL32 ref: 0041952B
__CxxThrowException@8.LIBCMT ref: 00419550

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: PathSleepTemp_memset$ErrorException@8LastThrow
String ID:
API String ID: 1439999958-0
Opcode ID: 8a808d6885ee2bcccf189b034b0968c74ec1010f33aa2038ff8289af3b18731d
Instruction ID: a10042c87d764e87b82f5b044183807258073902f3271897d7cbbb00f76e3718
Opcode Fuzzy Hash: 8a808d6885ee2bcccf189b034b0968c74ec1010f33aa2038ff8289af3b18731d
Instruction Fuzzy Hash: 4661BFB1908341AFD710DF55C88599BBBE8FF84718F00092FF59592291D7749E88CB9B

Function 004024D4 Relevance: 12.1, APIs: 8, Instructions: 140COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004024FE
GetWindow.USER32(?,00000004), ref: 0040250A
GetWindowRect.USER32(?,?), ref: 00402518
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0040254A
GetWindowRect.USER32(00000000,?), ref: 00402565
GetParent.USER32(?), ref: 0040256F
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00402593
SetWindowPos.USER32(40000000,00000000,?,?,000000FF,000000FF,00000015), ref: 00402614

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Window$ParentRect$InfoParametersPointsSystem
String ID:
API String ID: 1942744303-0
Opcode ID: c8ca9315839b38fe14f64c8e064d650eef50a42611338bbbcaa55aa98dbb3795
Instruction ID: ddcbb1b933a011f3d8f1d7b47b3064f311f2c3575ecce8aa473777e5e0853355
Opcode Fuzzy Hash: c8ca9315839b38fe14f64c8e064d650eef50a42611338bbbcaa55aa98dbb3795
Instruction Fuzzy Hash: 1B417231A00119AFDB10DFB8DD88AAEBBB9AB48314F150535F501F32D4D674AD058B58

Function 0040B494 Relevance: 12.1, APIs: 8, Instructions: 112registryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(004C8740), ref: 0040B4AA
GetClassInfoExW.USER32(004A42A4,00000001), ref: 0040B4EB
LoadCursorW.USER32 ref: 0040B526
RegisterClassExW.USER32 ref: 0040B549
_memset.LIBCMT ref: 0040B576
GetClassInfoExW.USER32(004A4314,?), ref: 0040B593
LoadCursorW.USER32 ref: 0040B5D4
RegisterClassExW.USER32 ref: 0040B5F7

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Class$CursorInfoLoadRegister$CriticalEnterSection_memset
String ID:
API String ID: 1515370940-0
Opcode ID: 01d0908fce3a9a10e8c38f2e23fcd58a806e83938dd499cd54d27d8e76ea1cee
Instruction ID: c2741b319b3ab99108611d662b00f2aaca944efccb0cb0d64010e22bbe0aa471
Opcode Fuzzy Hash: 01d0908fce3a9a10e8c38f2e23fcd58a806e83938dd499cd54d27d8e76ea1cee
Instruction Fuzzy Hash: 13412CB580A310AFC340DF59D844A5FBBE8EB88B54F50892FF58492290D77899448F9A

Function 00410AAC Relevance: 10.8, APIs: 7, Instructions: 280stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00410E10: lstrcmpiW.KERNEL32(?,?,00410B30,?,?,004C1E84,?,00000000,00000000), ref: 00410E7A

lstrlenW.KERNEL32(?,004C1E84,?,00000000,00000000), ref: 00410B8A

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: lstrcmpilstrlen
String ID:
API String ID: 3649823140-0
Opcode ID: 1a76944f2524fd8664a064d1f94d6bbc51914eae7d75264753dddd838a3a91c0
Instruction ID: 874660f40bb97b12bd92aae88fe681e3cd47da4552cd5ef132a0fd15508d4650
Opcode Fuzzy Hash: 1a76944f2524fd8664a064d1f94d6bbc51914eae7d75264753dddd838a3a91c0
Instruction Fuzzy Hash: 08A1B571900149DBCB20EFA4DD85AEE77B8EF04314F10452BEA49D7290E7B8AAC5CB59

Function 0040197E Relevance: 10.7, APIs: 7, Instructions: 211windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000031,00000000,00000000), ref: 004019B3
SelectObject.GDI32(00000000,00000000), ref: 004019CC
GetSystemMetrics.USER32(0000002D), ref: 00401A91
GetWindowTextW.USER32(00000000,?,00000104), ref: 00401AD2
DrawTextW.USER32(?,?,000000FF,?,00000400), ref: 00401AF9
GetWindowTextW.USER32(00000000,?,00000104), ref: 00401B2F
DrawTextW.USER32(?,?,000000FF,?,00000400), ref: 00401B56

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Text$DrawWindow$MessageMetricsObjectSelectSendSystem
String ID:
API String ID: 3426369399-0
Opcode ID: b73d99dbd2c32fcbf67a9ad51413a122805548baada65bfeb4ce4dfd8fd87735
Instruction ID: 686c93203a91fd3f751c8ee63b0bee1e665ebfe6b0dc4cad534b70c83d8564d6
Opcode Fuzzy Hash: b73d99dbd2c32fcbf67a9ad51413a122805548baada65bfeb4ce4dfd8fd87735
Instruction Fuzzy Hash: B1811EB1901129AFDB11EFA4DD8DEDDB7B8EF08304F0045FAA109A2191EB756E94CF58

Function 0040359A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 156stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 004035A4
CharNextW.USER32 ref: 004035F1
CharNextW.USER32 ref: 0040363C
lstrlenW.KERNEL32(?), ref: 0040364D

Strings

\, xrefs: 004035D0

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CharNextlstrlen
String ID: \
API String ID: 2279410217-2967466578
Opcode ID: 6ef370e53a1594b386a492182b18380e8a96b6047c10da5bb3472928e86111ba
Instruction ID: 905179f8acba5fbfab78a04d309a7c3534609fc0cb58fba56d98443669b7831f
Opcode Fuzzy Hash: 6ef370e53a1594b386a492182b18380e8a96b6047c10da5bb3472928e86111ba
Instruction Fuzzy Hash: 6C41F7B0900115BADB206FA58C859BF7BBCEB11745B90083FE841B7381E37D4B419769

Function 0040D5E9 Relevance: 10.6, APIs: 7, Instructions: 127windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0040D608
GetDlgItem.USER32(?,0000040C), ref: 0040D662
SetFocus.USER32(00000000), ref: 0040D669
IsDlgButtonChecked.USER32(?,00000412), ref: 0040D67F
GetWindowTextA.USER32(00000000,?,00000106), ref: 0040D6E2

Part of subcall function 0040C7DE: __EH_prolog3_catch.LIBCMT ref: 0040C7E5

_strlen.LIBCMT ref: 0040D73C
EndDialog.USER32(?,00000002), ref: 0040D76F

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3_catch$ButtonCheckedDialogFocusItemTextWindow_strlen
String ID:
API String ID: 3754905632-0
Opcode ID: 6e58e1f97af74c08203e785dcbd6c0079c21f42399cc9d736db82d69dbcbe209
Instruction ID: e4f5632a6b2954952dcd2a285b083b04a8e5511aab076f690a3eab58ad6b02ca
Opcode Fuzzy Hash: 6e58e1f97af74c08203e785dcbd6c0079c21f42399cc9d736db82d69dbcbe209
Instruction Fuzzy Hash: B641E5B0901204EFDB24AF64DC06BAE7BB5EB04704F10483FF64AAA2D1D77A5944CB59

Function 0047E5E5 Relevance: 10.6, APIs: 7, Instructions: 124COMMON

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 0047E5FC

Part of subcall function 0047554E: __FF_MSGBANNER.LIBCMT ref: 0047556A

__lock.LIBCMT ref: 0047E610
__lock.LIBCMT ref: 0047E659
___crtInitCritSecAndSpinCount.LIBCMT ref: 0047E674
RtlEnterCriticalSection.NTDLL(00000115), ref: 0047E69A
RtlLeaveCriticalSection.NTDLL(00000115), ref: 0047E6A7

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CriticalSection__lock$CountCritEnterInitLeaveSpin___crt__mtinitlocknum
String ID:
API String ID: 2236623020-0
Opcode ID: be951a22827a56b269a246950802b1a1e6cde46d0d8213b22f99529a7a8e649e
Instruction ID: f0731ecfe263e5ef36ce55c583c9046757c92abd98a7a7e1fad3054aae77e8be
Opcode Fuzzy Hash: be951a22827a56b269a246950802b1a1e6cde46d0d8213b22f99529a7a8e649e
Instruction Fuzzy Hash: 3441F6309007058ADB249F6AC8457EE77B5AF29328F64C39FE0299B2D1CB7C99418B5D

Function 0040FDFD Relevance: 10.6, APIs: 7, Instructions: 124libraryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0040FE1C
LoadLibraryExW.KERNEL32(?,00000000,00000002), ref: 0040FE53
FindResourceW.KERNEL32(00000000,?,?,?,00000000,00000002), ref: 0040FE71
FreeLibrary.KERNEL32(?,?,?,?,00000000,00000002), ref: 0040FF5F

Part of subcall function 0040BB9F: GetLastError.KERNEL32(00407077), ref: 0040BB9F

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Library$ErrorFindFreeH_prolog3_catchLastLoadResource
String ID:
API String ID: 1376058422-0
Opcode ID: e3106c134bd6e30c34021087c98d903b78e634e123e22e0603928d7f878cf484
Instruction ID: 334b670e31df6f0e70b485a0a82ce42061a73c2fa3d94837eff320d729fdec90
Opcode Fuzzy Hash: e3106c134bd6e30c34021087c98d903b78e634e123e22e0603928d7f878cf484
Instruction Fuzzy Hash: 06418D71900249EBCB20EF64C9449EEBBB9FB48714F10843BF505E72A1D7789E49CB99

Function 004031D8 Relevance: 10.6, APIs: 7, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 00403203

Part of subcall function 0043E620: _malloc.LIBCMT ref: 0043E6CF
Part of subcall function 0043E620: __swprintf.LIBCMT ref: 0043E6FC
Part of subcall function 0043E620: _malloc.LIBCMT ref: 0043E732

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00403220
GetDlgItem.USER32(?,00000413), ref: 0040322D

Part of subcall function 0040E8E3: LoadImageW.USER32(00000080,00000001,00000000,?,?,?,0040323C), ref: 0040E90C
Part of subcall function 0040E8E3: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 0040E914
Part of subcall function 0040E8E3: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0040E937

DestroyCursor.USER32(?), ref: 00403280
DestroyCursor.USER32(00000000), ref: 004032AA
SendMessageW.USER32(?,00001109,00000000,?), ref: 004032BE
GetParent.USER32(?), ref: 004032C6

Part of subcall function 004024D4: GetParent.USER32(?), ref: 004024FE
Part of subcall function 004024D4: GetWindowRect.USER32(?,?), ref: 00402518
Part of subcall function 004024D4: SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0040254A
Part of subcall function 004024D4: SetWindowPos.USER32(40000000,00000000,?,?,000000FF,000000FF,00000015), ref: 00402614

Part of subcall function 004069C6: SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 00406A44
Part of subcall function 004069C6: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00406A58
Part of subcall function 004069C6: GetDlgItem.USER32(?,0000E801), ref: 00406A6A
Part of subcall function 004069C6: IsWindow.USER32(00000000), ref: 00406A74
Part of subcall function 004069C6: GetClientRect.USER32(?,?), ref: 00406ACD

Part of subcall function 004032EA: __EH_prolog3.LIBCMT ref: 004032F1
Part of subcall function 004032EA: GetDlgItem.USER32(?,00000413), ref: 00403394
Part of subcall function 004032EA: SendMessageW.USER32(00000000,00001101,00000000,FFFF0000), ref: 004033A6

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: MessageSend$ItemWindow$CursorDestroyParentRectText_malloc$ClientH_prolog3ImageInfoLoadParametersSystem__swprintf
String ID:
API String ID: 2090155264-0
Opcode ID: f9a8183f31455d70666a6ccb25ec908374510adefc6630db41f96a932b4ceaa2
Instruction ID: fba445c204d38a42e3cb3af36b91eb05bbe74eacbbbad9f62a21b1ed31f6445c
Opcode Fuzzy Hash: f9a8183f31455d70666a6ccb25ec908374510adefc6630db41f96a932b4ceaa2
Instruction Fuzzy Hash: 1F21A071641300BBEB212F65EC4BF5E3B79EB49B15F00093DF355A90F2DAB268109B18

Function 00412595 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 76registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,80000000,?, >u), ref: 004125CF
RegOpenKeyExW.ADVAPI32(?,?,00000000,00010008,?), ref: 004125E5
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00412608
RegDeleteKeyW.ADVAPI32(?,?), ref: 00412636
RegCloseKey.ADVAPI32(?), ref: 00412641

Strings

>u, xrefs: 004125B0, 00412641

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CloseDeleteEnumOpenlstrlen
String ID: >u
API String ID: 160701936-4124531162
Opcode ID: 836ff7478878600e23e2d2bb11e81635d2ac434998d07edbf4e6f903592c658b
Instruction ID: f808c3369eb5063c7d2e9eeaa03fb713166c292ff102550507cd4e8c83cf1201
Opcode Fuzzy Hash: 836ff7478878600e23e2d2bb11e81635d2ac434998d07edbf4e6f903592c658b
Instruction Fuzzy Hash: 8E2190329001589FEB309F65DD84DEEBBB8EB89300F10012EE855E3251DA744D458B64

Function 004766E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(0049DB1C,004AD668,0000000C,004767F1,00000000,00000000,?,00000000,00474D55,004734BB,00000001,004764FE,?,00000000), ref: 004766F1
InterlockedIncrement.KERNEL32(004C2548), ref: 00476757
__lock.LIBCMT ref: 0047675F
___addlocaleref.LIBCMT ref: 0047677E

Strings

H%L, xrefs: 0047674E
x*L, xrefs: 00476773

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: HandleIncrementInterlockedModule___addlocaleref__lock
String ID: H%L$x*L
API String ID: 2801583907-1163462079
Opcode ID: 9a422cd0c7cb9052f2a059e449ccdd3a64512767ec3cd155349bd4de413b34c9
Instruction ID: 1e9727ec866cde342c27babbe2234c29fd87bda87f883ee6d7a9ea6281a3c883
Opcode Fuzzy Hash: 9a422cd0c7cb9052f2a059e449ccdd3a64512767ec3cd155349bd4de413b34c9
Instruction Fuzzy Hash: 76114270900B059FD7209F76C845B9ABBE0AF04314F50892EE899D7291D7B8E901CF1D

Function 00407CA2 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 27COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00407CA9

Part of subcall function 00407FBF: GetSysColor.USER32(00000008), ref: 0040802A

Strings

lEJ, xrefs: 00407CF3
dDJ, xrefs: 00407CD0
PEJ, xrefs: 00407CEC
4DJ, xrefs: 00407CC9
4EJ, xrefs: 00407CE5

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ColorH_prolog3
String ID: 4DJ$4EJ$PEJ$dDJ$lEJ
API String ID: 647181964-3196544244
Opcode ID: 97a05e25a9f4e941d0f4adb325448bf3e95f3f52d74258277fc979c04f1c2707
Instruction ID: 48000464bb64bf3f1338033b2e24ee77df612b4d230ae96bda49c0d97c00ac9c
Opcode Fuzzy Hash: 97a05e25a9f4e941d0f4adb325448bf3e95f3f52d74258277fc979c04f1c2707
Instruction Fuzzy Hash: 6F01AEB0411B409FC760DF55C54824ABBE0BBEA718BA0C91ED29A0BA41C7F9E408CF89

Function 00418697 Relevance: 9.2, APIs: 6, Instructions: 238COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00000104,?,?,?,00000000,004C1E84), ref: 00418827

Part of subcall function 00417EBE: __EH_prolog3.LIBCMT ref: 00417EC5

GetFullPathNameW.KERNEL32(?,00000001,?,?,00000000), ref: 0041886D
GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 004188BC
GetFullPathNameA.KERNEL32(?,00000001,?,?), ref: 0041890B
GetLastError.KERNEL32 ref: 00418940
__CxxThrowException@8.LIBCMT ref: 00418965

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: FullNamePath$ErrorException@8H_prolog3LastThrow
String ID:
API String ID: 1840748137-0
Opcode ID: 6cace96fbc35fe8647347ff7a678127190821239a48a6c6aab444bc8753e5c81
Instruction ID: d5b430a2f49182e89e43d810ed16e0f672decd8abbfb175b9c5e984bc8ed27b1
Opcode Fuzzy Hash: 6cace96fbc35fe8647347ff7a678127190821239a48a6c6aab444bc8753e5c81
Instruction Fuzzy Hash: 2A917CB1508340AFC711EF55C881EAFBBE8EF88718F40091EF58993251DB789A85CB5B

Function 0041F82B Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 460COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0041F835

Part of subcall function 00413461: __EH_prolog3_catch.LIBCMT ref: 00413468

_sprintf.LIBCMT ref: 0041F8AC
_sprintf.LIBCMT ref: 0041F8BE

Strings

c, xrefs: 0041F9C8

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: _sprintf$H_prolog3_H_prolog3_catch
String ID: c
API String ID: 1286158073-112844655
Opcode ID: 846d7d9eb0b6557fd5ddf940c8a357a7efbdb32cbaabf05e96a3e14187676adc
Instruction ID: 2ae840c9afd43059bc8dec764e726a722c457161aac441be8424b0dac88a16b1
Opcode Fuzzy Hash: 846d7d9eb0b6557fd5ddf940c8a357a7efbdb32cbaabf05e96a3e14187676adc
Instruction Fuzzy Hash: 07128370A00248DFCF10EFE4C584AEDBBB6BF05308F54806EE546AB255D7785E8ACB59

Function 004054D6 Relevance: 9.2, APIs: 6, Instructions: 199windowCOMMON

Download Yara Rule

APIs

EnableWindow.USER32(00000000,00000001), ref: 004054FB
EnableWindow.USER32(00000000,00000001), ref: 0040565A

Part of subcall function 00411811: __EH_prolog3.LIBCMT ref: 00411830

SetDlgItemTextW.USER32(?,000003E9,?), ref: 00405681
PostMessageW.USER32(?,00000111,000003EA,00000000), ref: 00405696
SetFocus.USER32(00000000), ref: 004056A4
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 004056D0

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: EnableItemTextWindow$FocusH_prolog3MessagePost
String ID:
API String ID: 3655392979-0
Opcode ID: 4ebb0ff1432de3b3685ec2109b4f4a9658e2afadca82573336cd2dc11c8018fc
Instruction ID: 3afb20b26c218187ded281ee60cd3f67e4c33204fbe39fa483316569d3424203
Opcode Fuzzy Hash: 4ebb0ff1432de3b3685ec2109b4f4a9658e2afadca82573336cd2dc11c8018fc
Instruction Fuzzy Hash: BD515CB058074C7BE9223772DD4BE1F7E5DDF81B89F028824B255654F0CBB6ED109A28

Function 00411811 Relevance: 9.2, APIs: 6, Instructions: 150COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00411830
SHGetMalloc.SHELL32(?), ref: 0041185F

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3Malloc
String ID:
API String ID: 138677435-0
Opcode ID: 6309dcc795e9841a6e919f3215c80a7ec857788630c7c5ae183f0f706aa2f895
Instruction ID: 21a8cb39ded925691f2b7eae5e9973e9a3b641d8fc64b64478ef1fac0ca500f4
Opcode Fuzzy Hash: 6309dcc795e9841a6e919f3215c80a7ec857788630c7c5ae183f0f706aa2f895
Instruction Fuzzy Hash: CE515D71E0024ADFCB14EFA4C8949AEB7B5FF08314F24492EE616E7290D778AE45CB54

Function 004100FA Relevance: 9.1, APIs: 6, Instructions: 133stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00410101
lstrlenW.KERNEL32(?,00000060,0040FFFD,00000000,00000000,?,?,0040FF5A,?,?,00000000,?,?,?,00000000,00000002), ref: 00410121
CharNextW.USER32(00000000,?,00000060,0040FFFD,00000000,00000000,?,?,0040FF5A,?,?,00000000,?,?,?,00000000), ref: 0041018B
CharNextW.USER32(?,00000000,?,00000060,0040FFFD,00000000,00000000,?,?,0040FF5A,?,?,00000000,?,?), ref: 004101AF
lstrlenW.KERNEL32(00000000,?,?,?,00000000,00000002), ref: 0041022C
CharNextW.USER32(?,00000000,?,?,?,00000000,00000002), ref: 00410252

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CharNext$lstrlen$H_prolog3_
String ID:
API String ID: 1069818642-0
Opcode ID: 6c01e1b9253c58b832eeb862fb30e04a91b35388742aa7b57ffa6092e9c49630
Instruction ID: 647183be00b101d6b666e80fa8bc49ef3e2289c562b985678fc4af141010fa62
Opcode Fuzzy Hash: 6c01e1b9253c58b832eeb862fb30e04a91b35388742aa7b57ffa6092e9c49630
Instruction Fuzzy Hash: D5416C71D01219EBDB21AFA4CC4879E7BB4AF04714F20856BE805EB294D7BD8CC58B5D

Function 0040D4BC Relevance: 9.1, APIs: 6, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 0040D4E5

Part of subcall function 0043E620: _malloc.LIBCMT ref: 0043E6CF
Part of subcall function 0043E620: __swprintf.LIBCMT ref: 0043E6FC
Part of subcall function 0043E620: _malloc.LIBCMT ref: 0043E732

GetDlgItem.USER32(?,0000040C), ref: 0040D587
SendMessageW.USER32(00000000,000000C5,00000105,00000000), ref: 0040D59A
GetParent.USER32(?), ref: 0040D5B4

Part of subcall function 004024D4: GetParent.USER32(?), ref: 004024FE
Part of subcall function 004024D4: GetWindowRect.USER32(?,?), ref: 00402518
Part of subcall function 004024D4: SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0040254A
Part of subcall function 004024D4: SetWindowPos.USER32(40000000,00000000,?,?,000000FF,000000FF,00000015), ref: 00402614

Part of subcall function 0040EEF2: SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 0040EF70
Part of subcall function 0040EEF2: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0040EF84
Part of subcall function 0040EEF2: GetDlgItem.USER32(?,0000E801), ref: 0040EF96
Part of subcall function 0040EEF2: IsWindow.USER32(00000000), ref: 0040EFA0
Part of subcall function 0040EEF2: GetClientRect.USER32(?,?), ref: 0040EFF9

GetDlgItem.USER32(?,0000040C), ref: 0040D5CF
SetFocus.USER32(00000000), ref: 0040D5D6

Part of subcall function 0040E8E3: LoadImageW.USER32(00000080,00000001,00000000,?,?,?,0040323C), ref: 0040E90C
Part of subcall function 0040E8E3: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 0040E914
Part of subcall function 0040E8E3: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0040E937

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: MessageSend$Window$Item$ParentRect_malloc$ClientFocusImageInfoLoadParametersSystemText__swprintf
String ID:
API String ID: 3980130718-0
Opcode ID: 132cae373669715f15d5c8d738359de52b03f3566e283ecc7dafe9538f1a2ede
Instruction ID: 68e650414d397323596333c2c178e122ee48f5a6351adbb8d5ae4ebe9dae7e69
Opcode Fuzzy Hash: 132cae373669715f15d5c8d738359de52b03f3566e283ecc7dafe9538f1a2ede
Instruction Fuzzy Hash: 2F2130B1A41214BBEB113B65EC4BF1B3F29EB05714F004536B704780F3DAB628249B89

Function 00409EE2 Relevance: 9.1, APIs: 6, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3bbe792d6f44cbb7c02dee2f180b0b479fd9048a9291aca34b75e7617e0280c
Instruction ID: 7ce99e08f9a5d6ba82cc501f0fc9c95f57aaaed071c58271a4e31e9025138942
Opcode Fuzzy Hash: a3bbe792d6f44cbb7c02dee2f180b0b479fd9048a9291aca34b75e7617e0280c
Instruction Fuzzy Hash: A5213B71A0424BAFDB11DF68DD48B6E7BA8BF04344F14083AE946E22E2D7799C508B58

Function 00408573 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 00408597
GetClientRect.USER32(?,?), ref: 004085AF
CreateSolidBrush.GDI32(?), ref: 004085BB
FillRect.USER32(?,?,00000000), ref: 004085CF
DeleteObject.GDI32(?), ref: 004085D6
EndPaint.USER32(?,?), ref: 004085E3
BeginPaint.USER32(?,?), ref: 00408605
GetClientRect.USER32(?,?), ref: 0040861F
SelectObject.GDI32(00000000,?), ref: 00408652
CreateSolidBrush.GDI32(?), ref: 00408665
FillRect.USER32(00000000,?,00000000), ref: 00408678
DeleteObject.GDI32(?), ref: 00408681
SelectObject.GDI32(00000000,?), ref: 004086BF
DeleteDC.GDI32(00000000), ref: 004086C6

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ObjectRect$DeletePaint$BeginBrushClientCreateFillSelectSolid
String ID:
API String ID: 216606842-0
Opcode ID: 929a8ec678a41cd8a24d19c213e62a7de725452e97d9ad32991541218255a463
Instruction ID: c6711224098611453d39135df24e22262671ffd01ae83f63c64d7b350495ef8c
Opcode Fuzzy Hash: 929a8ec678a41cd8a24d19c213e62a7de725452e97d9ad32991541218255a463
Instruction Fuzzy Hash: E0112971901208EFCB119FA4DD89CAFBBB9FB49305B10483EE547E65A1DB719805CB28

Function 0040C203 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138registryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(004C8740), ref: 0040C263

Part of subcall function 0040AA73: RtlLeaveCriticalSection.NTDLL(00000066), ref: 0040AA7E

LoadCursorW.USER32(?,?), ref: 0040C317
GetClassInfoExW.USER32(?,00000000,?), ref: 0040C361
RegisterClassExW.USER32(?), ref: 0040C371

Strings

0, xrefs: 0040C29E

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ClassCriticalSection$CursorEnterInfoLeaveLoadRegister
String ID: 0
API String ID: 2383212399-4108050209
Opcode ID: c8c2664dad3f88e85d3a00fa94e388bd2367190c4c3e051bce509fa59ee01aa4
Instruction ID: a9e4f14c1c1aa49688c2b4b0195fb56dfc87877696b5cdf38115f9497be56f07
Opcode Fuzzy Hash: c8c2664dad3f88e85d3a00fa94e388bd2367190c4c3e051bce509fa59ee01aa4
Instruction Fuzzy Hash: 5C516875915300DBCB54DF64C8C0A6ABBE4FB48B10F10866EFD459B291EB34EC44CBAA

Function 0040CBA1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040CBA8
CreatePopupMenu.USER32 ref: 0040CBDE
TrackPopupMenu.USER32(?,00000102,000000FB,?,00000000,000000FB,00000000), ref: 0040CC16
DestroyMenu.USER32(?), ref: 0040CC56

Strings

$, xrefs: 0040CC31

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Menu$Popup$CreateDestroyH_prolog3Track
String ID: $
API String ID: 2421160092-3993045852
Opcode ID: 3a97377fe910f50c5ff05663caa7aceab3419564134aa39b1c860442209bbba9
Instruction ID: aeb14ba48ff06a30253bb47ac3cd2a4db17db9dda034c5750002d53e9380bf95
Opcode Fuzzy Hash: 3a97377fe910f50c5ff05663caa7aceab3419564134aa39b1c860442209bbba9
Instruction Fuzzy Hash: 7831E770901219EFDF10DF95C8889AEBBB9FF89B10B10851AF519EB290C7758A41DFA4

Function 00478EDA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00476816: __amsg_exit.LIBCMT ref: 00476824

__amsg_exit.LIBCMT ref: 00478F06
__lock.LIBCMT ref: 00478F16
InterlockedDecrement.KERNEL32(?), ref: 00478F33
InterlockedIncrement.KERNEL32(004C2970), ref: 00478F5E

Strings

H%L, xrefs: 00478F3D

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__lock
String ID: H%L
API String ID: 4129207761-374462518
Opcode ID: 51925dd63e8a7f616d899ba07040354b15dd2898642096341d48935f38abc5df
Instruction ID: 9366ed5bd4eef3bd10d2e0458bc3bc2a64b8d4add10168dac2f8a49c094d8805
Opcode Fuzzy Hash: 51925dd63e8a7f616d899ba07040354b15dd2898642096341d48935f38abc5df
Instruction Fuzzy Hash: 6601A131E41B10ABC760BF658809BDE7762AB04B21F01811FE80CA7281CFBC6942CBDD

Function 00471852 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

___addlocaleref.LIBCMT ref: 00471864
___removelocaleref.LIBCMT ref: 0047186F
___freetlocinfo.LIBCMT ref: 00471883

Part of subcall function 00471600: ___free_lconv_mon.LIBCMT ref: 00471643
Part of subcall function 00471600: ___free_lconv_num.LIBCMT ref: 00471664
Part of subcall function 00471600: ___free_lc_time.LIBCMT ref: 004716E9

Strings

x*L, xrefs: 0047187A
x*L, xrefs: 00471861

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
String ID: x*L$x*L
API String ID: 4212647719-476844600
Opcode ID: 979c59f73acd43532b963028e56f35fade1da0dad4e7e895a6b89fb27a73f15f
Instruction ID: c125c352a562c86d4336b6be23a076a9a2df391d41ea13cbcb74382bf031f224
Opcode Fuzzy Hash: 979c59f73acd43532b963028e56f35fade1da0dad4e7e895a6b89fb27a73f15f
Instruction Fuzzy Hash: 48E04F36921520058B3D391D6440AEB929C4FC17D6B2B866FF81CA7370DB6C9C4042DF

Function 0041449B Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004144A2

Strings

,NJ, xrefs: 004144B1
$OJ, xrefs: 004144DB
`RJ, xrefs: 004144E2
<NJ, xrefs: 004144AA

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3
String ID: $OJ$,NJ$<NJ$`RJ
API String ID: 431132790-1426473954
Opcode ID: c5f3e81c65837bb060c1064fd913bb1c044bc9afebc6c1c3aa892870d8b28c61
Instruction ID: 4a23bbae2aae1b451a93a596b199f30ccbf741f8128be5f2371994872c43803b
Opcode Fuzzy Hash: c5f3e81c65837bb060c1064fd913bb1c044bc9afebc6c1c3aa892870d8b28c61
Instruction Fuzzy Hash: B801D6B0501B80CEC760DF69C14424BBBE0BBA6718B50D85ED1EA8BE41D3B9A548CB59

Function 00473836 Relevance: 7.7, APIs: 5, Instructions: 188COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00473896
_memcpy_s.LIBCMT ref: 00473909
__filbuf.LIBCMT ref: 00473994
_memset.LIBCMT ref: 004739DA
_memset.LIBCMT ref: 00473A05

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: _memset$__filbuf_memcpy_s
String ID:
API String ID: 2885843685-0
Opcode ID: 332679774952cc2b2840c2b63c4b968fdb0d406d7013722e504c3fa6425a820e
Instruction ID: b56701194ac086c645d56ab8be7003cfa8c54b8d74b9d26d0ceed2bd0061e70e
Opcode Fuzzy Hash: 332679774952cc2b2840c2b63c4b968fdb0d406d7013722e504c3fa6425a820e
Instruction Fuzzy Hash: FB5117B1900205EBCB209FAA88445DFBBB5EF41325F10C61BF46D622D0E7789F41EB5A

Function 0047ED8C Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

__flsbuf.LIBCMT ref: 0047EE5A
__flsbuf.LIBCMT ref: 0047EE87
_wctomb_s.LIBCMT ref: 0047EEEA
__flsbuf.LIBCMT ref: 0047EF1F
__flswbuf.LIBCMT ref: 0047EF54

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: __flsbuf$__flswbuf_wctomb_s
String ID:
API String ID: 3257920507-0
Opcode ID: 18542aaea77e8ec99a2b41c231f5293b5ab5b848949b69ad69a5f5dc75aae5ff
Instruction ID: 79472097b3daf3dc509ec7925b24e73f84473b3f48018e101c2488e35481c2f3
Opcode Fuzzy Hash: 18542aaea77e8ec99a2b41c231f5293b5ab5b848949b69ad69a5f5dc75aae5ff
Instruction Fuzzy Hash: D7510731114515EEC7359B3AD842AEA3BA4DE1A3243248B9FF0ADC72D1EB2CD905C79D

Function 0040A87F Relevance: 7.7, APIs: 5, Instructions: 162COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040A89E
RtlEnterCriticalSection.NTDLL(004C8784), ref: 0040A8CB
GetModuleFileNameW.KERNEL32(004C4426,00000104), ref: 0040A928
LoadTypeLib.OLEAUT32(?,?), ref: 0040A94C
LoadRegTypeLib.OLEAUT32(004C4420,004C4424,004C4426,?,?), ref: 0040A961

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: LoadType$CriticalEnterFileH_prolog3ModuleNameSection
String ID:
API String ID: 3289395776-0
Opcode ID: e0893c89a82e94f588334a775c9c2e606fb0cf09a7f5d8aa40d63130ecc39e27
Instruction ID: 8136287b3794e7bd71a94dbec156d4d84a8d4cb1b3e056579054f2f1adafff73
Opcode Fuzzy Hash: e0893c89a82e94f588334a775c9c2e606fb0cf09a7f5d8aa40d63130ecc39e27
Instruction Fuzzy Hash: 6851AFB1A003499FCB10DFA8DD84AAE77B5EB88304F24443EE502E7291D7389D55CB6A

Function 00440A60 Relevance: 7.6, APIs: 5, Instructions: 116COMMON

Download Yara Rule

APIs

GetNumberFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000028), ref: 00440AE5
__CxxThrowException@8.LIBCMT ref: 00440B05

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8FormatNumberThrow
String ID:
API String ID: 2847879890-0
Opcode ID: c1fa97963ba0795aace6b9711f6caa9883a81f8136265a22b952e7d012cd3e68
Instruction ID: cafa7f60ba1b07d56b0bbf19d394c44ff336b1125650d3745989df954fb31113
Opcode Fuzzy Hash: c1fa97963ba0795aace6b9711f6caa9883a81f8136265a22b952e7d012cd3e68
Instruction Fuzzy Hash: 5E31BF706043406AF724EB618C42FBFB3A9AF90714F54491EF655961C1EBB8A908C76A

Function 00413D71 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 00413DCD
_wcsncpy.LIBCMT ref: 00413DF2
_wcsncpy.LIBCMT ref: 00413E29
__CxxThrowException@8.LIBCMT ref: 00413E4F

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: _wcsncpy$Exception@8Throw
String ID:
API String ID: 1648291542-0
Opcode ID: 6b3d8ca8c68c819bd32475d6184865d82369eda5f8d853b76b1c0a6ab655bcdf
Instruction ID: 55a0bad7bc6786bb0ffe3d2f7993a9632895052c1209a12d338020f062ae18df
Opcode Fuzzy Hash: 6b3d8ca8c68c819bd32475d6184865d82369eda5f8d853b76b1c0a6ab655bcdf
Instruction Fuzzy Hash: 0421B432900208BBCF20AFA5C841CDE77BDEF44315B10842AFD4997111E739AF81CBA8

Function 004539E0 Relevance: 7.6, APIs: 5, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 004539FA
GetProcessWindowStation.USER32(?,00453B61), ref: 00453A00
GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00453B61), ref: 00453A1B
GetLastError.KERNEL32(?,00453B61), ref: 00453A25
GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00453B61), ref: 00453A56

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: InformationObjectUserWindow$DesktopErrorLastProcessStation
String ID:
API String ID: 1078967293-0
Opcode ID: 8543481c051dd35678ffaf6717fd4153e2d20fce5f493edd77a1a99f3cdb0ff4
Instruction ID: c7a9732a0852c0b3ef0a2679792b0b3204aeeefaa9ff1b23790ea0e76a89222a
Opcode Fuzzy Hash: 8543481c051dd35678ffaf6717fd4153e2d20fce5f493edd77a1a99f3cdb0ff4
Instruction Fuzzy Hash: 36210732A00509ABDB10DFA9DC46BAEB7B8EF40716F50012AFD09E71D2DB74AE048759

Function 00418280 Relevance: 7.6, APIs: 5, Instructions: 75fileCOMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 004182CB

Part of subcall function 00472749: RaiseException.KERNEL32(?,?,004ADB04,00000065,?,?,004132CD,?,004ADB04,00000065,00000000,?,?,?,0041361B,?), ref: 00472789

SetFileAttributesW.KERNEL32(00000000,00000000,?,?,004C1E84), ref: 004182F3
DeleteFileW.KERNEL32(?,?,?,004C1E84), ref: 004182FD

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

SetFileAttributesA.KERNEL32(?,00000000), ref: 0041832F
DeleteFileA.KERNEL32(?), ref: 00418339

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: File$AttributesDelete$ExceptionException@8H_prolog3_catchRaiseThrow
String ID:
API String ID: 239994385-0
Opcode ID: 1207d5d66e18bb98f29070d9dd5feb716c1c72401d3db9d5be83f8425b499743
Instruction ID: 1605004fd649a5301e4786177d959da0f90d1aaf5f22e3bf634dff4cdcaad484
Opcode Fuzzy Hash: 1207d5d66e18bb98f29070d9dd5feb716c1c72401d3db9d5be83f8425b499743
Instruction Fuzzy Hash: ED21D1725083459FC700DF25DC81A8FBBE8FF94754F004A2EF495921B0DB399948CB9A

Function 004831CD Relevance: 7.6, APIs: 5, Instructions: 70memorylibraryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,00000000,0048329E,00402304,0040242D,?,004022E3,?,?,004017F3), ref: 004831D0
LoadLibraryA.KERNEL32(004A0EF8,?,00402304), ref: 004831EA
RtlAllocateHeap.NTDLL(00000000), ref: 00483246
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 0048325A
HeapFree.KERNEL32(00000000), ref: 00483269

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Heap$AllocateCompareExchangeFeatureFreeInterlockedLibraryLoadPresentProcessor
String ID:
API String ID: 354369530-0
Opcode ID: 1420f4dcaf2e8086d469e2375173fe20180e8696df490954f6ee8001b8263c74
Instruction ID: e2d00a6ed990fa81d5e3b824908c432cd3b774069f7d371b6789a2cbc6d53789
Opcode Fuzzy Hash: 1420f4dcaf2e8086d469e2375173fe20180e8696df490954f6ee8001b8263c74
Instruction Fuzzy Hash: 33119672A02259AFC650AFB5AC48E2F7768FB45B52B1148BEE416C3250DB35D800CB5C

Function 00408878 Relevance: 7.6, APIs: 5, Instructions: 60windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040887F
GetFocus.USER32 ref: 004088ED
IsChild.USER32(?,00000000), ref: 004088F7
GetWindow.USER32(?,00000005), ref: 00408906
SetFocus.USER32(00000000), ref: 0040890D

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Focus$ChildH_prolog3Window
String ID:
API String ID: 3907702801-0
Opcode ID: 1fd88288ccc867b00189ebb92ac83d81cb5004854d053f1453239cff226f87a0
Instruction ID: 084fa251b8f3d6ece27a3bda28c1bf534a3ce952c5fe438fe950279aa7dc16b7
Opcode Fuzzy Hash: 1fd88288ccc867b00189ebb92ac83d81cb5004854d053f1453239cff226f87a0
Instruction Fuzzy Hash: 5F219070900704AFCB24AF64CD49E6FBBB5BF45B04F10892DF5A6972E1CB34A900CB14

Function 0046E18D Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0046E1AB

Part of subcall function 00475611: __mtinitlocknum.LIBCMT ref: 00475625
Part of subcall function 00475611: __amsg_exit.LIBCMT ref: 00475631
Part of subcall function 00475611: RtlEnterCriticalSection.NTDLL(?), ref: 00475639

___sbh_find_block.LIBCMT ref: 0046E1B6
___sbh_free_block.LIBCMT ref: 0046E1C5
HeapFree.KERNEL32(00000000,?,004AD298,0000000C,004755F2,00000000,004AD628,0000000C,0047562A,?,?,?,0046EA34,00000004,004AD2D8,0000000C), ref: 0046E1F5
GetLastError.KERNEL32(?,0046EA34,00000004,004AD2D8,0000000C,00476D03,?,?,00000000,00000000,00000000,004767C8,00000001,00000214,?,00000000), ref: 0046E206

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 6295375addfb81661c60097f9127dee52a17b0b2d213b31b6f98caef2632c43a
Instruction ID: aec01e89df9d97a7da8feaaab120638bcd8b1cd08d9b8c05b570a0e9e0c143dc
Opcode Fuzzy Hash: 6295375addfb81661c60097f9127dee52a17b0b2d213b31b6f98caef2632c43a
Instruction Fuzzy Hash: 2A01A735C41305AADB207BB39C06BDF7BA4AF01729F10415FF508AA191EF7D89419A9E

Function 0040D918 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0040D923
SetLastError.KERNEL32(0000000E,00000000,?,000000FF,?,00000000,00000000,?,?,0000005C), ref: 0040DA9A

Strings

VA, xrefs: 0040DAAE

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ErrorH_prolog3_catchLast
String ID: VA
API String ID: 3263087082-1642038470
Opcode ID: 49ce29932d576e9fa1033b9193b3281163f3e93ec50be934a62b9d2de3267b4f
Instruction ID: 342f7239788af2aed94830051151916fb5642c3ad324d89cafbfd0e39198f1f8
Opcode Fuzzy Hash: 49ce29932d576e9fa1033b9193b3281163f3e93ec50be934a62b9d2de3267b4f
Instruction Fuzzy Hash: 0251AD71904288DBCF14EFA9C982BDD7BA0BF04314F10422EF915A72D1D7B99A48CB59

Function 0043288C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00432893
__CxxThrowException@8.LIBCMT ref: 004328ED
_memset.LIBCMT ref: 0043299B

Strings

$sJ, xrefs: 00432943

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8H_prolog3_Throw_memset
String ID: $sJ
API String ID: 1687654391-1377744277
Opcode ID: 8c772706ca49529efaf618128299ea980776c85c8a18ea311e3f72059286609c
Instruction ID: ade055a668180c9aa55e7cac48f3fa5530e5cb699a794a5590b423f29fc9fdd6
Opcode Fuzzy Hash: 8c772706ca49529efaf618128299ea980776c85c8a18ea311e3f72059286609c
Instruction Fuzzy Hash: 70518EB0A00209EFDB24EF99C98099EB7F4BF0C314F50462EF555A7280C778AD45CBA9

Function 004572B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004572CB
_memset.LIBCMT ref: 004572EF

Strings

VUUU, xrefs: 00457302

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: _memset
String ID: VUUU
API String ID: 2102423945-2040033107
Opcode ID: 013968bf22de99eb1b4cac1b54b7fe305d405f08eaf88a3e2599a3076b80ba30
Instruction ID: 4379af66f3d4e0263e8c62554abae1483e2c376b94b48db76877a3901187584d
Opcode Fuzzy Hash: 013968bf22de99eb1b4cac1b54b7fe305d405f08eaf88a3e2599a3076b80ba30
Instruction Fuzzy Hash: 5C21F7B6740210A7DB105A2EAC82B16B7999BC0715F188077FE08DF786F665980891A9

Function 00411CDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00411CE6
SendMessageW.USER32(?,?,?,?), ref: 00411D77
SendMessageW.USER32(?,00001115,00000000,?), ref: 00411D9E

Strings

P, xrefs: 00411D6D

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: MessageSend$H_prolog3
String ID: P
API String ID: 1885053084-3110715001
Opcode ID: e0aa8337514313086312fa08b9bd708b2517b97b590f4e5bbd28bee0ab426d95
Instruction ID: 5f6ecf15f3d87088fafef70db28925b435234fec307c347ff068f23d30c59191
Opcode Fuzzy Hash: e0aa8337514313086312fa08b9bd708b2517b97b590f4e5bbd28bee0ab426d95
Instruction Fuzzy Hash: 19312B71A00609AFCB10DF99C8849EEBBF5FF88314B14851AE615AB760C774AA41CB64

Function 00425E86 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00425E8D
_memset.LIBCMT ref: 00425EF0
_memset.LIBCMT ref: 00425EFC

Strings

4mJ, xrefs: 00425EAA

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: _memset$H_prolog3
String ID: 4mJ
API String ID: 2144794740-2591631674
Opcode ID: 17b231591c110f6e18ca039f0b14e1cae69e4a6bd40c5a85cdb15a30e9503c21
Instruction ID: 206f3e49ebfd1640e50c036722f92717eb44e7b9ac6130db204573f096603ef2
Opcode Fuzzy Hash: 17b231591c110f6e18ca039f0b14e1cae69e4a6bd40c5a85cdb15a30e9503c21
Instruction Fuzzy Hash: 28113CB0A00240DFCB04EF29C4C5B4ABFE4AF59304F55849EE9599F386E778D904CBA5

Function 0040493B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00404942

Part of subcall function 0040241F: GetCurrentProcess.KERNEL32(00000000,0000000D,?,004022E3,?,?,004017F3), ref: 00402453
Part of subcall function 0040241F: FlushInstructionCache.KERNEL32(00000000), ref: 0040245A

SetLastError.KERNEL32(0000000E,00000000,?,?,?,?,00000020,0040E1E0), ref: 00404979
DialogBoxParamW.USER32(00000064,?,VA,00000000,00000000), ref: 0040499D

Strings

VA, xrefs: 0040498D

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CacheCurrentDialogErrorFlushH_prolog3InstructionLastParamProcess
String ID: VA
API String ID: 1868203950-1642038470
Opcode ID: c3ddafcf2e3ebc9df420bbaaffe8d22a5e9a4f6447e25d79e2ca9dadc50f622b
Instruction ID: 383be8fb53ff1a15e91496cfef524ed82f47d2ebaf1b19c30553d055c12d4fbb
Opcode Fuzzy Hash: c3ddafcf2e3ebc9df420bbaaffe8d22a5e9a4f6447e25d79e2ca9dadc50f622b
Instruction Fuzzy Hash: 040129B1D00209DBCF10EFAACD869DEBBB0BB48304F50853EE614B7291C7745A459BA9

Function 00405825 Relevance: 6.2, APIs: 4, Instructions: 219COMMON

Download Yara Rule

APIs

EnableWindow.USER32(00000000,00000000), ref: 00405862
SetDlgItemTextW.USER32(?,000003FC,?), ref: 004058B5

Part of subcall function 0040695C: __CxxThrowException@8.LIBCMT ref: 00406977

EnableWindow.USER32(00000000,00000000), ref: 00405A1A
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00405A37

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: EnableItemTextWindow$Exception@8Throw
String ID:
API String ID: 64772302-0
Opcode ID: 2df26cb8d458879efe37cba9293533cf1993ac604591bef03262208728a68aa6
Instruction ID: efc9df2da6f181069804370d5ddc6876386a11285677a07bfbaab5e8a54c342d
Opcode Fuzzy Hash: 2df26cb8d458879efe37cba9293533cf1993ac604591bef03262208728a68aa6
Instruction Fuzzy Hash: 9B51207054074CBFEA213B72DD4AE1F7E6DEF81B88F024928F255954E0CA76EC109A28

Function 004341BF Relevance: 6.2, APIs: 4, Instructions: 170COMMONLIBRARYCODE

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 004341F0
__CxxThrowException@8.LIBCMT ref: 00434205
std::_String_base::_Xlen.LIBCPMT ref: 0043423F

Part of subcall function 0046E4C8: _malloc.LIBCMT ref: 0046E4E0

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8String_base::_ThrowXlen_mallocstd::_std::exception::exception
String ID:
API String ID: 1448684856-0
Opcode ID: 08303dbb31f02d7f78b91ffb59ec22f82edc9ec75921ccf380081c50e3eeec99
Instruction ID: 2da4e12ef89ae6e72916830a7fa297acad81cbdb35a555dd9f925f43826d5383
Opcode Fuzzy Hash: 08303dbb31f02d7f78b91ffb59ec22f82edc9ec75921ccf380081c50e3eeec99
Instruction Fuzzy Hash: 9751D4717006119B9B14EE79C9815AEB3E5EBDC354B14852EF82BD7780EB38FD018719

Function 0041368B Relevance: 6.1, APIs: 4, Instructions: 126COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00413692
_wcsncpy.LIBCMT ref: 004136F7

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3_wcsncpy
String ID:
API String ID: 3631406028-0
Opcode ID: cf002ac7881a8443fe72953b50b18029b965d1b897690571fb6ed95f418c5609
Instruction ID: 35b6b2378c3acb2b84884d249eb53533ed8557b6f81bbb9f65af8bc2117128d8
Opcode Fuzzy Hash: cf002ac7881a8443fe72953b50b18029b965d1b897690571fb6ed95f418c5609
Instruction Fuzzy Hash: CF4199B59002099BDF14EF95C8819EEB7B5EF84315B25801BF914A7391DB38AF818798

Function 0047EF80 Relevance: 6.1, APIs: 4, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0047EFB0
__isleadbyte_l.LIBCMT ref: 0047EFE4
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,?,?,?,0047C0D0,?,?,00000002), ref: 0047F015
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,?,?,?,0047C0D0,?,?,00000002), ref: 0047F083

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 36d4938860b6286b02424e4b8dfc0526069400e9eebaf43141031eb1b6182ac6
Instruction ID: ef95beaa7d1727e3fa1f1fc9b992d879c3c5f12e0b5b9718c08f936dc4be3b5b
Opcode Fuzzy Hash: 36d4938860b6286b02424e4b8dfc0526069400e9eebaf43141031eb1b6182ac6
Instruction Fuzzy Hash: AC31F230900285EFDB20DFA5C8809FE3BA5BF05310F15C6BAF4588B292D334D940DB59

Function 0040DB81 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0040DBA0
_memset.LIBCMT ref: 0040DC1B
SHBrowseForFolderW.SHELL32(?), ref: 0040DC56
SHGetPathFromIDListW.SHELL32(00000000), ref: 0040DC65

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: BrowseFolderFromH_prolog3_catchListPath_memset
String ID:
API String ID: 2630463573-0
Opcode ID: ced486493d1651e5aa0f848fa405b95b4e627b5da99c2f44287b2c7e366d9978
Instruction ID: 3755a1695373dfeff28de1e59e6ed9139c6fa7d7fdc8b71aedae7bac033d59ff
Opcode Fuzzy Hash: ced486493d1651e5aa0f848fa405b95b4e627b5da99c2f44287b2c7e366d9978
Instruction Fuzzy Hash: F4312AB5D01218EFDB10DF95DC85AEEBBB8FF08700F10412AE905A7291E7789A04CF99

Function 00411A3D Relevance: 6.1, APIs: 4, Instructions: 76windowCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32(?,00000000,?), ref: 00411A76
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004209), ref: 00411A93
_memset.LIBCMT ref: 00411AA0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00411B0A

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: FileFolderInfoLocationMessageSendSpecial_memset
String ID:
API String ID: 739237996-0
Opcode ID: 15e7ac1d0bf121494d007b64fec5638476bbb541812db91fb3beae743e530ead
Instruction ID: 223abd343cd0b6a17f1aaf86b6376c5c115899682f24741b051e750050ca058c
Opcode Fuzzy Hash: 15e7ac1d0bf121494d007b64fec5638476bbb541812db91fb3beae743e530ead
Instruction Fuzzy Hash: 52214BB1E01208AFDF10DFA5DC88ADEBBB8EF08714F10442AE905AB291E7759945CF64

Function 0047E27F Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0047E2A3

Part of subcall function 0047E0CE: __fltout2.LIBCMT ref: 0047E0F8

__cftog_l.LIBCMT ref: 0047E2C9
__cftoe_l.LIBCMT ref: 0047E2FB

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction ID: 3589a40de246327b8b38eab0d075d331fd76a19ef79ec7d470414db1ff8d8e0a
Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction Fuzzy Hash: B1014532400149BBCF125E95CC45CEE3F27BF1D358B548996FE1C59131D23AD9B1AB89

Function 0047679F Relevance: 6.0, APIs: 4, Instructions: 45threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00474D55,004734BB,00000001,004764FE,?,00000000,?,?,?,?,00476610,?,00470A8B), ref: 004767A1

Part of subcall function 00476658: TlsGetValue.KERNEL32(?,00470A8B), ref: 0047665F
Part of subcall function 00476658: TlsSetValue.KERNEL32(00000000,00470A8B), ref: 00476680

__calloc_crt.LIBCMT ref: 004767C3

Part of subcall function 00476CF0: __calloc_impl.LIBCMT ref: 00476CFE
Part of subcall function 00476CF0: Sleep.KERNEL32(00000000), ref: 00476D15

Part of subcall function 004766E0: GetModuleHandleA.KERNEL32(0049DB1C,004AD668,0000000C,004767F1,00000000,00000000,?,00000000,00474D55,004734BB,00000001,004764FE,?,00000000), ref: 004766F1
Part of subcall function 004766E0: InterlockedIncrement.KERNEL32(004C2548), ref: 00476757
Part of subcall function 004766E0: __lock.LIBCMT ref: 0047675F
Part of subcall function 004766E0: ___addlocaleref.LIBCMT ref: 0047677E

GetCurrentThreadId.KERNEL32 ref: 004767F3
SetLastError.KERNEL32(00000000,?,00000000,00474D55,004734BB,00000001,004764FE,?,00000000,?,?,?,?,00476610,?,00470A8B), ref: 0047680B

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ErrorLastValue$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref__calloc_crt__calloc_impl__lock
String ID:
API String ID: 3041053630-0
Opcode ID: 868f59d04322a0c47a184755dc87f93c3b8aace411aed979733103cb3d619a3c
Instruction ID: 640fc63fb16c4eddb338274c11ce1d8878b9ac885501e1b43a66ce08e3b76368
Opcode Fuzzy Hash: 868f59d04322a0c47a184755dc87f93c3b8aace411aed979733103cb3d619a3c
Instruction Fuzzy Hash: 49F0F932902A2257C63537756C069CF2A52AF107B5723493EF849951E1DE29C40146AE

Function 004016D7 Relevance: 6.0, APIs: 4, Instructions: 38windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 004016FA
GetClientRect.USER32(?,?), ref: 00401710
DrawIcon.USER32(00000000,?,?,?), ref: 0040171E
EndPaint.USER32(?,?), ref: 0040172E

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Paint$BeginClientDrawIconRect
String ID:
API String ID: 2317380574-0
Opcode ID: 860fcd9affd01deadcbf6b4b2823435128dc2059d1ff3c6e0a6776557443cc05
Instruction ID: 786fc2017c8680b4ec13f4c48f45ecf702a639c2aff0a92996e8e53a98ef3fae
Opcode Fuzzy Hash: 860fcd9affd01deadcbf6b4b2823435128dc2059d1ff3c6e0a6776557443cc05
Instruction Fuzzy Hash: 2701C971902209AFDB109FE9DD44DEFBBB9EF48304F00082AF502D2161DA70A945DB14

Function 00401744 Relevance: 6.0, APIs: 4, Instructions: 38windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 00401767
GetClientRect.USER32(?,?), ref: 0040177D
DrawIcon.USER32(00000000,?,?,?), ref: 0040178B
EndPaint.USER32(?,?), ref: 0040179B

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Paint$BeginClientDrawIconRect
String ID:
API String ID: 2317380574-0
Opcode ID: 508a363ca3677548b73b82f4403330ba5cb86bba82526f4e3afe6d08527a22c2
Instruction ID: 991ac2a51a3abee54e5a461290b6b9e29acc1dd1effa6d80139f4b85f8907175
Opcode Fuzzy Hash: 508a363ca3677548b73b82f4403330ba5cb86bba82526f4e3afe6d08527a22c2
Instruction Fuzzy Hash: 7901C971902209AFDB109FE9DD84DAFBBB9FF88304F50082AE506E2161DA75A9059B14

Function 004140D4 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 235COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00414121

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

Strings

, xrefs: 0041434E
, xrefs: 0041435D

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8H_prolog3_catchThrow
String ID: $
API String ID: 1118002619-227171996
Opcode ID: a26cd78281f51ac5f7adad3b18db1148346b4182d2ef86ad0e2bbe994d4d456f
Instruction ID: 2dc23a1751ccce63407b9181d50e7509d92104cf5f56dcd4888625cfca52b7fa
Opcode Fuzzy Hash: a26cd78281f51ac5f7adad3b18db1148346b4182d2ef86ad0e2bbe994d4d456f
Instruction Fuzzy Hash: 9091BF706083428AD724DF15C484BABB7E1FFD5348F14491FF895862A1D7B88ACAC79B

Function 00433385 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 226COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0043338C

Part of subcall function 00433AE6: __EH_prolog3.LIBCMT ref: 00433AED

__CxxThrowException@8.LIBCMT ref: 00433401

Strings

0, xrefs: 004333C8

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8H_prolog3H_prolog3_Throw
String ID: 0
API String ID: 3648411918-4108050209
Opcode ID: bc35f773780d6a94c80edfe6d1e6d923dc5c449006d13e02a3d5f312cdbfea56
Instruction ID: 2dbdecb52633d5ab5c14a76018d32d59c17bb7d3aff43d7961e0d3b0201bd8d3
Opcode Fuzzy Hash: bc35f773780d6a94c80edfe6d1e6d923dc5c449006d13e02a3d5f312cdbfea56
Instruction Fuzzy Hash: DA916030A00148AFCF15EFE5C895ADDBBB1AF18305F64405EF016AB2A1DB799E45CB08

Function 00423742 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00423749
std::_String_base::_Xlen.LIBCPMT ref: 0042379B

Strings

Y4B, xrefs: 00423862

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3_catchString_base::_Xlenstd::_
String ID: Y4B
API String ID: 2420811286-3218349926
Opcode ID: 45c9f176eac3cdeba29f5942030d543e4c59c1fed136f3c470672e8f15de222a
Instruction ID: b7c2b2bb7140b962cc239912de869457c9498bade08f4cbc1afb4561726467d0
Opcode Fuzzy Hash: 45c9f176eac3cdeba29f5942030d543e4c59c1fed136f3c470672e8f15de222a
Instruction Fuzzy Hash: 866182B1B0022A9FCF14DF69D5804ADF7B0BF04305B608A2EE916E7640D77CAE85CB94

Function 0043783A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 162COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00437841
__CxxThrowException@8.LIBCMT ref: 00437865

Part of subcall function 00448D60: CryptImportPublicKeyInfo.CRYPT32()yC,)yC,?,?), ref: 00448D74

Strings

CZB, xrefs: 004378FE, 004378A3

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CryptException@8H_prolog3ImportInfoPublicThrow
String ID: CZB
API String ID: 20819536-1427865577
Opcode ID: bd9358ad951e51fc5e0d69da13e262fac60b2bb90e3aeac69479e7caa30d9982
Instruction ID: 83865830c3d6f8f24134e9bf328192e89739eeb7635a9588e11922eed0c87db7
Opcode Fuzzy Hash: bd9358ad951e51fc5e0d69da13e262fac60b2bb90e3aeac69479e7caa30d9982
Instruction Fuzzy Hash: 1251BDB190021AEFDF21EF81CC81EEEBB74FF18714F10411AF818AA252D7349A54CBA5

Function 0040DCE8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040DCEF
_memset.LIBCMT ref: 0040DD83

Strings

xJJ, xrefs: 0040DE86

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3_memset
String ID: xJJ
API String ID: 2828583354-960294907
Opcode ID: 5e187a4a2ede105c37f323a69bc1fe5259987010ec7bda6afb45ba71d7d387d4
Instruction ID: 40e32720dbc7efdcdc637dd38eee10bdfabf71e777f2cf484a312185681509dd
Opcode Fuzzy Hash: 5e187a4a2ede105c37f323a69bc1fe5259987010ec7bda6afb45ba71d7d387d4
Instruction Fuzzy Hash: DF71D5B0901B41CFC720DF6AC188A9AFBF0BF59304FA4896ED09E9B761C735A944CB45

Function 0043401E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

std::_String_base::_Xlen.LIBCPMT ref: 00434052
_memmove_s.LIBCMT ref: 0043415C

Part of subcall function 00434411: _memmove_s.LIBCMT ref: 0043442C

Strings

7C, xrefs: 0043401E

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: _memmove_s$String_base::_Xlenstd::_
String ID: 7C
API String ID: 515076537-2403488387
Opcode ID: c2250a31e29501baeab7648fb0303bd1b43fac1e8513d87072ba16bcbebb2f25
Instruction ID: f1de1440acb70f513aed52d6f2595501d9cafa4b31351bf5dda2bc57c465a5fa
Opcode Fuzzy Hash: c2250a31e29501baeab7648fb0303bd1b43fac1e8513d87072ba16bcbebb2f25
Instruction Fuzzy Hash: 6541B0717006118B8F14EE29C9854AEB7E5ABDC314B14852EE96AD7740EB38FD428B09

Function 00403888 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

Part of subcall function 00401744: BeginPaint.USER32(?,?), ref: 00401767
Part of subcall function 00401744: GetClientRect.USER32(?,?), ref: 0040177D
Part of subcall function 00401744: DrawIcon.USER32(00000000,?,?,?), ref: 0040178B
Part of subcall function 00401744: EndPaint.USER32(?,?), ref: 0040179B

EndDialog.USER32(?,00000002), ref: 00403951
SelectObject.GDI32(?,?), ref: 00403977

Strings

$, xrefs: 004039F9

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Paint$BeginClientDialogDrawIconObjectRectSelect
String ID: $
API String ID: 2785432872-3993045852
Opcode ID: fde9f22c5dc691fcf4b970cd5cd45946b66130b7ba6da8fe9bb645ef16887aae
Instruction ID: c84cb775f50ac7e167f993fff0f5a3f46e40b1e05b8f86170e66a7c0e8ea54c6
Opcode Fuzzy Hash: fde9f22c5dc691fcf4b970cd5cd45946b66130b7ba6da8fe9bb645ef16887aae
Instruction Fuzzy Hash: 5B41B0B160020A9FCF20AF24C84176B3FA8EB11316F50453BF856A63D1D779DE51DB5A

Function 004115A1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

e, xrefs: 0041162A

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID:
String ID: e
API String ID: 0-4024072794
Opcode ID: e59a4fce4c09f7421d55ebebc88a4dcd6e7ad3b41b04b74a3b1ee95aef8c47f8
Instruction ID: 90f5f5c8bc5f9834f2f676af3a4d23133068a21f15780965f71a8ba502ff5fab
Opcode Fuzzy Hash: e59a4fce4c09f7421d55ebebc88a4dcd6e7ad3b41b04b74a3b1ee95aef8c47f8
Instruction Fuzzy Hash: F54191706003059FDF218F15C881AEB77A5EB543A5F14852AFA618A3E0D779DCC2CFA9

Function 0040ABF6 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0040ABFD
SysStringLen.OLEAUT32(?), ref: 0040AD10

Part of subcall function 0046E4C8: _malloc.LIBCMT ref: 0046E4E0

Strings

`-u, xrefs: 0040ACC0

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3_catchString_malloc
String ID: `-u
API String ID: 1174315209-2606764580
Opcode ID: 599caf1de7dd9065a09676d2a16d7e00549fdeaac9b50badec1f0821c6dfcc51
Instruction ID: 48dd9dc584a7c1661126400373986d2d492beadf1d1bd7d99aebe04e23b3950b
Opcode Fuzzy Hash: 599caf1de7dd9065a09676d2a16d7e00549fdeaac9b50badec1f0821c6dfcc51
Instruction Fuzzy Hash: 17414975A00209EFDB04CFA4C984AAEBBF4EF08315F21456AE905FB2A1D338D951CF65

Function 00410F86 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,0002001F,?,?,00000000,00000000), ref: 00410FCC
RegDeleteKeyW.ADVAPI32(?,?), ref: 0041109B

Strings

>u, xrefs: 00410FD2

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: DeleteOpen
String ID: >u
API String ID: 3632437661-4124531162
Opcode ID: b8e11e60510ab50ca69d23f04f3eb6c94dafc9ada6b30e2f4555d6f48c151bb9
Instruction ID: 85ef5c00cb95659e2b3307e91c65d4eb82d1e36d6484e5d567a4a21994f79b23
Opcode Fuzzy Hash: b8e11e60510ab50ca69d23f04f3eb6c94dafc9ada6b30e2f4555d6f48c151bb9
Instruction Fuzzy Hash: 76411B71D4112CABCB309B55DC88ADEBBB8FB59750F0005EAE509E2220D7B09EC5CFA5

Function 0042FA92 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0042FACB

Part of subcall function 00472749: RaiseException.KERNEL32(?,?,004ADB04,00000065,?,?,004132CD,?,004ADB04,00000065,00000000,?,?,?,0041361B,?), ref: 00472789

__EH_prolog3_catch.LIBCMT ref: 0042FA9C

Part of subcall function 004143FB: __EH_prolog3_catch.LIBCMT ref: 00414402

Strings

@, xrefs: 0042FB6A

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3_catch$ExceptionException@8RaiseThrow
String ID: @
API String ID: 1279188806-2766056989
Opcode ID: aa0375ba90ab8c7c4a7eee67b8ce33922ce07e1937c1b681bfcc504a64eb2292
Instruction ID: e2baa52e3b427f91199307e59e6d565985f4942427299d0f94d6b50587b96690
Opcode Fuzzy Hash: aa0375ba90ab8c7c4a7eee67b8ce33922ce07e1937c1b681bfcc504a64eb2292
Instruction Fuzzy Hash: A9316B30A002299FCF01DFA5D885AEF7BB5EF09304F90842AF505AB251DB789D59CB99

Function 00436C6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00436C74
__CxxThrowException@8.LIBCMT ref: 00436C9F

Strings

|vJ, xrefs: 00436CD1

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID: |vJ
API String ID: 3670251406-1304837848
Opcode ID: 4b7e2174a5d56c449b975ee3e24f1adf93b8c8e61e86e639ba4688488e6f4de4
Instruction ID: 607adcab112be8cdb784832fade7096590c284dc7dc9f750559bfa36b6317f1a
Opcode Fuzzy Hash: 4b7e2174a5d56c449b975ee3e24f1adf93b8c8e61e86e639ba4688488e6f4de4
Instruction Fuzzy Hash: C82190B0601222AFCB209F9AC8849AD7BB4FF0DB14F12D06BF1459F351C7B98840CB99

Function 0042E4FC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0042E503
__CxxThrowException@8.LIBCMT ref: 0042E52C

Strings

4pJ, xrefs: 0042E556

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID: 4pJ
API String ID: 3670251406-1695892774
Opcode ID: d4878bd06daaac75ddaab5c14fb1aecd4e2fba56f7c8ee44934772a0744db8b9
Instruction ID: ed1e61b93bd7ba0a80382eb0767e716639704a827b7a5a6bd1544b02537ea2ad
Opcode Fuzzy Hash: d4878bd06daaac75ddaab5c14fb1aecd4e2fba56f7c8ee44934772a0744db8b9
Instruction Fuzzy Hash: 72219370B11321EFCB20AFA6D84499E7BA4EF09704B51846BF1059F251E7B98980CB99

Function 004374A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004374AB
__CxxThrowException@8.LIBCMT ref: 004374D0

Strings

<wJ, xrefs: 004374F8

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID: <wJ
API String ID: 3670251406-608666201
Opcode ID: d1c8f9233b935756cf9a663e314a743396ff003301831cbb47d1e8d5187395bf
Instruction ID: 54b97233dcd44cbec6641ff787d61b33db6d5b17d3810547d84081dc0ef2b29b
Opcode Fuzzy Hash: d1c8f9233b935756cf9a663e314a743396ff003301831cbb47d1e8d5187395bf
Instruction Fuzzy Hash: 1E1181B0904714EFCB34AF65C8845AEBBF0BF18704F50982FE0C697A40D778A9448B99

Function 0043569B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004356A2
__CxxThrowException@8.LIBCMT ref: 004356CB

Strings

TtJ, xrefs: 004356E7

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID: TtJ
API String ID: 3670251406-1236159234
Opcode ID: b7616204388bd5a8b69b56162b92bfb736196c1dc723b013f16e689360ff5b0f
Instruction ID: 242e758b9e4fdd15fb208c68dc9790ed8f06edfe7fcee7d40240d1b9405fba2a
Opcode Fuzzy Hash: b7616204388bd5a8b69b56162b92bfb736196c1dc723b013f16e689360ff5b0f
Instruction Fuzzy Hash: EB119E70A10621EFCB10AF66C8459AD7FA4FF0DB10F51846BF1049B291CBB88940CB99

Function 0040C44A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 0040241F: GetCurrentProcess.KERNEL32(00000000,0000000D,?,004022E3,?,?,004017F3), ref: 00402453
Part of subcall function 0040241F: FlushInstructionCache.KERNEL32(00000000), ref: 0040245A

SetLastError.KERNEL32(0000000E,00000000,?,?,?,0040C1FE,?,004A41B8,00CF0000,00000000,?,?), ref: 0040C463
CreateWindowExW.USER32(004A41B8,0040C1FE,00000000,00CF0000,?,?,?,?,00000000,?,00000000,00000000), ref: 0040C4C5

Strings

@6L, xrefs: 0040C494

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CacheCreateCurrentErrorFlushInstructionLastProcessWindow
String ID: @6L
API String ID: 852167079-2041432092
Opcode ID: 4315c95f899bf9437bd5831d127894ea97db90b2634a97ca9d1f5476b426bceb
Instruction ID: 6bfa25fa0a49e2d67b8ba839042cb74da8e4b87f57a371a318036555407618fb
Opcode Fuzzy Hash: 4315c95f899bf9437bd5831d127894ea97db90b2634a97ca9d1f5476b426bceb
Instruction Fuzzy Hash: 97117932600115EFCB118F65DC89EAB3BA5EB88750F05863AFD05A72A0D774DC61DBA4

Function 004130AA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(00000000,00000000), ref: 004130D0
GetWindowRect.USER32(00000000,?), ref: 004130EC

Strings

ne@, xrefs: 004130B8

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ItemRectWindow
String ID: ne@
API String ID: 3212065781-3546210634
Opcode ID: 3d087ffc15f7993b062a266fa0ac5ae51414e08387dc36101f43aea3d742e938
Instruction ID: 1ca461459963dc5bd94aa33a927bed2786e89f70316d48182500dd3e9cd539d0
Opcode Fuzzy Hash: 3d087ffc15f7993b062a266fa0ac5ae51414e08387dc36101f43aea3d742e938
Instruction Fuzzy Hash: 68010571900219EBCB10EFA9C9459EEBBB8EB08316F10846AE94592280E3749E81DB54

Function 004267C2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004267C9
_memset.LIBCMT ref: 0042684E

Strings

LmJ, xrefs: 004267E6

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3_memset
String ID: LmJ
API String ID: 2828583354-3231387858
Opcode ID: 68c2e80a19f8fc707472493696bb2775204221c29abe4238ec756c25efa56879
Instruction ID: a504bb576c2fd05ed8fd067c98cb175676faada43e9d58b141d0f6a9f86a6664
Opcode Fuzzy Hash: 68c2e80a19f8fc707472493696bb2775204221c29abe4238ec756c25efa56879
Instruction Fuzzy Hash: 731106B5A01700CFC320DF6AC194A9AFBF1BF09304F95C86ED19A8B761D778A908CB55

Function 004203E7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004203EE

Part of subcall function 0046E4C8: _malloc.LIBCMT ref: 0046E4E0

__CxxThrowException@8.LIBCMT ref: 00420461

Strings

xlJ, xrefs: 00420420

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8H_prolog3Throw_malloc
String ID: xlJ
API String ID: 1631339918-4209143007
Opcode ID: 4edd2edab5ef812bfad1aa9d3e3f4b4009671a99ddc49bc3af3d134ed368068c
Instruction ID: c0f13f8293575015a4e51e9256168e60f5f6285e3429672feb986e432c466390
Opcode Fuzzy Hash: 4edd2edab5ef812bfad1aa9d3e3f4b4009671a99ddc49bc3af3d134ed368068c
Instruction Fuzzy Hash: 7A1161B0A41214DFCB00EF66D98489DBBF0FF45304BE5C8AFD1489B252C7788A44CB59

Function 00403503 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00403560
SendMessageW.USER32(00000000,00001132,00000000,?), ref: 00403572

Strings

g, xrefs: 0040350C

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: ItemMessageSend
String ID: g
API String ID: 3015471070-30677878
Opcode ID: e8a5f7a7e99c7956e7873a18c194a8ae005c58d32b9699203ae21df9a21e4884
Instruction ID: 2dc80ed5200b91463cfec6a187398e3e0ca38e866e00323d7d3864de57bff562
Opcode Fuzzy Hash: e8a5f7a7e99c7956e7873a18c194a8ae005c58d32b9699203ae21df9a21e4884
Instruction Fuzzy Hash: 520108B2D00209EFCF00DFE5D809ADEBFF5EB04314F10842AE515AB285E3B49655CB90

Function 004398F9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00439900

Part of subcall function 0046E4C8: _malloc.LIBCMT ref: 0046E4E0

__CxxThrowException@8.LIBCMT ref: 00439968

Strings

zJ, xrefs: 0043992C

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8H_prolog3Throw_malloc
String ID: zJ
API String ID: 1631339918-2228594176
Opcode ID: 385cf4502c38c73c44f0c6090f36cb62fba4de33cd117601f8aaca89b8f26a82
Instruction ID: bceaf083ca85f7d0676c180118836613ebfe5daa5bab85397b153d8cde14492a
Opcode Fuzzy Hash: 385cf4502c38c73c44f0c6090f36cb62fba4de33cd117601f8aaca89b8f26a82
Instruction Fuzzy Hash: F80184B0A11225DFCB10EF52C944A9EBBA4BF09710F55C45BF0049B3A1C7F88940CBC9

Function 00411517 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39threadCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0041151E
GetCurrentThreadId.KERNEL32 ref: 00411549

Strings

QK, xrefs: 00411523

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CurrentH_prolog3_catchThread
String ID: QK
API String ID: 765742432-2795462801
Opcode ID: 11d944e48e9f9d2fe0167292c52bd89465e565096a9c68fa64a17c1e9b4907ac
Instruction ID: 28cc6167a4ef19d308a151f2df719ef5a2a2ad93348c0dfd32a2083f744beddc
Opcode Fuzzy Hash: 11d944e48e9f9d2fe0167292c52bd89465e565096a9c68fa64a17c1e9b4907ac
Instruction Fuzzy Hash: 1901A7B0D05600DFD7809F2A9946B94BBE2FBC4300B61447BD246CB271E779C4818F8E

Function 00471890 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00476816: __amsg_exit.LIBCMT ref: 00476824

__amsg_exit.LIBCMT ref: 004718C1
__lock.LIBCMT ref: 004718D1

Strings

x*L, xrefs: 004718DE

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: __amsg_exit$__lock
String ID: x*L
API String ID: 3452092475-3047301481
Opcode ID: fb8b45c4536bcca50191475644e11dc8582e9887176ae9e8d0311245dce903b4
Instruction ID: d298a74d400104751bd68718b614f5098f5bbc1d7cc4242ac7cb0c3c861d4430
Opcode Fuzzy Hash: fb8b45c4536bcca50191475644e11dc8582e9887176ae9e8d0311245dce903b4
Instruction Fuzzy Hash: 5BF06D31900B009BD720BF698502BD973A1AB00725F52C15FE459AB2E2CBBC6A498B5F

Function 004239B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 004239E4
__CxxThrowException@8.LIBCMT ref: 004239F9

Part of subcall function 0046E4C8: _malloc.LIBCMT ref: 0046E4E0

Strings

Y4B, xrefs: 004239E1, 004239EE, 004239F1

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: Y4B
API String ID: 4063778783-3218349926
Opcode ID: 9ea1e6f3d1b12ba4ff8cf8393c8dae36dd6886c9427db544f86923dd2c6252c1
Instruction ID: 1fb8ab08a65d611c3882879e13b1034832604306939fdd28bfaf2a1455f0e31a
Opcode Fuzzy Hash: 9ea1e6f3d1b12ba4ff8cf8393c8dae36dd6886c9427db544f86923dd2c6252c1
Instruction Fuzzy Hash: C3E02BB1A0011C56DB0CE6B9DD01BAE727C6B05715F504A2FE022E20C2EBF8D708416C

Function 0043969C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004396A3

Strings

<NJ, xrefs: 004396AB
yJ, xrefs: 004396D8

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: H_prolog3
String ID: <NJ$yJ
API String ID: 431132790-616207120
Opcode ID: a0381d29217f7a075a9afb4b1eef2e8cc59b68936c819186348fce08d86b0340
Instruction ID: c3c64462e948b1802ad965b207e3aef2e35f3db6f7e1dffb8f7e83f6ea85ebbe
Opcode Fuzzy Hash: a0381d29217f7a075a9afb4b1eef2e8cc59b68936c819186348fce08d86b0340
Instruction Fuzzy Hash: F9F049F0501B00DFCB20EF61C80465ABBE0BF66308B10C85F94DA5B741D3B9A948CB8C

Function 0040697D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

Part of subcall function 0040241F: GetCurrentProcess.KERNEL32(00000000,0000000D,?,004022E3,?,?,004017F3), ref: 00402453
Part of subcall function 0040241F: FlushInstructionCache.KERNEL32(00000000), ref: 0040245A

SetLastError.KERNEL32(0000000E,00000000,?,?,?,004ADB04,00000066,00000000), ref: 00406993
DialogBoxParamW.USER32(000000D3,?,VA,00000000,00000000), ref: 004069BB

Strings

VA, xrefs: 004069A7

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: CacheCurrentDialogErrorFlushInstructionLastParamProcess
String ID: VA
API String ID: 2229644096-1642038470
Opcode ID: dd3e19932c0718e9510397d4bb359f96272169f1f06c88ab384444d32b532ef4
Instruction ID: 2ed1c27b95a281d472931602778b9b3f264198f167ba3478a546c9c8460f2fe5
Opcode Fuzzy Hash: dd3e19932c0718e9510397d4bb359f96272169f1f06c88ab384444d32b532ef4
Instruction Fuzzy Hash: 88E0DF32240210E6D6202B64AD06B8A36919B44B30F110A3BB706B60E1CF748816C26E

Function 00471F9F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetDriveTypeA.KERNEL32(?,?,00471FEB,?,00000000,00000007,00000007,?,00472130,00000000,?,?,004AD3E0,0000000C,00412B37,?), ref: 00471FC3

Strings

\, xrefs: 00471FBB
:, xrefs: 00471FB7

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: DriveType
String ID: :$\
API String ID: 338552980-1166558509
Opcode ID: d918d2c20a329ee8163d1b5e9d759b65d392d9d5fd1e2d65f7ba73f2a9013282
Instruction ID: ccb232e9e9f75700f4b595d094cc9d6d24d74b393041ee0fc80d437557cf2d0e
Opcode Fuzzy Hash: d918d2c20a329ee8163d1b5e9d759b65d392d9d5fd1e2d65f7ba73f2a9013282
Instruction Fuzzy Hash: 81E048307183885DEF118A7998447DB3FDC9B12699F08C067E84CCE241E235D655839A

Function 0040B3DE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 0040B3F0
SysAllocString.OLEAUT32(00000000), ref: 0040B401

Part of subcall function 004024BC: __CxxThrowException@8.LIBCMT ref: 004024CE

Strings

`-u, xrefs: 0040B3F0

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: String$AllocException@8FreeThrow
String ID: `-u
API String ID: 1688122297-2606764580
Opcode ID: a5d71367f228fc6ae404f97f61856b428f6bc4b588f8c2f592f61f9038df6859
Instruction ID: ff61bf2f13c673af4d7aeff02cc522d228b6e298d7f673cbf9b1e8601118b739
Opcode Fuzzy Hash: a5d71367f228fc6ae404f97f61856b428f6bc4b588f8c2f592f61f9038df6859
Instruction Fuzzy Hash: 86E01A31914300EFD710AB35D808B5BB7E4EB44325F40CC3EE499A2292D7789880CF69

Function 004122D3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(?), ref: 004122DB
ResetEvent.KERNEL32(?,?,00412474,?,?,?,0040286C), ref: 004122EB

Strings

PMJ, xrefs: 004122D6

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: EventIncrementInterlockedReset
String ID: PMJ
API String ID: 2582803691-1076063844
Opcode ID: 6876ecc2938f380de47b20ce4dba3264e432e10fe25b8f9fc24210632f0f590b
Instruction ID: 8b06d99bb3b4e9e598122329d1b07bf14d068142ed80a935b427c8ecb5246a09
Opcode Fuzzy Hash: 6876ecc2938f380de47b20ce4dba3264e432e10fe25b8f9fc24210632f0f590b
Instruction Fuzzy Hash: A6D0C77AA016105B87101729FD4848E77D996C9531305497AFD16D3610D6709C454754

Function 004122F6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

InterlockedDecrement.KERNEL32(?), ref: 004122FE
SetEvent.KERNEL32(?,?,00412497), ref: 0041230D

Strings

PMJ, xrefs: 004122F9

Memory Dump Source

Source File: 00000000.00000002.1615536038.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_401000_GB72405.jbxd

Similarity

API ID: DecrementEventInterlocked
String ID: PMJ
API String ID: 988228665-1076063844
Opcode ID: 0871c366d651a92c07b7a95fe2c53122664957be6fdcf871dd7c6ca975e2dfa4
Instruction ID: 566f26dbd03874fcf8e00b65623561c6175d86a30fe61314d7bfcfd6e5981bd2
Opcode Fuzzy Hash: 0871c366d651a92c07b7a95fe2c53122664957be6fdcf871dd7c6ca975e2dfa4
Instruction Fuzzy Hash: A8D0C97B601A119B97215769FD0888A37AAEBC4621305093EAD56D3260DBA8DC458764

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report GB72405.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\HDFloppyWrite.exe

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media1\12405001.001

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media1\12405001.HDR

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media1\CONFIG.LDR

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media1\DISK.DIR

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media1\S.N

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media1\crate.dsf

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media2\12405001.001

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media2\CONFIG.LDR

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media2\DISK.DIR

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media2\S.N

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media2\crate.dsf

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media3\12405001.001

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media3\CONFIG.LDR

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media3\DISK.DIR

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media3\S.N

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media3\crate.dsf

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media4\12405001.001

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media4\CONFIG.LDR

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media4\DISK.DIR

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media4\S.N

C:\Users\user\Desktop\GB72405\GB72405_AHDF.001\OM_LOCAL_FLOPPY_1.44MB_S520_v1_1_DBSIGN\media4\crate.dsf

Static File Info

Windows Analysis Report
GB72405.exe

Function 00426C76 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191
encryptionCOMMON

Function 0048332F Relevance: 10.6, APIs: 7, Instructions: 59
memoryCOMMON

Function 00403C16 Relevance: 67.2, APIs: 37, Strings: 1, Instructions: 719
windowCOMMON

Function 00404D00 Relevance: 54.8, APIs: 28, Strings: 3, Instructions: 558
windowCOMMON

Function 00405A61 Relevance: 53.4, APIs: 29, Strings: 1, Instructions: 930
COMMON

Function 00403E4B Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 499
windowCOMMON

Function 0040663B Relevance: 19.8, APIs: 13, Instructions: 277
windowCOMMON

Function 00418DE5 Relevance: 19.7, APIs: 13, Instructions: 209
filetimeCOMMON

Function 00405293 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 73
COMMON

Function 00405437 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 44
COMMON

Function 00419A0F Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 121
COMMON

Function 0040E941 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 436
comCOMMON

Function 0043E860 Relevance: 10.7, APIs: 7, Instructions: 190
COMMON

Function 00412F06 Relevance: 10.6, APIs: 7, Instructions: 104
windowCOMMON

Function 00404582 Relevance: 9.1, APIs: 6, Instructions: 89
COMMON