Play interactive tour

Edit tour

Analysis Report aEdlObiYav

Overview

General Information

Sample Name:	aEdlObiYav (renamed file extension from none to exe)
Analysis ID:	376365
MD5:	ae03a6f8fb74d401b403647d28e21574
SHA1:	6ee320cedc77499f5df9ae9c93ef42c0d91f3ce8
SHA256:	1ad1ff05930f27ef4b349c7a612235d1632ef7ceaa1a17adf7c7b3a97b40ca4d
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected Emotet e-Banking trojan

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Emotet

Changes security center settings (notifications, updates, antivirus, firewall)

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after checking mutex)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to launch a process as a different user

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files to the windows directory (C:\Windows)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

aEdlObiYav.exe (PID: 5064 cmdline: 'C:\Users\user\Desktop\aEdlObiYav.exe' MD5: AE03A6F8FB74D401B403647D28E21574)

aEdlObiYav.exe (PID: 5528 cmdline: --79fd8b32 MD5: AE03A6F8FB74D401B403647D28E21574)

picturerus.exe (PID: 6084 cmdline: C:\Windows\SysWOW64\picturerus.exe MD5: AE03A6F8FB74D401B403647D28E21574)

picturerus.exe (PID: 4228 cmdline: --b743c2a4 MD5: AE03A6F8FB74D401B403647D28E21574)

svchost.exe (PID: 5536 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2376 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4504 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 804 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 1228 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 5540 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 5048 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 3896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.488250881.0000000000ED1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000002.488250881.0000000000ED1000.00000020.00000001.sdmp	Emotet	Emotet Payload	kevoreilly	0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA ED 00 85 C0 0x50d4:$snippet6: 33 C0 21 05 EC 10 EE 00 A3 E8 10 EE 00 39 05 A0 E3 ED 00 74 18 40 A3 E8 10 EE 00 83 3C C5 A0 E3 ...
00000003.00000002.240281211.0000000000E21000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000003.00000002.240281211.0000000000E21000.00000020.00000001.sdmp	Emotet	Emotet Payload	kevoreilly	0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA E2 00 85 C0 0x50d4:$snippet6: 33 C0 21 05 EC 10 E3 00 A3 E8 10 E3 00 39 05 A0 E3 E2 00 74 18 40 A3 E8 10 E3 00 83 3C C5 A0 E3 ...
00000001.00000002.241329316.0000000002180000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000002.241329316.0000000002180000.00000040.00000001.sdmp	Emotet	Emotet Payload	kevoreilly	0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 40 00 85 C0 0x5a13:$snippet6: 33 C0 21 05 EC 10 41 00 A3 E8 10 41 00 39 05 A0 E3 40 00 74 18 40 A3 E8 10 41 00 83 3C C5 A0 E3 ...
00000001.00000002.241344979.0000000002191000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000002.241344979.0000000002191000.00000020.00000001.sdmp	Emotet	Emotet Payload	kevoreilly	0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 19 02 85 C0 0x50d4:$snippet6: 33 C0 21 05 EC 10 1A 02 A3 E8 10 1A 02 39 05 A0 E3 19 02 74 18 40 A3 E8 10 1A 02 83 3C C5 A0 E3 ...
00000000.00000002.221393603.00000000022C0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.221393603.00000000022C0000.00000040.00000001.sdmp	Emotet	Emotet Payload	kevoreilly	0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 40 00 85 C0 0x5a13:$snippet6: 33 C0 21 05 EC 10 41 00 A3 E8 10 41 00 39 05 A0 E3 40 00 74 18 40 A3 E8 10 41 00 83 3C C5 A0 E3 ...
00000003.00000002.240268046.0000000000E10000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000003.00000002.240268046.0000000000E10000.00000040.00000001.sdmp	Emotet	Emotet Payload	kevoreilly	0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 40 00 85 C0 0x5a13:$snippet6: 33 C0 21 05 EC 10 41 00 A3 E8 10 41 00 39 05 A0 E3 40 00 74 18 40 A3 E8 10 41 00 83 3C C5 A0 E3 ...
00000000.00000002.221405204.00000000022D1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.221405204.00000000022D1000.00000020.00000001.sdmp	Emotet	Emotet Payload	kevoreilly	0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 2D 02 85 C0 0x50d4:$snippet6: 33 C0 21 05 EC 10 2E 02 A3 E8 10 2E 02 39 05 A0 E3 2D 02 74 18 40 A3 E8 10 2E 02 83 3C C5 A0 E3 ...
00000004.00000002.487903177.0000000000600000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000002.487903177.0000000000600000.00000040.00000001.sdmp	Emotet	Emotet Payload	kevoreilly	0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 40 00 85 C0 0x5a13:$snippet6: 33 C0 21 05 EC 10 41 00 A3 E8 10 41 00 39 05 A0 E3 40 00 74 18 40 A3 E8 10 41 00 83 3C C5 A0 E3 ...
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.aEdlObiYav.exe.22c053f.2.unpack	MAL_Emotet_Jan20_1	Detects Emotet malware	Florian Roth	0x2577:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20 0x255d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
0.2.aEdlObiYav.exe.22c053f.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.aEdlObiYav.exe.22c053f.2.unpack	Emotet	Emotet Payload	kevoreilly	0x7ad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 40 00 85 C0 0x48d4:$snippet6: 33 C0 21 05 EC 10 41 00 A3 E8 10 41 00 39 05 A0 E3 40 00 74 18 40 A3 E8 10 41 00 83 3C C5 A0 E3 ...
3.2.picturerus.exe.e1053f.2.unpack	MAL_Emotet_Jan20_1	Detects Emotet malware	Florian Roth	0x2577:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20 0x255d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
3.2.picturerus.exe.e1053f.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.2.picturerus.exe.e1053f.2.unpack	Emotet	Emotet Payload	kevoreilly	0x7ad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 40 00 85 C0 0x48d4:$snippet6: 33 C0 21 05 EC 10 41 00 A3 E8 10 41 00 39 05 A0 E3 40 00 74 18 40 A3 E8 10 41 00 83 3C C5 A0 E3 ...
1.2.aEdlObiYav.exe.218053f.1.raw.unpack	MAL_Emotet_Jan20_1	Detects Emotet malware	Florian Roth	0x3177:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20 0x315d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
1.2.aEdlObiYav.exe.218053f.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.aEdlObiYav.exe.218053f.1.raw.unpack	Emotet	Emotet Payload	kevoreilly	0x13ad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 40 00 85 C0 0x54d4:$snippet6: 33 C0 21 05 EC 10 41 00 A3 E8 10 41 00 39 05 A0 E3 40 00 74 18 40 A3 E8 10 41 00 83 3C C5 A0 E3 ...
1.2.aEdlObiYav.exe.218053f.1.raw.unpack	Win32_Trojan_Emotet	unknown	ReversingLabs	0xe52:$decrypt_resource_v1: 55 8B EC 83 EC 18 53 8B D9 8B C2 56 57 89 45 F0 8B 3B 33 F8 8B C7 89 7D EC 83 E0 03 75 05 8D 77 ... 0xb23e:$generate_filename_v1: 56 57 33 C0 BF 08 16 41 00 57 50 50 6A 1C 50 FF 15 68 04 41 00 BA 9A DB 40 5A B9 60 EE 40 00 E8 ...
3.2.picturerus.exe.e1053f.2.raw.unpack	MAL_Emotet_Jan20_1	Detects Emotet malware	Florian Roth	0x3177:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20 0x315d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
3.2.picturerus.exe.e1053f.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.2.picturerus.exe.e1053f.2.raw.unpack	Emotet	Emotet Payload	kevoreilly	0x13ad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 40 00 85 C0 0x54d4:$snippet6: 33 C0 21 05 EC 10 41 00 A3 E8 10 41 00 39 05 A0 E3 40 00 74 18 40 A3 E8 10 41 00 83 3C C5 A0 E3 ...
3.2.picturerus.exe.e1053f.2.raw.unpack	Win32_Trojan_Emotet	unknown	ReversingLabs	0xe52:$decrypt_resource_v1: 55 8B EC 83 EC 18 53 8B D9 8B C2 56 57 89 45 F0 8B 3B 33 F8 8B C7 89 7D EC 83 E0 03 75 05 8D 77 ... 0xb23e:$generate_filename_v1: 56 57 33 C0 BF 08 16 41 00 57 50 50 6A 1C 50 FF 15 68 04 41 00 BA 9A DB 40 5A B9 60 EE 40 00 E8 ...
0.2.aEdlObiYav.exe.22c053f.2.raw.unpack	MAL_Emotet_Jan20_1	Detects Emotet malware	Florian Roth	0x3177:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20 0x315d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
0.2.aEdlObiYav.exe.22c053f.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.aEdlObiYav.exe.22c053f.2.raw.unpack	Emotet	Emotet Payload	kevoreilly	0x13ad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 40 00 85 C0 0x54d4:$snippet6: 33 C0 21 05 EC 10 41 00 A3 E8 10 41 00 39 05 A0 E3 40 00 74 18 40 A3 E8 10 41 00 83 3C C5 A0 E3 ...
0.2.aEdlObiYav.exe.22c053f.2.raw.unpack	Win32_Trojan_Emotet	unknown	ReversingLabs	0xe52:$decrypt_resource_v1: 55 8B EC 83 EC 18 53 8B D9 8B C2 56 57 89 45 F0 8B 3B 33 F8 8B C7 89 7D EC 83 E0 03 75 05 8D 77 ... 0xb23e:$generate_filename_v1: 56 57 33 C0 BF 08 16 41 00 57 50 50 6A 1C 50 FF 15 68 04 41 00 BA 9A DB 40 5A B9 60 EE 40 00 E8 ...
4.2.picturerus.exe.60053f.1.raw.unpack	MAL_Emotet_Jan20_1	Detects Emotet malware	Florian Roth	0x3177:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20 0x315d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
4.2.picturerus.exe.60053f.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.picturerus.exe.60053f.1.raw.unpack	Emotet	Emotet Payload	kevoreilly	0x13ad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 40 00 85 C0 0x54d4:$snippet6: 33 C0 21 05 EC 10 41 00 A3 E8 10 41 00 39 05 A0 E3 40 00 74 18 40 A3 E8 10 41 00 83 3C C5 A0 E3 ...
4.2.picturerus.exe.60053f.1.raw.unpack	Win32_Trojan_Emotet	unknown	ReversingLabs	0xe52:$decrypt_resource_v1: 55 8B EC 83 EC 18 53 8B D9 8B C2 56 57 89 45 F0 8B 3B 33 F8 8B C7 89 7D EC 83 E0 03 75 05 8D 77 ... 0xb23e:$generate_filename_v1: 56 57 33 C0 BF 08 16 41 00 57 50 50 6A 1C 50 FF 15 68 04 41 00 BA 9A DB 40 5A B9 60 EE 40 00 E8 ...
4.2.picturerus.exe.60053f.1.unpack	MAL_Emotet_Jan20_1	Detects Emotet malware	Florian Roth	0x2577:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20 0x255d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
4.2.picturerus.exe.60053f.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.picturerus.exe.60053f.1.unpack	Emotet	Emotet Payload	kevoreilly	0x7ad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 40 00 85 C0 0x48d4:$snippet6: 33 C0 21 05 EC 10 41 00 A3 E8 10 41 00 39 05 A0 E3 40 00 74 18 40 A3 E8 10 41 00 83 3C C5 A0 E3 ...
1.2.aEdlObiYav.exe.218053f.1.unpack	MAL_Emotet_Jan20_1	Detects Emotet malware	Florian Roth	0x2577:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20 0x255d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
1.2.aEdlObiYav.exe.218053f.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.aEdlObiYav.exe.218053f.1.unpack	Emotet	Emotet Payload	kevoreilly	0x7ad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 40 00 85 C0 0x48d4:$snippet6: 33 C0 21 05 EC 10 41 00 A3 E8 10 41 00 39 05 A0 E3 40 00 74 18 40 A3 E8 10 41 00 83 3C C5 A0 E3 ...
Click to see the 23 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: aEdlObiYav.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: aEdlObiYav.exe

ReversingLabs: Detection: 96%

Machine Learning detection for sample

Show sources

Source: aEdlObiYav.exe

Joe Sandbox ML: detected

Source: 0.2.aEdlObiYav.exe.22c053f.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 3.2.picturerus.exe.e1053f.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.picturerus.exe.60053f.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.aEdlObiYav.exe.218053f.1.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_0219207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash,	1_2_0219207B
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_0219215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,	1_2_0219215A
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_02191F11 CryptExportKey,	1_2_02191F11
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_02191F56 CryptGetHashParam,	1_2_02191F56
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_02191F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext,	1_2_02191F75
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_02191FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	1_2_02191FFC
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 4_2_00ED207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash,	4_2_00ED207B
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 4_2_00ED1FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	4_2_00ED1FFC
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 4_2_00ED1F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext,	4_2_00ED1F75
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 4_2_00ED1F11 CryptExportKey,	4_2_00ED1F11
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 4_2_00ED215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,	4_2_00ED215A
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 4_2_00ED1F56 CryptGetHashParam,	4_2_00ED1F56

Source: aEdlObiYav.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:

Binary string: c:\Users\User\Desktop\2003\modeless\Release\modeless.pdb source: aEdlObiYav.exe

Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,	0_2_0043A377
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_0043AE3F lstrlenA,FindFirstFileA,FindClose,	0_2_0043AE3F
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,	1_2_0043A377
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_0043AE3F lstrlenA,FindFirstFileA,FindClose,	1_2_0043AE3F

Source: global traffic	TCP traffic: 192.168.2.5:49717 -> 209.141.41.136:8080
Source: global traffic	TCP traffic: 192.168.2.5:49726 -> 104.236.246.93:8080
Source: global traffic	TCP traffic: 192.168.2.5:49727 -> 198.199.114.69:8080
Source: global traffic	TCP traffic: 192.168.2.5:49730 -> 152.89.236.214:8080
Source: global traffic	TCP traffic: 192.168.2.5:49731 -> 87.106.136.232:8080
Source: global traffic	TCP traffic: 192.168.2.5:49732 -> 178.210.51.222:8080

Source: Joe Sandbox View	IP Address: 104.236.246.93 104.236.246.93
Source: Joe Sandbox View	IP Address: 104.236.246.93 104.236.246.93
Source: Joe Sandbox View	IP Address: 87.106.136.232 87.106.136.232

Source: unknown	TCP traffic detected without corresponding DNS query: 45.33.54.74
Source: unknown	TCP traffic detected without corresponding DNS query: 45.33.54.74
Source: unknown	TCP traffic detected without corresponding DNS query: 45.33.54.74
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.41.136
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.41.136
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.41.136
Source: unknown	TCP traffic detected without corresponding DNS query: 104.236.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.236.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.236.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 198.199.114.69
Source: unknown	TCP traffic detected without corresponding DNS query: 198.199.114.69
Source: unknown	TCP traffic detected without corresponding DNS query: 198.199.114.69
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.236.214
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.236.214
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.236.214
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.136.232
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.136.232
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.136.232

Source: C:\Windows\SysWOW64\picturerus.exe

Code function: 4_2_00ED1383 InternetReadFile,

4_2_00ED1383

Source: picturerus.exe, 00000004.00000002.487408684.0000000000199000.00000004.00000001.sdmp	String found in binary or memory: http://178.210.51.222/attrib/glitch/add/merge/
Source: svchost.exe, 00000005.00000002.490559739.000001F634A0F000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000005.00000002.490559739.000001F634A0F000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000005.00000002.487921047.000001F62F2A0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000005.00000002.491346023.000001F634C00000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000009.00000002.305301146.0000023F57C13000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000007.00000002.488280885.000001D9ACE3E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000007.00000002.488280885.000001D9ACE3E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000007.00000002.488280885.000001D9ACE3E000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000007.00000002.488280885.000001D9ACE3E000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000007.00000002.488280885.000001D9ACE3E000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000009.00000003.305003343.0000023F57C5A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.305319310.0000023F57C3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000002.305345104.0000023F57C4E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.305319310.0000023F57C3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000009.00000002.305323775.0000023F57C42000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000009.00000002.305323775.0000023F57C42000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000002.305351605.0000023F57C5C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000009.00000003.305003343.0000023F57C5A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000002.305351605.0000023F57C5C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000002.305351605.0000023F57C5C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000002.305368398.0000023F57C64000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.305319310.0000023F57C3D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.283224217.0000023F57C31000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000002.305319310.0000023F57C3D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.305301146.0000023F57C13000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.305319310.0000023F57C3D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000003.305027218.0000023F57C45000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.305027218.0000023F57C45000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.283224217.0000023F57C31000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000009.00000003.305042012.0000023F57C3A000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000009.00000002.305345104.0000023F57C4E000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_0043814C GetKeyState,GetKeyState,GetKeyState,GetKeyState,	0_2_0043814C
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_0044C334 GetKeyState,GetKeyState,GetKeyState,	0_2_0044C334
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_004450BA ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,	0_2_004450BA
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_0042F3FF __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,	0_2_0042F3FF
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_00449796 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,	0_2_00449796
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_00433B4D GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	0_2_00433B4D
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_0043814C GetKeyState,GetKeyState,GetKeyState,GetKeyState,	1_2_0043814C
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_0044C334 GetKeyState,GetKeyState,GetKeyState,	1_2_0044C334
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_004450BA ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,	1_2_004450BA
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_0042F3FF __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,	1_2_0042F3FF
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_00449796 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,	1_2_00449796
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_00433B4D GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	1_2_00433B4D

E-Banking Fraud:

Detected Emotet e-Banking trojan

Show sources

Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_0219C11B		1_2_0219C11B
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 4_2_00EDC11B		4_2_00EDC11B

Yara detected Emotet

Show sources

Source: Yara match	File source: 00000004.00000002.488250881.0000000000ED1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.240281211.0000000000E21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.241329316.0000000002180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.241344979.0000000002191000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.221393603.00000000022C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.240268046.0000000000E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.221405204.00000000022D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.487903177.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.aEdlObiYav.exe.22c053f.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.picturerus.exe.e1053f.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.aEdlObiYav.exe.218053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.picturerus.exe.e1053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.aEdlObiYav.exe.22c053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.picturerus.exe.60053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.picturerus.exe.60053f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.aEdlObiYav.exe.218053f.1.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_02191F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext,		1_2_02191F75
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 4_2_00ED1F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext,		4_2_00ED1F75

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000004.00000002.488250881.0000000000ED1000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Emotet Payload Author: kevoreilly
Source: 00000003.00000002.240281211.0000000000E21000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.241329316.0000000002180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.241344979.0000000002191000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.221393603.00000000022C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Emotet Payload Author: kevoreilly
Source: 00000003.00000002.240268046.0000000000E10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.221405204.00000000022D1000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Emotet Payload Author: kevoreilly
Source: 00000004.00000002.487903177.0000000000600000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.aEdlObiYav.exe.22c053f.2.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 3.2.picturerus.exe.e1053f.2.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.aEdlObiYav.exe.218053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.aEdlObiYav.exe.218053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 3.2.picturerus.exe.e1053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 3.2.picturerus.exe.e1053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 0.2.aEdlObiYav.exe.22c053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.aEdlObiYav.exe.22c053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 4.2.picturerus.exe.60053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 4.2.picturerus.exe.60053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 4.2.picturerus.exe.60053f.1.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.aEdlObiYav.exe.218053f.1.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly

Source: C:\Users\user\Desktop\aEdlObiYav.exe

Code function: 1_2_0219C2E7 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle,

1_2_0219C2E7

Source: C:\Users\user\Desktop\aEdlObiYav.exe

Code function: 1_2_02191D2B CreateProcessAsUserW,CreateProcessW,

1_2_02191D2B

Source: C:\Windows\SysWOW64\picturerus.exe

File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache

Jump to behavior

Source: C:\Users\user\Desktop\aEdlObiYav.exe

File deleted: C:\Windows\SysWOW64\picturerus.exe:Zone.Identifier

Jump to behavior

Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_0041CB04	0_2_0041CB04
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_004351C1	0_2_004351C1
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_00419288	0_2_00419288
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_0041CB04	1_2_0041CB04
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_004351C1	1_2_004351C1
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_00419288	1_2_00419288
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_021828C1	1_2_021828C1
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_021830E8	1_2_021830E8
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_021830E4	1_2_021830E4
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_021937A9	1_2_021937A9
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_021937A5	1_2_021937A5
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_02192F82	1_2_02192F82
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 3_2_00E130E4	3_2_00E130E4
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 3_2_00E130E8	3_2_00E130E8
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 3_2_00E128C1	3_2_00E128C1
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 3_2_00E237A5	3_2_00E237A5
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 3_2_00E237A9	3_2_00E237A9
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 3_2_00E22F82	3_2_00E22F82
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 4_2_006030E4	4_2_006030E4
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 4_2_006030E8	4_2_006030E8
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 4_2_006028C1	4_2_006028C1
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 4_2_00ED37A9	4_2_00ED37A9
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 4_2_00ED37A5	4_2_00ED37A5
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 4_2_00ED2F82	4_2_00ED2F82

Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: String function: 00401AB4 appears 46 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: String function: 004373E9 appears 31 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: String function: 0041C3B9 appears 57 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: String function: 004334D7 appears 64 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: String function: 0044D589 appears 86 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: String function: 00419937 appears 8618 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: String function: 0044FB2C appears 32 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: String function: 00419918 appears 483 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: String function: 0041923C appears 130 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: String function: 0041E3BF appears 79 times
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: String function: 0044D5AF appears 37 times

Source: aEdlObiYav.exe, 00000000.00000002.221382669.0000000002280000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs aEdlObiYav.exe
Source: aEdlObiYav.exe, 00000001.00000002.242092910.00000000029F0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs aEdlObiYav.exe
Source: aEdlObiYav.exe, 00000001.00000002.242092910.00000000029F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs aEdlObiYav.exe
Source: aEdlObiYav.exe, 00000001.00000002.241858641.0000000002900000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs aEdlObiYav.exe

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Source: aEdlObiYav.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000004.00000002.488250881.0000000000ED1000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000003.00000002.240281211.0000000000E21000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.241329316.0000000002180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.241344979.0000000002191000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.221393603.00000000022C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000003.00000002.240268046.0000000000E10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.221405204.00000000022D1000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000004.00000002.487903177.0000000000600000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.aEdlObiYav.exe.22c053f.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 0.2.aEdlObiYav.exe.22c053f.2.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 3.2.picturerus.exe.e1053f.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 3.2.picturerus.exe.e1053f.2.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.aEdlObiYav.exe.218053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 1.2.aEdlObiYav.exe.218053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.aEdlObiYav.exe.218053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 3.2.picturerus.exe.e1053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 3.2.picturerus.exe.e1053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 3.2.picturerus.exe.e1053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 0.2.aEdlObiYav.exe.22c053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 0.2.aEdlObiYav.exe.22c053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.aEdlObiYav.exe.22c053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 4.2.picturerus.exe.60053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 4.2.picturerus.exe.60053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 4.2.picturerus.exe.60053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 4.2.picturerus.exe.60053f.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 4.2.picturerus.exe.60053f.1.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.aEdlObiYav.exe.218053f.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 1.2.aEdlObiYav.exe.218053f.1.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload

Source: classification engine

Classification label: mal100.bank.troj.evad.winEXE@15/5@0/8

Source: C:\Users\user\Desktop\aEdlObiYav.exe

Code function: 0_2_0043F939 __EH_prolog,GetDiskFreeSpaceA,GetFullPathNameA,GetTempFileNameA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA,

0_2_0043F939

Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,		1_2_0219C3B7
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,		4_2_00EDC3B7

Source: C:\Users\user\Desktop\aEdlObiYav.exe

Code function: 1_2_02191943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_02191943

Source: C:\Users\user\Desktop\aEdlObiYav.exe

Code function: 0_2_00416DE7 __EH_prolog,VariantClear,SysAllocStringByteLen,CoCreateInstance,CoCreateInstance,CoCreateInstance,

0_2_00416DE7

Source: C:\Users\user\Desktop\aEdlObiYav.exe

Code function: 0_2_004315F6 __EH_prolog,FindResourceA,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource,

0_2_004315F6

Source: C:\Users\user\Desktop\aEdlObiYav.exe

Code function: 1_2_0219C3B7 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,

1_2_0219C3B7

Source: C:\Users\user\Desktop\aEdlObiYav.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: C:\Users\user\Desktop\aEdlObiYav.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\M765E845E
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\I765E845E
Source: C:\Windows\SysWOW64\picturerus.exe	Mutant created: \BaseNamedObjects\Global\I765E845E
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3896:120:WilError_01

Source: aEdlObiYav.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\aEdlObiYav.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\aEdlObiYav.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: aEdlObiYav.exe

ReversingLabs: Detection: 96%

Source: C:\Windows\SysWOW64\picturerus.exe

Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess

Source: unknown	Process created: C:\Users\user\Desktop\aEdlObiYav.exe 'C:\Users\user\Desktop\aEdlObiYav.exe'
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Process created: C:\Users\user\Desktop\aEdlObiYav.exe --79fd8b32
Source: unknown	Process created: C:\Windows\SysWOW64\picturerus.exe C:\Windows\SysWOW64\picturerus.exe
Source: C:\Windows\SysWOW64\picturerus.exe	Process created: C:\Windows\SysWOW64\picturerus.exe --b743c2a4
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Process created: C:\Users\user\Desktop\aEdlObiYav.exe --79fd8b32	Jump to behavior
Source: C:\Windows\SysWOW64\picturerus.exe	Process created: C:\Windows\SysWOW64\picturerus.exe --b743c2a4	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable	Jump to behavior

Source: C:\Users\user\Desktop\aEdlObiYav.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: aEdlObiYav.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: c:\Users\User\Desktop\2003\modeless\Release\modeless.pdb source: aEdlObiYav.exe

Source: C:\Users\user\Desktop\aEdlObiYav.exe

Code function: 0_2_00432655 GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary,

0_2_00432655

Source: aEdlObiYav.exe

Static PE information: real checksum: 0x7ffed should be: 0x800e5

Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_00419277 push ecx; ret	0_2_00419287
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_004193A0 push eax; ret	0_2_004193B4
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_004193A0 push eax; ret	0_2_004193DC
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_00419918 push eax; ret	0_2_00419936
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_00419277 push ecx; ret	1_2_00419287
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_004193A0 push eax; ret	1_2_004193B4
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_004193A0 push eax; ret	1_2_004193DC
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_00419918 push eax; ret	1_2_00419936
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_0218E190 push BB276B01h; ret	1_2_0218E1C2
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 3_2_00E1E190 push BB276B01h; ret	3_2_00E1E1C2
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 4_2_0060E190 push BB276B01h; ret	4_2_0060E1C2

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\SysWOW64\picturerus.exe

Executable created and started: C:\Windows\SysWOW64\picturerus.exe

Jump to behavior

Source: C:\Users\user\Desktop\aEdlObiYav.exe

PE file moved: C:\Windows\SysWOW64\picturerus.exe

Jump to behavior

Source: C:\Users\user\Desktop\aEdlObiYav.exe

Code function: 1_2_0219C3B7 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,

1_2_0219C3B7

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\aEdlObiYav.exe

File opened: C:\Windows\SysWOW64\picturerus.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_004121E0 IsIconic,SetFileSecurityW,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	0_2_004121E0
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_0043ED39 GetParent,GetParent,IsIconic,GetParent,	0_2_0043ED39
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_00412F6C IsIconic,GetWindowPlacement,GetWindowRect,	0_2_00412F6C
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_004415C2 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,	0_2_004415C2
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_00449839 IsWindowVisible,IsIconic,	0_2_00449839
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_004121E0 IsIconic,SetFileSecurityW,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	1_2_004121E0
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_0043ED39 GetParent,GetParent,IsIconic,GetParent,	1_2_0043ED39
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_00412F6C IsIconic,GetWindowPlacement,GetWindowRect,	1_2_00412F6C
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_004415C2 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,	1_2_004415C2
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_00449839 IsWindowVisible,IsIconic,	1_2_00449839

Source: C:\Users\user\Desktop\aEdlObiYav.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\picturerus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\picturerus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\picturerus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\picturerus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\picturerus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\picturerus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)

Show sources

Source: C:\Windows\SysWOW64\picturerus.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

Source: C:\Users\user\Desktop\aEdlObiYav.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle,		1_2_0219C11B
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle,		4_2_00EDC11B

Source: C:\Windows\SysWOW64\picturerus.exe

API coverage: 9.5 %

Source: C:\Windows\System32\svchost.exe TID: 6064

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\aEdlObiYav.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,	0_2_0043A377
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_0043AE3F lstrlenA,FindFirstFileA,FindClose,	0_2_0043AE3F
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,	1_2_0043A377
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_0043AE3F lstrlenA,FindFirstFileA,FindClose,	1_2_0043AE3F

Source: C:\Users\user\Desktop\aEdlObiYav.exe

Code function: 0_2_00419156 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,

0_2_00419156

Source: svchost.exe, 00000007.00000002.488571936.000001D9AD460000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000005.00000002.490947713.000001F634A62000.00000004.00000001.sdmp	Binary or memory string: (@Hyper-V RAW
Source: svchost.exe, 00000005.00000002.490862849.000001F634A4C000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000007.00000002.488571936.000001D9AD460000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000007.00000002.488571936.000001D9AD460000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000005.00000002.487748266.000001F62F229000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW`C
Source: svchost.exe, 00000007.00000002.488350000.000001D9ACE64000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.487724636.00000157C782A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000007.00000002.488571936.000001D9AD460000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\picturerus.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\picturerus.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\picturerus.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\picturerus.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\aEdlObiYav.exe

Code function: 0_2_00432655 GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary,

0_2_00432655

Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_00401B93 mov eax, dword ptr fs:[00000030h]	0_2_00401B93
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_00401BA2 mov eax, dword ptr fs:[00000030h]	0_2_00401BA2
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_00401B93 mov eax, dword ptr fs:[00000030h]	1_2_00401B93
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_00401BA2 mov eax, dword ptr fs:[00000030h]	1_2_00401BA2
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_02180467 mov eax, dword ptr fs:[00000030h]	1_2_02180467
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_02180C0C mov eax, dword ptr fs:[00000030h]	1_2_02180C0C
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_02181743 mov eax, dword ptr fs:[00000030h]	1_2_02181743
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_021912CD mov eax, dword ptr fs:[00000030h]	1_2_021912CD
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_02191E04 mov eax, dword ptr fs:[00000030h]	1_2_02191E04
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 3_2_00E10467 mov eax, dword ptr fs:[00000030h]	3_2_00E10467
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 3_2_00E10C0C mov eax, dword ptr fs:[00000030h]	3_2_00E10C0C
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 3_2_00E11743 mov eax, dword ptr fs:[00000030h]	3_2_00E11743
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 3_2_00E212CD mov eax, dword ptr fs:[00000030h]	3_2_00E212CD
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 3_2_00E21E04 mov eax, dword ptr fs:[00000030h]	3_2_00E21E04
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 4_2_00600467 mov eax, dword ptr fs:[00000030h]	4_2_00600467
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 4_2_00600C0C mov eax, dword ptr fs:[00000030h]	4_2_00600C0C
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 4_2_00601743 mov eax, dword ptr fs:[00000030h]	4_2_00601743
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 4_2_00ED12CD mov eax, dword ptr fs:[00000030h]	4_2_00ED12CD
Source: C:\Windows\SysWOW64\picturerus.exe	Code function: 4_2_00ED1E04 mov eax, dword ptr fs:[00000030h]	4_2_00ED1E04

Source: C:\Users\user\Desktop\aEdlObiYav.exe

Code function: 1_2_021914F2 GetProcessHeap,RtlAllocateHeap,

1_2_021914F2

Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_00420406 SetUnhandledExceptionFilter,	0_2_00420406
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_0042041A SetUnhandledExceptionFilter,	0_2_0042041A
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_00420406 SetUnhandledExceptionFilter,	1_2_00420406
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_0042041A SetUnhandledExceptionFilter,	1_2_0042041A

Source: C:\Users\user\Desktop\aEdlObiYav.exe

Code function: 1_2_0218C477 cpuid

1_2_0218C477

Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: GetLocaleInfoA,_strncpy,	0_2_00426F2A
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	0_2_00401069
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: _strlen,EnumSystemLocalesA,	0_2_00427449
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: _strlen,_strlen,EnumSystemLocalesA,	0_2_00427480
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat,	0_2_0042755B
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: _strlen,EnumSystemLocalesA,	0_2_00427506
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: GetLocaleInfoA,	0_2_00427749
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA,	0_2_0044D759
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,	0_2_004299EE
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: GetLocaleInfoA,MultiByteToWideChar,	0_2_00429AAA
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,	0_2_00429B1E
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: GetLocaleInfoW,WideCharToMultiByte,	0_2_00429BD1
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: GetLocaleInfoA,_strncpy,	1_2_00426F2A
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	1_2_00401069
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: _strlen,EnumSystemLocalesA,	1_2_00427449
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: _strlen,_strlen,EnumSystemLocalesA,	1_2_00427480
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat,	1_2_0042755B
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: _strlen,EnumSystemLocalesA,	1_2_00427506
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: GetLocaleInfoA,	1_2_00427749
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA,	1_2_0044D759
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,	1_2_004299EE
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: GetLocaleInfoA,MultiByteToWideChar,	1_2_00429AAA
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,	1_2_00429B1E
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: GetLocaleInfoW,WideCharToMultiByte,	1_2_00429BD1

Source: C:\Users\user\Desktop\aEdlObiYav.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\picturerus.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\aEdlObiYav.exe

Code function: 0_2_00420151 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00420151

Source: C:\Users\user\Desktop\aEdlObiYav.exe

Code function: 0_2_004231DB __lock,_strlen,_strcat,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy,

0_2_004231DB

Source: C:\Users\user\Desktop\aEdlObiYav.exe

Code function: 0_2_0044A5CB GetVersion,GetVersion,GetVersion,GetVersion,GetVersion,RegisterWindowMessageA,

0_2_0044A5CB

Source: C:\Users\user\Desktop\aEdlObiYav.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: aEdlObiYav.exe, 00000000.00000002.221218933.00000000004B0000.00000004.00000020.sdmp	Binary or memory string: Kav.exe
Source: svchost.exe, 0000000B.00000002.487696660.0000020979C3D000.00000004.00000001.sdmp	Binary or memory string: @V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000B.00000002.487727705.0000020979D02000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 00000004.00000002.488250881.0000000000ED1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.240281211.0000000000E21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.241329316.0000000002180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.241344979.0000000002191000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.221393603.00000000022C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.240268046.0000000000E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.221405204.00000000022D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.487903177.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.aEdlObiYav.exe.22c053f.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.picturerus.exe.e1053f.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.aEdlObiYav.exe.218053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.picturerus.exe.e1053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.aEdlObiYav.exe.22c053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.picturerus.exe.60053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.picturerus.exe.60053f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.aEdlObiYav.exe.218053f.1.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_004514EB CreateBindCtx,lstrlenW,lstrlenA,CoTaskMemFree,	0_2_004514EB
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 0_2_00451B05 lstrlenA,lstrlenW,lstrlenW,lstrlenW,CoTaskMemAlloc,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,	0_2_00451B05
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_004514EB CreateBindCtx,lstrlenW,lstrlenA,CoTaskMemFree,	1_2_004514EB
Source: C:\Users\user\Desktop\aEdlObiYav.exe	Code function: 1_2_00451B05 lstrlenA,lstrlenW,lstrlenW,lstrlenW,CoTaskMemAlloc,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,	1_2_00451B05

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Windows Management Instrumentation1	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools1	Input Capture1	System Time Discovery2	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Native API111	Valid Accounts1	Valid Accounts1	Deobfuscate/Decode Files or Information1	LSASS Memory	System Service Discovery1	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Encrypted Channel22	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter2	Windows Service12	Access Token Manipulation1	Obfuscated Files or Information2	Security Account Manager	File and Directory Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Service Execution12	Logon Script (Mac)	Windows Service12	Software Packing1	NTDS	System Information Discovery47	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Process Injection1	DLL Side-Loading1	LSA Secrets	Security Software Discovery51	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	File Deletion1	Cached Domain Credentials	Virtualization/Sandbox Evasion3	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Masquerading121	DCSync	Process Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Valid Accounts1	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Access Token Manipulation1	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Virtualization/Sandbox Evasion3	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Process Injection1	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Hidden Files and Directories1	Keylogging	Local Groups	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
aEdlObiYav.exe	96%	ReversingLabs	Win32.Trojan.Emotet
aEdlObiYav.exe	100%	Avira	HEUR/AGEN.1111753
aEdlObiYav.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.aEdlObiYav.exe.22c053f.2.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
3.2.picturerus.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1111753	Download File
0.2.aEdlObiYav.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1111753	Download File
3.2.picturerus.exe.e1053f.2.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.0.aEdlObiYav.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1111753	Download File
1.2.aEdlObiYav.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1111753	Download File
4.2.picturerus.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1111753	Download File
3.0.picturerus.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1111753	Download File
1.0.aEdlObiYav.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1111753	Download File
4.2.picturerus.exe.60053f.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
1.2.aEdlObiYav.exe.218053f.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
4.0.picturerus.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1111753	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
http://178.210.51.222/attrib/glitch/add/merge/	0%	Avira URL Cloud	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 00000009.00000003.305027218.0000023F57C45000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 00000009.00000002.305319310.0000023F57C3D000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 00000009.00000002.305319310.0000023F57C3D000.00000004.00000001.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 00000009.00000002.305345104.0000023F57C4E000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 00000009.00000002.305319310.0000023F57C3D000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000009.00000003.305027218.0000023F57C45000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000009.00000002.305351605.0000023F57C5C000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 00000009.00000002.305301146.0000023F57C13000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.305319310.0000023F57C3D000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 00000009.00000002.305323775.0000023F57C42000.00000004.00000001.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 00000007.00000002.488280885.000001D9ACE3E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 00000009.00000002.305345104.0000023F57C4E000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 00000009.00000003.283224217.0000023F57C31000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 00000009.00000003.305003343.0000023F57C5A000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000009.00000003.283224217.0000023F57C31000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000009.00000002.305351605.0000023F57C5C000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	svchost.exe, 00000005.00000002.491346023.000001F634C00000.00000002.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 00000009.00000002.305323775.0000023F57C42000.00000004.00000001.sdmp	false		high
https://dynamic.t	svchost.exe, 00000009.00000002.305368398.0000023F57C64000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 00000009.00000003.305042012.0000023F57C3A000.00000004.00000001.sdmp	false		high
https://appexmapsappupdate.blob.core.windows.net	svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 00000009.00000002.305351605.0000023F57C5C000.00000004.00000001.sdmp	false		high
http://178.210.51.222/attrib/glitch/add/merge/	picturerus.exe, 00000004.00000002.487408684.0000000000199000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com	svchost.exe, 00000007.00000002.488280885.000001D9ACE3E000.00000004.00000001.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 00000009.00000002.305301146.0000023F57C13000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 00000009.00000003.304991002.0000023F57C5F000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000009.00000002.305319310.0000023F57C3D000.00000004.00000001.sdmp	false		high
https://%s.dnet.xboxlive.com	svchost.exe, 00000007.00000002.488280885.000001D9ACE3E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000009.00000003.305003343.0000023F57C5A000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
152.89.236.214	unknown	Germany	31400	ACCELERATED-ITDE	false
198.199.114.69	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
104.236.246.93	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
178.210.51.222	unknown	Russian Federation	43727	KVANT-TELECOMRU	false
45.33.54.74	unknown	United States	63949	LINODE-APLinodeLLCUS	false
209.141.41.136	unknown	United States	53667	PONYNETUS	false
87.106.136.232	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	false

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	376365
Start date:	26.03.2021
Start time:	12:14:01
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	aEdlObiYav (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.bank.troj.evad.winEXE@15/5@0/8
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 0.1% (good quality ratio 0.1%) Quality average: 91.1% Quality standard deviation: 6.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 52 Number of non-executed functions: 258
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 93.184.220.29, 20.82.210.154, 40.88.32.150, 13.64.90.137, 52.147.198.201, 13.88.21.125, 104.43.139.144, 95.100.54.203, 51.103.5.186, 20.50.102.62, 23.10.249.43, 23.10.249.26, 20.54.26.129 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, wns.notify.trafficmanager.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, vip2-par02p.wns.notify.trafficmanager.net Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/376365/sample/aEdlObiYav.exe

Simulations

Behavior and APIs

Time	Type	Description
12:15:06	API Interceptor	2x Sleep call for process: svchost.exe modified
12:16:21	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
198.199.114.69	VYHauUUCLr.exe	Get hash	malicious	Browse	198.199.114.69:8080/badge/report/xian/
	http://infraturkey.com/deletecomment/parts_service/daaMnHeDzR/	Get hash	malicious	Browse	198.199.114.69:8080/jit/
	https://newwell.studio/test/DOC/NtnDpOmWbTdPEdBxrLyy/	Get hash	malicious	Browse	198.199.114.69:8080/json/
104.236.246.93	form.doc	Get hash	malicious	Browse	104.236.246.93:8080/hZhNeaDm/dcUDNcyqQW/niVKRU29uscA3Ju/
	UAr7Xz5JWr.exe	Get hash	malicious	Browse	104.236.246.93:8080/ZxZomdMT6G9XK/ghoypfynUN/
	invoice #865119.doc	Get hash	malicious	Browse	104.236.246.93:8080/XzlcYaBSUK0cswU/pzKYcLCk/PbvwO3hXkaN7W/WM9ZNIP/
	XY8707573112TQ.doc	Get hash	malicious	Browse	104.236.246.93:8080/att30xZ/YONUKbuNJ8IOQjL/G34JI8e3LEFl/jaWgrB/
	test-emotet.exe	Get hash	malicious	Browse	104.236.246.93/
45.33.54.74	FA_36802305641_Oct2019.doc	Get hash	malicious	Browse	45.33.54.74:443/loadan/stubs/
87.106.136.232	http://87.106.136.232	Get hash	malicious	Browse	87.106.136.232/

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ACCELERATED-ITDE	ZRz0Aq1Rf0.dll	Get hash	malicious	Browse	185.245.99.134
	usb	Get hash	malicious	Browse	45.133.9.100
	bin.exe	Get hash	malicious	Browse	84.200.110.123
	run32dll.exe	Get hash	malicious	Browse	45.154.35.214
	Vidoe001mp4.scr signed FAT11 d.o.exe	Get hash	malicious	Browse	45.154.35.218
	OD29081792Y_COVID-19_SARS-CoV-2.doc	Get hash	malicious	Browse	185.245.99.2
	Fakt. - 19 okt., 2020.doc	Get hash	malicious	Browse	185.194.237.65
	liposnejk.exe	Get hash	malicious	Browse	84.200.209.11
	jackpot_http.exe	Get hash	malicious	Browse	213.190.30.57
	http://cumds.com/_vti_log/paclm/02d8rg/2jx860566807ll82z66y0b2bd/	Get hash	malicious	Browse	84.200.5.215
	mb10.exe	Get hash	malicious	Browse	185.245.99.134
	mb10.exe	Get hash	malicious	Browse	185.245.99.134
	https://withered-butterfly-9cd3.tkbizulvc.workers.dev/	Get hash	malicious	Browse	193.135.10.219
	5xcdJCRyWp.exe	Get hash	malicious	Browse	82.211.30.202
	emotet_11.doc	Get hash	malicious	Browse	82.211.30.202
	emotet_11.doc	Get hash	malicious	Browse	82.211.30.202
	emotet.doc	Get hash	malicious	Browse	82.211.30.202
	emotet.doc	Get hash	malicious	Browse	82.211.30.202
	RechnungRechnung.doc	Get hash	malicious	Browse	82.211.30.202
	RechnungRechnung.doc	Get hash	malicious	Browse	82.211.30.202
DIGITALOCEAN-ASNUS	ajESKcIz8f.exe	Get hash	malicious	Browse	138.197.53.157
	Revised Signed Proforma Invoice 000856453553.exe	Get hash	malicious	Browse	134.209.159.22
	rona.exe	Get hash	malicious	Browse	104.248.117.19
	fDFkIEBfpm.exe	Get hash	malicious	Browse	206.189.174.29
	JE74.vbs	Get hash	malicious	Browse	104.248.193.149
	4d86320858effdc2c8bf3fc2ae86080f0f6b449141991.dll	Get hash	malicious	Browse	167.172.240.248
	Rc93GKN1MJ.exe	Get hash	malicious	Browse	138.197.161.207
	tBU1h89Elf.dll	Get hash	malicious	Browse	167.172.240.248
	JbzAir8erB.dll	Get hash	malicious	Browse	167.172.240.248
	5sH546K9WX.dll	Get hash	malicious	Browse	167.172.240.248
	qcxuvc6i7S.dll	Get hash	malicious	Browse	167.172.240.248
	4itHMydujq.dll	Get hash	malicious	Browse	167.172.240.248
	LzYnwzj8zx.dll	Get hash	malicious	Browse	167.172.240.248
	si8zqjtdqI.dll	Get hash	malicious	Browse	167.172.240.248
	5aVrBcmCyl.dll	Get hash	malicious	Browse	167.172.240.248
	8z5iVMz39r.dll	Get hash	malicious	Browse	167.172.240.248
	fXNR9O8fGS.dll	Get hash	malicious	Browse	167.172.240.248
	wdPI7Jq0EV.dll	Get hash	malicious	Browse	167.172.240.248
	SHWUWeV5aB.dll	Get hash	malicious	Browse	167.172.240.248
	XG8kPPiEda.dll	Get hash	malicious	Browse	167.172.240.248
DIGITALOCEAN-ASNUS	ajESKcIz8f.exe	Get hash	malicious	Browse	138.197.53.157
	Revised Signed Proforma Invoice 000856453553.exe	Get hash	malicious	Browse	134.209.159.22
	rona.exe	Get hash	malicious	Browse	104.248.117.19
	fDFkIEBfpm.exe	Get hash	malicious	Browse	206.189.174.29
	JE74.vbs	Get hash	malicious	Browse	104.248.193.149
	4d86320858effdc2c8bf3fc2ae86080f0f6b449141991.dll	Get hash	malicious	Browse	167.172.240.248
	Rc93GKN1MJ.exe	Get hash	malicious	Browse	138.197.161.207
	tBU1h89Elf.dll	Get hash	malicious	Browse	167.172.240.248
	JbzAir8erB.dll	Get hash	malicious	Browse	167.172.240.248
	5sH546K9WX.dll	Get hash	malicious	Browse	167.172.240.248
	qcxuvc6i7S.dll	Get hash	malicious	Browse	167.172.240.248
	4itHMydujq.dll	Get hash	malicious	Browse	167.172.240.248
	LzYnwzj8zx.dll	Get hash	malicious	Browse	167.172.240.248
	si8zqjtdqI.dll	Get hash	malicious	Browse	167.172.240.248
	5aVrBcmCyl.dll	Get hash	malicious	Browse	167.172.240.248
	8z5iVMz39r.dll	Get hash	malicious	Browse	167.172.240.248
	fXNR9O8fGS.dll	Get hash	malicious	Browse	167.172.240.248
	wdPI7Jq0EV.dll	Get hash	malicious	Browse	167.172.240.248
	SHWUWeV5aB.dll	Get hash	malicious	Browse	167.172.240.248
	XG8kPPiEda.dll	Get hash	malicious	Browse	167.172.240.248

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.597889115294713
Encrypted:	false
SSDEEP:	6:bVk1GaD0JOCEfMuaaD0JOCEfMKQmDF1Al/gz2cE0fMbhEZolrRSQ2hyYIIT:bCGaD0JcaaD0JwQQF1Ag/0bjSQJ
MD5:	4E33D805E2A479CEE4D175EDBAE59C11
SHA1:	1EAA684AA38277FA15E860035EB1BDEBCE587FAE
SHA-256:	C9040CEDCAA9BC5392C8A43422B685431F804EF7E2669F45A546DAFEE0512988
SHA-512:	D74D01C1C48F02E7E75DD5BFA2BA0849912165C532A8D62D47BD8D5E2DBC5CD9AD391DB420CDDCA382EB10CC55B0905E164A1739B2C89161DF89A748102308C7
Malicious:	false
Reputation:	low
Preview:	....E..h..(..........yY.............. ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@........................yY...........&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x04dffe7c, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.09636108144020473
Encrypted:	false
SSDEEP:	6:sEsAzwl/+KRIE11Y8TRXrrFlKGEsAzwl/+KRIE11Y8TRXrrFlK:sFA0+KO4blrrFlKGFA0+KO4blrrFlK
MD5:	CC2B342ACF2A0814B5BCAE5A58DBD2FC
SHA1:	C44E20AB2EA24C9EA9A4C381B6E01B832946E984
SHA-256:	F709D7EA01C60FA0756B3E170EC7FCE60EFD88499230B57C9064D38FC77C63A2
SHA-512:	AA06D2E349B13ADD0C70ADBE8268B0C03B39EC1AA4BDAD6E8CFD1A25F9CB898C9ED653364A1DA03814D8769D111E0DB33DDDFD38E172BD661537642363CD5FE2
Malicious:	false
Reputation:	low
Preview:	...\|... ................e.f.3...w........................&..........w.......yY.h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w.........................................................................................................................................................................................................................................Z.....yY....................b.....yY.........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.11086134938174995
Encrypted:	false
SSDEEP:	3:DnSLEvjUOMjSXl/bJdAtixx/CYll:OyPMj8t4O/
MD5:	F88FE82FEE638B48780BE86DCD42F59B
SHA1:	68CEFD6EF8B846506CCBD4615FF9BBE46281EA49
SHA-256:	3C0871C0DD8B3D2A331A974F01A144C665E3476291AB203118C257FEFBB3483D
SHA-512:	9105C803F7A75AFC6D3502A7BC89B9719A32AAB46909C010B3ACA2D408E29E534138946B62DD0EF0DD99EFD8306AE0BED2DFEA4964C5EBFE776098B98A6E1BE5
Malicious:	false
Reputation:	low
Preview:	.......................................3...w.......yY......w...............w.......w....:O.....w.....................b.....yY.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Reputation:	high, very likely benign file
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	data
Category:	modified
Size (bytes):	906
Entropy (8bit):	3.132534585600141
Encrypted:	false
SSDEEP:	12:58KRBubdpkoF1AG3rYyGljok9+MlWlLehB4yAq7ejCZyGljB:OaqdmuF3roljL+kWReH4yJ7MAljB
MD5:	565473E4D9B99CA298056458A32F5C4A
SHA1:	41B263FB8EF34508A270C1131E851F03AA21152C
SHA-256:	AB279EB907E7309130B86D1709ACA6F349EEDD5AC22FA34388685A2EAC32FDB2
SHA-512:	FC96109E8D6901953C225F7483A935CAF1068F4DD2A10CD8F645FFD84A0C74374D0124F09723001883DFAA86631F56D770301BC043A38515F880C64F3CC09839
Malicious:	false
Reputation:	low
Preview:	........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. M.a.r. .. 2.6. .. 2.0.2.1. .1.2.:.1.6.:.2.1.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. F.r.i. .. M.a.r. .. 2.6. .. 2.0.2.1. .1.2.:.1.6.:.2.1.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.625638741868008
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	aEdlObiYav.exe
File size:	516346
MD5:	ae03a6f8fb74d401b403647d28e21574
SHA1:	6ee320cedc77499f5df9ae9c93ef42c0d91f3ce8
SHA256:	1ad1ff05930f27ef4b349c7a612235d1632ef7ceaa1a17adf7c7b3a97b40ca4d
SHA512:	ab2a30d32722419c72808032ae01b9443bfb8ea80ec52426aeb42ac21a84f0a2b04dd6f311c13b06bcaa37b7874b4e311ff8dc0c94ccfa42cbf6dcac0e2facab
SSDEEP:	6144:PebeJq15KNVIjux9tE9dVyAhwoajYPNo4ahRFPhpxOtYS0xefNPf+R6axxVccVPo:W5KNgux9t0VyAShUPCRdUi8cVRPw17i
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........*1..Db..Db..Dbd..b..Db..]b..Db...b..Db..Kb..Db...ba.Db..cb..Dbd..b..Db..Eb..Db..$b..Db...b..Db...b..Db...b..DbRich..Db.......

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x419b95
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5D9A0326 [Sun Oct 6 15:07:18 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	92bdfd5dfdc574760c27f87d6f10fe98

Entrypoint Preview

Instruction
push 00000060h
push 0045C7A8h
call 00007FD794FDE160h
mov edi, 00000094h
mov eax, edi
call 00007FD794FDE2B8h
mov dword ptr [ebp-18h], esp
mov esi, esp
mov dword ptr [esi], edi
push esi
call dword ptr [004552A0h]
mov ecx, dword ptr [esi+10h]
mov dword ptr [0047B960h], ecx
mov eax, dword ptr [esi+04h]
mov dword ptr [0047B96Ch], eax
mov edx, dword ptr [esi+08h]
mov dword ptr [0047B970h], edx
mov esi, dword ptr [esi+0Ch]
and esi, 00007FFFh
mov dword ptr [0047B964h], esi
cmp ecx, 02h
je 00007FD794FDEACEh
or esi, 00008000h
mov dword ptr [0047B964h], esi
shl eax, 08h
add eax, edx
mov dword ptr [0047B968h], eax
xor esi, esi
push esi
mov edi, dword ptr [00455320h]
call edi
cmp word ptr [eax], 5A4Dh
jne 00007FD794FDEAE1h
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
cmp dword ptr [ecx], 00004550h
jne 00007FD794FDEAD4h
movzx eax, word ptr [ecx+18h]
cmp eax, 0000010Bh
je 00007FD794FDEAE1h
cmp eax, 0000020Bh
je 00007FD794FDEAC7h
mov dword ptr [ebp-1Ch], esi
jmp 00007FD794FDEAE9h
cmp dword ptr [ecx+00000084h], 0Eh
jbe 00007FD794FDEAB4h
xor eax, eax
cmp dword ptr [ecx+000000F8h], esi
jmp 00007FD794FDEAD0h
cmp dword ptr [ecx+74h], 0Eh
jbe 00007FD794FDEAA4h
xor eax, eax
cmp dword ptr [ecx+000000E8h], esi
setne al
mov dword ptr [ebp-1Ch], eax

Rich Headers

Programming Language:

[ASM] VS2003 (.NET) build 3077
[LNK] VS2003 (.NET) build 3077
[RES] VS2003 (.NET) build 3077
[EXP] VS2003 (.NET) build 3077
[C++] VS2003 (.NET) build 3077
[ C ] VS2003 (.NET) build 3077

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x68cf0	0x53	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x66224	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7e000	0x3ebc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x55880	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x60ed0	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x55000	0x878	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x66174	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x53ee9	0x54000	False	0.505048479353	DOS executable (COM)	6.50788658927	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x55000	0x13d43	0x14000	False	0.315026855469	data	5.20395932053	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x69000	0x14234	0x11000	False	0.795568129596	data	7.54511629913	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x7e000	0x3ebc	0x4000	False	0.259643554688	data	3.45842321085	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x7eb68	0x134	data	English	United States
RT_CURSOR	0x7ec9c	0xb4	data	English	United States
RT_CURSOR	0x7ed50	0x134	AmigaOS bitmap font	English	United States
RT_CURSOR	0x7ee84	0x134	data	English	United States
RT_CURSOR	0x7efb8	0x134	data	English	United States
RT_CURSOR	0x7f0ec	0x134	data	English	United States
RT_CURSOR	0x7f220	0x134	data	English	United States
RT_CURSOR	0x7f354	0x134	data	English	United States
RT_CURSOR	0x7f488	0x134	data	English	United States
RT_CURSOR	0x7f5bc	0x134	data	English	United States
RT_CURSOR	0x7f6f0	0x134	data	English	United States
RT_CURSOR	0x7f824	0x134	data	English	United States
RT_CURSOR	0x7f958	0x134	AmigaOS bitmap font	English	United States
RT_CURSOR	0x7fa8c	0x134	data	English	United States
RT_CURSOR	0x7fbc0	0x134	data	English	United States
RT_CURSOR	0x7fcf4	0x134	data	English	United States
RT_BITMAP	0x7fe28	0xb8	data	English	United States
RT_BITMAP	0x7fee0	0x144	data	English	United States
RT_DIALOG	0x80024	0x184	data	English	United States
RT_DIALOG	0x801a8	0xf4	data	English	United States
RT_DIALOG	0x8029c	0x100	data	English	United States
RT_DIALOG	0x8039c	0xe8	data	English	United States
RT_STRING	0x80484	0x44	data	English	United States
RT_STRING	0x804c8	0x48	data	English	United States
RT_STRING	0x80510	0x2c	data	English	United States
RT_STRING	0x8053c	0x38	data	English	United States
RT_STRING	0x80574	0x48	data	English	United States
RT_STRING	0x805bc	0x64	data	English	United States
RT_STRING	0x80620	0x46	data	English	United States
RT_STRING	0x80668	0x82	data	English	United States
RT_STRING	0x806ec	0x2a	data	English	United States
RT_STRING	0x80718	0x192	data	English	United States
RT_STRING	0x808ac	0x4e2	data	English	United States
RT_STRING	0x80d90	0x31a	data	English	United States
RT_STRING	0x810ac	0x2dc	data	English	United States
RT_STRING	0x81388	0x8a	data	English	United States
RT_STRING	0x81414	0xac	data	English	United States
RT_STRING	0x814c0	0xde	data	English	United States
RT_STRING	0x815a0	0x4c4	data	English	United States
RT_STRING	0x81a64	0x264	data	English	United States
RT_STRING	0x81cc8	0x2c	data	English	United States
RT_STRING	0x81cf4	0x42	data	English	United States
RT_STRING	0x81d38	0x48	data	English	United States
RT_GROUP_CURSOR	0x81d80	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States
RT_GROUP_CURSOR	0x81da4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x81db8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x81dcc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x81de0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x81df4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x81e08	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x81e1c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x81e30	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x81e44	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x81e58	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x81e6c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x81e80	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x81e94	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x81ea8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States

Imports

DLL	Import
CRYPT32.dll	CertOpenStore
KERNEL32.dll	GetStartupInfoA, GetCommandLineA, ExitProcess, HeapReAlloc, TerminateProcess, ExitThread, CreateThread, HeapSize, FatalAppExitA, HeapDestroy, HeapCreate, VirtualFree, IsBadWritePtr, GetStdHandle, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetUnhandledExceptionFilter, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetTimeZoneInformation, IsBadReadPtr, IsBadCodePtr, GetTimeFormatA, GetDateFormatA, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, IsValidCodePage, SetConsoleCtrlHandler, RtlUnwind, GetLocaleInfoW, SetEnvironmentVariableA, InterlockedExchange, GetACP, GetLocaleInfoA, GetThreadLocale, GetVersionExA, MultiByteToWideChar, WideCharToMultiByte, GetLastError, GetVersion, lstrcmpiA, lstrlenW, lstrcmpiW, lstrlenA, CompareStringA, CompareStringW, GetEnvironmentVariableA, GetEnvironmentVariableW, GetStringTypeExA, GetStringTypeExW, SizeofResource, LockResource, LoadResource, FindResourceA, FreeResource, GlobalFree, GlobalUnlock, GlobalLock, LocalFree, lstrcpynA, FormatMessageA, GlobalAlloc, GlobalSize, MulDiv, CopyFileA, SetLastError, GetProcAddress, GetModuleHandleA, lstrcmpW, VirtualQuery, GetSystemInfo, VirtualAlloc, VirtualProtect, HeapFree, HeapAlloc, GetDiskFreeSpaceA, GetTempFileNameA, LocalLock, LocalUnlock, GetFileTime, GetFileAttributesA, SetFileAttributesA, SetFileTime, LocalFileTimeToFileTime, FileTimeToLocalFileTime, SetErrorMode, GetShortPathNameA, CreateFileA, GetFullPathNameA, GetVolumeInformationA, FindFirstFileA, FindClose, GetCurrentProcess, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, DeleteFileA, MoveFileA, GetCurrentDirectoryA, GetPrivateProfileStringA, WritePrivateProfileStringA, GetPrivateProfileIntA, SystemTimeToFileTime, FileTimeToSystemTime, GetOEMCP, GetCPInfo, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, TlsGetValue, EnterCriticalSection, GlobalHandle, GlobalReAlloc, LeaveCriticalSection, LocalAlloc, InterlockedIncrement, GlobalFlags, DeleteCriticalSection, InitializeCriticalSection, RaiseException, CreateEventA, SuspendThread, SetEvent, WaitForSingleObject, ResumeThread, SetThreadPriority, CloseHandle, GetCurrentThread, lstrcmpA, GetModuleFileNameA, lstrcatA, ConvertDefaultLocale, EnumResourceLanguagesA, lstrcpyA, InterlockedDecrement, GetCurrentThreadId, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, LoadLibraryA, FreeLibrary, SetStdHandle
USER32.dll	IsClipboardFormatAvailable, MessageBeep, GetTabbedTextExtentA, GetDCEx, LockWindowUpdate, SetParent, InvalidateRect, InsertMenuItemA, CreatePopupMenu, SetRectEmpty, BringWindowToTop, SetMenu, TranslateAcceleratorA, DestroyIcon, DeleteMenu, wsprintfA, WaitMessage, GetWindowThreadProcessId, ReleaseCapture, WindowFromPoint, SetCapture, LoadCursorA, GetSysColorBrush, GetDialogBaseUnits, GetMessageA, TranslateMessage, GetCursorPos, ValidateRect, ShowOwnedPopups, SetCursor, PostQuitMessage, EndPaint, BeginPaint, GetWindowDC, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, FillRect, DestroyMenu, GetMenuItemInfoA, InflateRect, SetMenuItemBitmaps, ModifyMenuA, EnableMenuItem, CheckMenuItem, GetMenuCheckMarkDimensions, LoadBitmapA, ScrollWindowEx, ShowWindow, MoveWindow, SetWindowTextA, IsDialogMessageA, IsDlgButtonChecked, SetDlgItemInt, GetDlgItemTextA, GetDlgItemInt, CheckRadioButton, CheckDlgButton, RegisterWindowMessageA, WinHelpA, GetCapture, CreateWindowExA, SetWindowsHookExA, CallNextHookEx, KillTimer, GetClassInfoExA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SendDlgItemMessageA, GetFocus, SetFocus, IsChild, GetWindowTextLengthA, GetWindowTextA, GetForegroundWindow, GetLastActivePopup, DispatchMessageA, BeginDeferWindowPos, EndDeferWindowPos, GetTopWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, PeekMessageA, MapWindowPoints, ScrollWindow, MessageBoxA, TrackPopupMenuEx, TrackPopupMenu, GetKeyState, SetScrollRange, SetDlgItemTextA, CharLowerA, CharLowerW, CharUpperA, CharUpperW, SendMessageA, EnableWindow, DrawIcon, AppendMenuA, GetSystemMenu, IsIconic, GetClientRect, SetActiveWindow, LoadIconA, GetScrollRange, SetScrollPos, GetScrollPos, SetForegroundWindow, ShowScrollBar, IsWindowVisible, UpdateWindow, GetMenu, PostMessageA, GetSysColor, AdjustWindowRectEx, ScreenToClient, EqualRect, DeferWindowPos, GetScrollInfo, SetScrollInfo, SetTimer, SetRect, UnionRect, IsRectEmpty, MapVirtualKeyA, GetClassInfoA, RegisterClassA, UnregisterClassA, SetWindowPlacement, GetDlgCtrlID, DefWindowProcA, SetWindowLongA, SetWindowPos, OffsetRect, IntersectRect, SystemParametersInfoA, GetWindowPlacement, GetKeyNameTextA, LoadMenuA, UnpackDDElParam, ReuseDDElParam, GetClassLongA, LoadAcceleratorsA, CallWindowProcA, LoadStringW, GetSystemMetrics, EndDialog, GetNextDlgTabItem, GetParent, IsWindowEnabled, GetDlgItem, GetWindowLongA, IsWindow, DestroyWindow, CreateDialogIndirectParamA, GetActiveWindow, GetDesktopWindow, RemoveMenu, GetSubMenu, GetMenuItemCount, InsertMenuA, GetWindowRect, CopyRect, PtInRect, GetWindow, GetMenuState, GetMenuStringA, GetMenuItemID
GDI32.dll	SetMapperFlags, SetArcDirection, SetColorAdjustment, DeleteObject, SelectClipRgn, GetClipRgn, CreateRectRgn, SelectClipPath, GetViewportExtEx, GetWindowExtEx, GetPixel, StartDocA, PtVisible, RectVisible, TextOutA, Escape, SelectObject, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, OffsetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, GetCurrentPositionEx, ArcTo, PolyDraw, PolylineTo, PolyBezierTo, SetTextCharacterExtra, DeleteDC, CreateDIBPatternBrushPt, CreatePatternBrush, GetStockObject, SelectPalette, PlayMetaFileRecord, GetObjectType, EnumMetaFile, PlayMetaFile, CreatePen, ExtCreatePen, CreateSolidBrush, CreateHatchBrush, GetTextMetricsA, CreateRectRgnIndirect, SetRectRgn, CombineRgn, GetMapMode, PatBlt, DPtoLP, CreateCompatibleBitmap, StretchDIBits, GetCharWidthA, CreateFontA, GetBkColor, StartPage, EndPage, SetAbortProc, AbortDoc, EndDoc, SetTextJustification, SetTextAlign, MoveToEx, LineTo, OffsetClipRgn, IntersectClipRect, ExcludeClipRect, SetMapMode, SetStretchBltMode, SetROP2, SetPolyFillMode, SetBkMode, RestoreDC, SaveDC, GetTextExtentPoint32A, ExtTextOutA, BitBlt, CreateCompatibleDC, CreateFontIndirectA, CreateBitmap, GetObjectA, SetBkColor, SetTextColor, GetClipBox, GetDCOrgEx, CreateDCA, CopyMetaFileA, ExtSelectClipRgn, GetDeviceCaps
comdlg32.dll	PageSetupDlgA, FindTextA, ReplaceTextA, GetOpenFileNameA, CommDlgExtendedError, PrintDlgA, GetFileTitleA, GetSaveFileNameA
WINSPOOL.DRV	OpenPrinterA, DocumentPropertiesA, ClosePrinter, GetJobA
ADVAPI32.dll	GetFileSecurityA, RegCloseKey, RegSetValueA, RegOpenKeyA, RegQueryValueExA, RegOpenKeyExA, RegDeleteKeyA, RegEnumKeyA, RegQueryValueA, RegCreateKeyExA, RegSetValueExA, RegDeleteValueA, RegCreateKeyA, SetFileSecurityW, SetFileSecurityA
SHELL32.dll	SHGetFileInfoA, DragFinish, DragQueryFileA, ExtractIconA
COMCTL32.dll	ImageList_Draw, ImageList_GetImageInfo, ImageList_Read, ImageList_Write, ImageList_Destroy, ImageList_Create, ImageList_LoadImageA, ImageList_Merge
SHLWAPI.dll	PathRemoveExtensionA, PathFindFileNameA, PathStripToRootA, PathFindExtensionA, PathIsUNCA
ole32.dll	WriteClassStg, OleRegGetUserType, SetConvertStg, CoTaskMemFree, ReadFmtUserTypeStg, ReadClassStg, StringFromCLSID, CoTreatAsClass, CreateBindCtx, CoTaskMemAlloc, ReleaseStgMedium, OleDuplicateData, CoDisconnectObject, CoCreateInstance, StringFromGUID2, CLSIDFromString, WriteFmtUserTypeStg
OLEAUT32.dll	VariantClear, VariantChangeType, VariantInit, SysAllocStringLen, SysFreeString, SysStringLen, SysAllocStringByteLen, SysStringByteLen, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayGetElemsize, SafeArrayGetDim, SafeArrayCreate, SafeArrayRedim, VariantCopy, SafeArrayAllocData, SafeArrayAllocDescriptor, SafeArrayCopy, SafeArrayGetElement, SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayLock, SafeArrayUnlock, SafeArrayDestroy, SafeArrayDestroyData, SafeArrayDestroyDescriptor, VariantTimeToSystemTime, SystemTimeToVariantTime, SysAllocString, SysReAllocStringLen, VarDateFromStr, VarBstrFromDec, VarDecFromStr, VarCyFromStr, VarBstrFromCy, VarBstrFromDate

Exports

Name	Ordinal	Address
mcfGvgupamvngNBNmgO	1	0x401e04

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 26, 2021 12:15:13.856343985 CET	49714	443	192.168.2.5	45.33.54.74
Mar 26, 2021 12:15:14.022622108 CET	443	49714	45.33.54.74	192.168.2.5
Mar 26, 2021 12:15:14.533005953 CET	49714	443	192.168.2.5	45.33.54.74
Mar 26, 2021 12:15:14.699125051 CET	443	49714	45.33.54.74	192.168.2.5
Mar 26, 2021 12:15:15.204783916 CET	49714	443	192.168.2.5	45.33.54.74
Mar 26, 2021 12:15:15.372411013 CET	443	49714	45.33.54.74	192.168.2.5
Mar 26, 2021 12:15:19.258178949 CET	49717	8080	192.168.2.5	209.141.41.136
Mar 26, 2021 12:15:22.257272959 CET	49717	8080	192.168.2.5	209.141.41.136
Mar 26, 2021 12:15:28.364118099 CET	49717	8080	192.168.2.5	209.141.41.136
Mar 26, 2021 12:15:45.480190039 CET	49726	8080	192.168.2.5	104.236.246.93
Mar 26, 2021 12:15:48.662617922 CET	49726	8080	192.168.2.5	104.236.246.93
Mar 26, 2021 12:15:54.663077116 CET	49726	8080	192.168.2.5	104.236.246.93
Mar 26, 2021 12:16:10.887083054 CET	49727	8080	192.168.2.5	198.199.114.69
Mar 26, 2021 12:16:13.883450985 CET	49727	8080	192.168.2.5	198.199.114.69
Mar 26, 2021 12:16:19.883981943 CET	49727	8080	192.168.2.5	198.199.114.69
Mar 26, 2021 12:16:37.280674934 CET	49730	8080	192.168.2.5	152.89.236.214
Mar 26, 2021 12:16:37.298701048 CET	8080	49730	152.89.236.214	192.168.2.5
Mar 26, 2021 12:16:37.808387041 CET	49730	8080	192.168.2.5	152.89.236.214
Mar 26, 2021 12:16:37.826337099 CET	8080	49730	152.89.236.214	192.168.2.5
Mar 26, 2021 12:16:38.338735104 CET	49730	8080	192.168.2.5	152.89.236.214
Mar 26, 2021 12:16:38.357024908 CET	8080	49730	152.89.236.214	192.168.2.5
Mar 26, 2021 12:16:44.243448973 CET	49731	8080	192.168.2.5	87.106.136.232
Mar 26, 2021 12:16:44.263411045 CET	8080	49731	87.106.136.232	192.168.2.5
Mar 26, 2021 12:16:44.776601076 CET	49731	8080	192.168.2.5	87.106.136.232
Mar 26, 2021 12:16:44.796765089 CET	8080	49731	87.106.136.232	192.168.2.5
Mar 26, 2021 12:16:45.307971954 CET	49731	8080	192.168.2.5	87.106.136.232
Mar 26, 2021 12:16:45.328773975 CET	8080	49731	87.106.136.232	192.168.2.5
Mar 26, 2021 12:16:49.226500034 CET	49732	8080	192.168.2.5	178.210.51.222
Mar 26, 2021 12:16:52.230490923 CET	49732	8080	192.168.2.5	178.210.51.222
Mar 26, 2021 12:16:58.230922937 CET	49732	8080	192.168.2.5	178.210.51.222

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 26, 2021 12:14:41.512866974 CET	54302	53	192.168.2.5	8.8.8.8
Mar 26, 2021 12:14:41.525654078 CET	53	54302	8.8.8.8	192.168.2.5
Mar 26, 2021 12:14:41.585858107 CET	53784	53	192.168.2.5	8.8.8.8
Mar 26, 2021 12:14:41.598005056 CET	53	53784	8.8.8.8	192.168.2.5
Mar 26, 2021 12:14:41.610990047 CET	65307	53	192.168.2.5	8.8.8.8
Mar 26, 2021 12:14:41.615739107 CET	64344	53	192.168.2.5	8.8.8.8
Mar 26, 2021 12:14:41.623008013 CET	53	65307	8.8.8.8	192.168.2.5
Mar 26, 2021 12:14:41.627897024 CET	53	64344	8.8.8.8	192.168.2.5
Mar 26, 2021 12:14:42.167435884 CET	62060	53	192.168.2.5	8.8.8.8
Mar 26, 2021 12:14:42.180625916 CET	53	62060	8.8.8.8	192.168.2.5
Mar 26, 2021 12:14:43.448725939 CET	61805	53	192.168.2.5	8.8.8.8
Mar 26, 2021 12:14:43.461241007 CET	53	61805	8.8.8.8	192.168.2.5
Mar 26, 2021 12:14:44.423804998 CET	54795	53	192.168.2.5	8.8.8.8
Mar 26, 2021 12:14:44.436858892 CET	53	54795	8.8.8.8	192.168.2.5
Mar 26, 2021 12:14:45.104419947 CET	49557	53	192.168.2.5	8.8.8.8
Mar 26, 2021 12:14:45.117428064 CET	53	49557	8.8.8.8	192.168.2.5
Mar 26, 2021 12:14:46.996332884 CET	61733	53	192.168.2.5	8.8.8.8
Mar 26, 2021 12:14:47.010894060 CET	53	61733	8.8.8.8	192.168.2.5
Mar 26, 2021 12:14:48.214711905 CET	65447	53	192.168.2.5	8.8.8.8
Mar 26, 2021 12:14:48.228995085 CET	53	65447	8.8.8.8	192.168.2.5
Mar 26, 2021 12:14:49.268984079 CET	52441	53	192.168.2.5	8.8.8.8
Mar 26, 2021 12:14:49.283057928 CET	53	52441	8.8.8.8	192.168.2.5
Mar 26, 2021 12:14:50.040528059 CET	62176	53	192.168.2.5	8.8.8.8
Mar 26, 2021 12:14:50.053486109 CET	53	62176	8.8.8.8	192.168.2.5
Mar 26, 2021 12:14:51.121691942 CET	59596	53	192.168.2.5	8.8.8.8
Mar 26, 2021 12:14:51.135163069 CET	53	59596	8.8.8.8	192.168.2.5
Mar 26, 2021 12:14:51.804497004 CET	65296	53	192.168.2.5	8.8.8.8
Mar 26, 2021 12:14:51.819228888 CET	53	65296	8.8.8.8	192.168.2.5
Mar 26, 2021 12:14:53.942034006 CET	63183	53	192.168.2.5	8.8.8.8
Mar 26, 2021 12:14:53.955611944 CET	53	63183	8.8.8.8	192.168.2.5
Mar 26, 2021 12:15:09.783927917 CET	60151	53	192.168.2.5	8.8.8.8
Mar 26, 2021 12:15:09.802167892 CET	53	60151	8.8.8.8	192.168.2.5
Mar 26, 2021 12:15:17.823621988 CET	56969	53	192.168.2.5	8.8.8.8
Mar 26, 2021 12:15:17.836400986 CET	53	56969	8.8.8.8	192.168.2.5
Mar 26, 2021 12:15:37.598907948 CET	55161	53	192.168.2.5	8.8.8.8
Mar 26, 2021 12:15:37.611623049 CET	53	55161	8.8.8.8	192.168.2.5
Mar 26, 2021 12:15:39.159313917 CET	54757	53	192.168.2.5	8.8.8.8
Mar 26, 2021 12:15:39.192080975 CET	53	54757	8.8.8.8	192.168.2.5
Mar 26, 2021 12:15:44.632929087 CET	49992	53	192.168.2.5	8.8.8.8
Mar 26, 2021 12:15:44.651496887 CET	53	49992	8.8.8.8	192.168.2.5
Mar 26, 2021 12:16:18.667603016 CET	60075	53	192.168.2.5	8.8.8.8
Mar 26, 2021 12:16:18.680677891 CET	53	60075	8.8.8.8	192.168.2.5
Mar 26, 2021 12:16:18.968331099 CET	55016	53	192.168.2.5	8.8.8.8
Mar 26, 2021 12:16:19.002011061 CET	53	55016	8.8.8.8	192.168.2.5

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: aEdlObiYav.exe PID: 5064 Parent PID: 5764

General

Start time:	12:14:48
Start date:	26/03/2021
Path:	C:\Users\user\Desktop\aEdlObiYav.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\aEdlObiYav.exe'
Imagebase:	0x400000
File size:	516346 bytes
MD5 hash:	AE03A6F8FB74D401B403647D28E21574
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.221393603.00000000022C0000.00000040.00000001.sdmp, Author: Joe Security Rule: Emotet, Description: Emotet Payload, Source: 00000000.00000002.221393603.00000000022C0000.00000040.00000001.sdmp, Author: kevoreilly Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.221405204.00000000022D1000.00000020.00000001.sdmp, Author: Joe Security Rule: Emotet, Description: Emotet Payload, Source: 00000000.00000002.221405204.00000000022D1000.00000020.00000001.sdmp, Author: kevoreilly
Reputation:	low

Analysis Process: aEdlObiYav.exe PID: 5528 Parent PID: 5064

General

Start time:	12:14:48
Start date:	26/03/2021
Path:	C:\Users\user\Desktop\aEdlObiYav.exe
Wow64 process (32bit):	true
Commandline:	--79fd8b32
Imagebase:	0x400000
File size:	516346 bytes
MD5 hash:	AE03A6F8FB74D401B403647D28E21574
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.241329316.0000000002180000.00000040.00000001.sdmp, Author: Joe Security Rule: Emotet, Description: Emotet Payload, Source: 00000001.00000002.241329316.0000000002180000.00000040.00000001.sdmp, Author: kevoreilly Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.241344979.0000000002191000.00000020.00000001.sdmp, Author: Joe Security Rule: Emotet, Description: Emotet Payload, Source: 00000001.00000002.241344979.0000000002191000.00000020.00000001.sdmp, Author: kevoreilly
Reputation:	low

Analysis Process: picturerus.exe PID: 6084 Parent PID: 556

General

Start time:	12:14:57
Start date:	26/03/2021
Path:	C:\Windows\SysWOW64\picturerus.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\picturerus.exe
Imagebase:	0x400000
File size:	516346 bytes
MD5 hash:	AE03A6F8FB74D401B403647D28E21574
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.240281211.0000000000E21000.00000020.00000001.sdmp, Author: Joe Security Rule: Emotet, Description: Emotet Payload, Source: 00000003.00000002.240281211.0000000000E21000.00000020.00000001.sdmp, Author: kevoreilly Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.240268046.0000000000E10000.00000040.00000001.sdmp, Author: Joe Security Rule: Emotet, Description: Emotet Payload, Source: 00000003.00000002.240268046.0000000000E10000.00000040.00000001.sdmp, Author: kevoreilly
Reputation:	low

Analysis Process: picturerus.exe PID: 4228 Parent PID: 6084

General

Start time:	12:14:57
Start date:	26/03/2021
Path:	C:\Windows\SysWOW64\picturerus.exe
Wow64 process (32bit):	true
Commandline:	--b743c2a4
Imagebase:	0x400000
File size:	516346 bytes
MD5 hash:	AE03A6F8FB74D401B403647D28E21574
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.488250881.0000000000ED1000.00000020.00000001.sdmp, Author: Joe Security Rule: Emotet, Description: Emotet Payload, Source: 00000004.00000002.488250881.0000000000ED1000.00000020.00000001.sdmp, Author: kevoreilly Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.487903177.0000000000600000.00000040.00000001.sdmp, Author: Joe Security Rule: Emotet, Description: Emotet Payload, Source: 00000004.00000002.487903177.0000000000600000.00000040.00000001.sdmp, Author: kevoreilly
Reputation:	low

Analysis Process: svchost.exe PID: 5536 Parent PID: 556

General

Start time:	12:15:06
Start date:	26/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 2376 Parent PID: 556

General

Start time:	12:15:16
Start date:	26/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 4504 Parent PID: 556

General

Start time:	12:15:17
Start date:	26/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 804 Parent PID: 556

General

Start time:	12:15:17
Start date:	26/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: SgrmBroker.exe PID: 1228 Parent PID: 556

General

Start time:	12:15:18
Start date:	26/03/2021
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff744c80000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 5540 Parent PID: 556

General

Start time:	12:15:18
Start date:	26/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: MpCmdRun.exe PID: 5048 Parent PID: 5540

General

Start time:	12:16:20
Start date:	26/03/2021
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Imagebase:	0x7ff668430000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 3896 Parent PID: 5048

General

Start time:	12:16:21
Start date:	26/03/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: aEdlObiYav.exe PID: 5064 Parent PID: 5764 aEdlObiYav.exeCOMMON

Executed Functions

Function 004315F6, Relevance: 16.6, APIs: 11, Instructions: 120COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004315FB
FindResourceA.KERNEL32(?,00000000,00000005), ref: 00431633
LoadResource.KERNEL32(?,00000000), ref: 0043163B

Part of subcall function 00433622: UnhookWindowsHookEx.USER32(?), ref: 00433647

LockResource.KERNEL32(00000000), ref: 0043164D
GetDesktopWindow.USER32 ref: 0043167A
IsWindowEnabled.USER32(00000000), ref: 00431688
EnableWindow.USER32(00000000,00000000), ref: 00431697
EnableWindow.USER32(00000000,00000001), ref: 00431726
GetActiveWindow.USER32 ref: 00431731
SetActiveWindow.USER32(00000000), ref: 0043173F
FreeResource.KERNEL32(00000000), ref: 0043175B

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Window$Resource$ActiveEnable$DesktopEnabledFindFreeH_prologHookLoadLockUnhookWindows
String ID:
API String ID: 833315621-0
Opcode ID: ce71086b03d54d9c65edfdc0c6feb1ec0fe07aa3cb5f2fb9872758785c552c6d
Instruction ID: c80a947bf2f6b874c5c82c51990a73349f493b2a6f47a5415102d4061b6d75a7
Opcode Fuzzy Hash: ce71086b03d54d9c65edfdc0c6feb1ec0fe07aa3cb5f2fb9872758785c552c6d
Instruction Fuzzy Hash: A8418030900705DFDB21AFA5C95A7BEBBB5AF08716F14102FF102A22A1CB789941CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00432655, Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNELBASE(COMCTL32.DLL,00008000,00000000,00000400,0043346D,00000000,00040000,00000000,?), ref: 0043265E
LoadLibraryA.KERNEL32(COMCTL32.DLL,?,?,?,?,?,?,?,?,?,00431431,00000010,00000000), ref: 00432667
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0043267B
#17.COMCTL32(?,?,?,?,?,?,?,?,?,00431431,00000010,00000000), ref: 00432696
#17.COMCTL32(?,?,?,?,?,?,?,?,?,00431431,00000010,00000000), ref: 004326B2
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00431431,00000010,00000000), ref: 004326BF

Strings

COMCTL32.DLL, xrefs: 00432658, 0043265D, 00432664
InitCommonControlsEx, xrefs: 00432673

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: COMCTL32.DLL$InitCommonControlsEx
API String ID: 1437655972-4218389149
Opcode ID: fbc869dff4a4af753050b1c1a6b0d85685cb09798fd04b456239473298ed4885
Instruction ID: 5fa1d96a4472cd52907bff507a2bc74d54206005f978a52e19e2591faae4ea83
Opcode Fuzzy Hash: fbc869dff4a4af753050b1c1a6b0d85685cb09798fd04b456239473298ed4885
Instruction Fuzzy Hash: 23F0A9326007229787115B659D59A2FB6ECBF94753B451436F805F3211CFA8EC0586AD

Uniqueness

Uniqueness Score: -1.00%

Function 00420406, Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_000203B8), ref: 0042040B

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: bd62c4e1d80563d32ea440ce6060cb46cd4ae1cee373a393b7e2554c0fa64008
Instruction ID: 1b1c346f4f04dce3418a89abf90b8b8a101ec60d6b84e6121621e05be0691acb
Opcode Fuzzy Hash: bd62c4e1d80563d32ea440ce6060cb46cd4ae1cee373a393b7e2554c0fa64008
Instruction Fuzzy Hash: E2A011B0220320CBA300CF30AC0A2083AE0E380202B0082BAA800C2A22EF308080AA08

Uniqueness

Uniqueness Score: -1.00%

Function 00401E04, Relevance: 35.0, APIs: 1, Strings: 9, Instructions: 19977memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401D3B: LoadStringW.USER32(00000005,0000000A,00000000,00000000), ref: 00401D4F

Part of subcall function 00401D5A: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000064,00000000,Characters: %c %c ,000007B9,?,004120B2,00000000), ref: 00401D82

VirtualAlloc.KERNELBASE(00000000,0000E944,00001000,00000040), ref: 004120E2

Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401C9A
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CA1
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CA8
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CAF
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CB6
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CBD
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CC4
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CCB
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CD2
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CD9
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CE0
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CE7
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CEE
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CF5

Strings

A string, xrefs: 00401EFB, 00401F76, 00401FF1, 0040206C, 004020E7, 00402162, 004021DD, 00402258, 004022D3, 0040234E, 004023C9, 00402444, 004024BF, 0040253A, 004025B5, 00402630, 004026AB, 00402726, 004027A1, 0040281C, 00402897, 00402912, 0040298D, 00402A08, 00402A83, 00402AFE, 00402B79, 00402BF4, 00402C6F, 00402CEA, 00402D65, 00402DE0, 00402E5B, 00402ED6, 00402F51, 00402FCC, 00403047, 004030C2, 0040313D, 004031B8, 00403233, 004032AE, 00403329, 004033A4, 0040341F, 0040349A, 00403515, 00403590, 0040360B, 00403686, 00403701, 0040377C, 004037F7, 00403872, 004038ED, 00403968, 004039E3, 00403A5E, 00403AD9, 00403B54, 00403BCF, 00403C4A, 00403CC5, 00403D40, 00403DBB, 00403E36, 00403EB1, 00403F2C, 00403FA7, 00404022, 0040409D, 00404118, 00404193, 0040420E, 00404289, 00404304, 0040437F, 004043FA, 00404475, 004044F0, 0040456B, 004045E6, 00404661, 004046DC, 00404757, 004047D2, 0040484D, 004048C8, 00404943, 004049BE, 00404A39, 00404AB4, 00404B2F, 00404BAA, 00404C25, 00404CA0, 00404D1B, 00404D96, 00404E11, 00404E8C, 00404F07, 00404F82, 00404FFD, 00405078, 004050F3, 0040516E, 004051E9, 00405264, 004052DF, 0040535A, 004053D5, 00405450, 004054CB, 00405546, 004055C1, 0040563C, 004056B7, 00405732, 004057AD, 00405828, 004058A3, 0040591E, 00405999, 00405A14, 00405A8F, 00405B0A, 00405B85, 00405C00, 00405C7B, 00405CF6, 00405D71, 00405DEC, 00405E67, 00405EE2, 00405F5D, 00405FD8, 00406053, 004060CE, 00406149, 004061C4, 0040623F, 004062BA, 00406335, 004063B0, 0040642B, 004064A6, 00406521, 0040659C, 00406617, 00406692, 0040670D, 00406788, 00406803, 0040687E, 004068F9, 00406974, 004069EF, 00406A6A, 00406AE5, 00406B60, 00406BDB, 00406C56, 00406CD1, 00406D4C, 00406DC7, 00406E42, 00406EBD, 00406F38, 00406FB3, 0040702E, 004070A9, 00407124, 0040719F, 0040721A, 00407295, 00407310, 0040738B, 00407406, 00407481, 004074FC, 00407577, 004075F2, 0040766D, 004076E8, 00407763, 004077DE, 00407859, 004078D4, 0040794F, 004079CA, 00407A45, 00407AC0, 00407B3B, 00407BB6, 00407C31, 00407CAC, 00407D27, 00407DA2, 00407E1D, 00407E98, 00407F13, 00407F8E, 00408009, 00408084, 004080FF, 0040817A, 004081F5, 00408270, 004082EB, 00408366, 004083E1, 0040845C, 004084D7, 00408552, 004085CD, 00408648, 004086C3, 0040873E, 004087B9, 00408834, 004088AF, 0040892A, 004089A5, 00408A20, 00408A9B, 00408B16, 00408B91, 00408C0C, 00408C87, 00408D02, 00408D7D, 00408DF8, 00408E73, 00408EEE, 00408F69, 00408FE4, 0040905F, 004090DA, 00409155, 004091D0, 0040924B, 004092C6, 00409341, 004093BC, 00409437, 004094B2, 0040952D, 004095A8, 00409623, 0040969E, 00409719, 00409794, 0040980F, 0040988A, 00409905, 00409980, 004099FB, 00409A76, 00409AF1, 00409B6C, 00409BE7, 00409C62, 00409CDD, 00409D58, 00409DD3, 00409E4E, 00409EC9, 00409F44, 00409FBF, 0040A03A, 0040A0B5, 0040A130, 0040A1AB, 0040A226, 0040A2A1, 0040A31C, 0040A397, 0040A412, 0040A48D, 0040A508, 0040A583, 0040A5FE, 0040A679, 0040A6F4, 0040A76F, 0040A7EA, 0040A865, 0040A8E0, 0040A95B, 0040A9D6, 0040AA51, 0040AACC, 0040AB47, 0040ABC2, 0040AC3D, 0040ACB8, 0040AD33, 0040ADAE, 0040AE29, 0040AEA4, 0040AF1F, 0040AF9A, 0040B015, 0040B090, 0040B10B, 0040B186, 0040B201, 0040B27C, 0040B2F7, 0040B372, 0040B3ED, 0040B468, 0040B4E3, 0040B55E, 0040B5D9, 0040B654, 0040B6CF, 0040B74A, 0040B7C5, 0040B840, 0040B8BB, 0040B936, 0040B9B1, 0040BA2C, 0040BAA7, 0040BB22, 0040BB9D, 0040BC18, 0040BC93, 0040BD0E, 0040BD89, 0040BE04, 0040BE7F, 0040BEFA, 0040BF75, 0040BFF0, 0040C06B, 0040C0E6, 0040C161, 0040C1DC, 0040C257, 0040C2D2, 0040C34D, 0040C3C8, 0040C443, 0040C4BE, 0040C539, 0040C5B4, 0040C62F, 0040C6AA, 0040C725, 0040C7A0, 0040C81B, 0040C896, 0040C911, 0040C98C, 0040CA07, 0040CA82, 0040CAFD, 0040CB78, 0040CBF3, 0040CC6E, 0040CCE9, 0040CD64, 0040CDDF, 0040CE5A, 0040CED5, 0040CF50, 0040CFCB, 0040D046, 0040D0C1, 0040D13C, 0040D1B7, 0040D232, 0040D2AD, 0040D328, 0040D3A3, 0040D41E, 0040D499, 0040D514, 0040D58F, 0040D60A, 0040D685, 0040D700, 0040D77B, 0040D7F6, 0040D871, 0040D8EC, 0040D967, 0040D9E2, 0040DA5D, 0040DAD8, 0040DB53, 0040DBCE, 0040DC49, 0040DCC4, 0040DD3F, 0040DDBA, 0040DE35, 0040DEB0, 0040DF2B, 0040DFA6, 0040E021, 0040E09C, 0040E117, 0040E192, 0040E20D, 0040E288, 0040E303, 0040E37E, 0040E3F9, 0040E474, 0040E4EF, 0040E56A, 0040E5E5, 0040E660, 0040E6DB, 0040E756, 0040E7D1, 0040E84C, 0040E8C7, 0040E942, 0040E9BD, 0040EA38, 0040EAB3, 0040EB2E, 0040EBA9, 0040EC24, 0040EC9F, 0040ED1A, 0040ED95, 0040EE10, 0040EE8B, 0040EF06, 0040EF81, 0040EFFC, 0040F077, 0040F0F2, 0040F16D, 0040F1E8, 0040F263, 0040F2DE, 0040F359, 0040F3D4, 0040F44F, 0040F4CA, 0040F545, 0040F5C0, 0040F63B, 0040F6B6, 0040F731, 0040F7AC, 0040F827, 0040F8A2, 0040F91D, 0040F998, 0040FA13, 0040FA8E, 0040FB09, 0040FB84, 0040FBFF, 0040FC7A, 0040FCF5, 0040FD70, 0040FDEB, 0040FE66, 0040FEE1, 0040FF5C, 0040FFD7, 00410052, 004100CD, 00410148, 004101C3, 0041023E, 004102B9, 00410334, 004103AF, 0041042A, 004104A5, 00410520, 0041059B, 00410616, 00410691, 0041070C, 00410787, 00410802, 0041087D, 004108F8, 00410973, 004109EE, 00410A69, 00410AE4, 00410B5F, 00410BDA, 00410C55, 00410CD0, 00410D4B, 00410DC6, 00410E41, 00410EBC, 00410F37, 00410FB2, 0041102D, 004110A8, 00411123, 0041119E, 00411219, 00411294, 0041130F, 0041138A, 00411405, 00411480, 004114FB, 00411576, 004115F1, 0041166C, 004116E7, 00411762, 004117DD, 00411858, 004118D3, 0041194E, 004119C9, 00411A44, 00411ABF, 00411B3A, 00411BB5, 00411C30, 00411CAB, 00411D26, 00411DA1, 00411E1C, 00411E97, 00411F12, 00411F8D, 00412008, 00412083
Characters: %c %c , xrefs: 00401E0C, 00401E11, 00401E32, 00401E4F, 00401E64, 00401E81, 00401E96, 00401F0E, 00401F89, 00402004, 0040207F, 004020FA, 00402175, 004021F0, 0040226B, 004022E6, 00402361, 004023DC, 00402457, 004024D2, 0040254D, 004025C8, 00402643, 004026BE, 00402739, 004027B4, 0040282F, 004028AA, 00402925, 004029A0, 00402A1B, 00402A96, 00402B11, 00402B8C, 00402C07, 00402C82, 00402CFD, 00402D78, 00402DF3, 00402E6E, 00402EE9, 00402F64, 00402FDF, 0040305A, 004030D5, 00403150, 004031CB, 00403246, 004032C1, 0040333C, 004033B7, 00403432, 004034AD, 00403528, 004035A3, 0040361E, 00403699, 00403714, 0040378F, 0040380A, 00403885, 00403900, 0040397B, 004039F6, 00403A71, 00403AEC, 00403B67, 00403BE2, 00403C5D, 00403CD8, 00403D53, 00403DCE, 00403E49, 00403EC4, 00403F3F, 00403FBA, 00404035, 004040B0, 0040412B, 004041A6, 00404221, 0040429C, 00404317, 00404392, 0040440D, 00404488, 00404503, 0040457E, 004045F9, 00404674, 004046EF, 0040476A, 004047E5, 00404860, 004048DB, 00404956, 004049D1, 00404A4C, 00404AC7, 00404B42, 00404BBD, 00404C38, 00404CB3, 00404D2E, 00404DA9, 00404E24, 00404E9F, 00404F1A, 00404F95, 00405010, 0040508B, 00405106, 00405181, 004051FC, 00405277, 004052F2, 0040536D, 004053E8, 00405463, 004054DE, 00405559, 004055D4, 0040564F, 004056CA, 00405745, 004057C0, 0040583B, 004058B6, 00405931, 004059AC, 00405A27, 00405AA2, 00405B1D, 00405B98, 00405C13, 00405C8E, 00405D09, 00405D84, 00405DFF, 00405E7A, 00405EF5, 00405F70, 00405FEB, 00406066, 004060E1, 0040615C, 004061D7, 00406252, 004062CD, 00406348, 004063C3, 0040643E, 004064B9, 00406534, 004065AF, 0040662A, 004066A5, 00406720, 0040679B, 00406816, 00406891, 0040690C, 00406987, 00406A02, 00406A7D, 00406AF8, 00406B73, 00406BEE, 00406C69, 00406CE4, 00406D5F, 00406DDA, 00406E55, 00406ED0, 00406F4B, 00406FC6, 00407041, 004070BC, 00407137, 004071B2, 0040722D, 004072A8, 00407323, 0040739E, 00407419, 00407494, 0040750F, 0040758A, 00407605, 00407680, 004076FB, 00407776, 004077F1, 0040786C, 004078E7, 00407962, 004079DD, 00407A58, 00407AD3, 00407B4E, 00407BC9, 00407C44, 00407CBF, 00407D3A, 00407DB5, 00407E30, 00407EAB, 00407F26, 00407FA1, 0040801C, 00408097, 00408112, 0040818D, 00408208, 00408283, 004082FE, 00408379, 004083F4, 0040846F, 004084EA, 00408565, 004085E0, 0040865B, 004086D6, 00408751, 004087CC, 00408847, 004088C2, 0040893D, 004089B8, 00408A33, 00408AAE, 00408B29, 00408BA4, 00408C1F, 00408C9A, 00408D15, 00408D90, 00408E0B, 00408E86, 00408F01, 00408F7C, 00408FF7, 00409072, 004090ED, 00409168, 004091E3, 0040925E, 004092D9, 00409354, 004093CF, 0040944A, 004094C5, 00409540, 004095BB, 00409636, 004096B1, 0040972C, 004097A7, 00409822, 0040989D, 00409918, 00409993, 00409A0E, 00409A89, 00409B04, 00409B7F, 00409BFA, 00409C75, 00409CF0, 00409D6B, 00409DE6, 00409E61, 00409EDC, 00409F57, 00409FD2, 0040A04D, 0040A0C8, 0040A143, 0040A1BE, 0040A239, 0040A2B4, 0040A32F, 0040A3AA, 0040A425, 0040A4A0, 0040A51B, 0040A596, 0040A611, 0040A68C, 0040A707, 0040A782, 0040A7FD, 0040A878, 0040A8F3, 0040A96E, 0040A9E9, 0040AA64, 0040AADF, 0040AB5A, 0040ABD5, 0040AC50, 0040ACCB, 0040AD46, 0040ADC1, 0040AE3C, 0040AEB7, 0040AF32, 0040AFAD, 0040B028, 0040B0A3, 0040B11E, 0040B199, 0040B214, 0040B28F, 0040B30A, 0040B385, 0040B400, 0040B47B, 0040B4F6, 0040B571, 0040B5EC, 0040B667, 0040B6E2, 0040B75D, 0040B7D8, 0040B853, 0040B8CE, 0040B949, 0040B9C4, 0040BA3F, 0040BABA, 0040BB35, 0040BBB0, 0040BC2B, 0040BCA6, 0040BD21, 0040BD9C, 0040BE17, 0040BE92, 0040BF0D, 0040BF88, 0040C003, 0040C07E, 0040C0F9, 0040C174, 0040C1EF, 0040C26A, 0040C2E5, 0040C360, 0040C3DB, 0040C456, 0040C4D1, 0040C54C, 0040C5C7, 0040C642, 0040C6BD, 0040C738, 0040C7B3, 0040C82E, 0040C8A9, 0040C924, 0040C99F, 0040CA1A, 0040CA95, 0040CB10, 0040CB8B, 0040CC06, 0040CC81, 0040CCFC, 0040CD77, 0040CDF2, 0040CE6D, 0040CEE8, 0040CF63, 0040CFDE, 0040D059, 0040D0D4, 0040D14F, 0040D1CA, 0040D245, 0040D2C0, 0040D33B, 0040D3B6, 0040D431, 0040D4AC, 0040D527, 0040D5A2, 0040D61D, 0040D698, 0040D713, 0040D78E, 0040D809, 0040D884, 0040D8FF, 0040D97A, 0040D9F5, 0040DA70, 0040DAEB, 0040DB66, 0040DBE1, 0040DC5C, 0040DCD7, 0040DD52, 0040DDCD, 0040DE48, 0040DEC3, 0040DF3E, 0040DFB9, 0040E034, 0040E0AF, 0040E12A, 0040E1A5, 0040E220, 0040E29B, 0040E316, 0040E391, 0040E40C, 0040E487, 0040E502, 0040E57D, 0040E5F8, 0040E673, 0040E6EE, 0040E769, 0040E7E4, 0040E85F, 0040E8DA, 0040E955, 0040E9D0, 0040EA4B, 0040EAC6, 0040EB41, 0040EBBC, 0040EC37, 0040ECB2, 0040ED2D, 0040EDA8, 0040EE23, 0040EE9E, 0040EF19, 0040EF94, 0040F00F, 0040F08A, 0040F105, 0040F180, 0040F1FB, 0040F276, 0040F2F1, 0040F36C, 0040F3E7, 0040F462, 0040F4DD, 0040F558, 0040F5D3, 0040F64E, 0040F6C9, 0040F744, 0040F7BF, 0040F83A, 0040F8B5, 0040F930, 0040F9AB, 0040FA26, 0040FAA1, 0040FB1C, 0040FB97, 0040FC12, 0040FC8D, 0040FD08, 0040FD83, 0040FDFE, 0040FE79, 0040FEF4, 0040FF6F, 0040FFEA, 00410065, 004100E0, 0041015B, 004101D6, 00410251, 004102CC, 00410347, 004103C2, 0041043D, 004104B8, 00410533, 004105AE, 00410629, 004106A4, 0041071F, 0041079A, 00410815, 00410890, 0041090B, 00410986, 00410A01, 00410A7C, 00410AF7, 00410B72, 00410BED, 00410C68, 00410CE3, 00410D5E, 00410DD9, 00410E54, 00410ECF, 00410F4A, 00410FC5, 00411040, 004110BB, 00411136, 004111B1, 0041122C, 004112A7, 00411322, 0041139D, 00411418, 00411493, 0041150E, 00411589, 00411604, 0041167F, 004116FA, 00411775, 004117F0, 0041186B, 004118E6, 00411961, 004119DC, 00411A57, 00411AD2, 00411B4D, 00411BC8, 00411C43, 00411CBE, 00411D39, 00411DB4, 00411E2F, 00411EAA, 00411F25, 00411FA0, 0041201B, 00412096
Preceding with blanks: %10d , xrefs: 00401E41, 00401E73, 00401EA5, 00401F24, 00401F9F, 0040201A, 00402095, 00402110, 0040218B, 00402206, 00402281, 004022FC, 00402377, 004023F2, 0040246D, 004024E8, 00402563, 004025DE, 00402659, 004026D4, 0040274F, 004027CA, 00402845, 004028C0, 0040293B, 004029B6, 00402A31, 00402AAC, 00402B27, 00402BA2, 00402C1D, 00402C98, 00402D13, 00402D8E, 00402E09, 00402E84, 00402EFF, 00402F7A, 00402FF5, 00403070, 004030EB, 00403166, 004031E1, 0040325C, 004032D7, 00403352, 004033CD, 00403448, 004034C3, 0040353E, 004035B9, 00403634, 004036AF, 0040372A, 004037A5, 00403820, 0040389B, 00403916, 00403991, 00403A0C, 00403A87, 00403B02, 00403B7D, 00403BF8, 00403C73, 00403CEE, 00403D69, 00403DE4, 00403E5F, 00403EDA, 00403F55, 00403FD0, 0040404B, 004040C6, 00404141, 004041BC, 00404237, 004042B2, 0040432D, 004043A8, 00404423, 0040449E, 00404519, 00404594, 0040460F, 0040468A, 00404705, 00404780, 004047FB, 00404876, 004048F1, 0040496C, 004049E7, 00404A62, 00404ADD, 00404B58, 00404BD3, 00404C4E, 00404CC9, 00404D44, 00404DBF, 00404E3A, 00404EB5, 00404F30, 00404FAB, 00405026, 004050A1, 0040511C, 00405197, 00405212, 0040528D, 00405308, 00405383, 004053FE, 00405479, 004054F4, 0040556F, 004055EA, 00405665, 004056E0, 0040575B, 004057D6, 00405851, 004058CC, 00405947, 004059C2, 00405A3D, 00405AB8, 00405B33, 00405BAE, 00405C29, 00405CA4, 00405D1F, 00405D9A, 00405E15, 00405E90, 00405F0B, 00405F86, 00406001, 0040607C, 004060F7, 00406172, 004061ED, 00406268, 004062E3, 0040635E, 004063D9, 00406454, 004064CF, 0040654A, 004065C5, 00406640, 004066BB, 00406736, 004067B1, 0040682C, 004068A7, 00406922, 0040699D, 00406A18, 00406A93, 00406B0E, 00406B89, 00406C04, 00406C7F, 00406CFA, 00406D75, 00406DF0, 00406E6B, 00406EE6, 00406F61, 00406FDC, 00407057, 004070D2, 0040714D, 004071C8, 00407243, 004072BE, 00407339, 004073B4, 0040742F, 004074AA, 00407525, 004075A0, 0040761B, 00407696, 00407711, 0040778C, 00407807, 00407882, 004078FD, 00407978, 004079F3, 00407A6E, 00407AE9, 00407B64, 00407BDF, 00407C5A, 00407CD5, 00407D50, 00407DCB, 00407E46, 00407EC1, 00407F3C, 00407FB7, 00408032, 004080AD, 00408128, 004081A3, 0040821E, 00408299, 00408314, 0040838F, 0040840A, 00408485, 00408500, 0040857B, 004085F6, 00408671, 004086EC, 00408767, 004087E2, 0040885D, 004088D8, 00408953, 004089CE, 00408A49, 00408AC4, 00408B3F, 00408BBA, 00408C35, 00408CB0, 00408D2B, 00408DA6, 00408E21, 00408E9C, 00408F17, 00408F92, 0040900D, 00409088, 00409103, 0040917E, 004091F9, 00409274, 004092EF, 0040936A, 004093E5, 00409460, 004094DB, 00409556, 004095D1, 0040964C, 004096C7, 00409742, 004097BD, 00409838, 004098B3, 0040992E, 004099A9, 00409A24, 00409A9F, 00409B1A, 00409B95, 00409C10, 00409C8B, 00409D06, 00409D81, 00409DFC, 00409E77, 00409EF2, 00409F6D, 00409FE8, 0040A063, 0040A0DE, 0040A159, 0040A1D4, 0040A24F, 0040A2CA, 0040A345, 0040A3C0, 0040A43B, 0040A4B6, 0040A531, 0040A5AC, 0040A627, 0040A6A2, 0040A71D, 0040A798, 0040A813, 0040A88E, 0040A909, 0040A984, 0040A9FF, 0040AA7A, 0040AAF5, 0040AB70, 0040ABEB, 0040AC66, 0040ACE1, 0040AD5C, 0040ADD7, 0040AE52, 0040AECD, 0040AF48, 0040AFC3, 0040B03E, 0040B0B9, 0040B134, 0040B1AF, 0040B22A, 0040B2A5, 0040B320, 0040B39B, 0040B416, 0040B491, 0040B50C, 0040B587, 0040B602, 0040B67D, 0040B6F8, 0040B773, 0040B7EE, 0040B869, 0040B8E4, 0040B95F, 0040B9DA, 0040BA55, 0040BAD0, 0040BB4B, 0040BBC6, 0040BC41, 0040BCBC, 0040BD37, 0040BDB2, 0040BE2D, 0040BEA8, 0040BF23, 0040BF9E, 0040C019, 0040C094, 0040C10F, 0040C18A, 0040C205, 0040C280, 0040C2FB, 0040C376, 0040C3F1, 0040C46C, 0040C4E7, 0040C562, 0040C5DD, 0040C658, 0040C6D3, 0040C74E, 0040C7C9, 0040C844, 0040C8BF, 0040C93A, 0040C9B5, 0040CA30, 0040CAAB, 0040CB26, 0040CBA1, 0040CC1C, 0040CC97, 0040CD12, 0040CD8D, 0040CE08, 0040CE83, 0040CEFE, 0040CF79, 0040CFF4, 0040D06F, 0040D0EA, 0040D165, 0040D1E0, 0040D25B, 0040D2D6, 0040D351, 0040D3CC, 0040D447, 0040D4C2, 0040D53D, 0040D5B8, 0040D633, 0040D6AE, 0040D729, 0040D7A4, 0040D81F, 0040D89A, 0040D915, 0040D990, 0040DA0B, 0040DA86, 0040DB01, 0040DB7C, 0040DBF7, 0040DC72, 0040DCED, 0040DD68, 0040DDE3, 0040DE5E, 0040DED9, 0040DF54, 0040DFCF, 0040E04A, 0040E0C5, 0040E140, 0040E1BB, 0040E236, 0040E2B1, 0040E32C, 0040E3A7, 0040E422, 0040E49D, 0040E518, 0040E593, 0040E60E, 0040E689, 0040E704, 0040E77F, 0040E7FA, 0040E875, 0040E8F0, 0040E96B, 0040E9E6, 0040EA61, 0040EADC, 0040EB57, 0040EBD2, 0040EC4D, 0040ECC8, 0040ED43, 0040EDBE, 0040EE39, 0040EEB4, 0040EF2F, 0040EFAA, 0040F025, 0040F0A0, 0040F11B, 0040F196, 0040F211, 0040F28C, 0040F307, 0040F382, 0040F3FD, 0040F478, 0040F4F3, 0040F56E, 0040F5E9, 0040F664, 0040F6DF, 0040F75A, 0040F7D5, 0040F850, 0040F8CB, 0040F946, 0040F9C1, 0040FA3C, 0040FAB7, 0040FB32, 0040FBAD, 0040FC28, 0040FCA3, 0040FD1E, 0040FD99, 0040FE14, 0040FE8F, 0040FF0A, 0040FF85, 00410000, 0041007B, 004100F6, 00410171, 004101EC, 00410267, 004102E2, 0041035D, 004103D8, 00410453, 004104CE, 00410549, 004105C4, 0041063F, 004106BA, 00410735, 004107B0, 0041082B, 004108A6, 00410921, 0041099C, 00410A17, 00410A92, 00410B0D, 00410B88, 00410C03, 00410C7E, 00410CF9, 00410D74, 00410DEF, 00410E6A, 00410EE5, 00410F60, 00410FDB, 00411056, 004110D1, 0041114C, 004111C7, 00411242, 004112BD, 00411338, 004113B3, 0041142E, 004114A9, 00411524, 0041159F, 0041161A, 00411695, 00411710, 0041178B, 00411806, 00411881, 004118FC, 00411977, 004119F2, 00411A6D, 00411AE8, 00411B63, 00411BDE, 00411C59, 00411CD4, 00411D4F, 00411DCA, 00411E45, 00411EC0, 00411F3B, 00411FB6, 00412031
Some different radices: %d %x %o %#x %#o , xrefs: 00401EC2, 00401F3E, 00401FB9, 00402034, 004020AF, 0040212A, 004021A5, 00402220, 0040229B, 00402316, 00402391, 0040240C, 00402487, 00402502, 0040257D, 004025F8, 00402673, 004026EE, 00402769, 004027E4, 0040285F, 004028DA, 00402955, 004029D0, 00402A4B, 00402AC6, 00402B41, 00402BBC, 00402C37, 00402CB2, 00402D2D, 00402DA8, 00402E23, 00402E9E, 00402F19, 00402F94, 0040300F, 0040308A, 00403105, 00403180, 004031FB, 00403276, 004032F1, 0040336C, 004033E7, 00403462, 004034DD, 00403558, 004035D3, 0040364E, 004036C9, 00403744, 004037BF, 0040383A, 004038B5, 00403930, 004039AB, 00403A26, 00403AA1, 00403B1C, 00403B97, 00403C12, 00403C8D, 00403D08, 00403D83, 00403DFE, 00403E79, 00403EF4, 00403F6F, 00403FEA, 00404065, 004040E0, 0040415B, 004041D6, 00404251, 004042CC, 00404347, 004043C2, 0040443D, 004044B8, 00404533, 004045AE, 00404629, 004046A4, 0040471F, 0040479A, 00404815, 00404890, 0040490B, 00404986, 00404A01, 00404A7C, 00404AF7, 00404B72, 00404BED, 00404C68, 00404CE3, 00404D5E, 00404DD9, 00404E54, 00404ECF, 00404F4A, 00404FC5, 00405040, 004050BB, 00405136, 004051B1, 0040522C, 004052A7, 00405322, 0040539D, 00405418, 00405493, 0040550E, 00405589, 00405604, 0040567F, 004056FA, 00405775, 004057F0, 0040586B, 004058E6, 00405961, 004059DC, 00405A57, 00405AD2, 00405B4D, 00405BC8, 00405C43, 00405CBE, 00405D39, 00405DB4, 00405E2F, 00405EAA, 00405F25, 00405FA0, 0040601B, 00406096, 00406111, 0040618C, 00406207, 00406282, 004062FD, 00406378, 004063F3, 0040646E, 004064E9, 00406564, 004065DF, 0040665A, 004066D5, 00406750, 004067CB, 00406846, 004068C1, 0040693C, 004069B7, 00406A32, 00406AAD, 00406B28, 00406BA3, 00406C1E, 00406C99, 00406D14, 00406D8F, 00406E0A, 00406E85, 00406F00, 00406F7B, 00406FF6, 00407071, 004070EC, 00407167, 004071E2, 0040725D, 004072D8, 00407353, 004073CE, 00407449, 004074C4, 0040753F, 004075BA, 00407635, 004076B0, 0040772B, 004077A6, 00407821, 0040789C, 00407917, 00407992, 00407A0D, 00407A88, 00407B03, 00407B7E, 00407BF9, 00407C74, 00407CEF, 00407D6A, 00407DE5, 00407E60, 00407EDB, 00407F56, 00407FD1, 0040804C, 004080C7, 00408142, 004081BD, 00408238, 004082B3, 0040832E, 004083A9, 00408424, 0040849F, 0040851A, 00408595, 00408610, 0040868B, 00408706, 00408781, 004087FC, 00408877, 004088F2, 0040896D, 004089E8, 00408A63, 00408ADE, 00408B59, 00408BD4, 00408C4F, 00408CCA, 00408D45, 00408DC0, 00408E3B, 00408EB6, 00408F31, 00408FAC, 00409027, 004090A2, 0040911D, 00409198, 00409213, 0040928E, 00409309, 00409384, 004093FF, 0040947A, 004094F5, 00409570, 004095EB, 00409666, 004096E1, 0040975C, 004097D7, 00409852, 004098CD, 00409948, 004099C3, 00409A3E, 00409AB9, 00409B34, 00409BAF, 00409C2A, 00409CA5, 00409D20, 00409D9B, 00409E16, 00409E91, 00409F0C, 00409F87, 0040A002, 0040A07D, 0040A0F8, 0040A173, 0040A1EE, 0040A269, 0040A2E4, 0040A35F, 0040A3DA, 0040A455, 0040A4D0, 0040A54B, 0040A5C6, 0040A641, 0040A6BC, 0040A737, 0040A7B2, 0040A82D, 0040A8A8, 0040A923, 0040A99E, 0040AA19, 0040AA94, 0040AB0F, 0040AB8A, 0040AC05, 0040AC80, 0040ACFB, 0040AD76, 0040ADF1, 0040AE6C, 0040AEE7, 0040AF62, 0040AFDD, 0040B058, 0040B0D3, 0040B14E, 0040B1C9, 0040B244, 0040B2BF, 0040B33A, 0040B3B5, 0040B430, 0040B4AB, 0040B526, 0040B5A1, 0040B61C, 0040B697, 0040B712, 0040B78D, 0040B808, 0040B883, 0040B8FE, 0040B979, 0040B9F4, 0040BA6F, 0040BAEA, 0040BB65, 0040BBE0, 0040BC5B, 0040BCD6, 0040BD51, 0040BDCC, 0040BE47, 0040BEC2, 0040BF3D, 0040BFB8, 0040C033, 0040C0AE, 0040C129, 0040C1A4, 0040C21F, 0040C29A, 0040C315, 0040C390, 0040C40B, 0040C486, 0040C501, 0040C57C, 0040C5F7, 0040C672, 0040C6ED, 0040C768, 0040C7E3, 0040C85E, 0040C8D9, 0040C954, 0040C9CF, 0040CA4A, 0040CAC5, 0040CB40, 0040CBBB, 0040CC36, 0040CCB1, 0040CD2C, 0040CDA7, 0040CE22, 0040CE9D, 0040CF18, 0040CF93, 0040D00E, 0040D089, 0040D104, 0040D17F, 0040D1FA, 0040D275, 0040D2F0, 0040D36B, 0040D3E6, 0040D461, 0040D4DC, 0040D557, 0040D5D2, 0040D64D, 0040D6C8, 0040D743, 0040D7BE, 0040D839, 0040D8B4, 0040D92F, 0040D9AA, 0040DA25, 0040DAA0, 0040DB1B, 0040DB96, 0040DC11, 0040DC8C, 0040DD07, 0040DD82, 0040DDFD, 0040DE78, 0040DEF3, 0040DF6E, 0040DFE9, 0040E064, 0040E0DF, 0040E15A, 0040E1D5, 0040E250, 0040E2CB, 0040E346, 0040E3C1, 0040E43C, 0040E4B7, 0040E532, 0040E5AD, 0040E628, 0040E6A3, 0040E71E, 0040E799, 0040E814, 0040E88F, 0040E90A, 0040E985, 0040EA00, 0040EA7B, 0040EAF6, 0040EB71, 0040EBEC, 0040EC67, 0040ECE2, 0040ED5D, 0040EDD8, 0040EE53, 0040EECE, 0040EF49, 0040EFC4, 0040F03F, 0040F0BA, 0040F135, 0040F1B0, 0040F22B, 0040F2A6, 0040F321, 0040F39C, 0040F417, 0040F492, 0040F50D, 0040F588, 0040F603, 0040F67E, 0040F6F9, 0040F774, 0040F7EF, 0040F86A, 0040F8E5, 0040F960, 0040F9DB, 0040FA56, 0040FAD1, 0040FB4C, 0040FBC7, 0040FC42, 0040FCBD, 0040FD38, 0040FDB3, 0040FE2E, 0040FEA9, 0040FF24, 0040FF9F, 0041001A, 00410095, 00410110, 0041018B, 00410206, 00410281, 004102FC, 00410377, 004103F2, 0041046D, 004104E8, 00410563, 004105DE, 00410659, 004106D4, 0041074F, 004107CA, 00410845, 004108C0, 0041093B, 004109B6, 00410A31, 00410AAC, 00410B27, 00410BA2, 00410C1D, 00410C98, 00410D13, 00410D8E, 00410E09, 00410E84, 00410EFF, 00410F7A, 00410FF5, 00411070, 004110EB, 00411166, 004111E1, 0041125C, 004112D7, 00411352, 004113CD, 00411448, 004114C3, 0041153E, 004115B9, 00411634, 004116AF, 0041172A, 004117A5, 00411820, 0041189B, 00411916, 00411991, 00411A0C, 00411A87, 00411B02, 00411B7D, 00411BF8, 00411C73, 00411CEE, 00411D69, 00411DE4, 00411E5F, 00411EDA, 00411F55, 00411FD0, 0041204B
floats: %4.2f %+.0e %E , xrefs: 00401EE3, 00401F5E, 00401FD9, 00402054, 004020CF, 0040214A, 004021C5, 00402240, 004022BB, 00402336, 004023B1, 0040242C, 004024A7, 00402522, 0040259D, 00402618, 00402693, 0040270E, 00402789, 00402804, 0040287F, 004028FA, 00402975, 004029F0, 00402A6B, 00402AE6, 00402B61, 00402BDC, 00402C57, 00402CD2, 00402D4D, 00402DC8, 00402E43, 00402EBE, 00402F39, 00402FB4, 0040302F, 004030AA, 00403125, 004031A0, 0040321B, 00403296, 00403311, 0040338C, 00403407, 00403482, 004034FD, 00403578, 004035F3, 0040366E, 004036E9, 00403764, 004037DF, 0040385A, 004038D5, 00403950, 004039CB, 00403A46, 00403AC1, 00403B3C, 00403BB7, 00403C32, 00403CAD, 00403D28, 00403DA3, 00403E1E, 00403E99, 00403F14, 00403F8F, 0040400A, 00404085, 00404100, 0040417B, 004041F6, 00404271, 004042EC, 00404367, 004043E2, 0040445D, 004044D8, 00404553, 004045CE, 00404649, 004046C4, 0040473F, 004047BA, 00404835, 004048B0, 0040492B, 004049A6, 00404A21, 00404A9C, 00404B17, 00404B92, 00404C0D, 00404C88, 00404D03, 00404D7E, 00404DF9, 00404E74, 00404EEF, 00404F6A, 00404FE5, 00405060, 004050DB, 00405156, 004051D1, 0040524C, 004052C7, 00405342, 004053BD, 00405438, 004054B3, 0040552E, 004055A9, 00405624, 0040569F, 0040571A, 00405795, 00405810, 0040588B, 00405906, 00405981, 004059FC, 00405A77, 00405AF2, 00405B6D, 00405BE8, 00405C63, 00405CDE, 00405D59, 00405DD4, 00405E4F, 00405ECA, 00405F45, 00405FC0, 0040603B, 004060B6, 00406131, 004061AC, 00406227, 004062A2, 0040631D, 00406398, 00406413, 0040648E, 00406509, 00406584, 004065FF, 0040667A, 004066F5, 00406770, 004067EB, 00406866, 004068E1, 0040695C, 004069D7, 00406A52, 00406ACD, 00406B48, 00406BC3, 00406C3E, 00406CB9, 00406D34, 00406DAF, 00406E2A, 00406EA5, 00406F20, 00406F9B, 00407016, 00407091, 0040710C, 00407187, 00407202, 0040727D, 004072F8, 00407373, 004073EE, 00407469, 004074E4, 0040755F, 004075DA, 00407655, 004076D0, 0040774B, 004077C6, 00407841, 004078BC, 00407937, 004079B2, 00407A2D, 00407AA8, 00407B23, 00407B9E, 00407C19, 00407C94, 00407D0F, 00407D8A, 00407E05, 00407E80, 00407EFB, 00407F76, 00407FF1, 0040806C, 004080E7, 00408162, 004081DD, 00408258, 004082D3, 0040834E, 004083C9, 00408444, 004084BF, 0040853A, 004085B5, 00408630, 004086AB, 00408726, 004087A1, 0040881C, 00408897, 00408912, 0040898D, 00408A08, 00408A83, 00408AFE, 00408B79, 00408BF4, 00408C6F, 00408CEA, 00408D65, 00408DE0, 00408E5B, 00408ED6, 00408F51, 00408FCC, 00409047, 004090C2, 0040913D, 004091B8, 00409233, 004092AE, 00409329, 004093A4, 0040941F, 0040949A, 00409515, 00409590, 0040960B, 00409686, 00409701, 0040977C, 004097F7, 00409872, 004098ED, 00409968, 004099E3, 00409A5E, 00409AD9, 00409B54, 00409BCF, 00409C4A, 00409CC5, 00409D40, 00409DBB, 00409E36, 00409EB1, 00409F2C, 00409FA7, 0040A022, 0040A09D, 0040A118, 0040A193, 0040A20E, 0040A289, 0040A304, 0040A37F, 0040A3FA, 0040A475, 0040A4F0, 0040A56B, 0040A5E6, 0040A661, 0040A6DC, 0040A757, 0040A7D2, 0040A84D, 0040A8C8, 0040A943, 0040A9BE, 0040AA39, 0040AAB4, 0040AB2F, 0040ABAA, 0040AC25, 0040ACA0, 0040AD1B, 0040AD96, 0040AE11, 0040AE8C, 0040AF07, 0040AF82, 0040AFFD, 0040B078, 0040B0F3, 0040B16E, 0040B1E9, 0040B264, 0040B2DF, 0040B35A, 0040B3D5, 0040B450, 0040B4CB, 0040B546, 0040B5C1, 0040B63C, 0040B6B7, 0040B732, 0040B7AD, 0040B828, 0040B8A3, 0040B91E, 0040B999, 0040BA14, 0040BA8F, 0040BB0A, 0040BB85, 0040BC00, 0040BC7B, 0040BCF6, 0040BD71, 0040BDEC, 0040BE67, 0040BEE2, 0040BF5D, 0040BFD8, 0040C053, 0040C0CE, 0040C149, 0040C1C4, 0040C23F, 0040C2BA, 0040C335, 0040C3B0, 0040C42B, 0040C4A6, 0040C521, 0040C59C, 0040C617, 0040C692, 0040C70D, 0040C788, 0040C803, 0040C87E, 0040C8F9, 0040C974, 0040C9EF, 0040CA6A, 0040CAE5, 0040CB60, 0040CBDB, 0040CC56, 0040CCD1, 0040CD4C, 0040CDC7, 0040CE42, 0040CEBD, 0040CF38, 0040CFB3, 0040D02E, 0040D0A9, 0040D124, 0040D19F, 0040D21A, 0040D295, 0040D310, 0040D38B, 0040D406, 0040D481, 0040D4FC, 0040D577, 0040D5F2, 0040D66D, 0040D6E8, 0040D763, 0040D7DE, 0040D859, 0040D8D4, 0040D94F, 0040D9CA, 0040DA45, 0040DAC0, 0040DB3B, 0040DBB6, 0040DC31, 0040DCAC, 0040DD27, 0040DDA2, 0040DE1D, 0040DE98, 0040DF13, 0040DF8E, 0040E009, 0040E084, 0040E0FF, 0040E17A, 0040E1F5, 0040E270, 0040E2EB, 0040E366, 0040E3E1, 0040E45C, 0040E4D7, 0040E552, 0040E5CD, 0040E648, 0040E6C3, 0040E73E, 0040E7B9, 0040E834, 0040E8AF, 0040E92A, 0040E9A5, 0040EA20, 0040EA9B, 0040EB16, 0040EB91, 0040EC0C, 0040EC87, 0040ED02, 0040ED7D, 0040EDF8, 0040EE73, 0040EEEE, 0040EF69, 0040EFE4, 0040F05F, 0040F0DA, 0040F155, 0040F1D0, 0040F24B, 0040F2C6, 0040F341, 0040F3BC, 0040F437, 0040F4B2, 0040F52D, 0040F5A8, 0040F623, 0040F69E, 0040F719, 0040F794, 0040F80F, 0040F88A, 0040F905, 0040F980, 0040F9FB, 0040FA76, 0040FAF1, 0040FB6C, 0040FBE7, 0040FC62, 0040FCDD, 0040FD58, 0040FDD3, 0040FE4E, 0040FEC9, 0040FF44, 0040FFBF, 0041003A, 004100B5, 00410130, 004101AB, 00410226, 004102A1, 0041031C, 00410397, 00410412, 0041048D, 00410508, 00410583, 004105FE, 00410679, 004106F4, 0041076F, 004107EA, 00410865, 004108E0, 0041095B, 004109D6, 00410A51, 00410ACC, 00410B47, 00410BC2, 00410C3D, 00410CB8, 00410D33, 00410DAE, 00410E29, 00410EA4, 00410F1F, 00410F9A, 00411015, 00411090, 0041110B, 00411186, 00411201, 0041127C, 004112F7, 00411372, 004113ED, 00411468, 004114E3, 0041155E, 004115D9, 00411654, 004116CF, 0041174A, 004117C5, 00411840, 004118BB, 00411936, 004119B1, 00411A2C, 00411AA7, 00411B22, 00411B9D, 00411C18, 00411C93, 00411D0E, 00411D89, 00411E04, 00411E7F, 00411EFA, 00411F75, 00411FF0, 0041206B
%s , xrefs: 00401F00, 00401F7B, 00401FF6, 00402071, 004020EC, 00402167, 004021E2, 0040225D, 004022D8, 00402353, 004023CE, 00402449, 004024C4, 0040253F, 004025BA, 00402635, 004026B0, 0040272B, 004027A6, 00402821, 0040289C, 00402917, 00402992, 00402A0D, 00402A88, 00402B03, 00402B7E, 00402BF9, 00402C74, 00402CEF, 00402D6A, 00402DE5, 00402E60, 00402EDB, 00402F56, 00402FD1, 0040304C, 004030C7, 00403142, 004031BD, 00403238, 004032B3, 0040332E, 004033A9, 00403424, 0040349F, 0040351A, 00403595, 00403610, 0040368B, 00403706, 00403781, 004037FC, 00403877, 004038F2, 0040396D, 004039E8, 00403A63, 00403ADE, 00403B59, 00403BD4, 00403C4F, 00403CCA, 00403D45, 00403DC0, 00403E3B, 00403EB6, 00403F31, 00403FAC, 00404027, 004040A2, 0040411D, 00404198, 00404213, 0040428E, 00404309, 00404384, 004043FF, 0040447A, 004044F5, 00404570, 004045EB, 00404666, 004046E1, 0040475C, 004047D7, 00404852, 004048CD, 00404948, 004049C3, 00404A3E, 00404AB9, 00404B34, 00404BAF, 00404C2A, 00404CA5, 00404D20, 00404D9B, 00404E16, 00404E91, 00404F0C, 00404F87, 00405002, 0040507D, 004050F8, 00405173, 004051EE, 00405269, 004052E4, 0040535F, 004053DA, 00405455, 004054D0, 0040554B, 004055C6, 00405641, 004056BC, 00405737, 004057B2, 0040582D, 004058A8, 00405923, 0040599E, 00405A19, 00405A94, 00405B0F, 00405B8A, 00405C05, 00405C80, 00405CFB, 00405D76, 00405DF1, 00405E6C, 00405EE7, 00405F62, 00405FDD, 00406058, 004060D3, 0040614E, 004061C9, 00406244, 004062BF, 0040633A, 004063B5, 00406430, 004064AB, 00406526, 004065A1, 0040661C, 00406697, 00406712, 0040678D, 00406808, 00406883, 004068FE, 00406979, 004069F4, 00406A6F, 00406AEA, 00406B65, 00406BE0, 00406C5B, 00406CD6, 00406D51, 00406DCC, 00406E47, 00406EC2, 00406F3D, 00406FB8, 00407033, 004070AE, 00407129, 004071A4, 0040721F, 0040729A, 00407315, 00407390, 0040740B, 00407486, 00407501, 0040757C, 004075F7, 00407672, 004076ED, 00407768, 004077E3, 0040785E, 004078D9, 00407954, 004079CF, 00407A4A, 00407AC5, 00407B40, 00407BBB, 00407C36, 00407CB1, 00407D2C, 00407DA7, 00407E22, 00407E9D, 00407F18, 00407F93, 0040800E, 00408089, 00408104, 0040817F, 004081FA, 00408275, 004082F0, 0040836B, 004083E6, 00408461, 004084DC, 00408557, 004085D2, 0040864D, 004086C8, 00408743, 004087BE, 00408839, 004088B4, 0040892F, 004089AA, 00408A25, 00408AA0, 00408B1B, 00408B96, 00408C11, 00408C8C, 00408D07, 00408D82, 00408DFD, 00408E78, 00408EF3, 00408F6E, 00408FE9, 00409064, 004090DF, 0040915A, 004091D5, 00409250, 004092CB, 00409346, 004093C1, 0040943C, 004094B7, 00409532, 004095AD, 00409628, 004096A3, 0040971E, 00409799, 00409814, 0040988F, 0040990A, 00409985, 00409A00, 00409A7B, 00409AF6, 00409B71, 00409BEC, 00409C67, 00409CE2, 00409D5D, 00409DD8, 00409E53, 00409ECE, 00409F49, 00409FC4, 0040A03F, 0040A0BA, 0040A135, 0040A1B0, 0040A22B, 0040A2A6, 0040A321, 0040A39C, 0040A417, 0040A492, 0040A50D, 0040A588, 0040A603, 0040A67E, 0040A6F9, 0040A774, 0040A7EF, 0040A86A, 0040A8E5, 0040A960, 0040A9DB, 0040AA56, 0040AAD1, 0040AB4C, 0040ABC7, 0040AC42, 0040ACBD, 0040AD38, 0040ADB3, 0040AE2E, 0040AEA9, 0040AF24, 0040AF9F, 0040B01A, 0040B095, 0040B110, 0040B18B, 0040B206, 0040B281, 0040B2FC, 0040B377, 0040B3F2, 0040B46D, 0040B4E8, 0040B563, 0040B5DE, 0040B659, 0040B6D4, 0040B74F, 0040B7CA, 0040B845, 0040B8C0, 0040B93B, 0040B9B6, 0040BA31, 0040BAAC, 0040BB27, 0040BBA2, 0040BC1D, 0040BC98, 0040BD13, 0040BD8E, 0040BE09, 0040BE84, 0040BEFF, 0040BF7A, 0040BFF5, 0040C070, 0040C0EB, 0040C166, 0040C1E1, 0040C25C, 0040C2D7, 0040C352, 0040C3CD, 0040C448, 0040C4C3, 0040C53E, 0040C5B9, 0040C634, 0040C6AF, 0040C72A, 0040C7A5, 0040C820, 0040C89B, 0040C916, 0040C991, 0040CA0C, 0040CA87, 0040CB02, 0040CB7D, 0040CBF8, 0040CC73, 0040CCEE, 0040CD69, 0040CDE4, 0040CE5F, 0040CEDA, 0040CF55, 0040CFD0, 0040D04B, 0040D0C6, 0040D141, 0040D1BC, 0040D237, 0040D2B2, 0040D32D, 0040D3A8, 0040D423, 0040D49E, 0040D519, 0040D594, 0040D60F, 0040D68A, 0040D705, 0040D780, 0040D7FB, 0040D876, 0040D8F1, 0040D96C, 0040D9E7, 0040DA62, 0040DADD, 0040DB58, 0040DBD3, 0040DC4E, 0040DCC9, 0040DD44, 0040DDBF, 0040DE3A, 0040DEB5, 0040DF30, 0040DFAB, 0040E026, 0040E0A1, 0040E11C, 0040E197, 0040E212, 0040E28D, 0040E308, 0040E383, 0040E3FE, 0040E479, 0040E4F4, 0040E56F, 0040E5EA, 0040E665, 0040E6E0, 0040E75B, 0040E7D6, 0040E851, 0040E8CC, 0040E947, 0040E9C2, 0040EA3D, 0040EAB8, 0040EB33, 0040EBAE, 0040EC29, 0040ECA4, 0040ED1F, 0040ED9A, 0040EE15, 0040EE90, 0040EF0B, 0040EF86, 0040F001, 0040F07C, 0040F0F7, 0040F172, 0040F1ED, 0040F268, 0040F2E3, 0040F35E, 0040F3D9, 0040F454, 0040F4CF, 0040F54A, 0040F5C5, 0040F640, 0040F6BB, 0040F736, 0040F7B1, 0040F82C, 0040F8A7, 0040F922, 0040F99D, 0040FA18, 0040FA93, 0040FB0E, 0040FB89, 0040FC04, 0040FC7F, 0040FCFA, 0040FD75, 0040FDF0, 0040FE6B, 0040FEE6, 0040FF61, 0040FFDC, 00410057, 004100D2, 0041014D, 004101C8, 00410243, 004102BE, 00410339, 004103B4, 0041042F, 004104AA, 00410525, 004105A0, 0041061B, 00410696, 00410711, 0041078C, 00410807, 00410882, 004108FD, 00410978, 004109F3, 00410A6E, 00410AE9, 00410B64, 00410BDF, 00410C5A, 00410CD5, 00410D50, 00410DCB, 00410E46, 00410EC1, 00410F3C, 00410FB7, 00411032, 004110AD, 00411128, 004111A3, 0041121E, 00411299, 00411314, 0041138F, 0041140A, 00411485, 00411500, 0041157B, 004115F6, 00411671, 004116EC, 00411767, 004117E2, 0041185D, 004118D8, 00411953, 004119CE, 00411A49, 00411AC4, 00411B3F, 00411BBA, 00411C35, 00411CB0, 00411D2B, 00411DA6, 00411E21, 00411E9C, 00411F17, 00411F92, 0041200D, 00412088
Preceding with zeros: %010d , xrefs: 00401EB0, 00401F2F, 00401FAA, 00402025, 004020A0, 0040211B, 00402196, 00402211, 0040228C, 00402307, 00402382, 004023FD, 00402478, 004024F3, 0040256E, 004025E9, 00402664, 004026DF, 0040275A, 004027D5, 00402850, 004028CB, 00402946, 004029C1, 00402A3C, 00402AB7, 00402B32, 00402BAD, 00402C28, 00402CA3, 00402D1E, 00402D99, 00402E14, 00402E8F, 00402F0A, 00402F85, 00403000, 0040307B, 004030F6, 00403171, 004031EC, 00403267, 004032E2, 0040335D, 004033D8, 00403453, 004034CE, 00403549, 004035C4, 0040363F, 004036BA, 00403735, 004037B0, 0040382B, 004038A6, 00403921, 0040399C, 00403A17, 00403A92, 00403B0D, 00403B88, 00403C03, 00403C7E, 00403CF9, 00403D74, 00403DEF, 00403E6A, 00403EE5, 00403F60, 00403FDB, 00404056, 004040D1, 0040414C, 004041C7, 00404242, 004042BD, 00404338, 004043B3, 0040442E, 004044A9, 00404524, 0040459F, 0040461A, 00404695, 00404710, 0040478B, 00404806, 00404881, 004048FC, 00404977, 004049F2, 00404A6D, 00404AE8, 00404B63, 00404BDE, 00404C59, 00404CD4, 00404D4F, 00404DCA, 00404E45, 00404EC0, 00404F3B, 00404FB6, 00405031, 004050AC, 00405127, 004051A2, 0040521D, 00405298, 00405313, 0040538E, 00405409, 00405484, 004054FF, 0040557A, 004055F5, 00405670, 004056EB, 00405766, 004057E1, 0040585C, 004058D7, 00405952, 004059CD, 00405A48, 00405AC3, 00405B3E, 00405BB9, 00405C34, 00405CAF, 00405D2A, 00405DA5, 00405E20, 00405E9B, 00405F16, 00405F91, 0040600C, 00406087, 00406102, 0040617D, 004061F8, 00406273, 004062EE, 00406369, 004063E4, 0040645F, 004064DA, 00406555, 004065D0, 0040664B, 004066C6, 00406741, 004067BC, 00406837, 004068B2, 0040692D, 004069A8, 00406A23, 00406A9E, 00406B19, 00406B94, 00406C0F, 00406C8A, 00406D05, 00406D80, 00406DFB, 00406E76, 00406EF1, 00406F6C, 00406FE7, 00407062, 004070DD, 00407158, 004071D3, 0040724E, 004072C9, 00407344, 004073BF, 0040743A, 004074B5, 00407530, 004075AB, 00407626, 004076A1, 0040771C, 00407797, 00407812, 0040788D, 00407908, 00407983, 004079FE, 00407A79, 00407AF4, 00407B6F, 00407BEA, 00407C65, 00407CE0, 00407D5B, 00407DD6, 00407E51, 00407ECC, 00407F47, 00407FC2, 0040803D, 004080B8, 00408133, 004081AE, 00408229, 004082A4, 0040831F, 0040839A, 00408415, 00408490, 0040850B, 00408586, 00408601, 0040867C, 004086F7, 00408772, 004087ED, 00408868, 004088E3, 0040895E, 004089D9, 00408A54, 00408ACF, 00408B4A, 00408BC5, 00408C40, 00408CBB, 00408D36, 00408DB1, 00408E2C, 00408EA7, 00408F22, 00408F9D, 00409018, 00409093, 0040910E, 00409189, 00409204, 0040927F, 004092FA, 00409375, 004093F0, 0040946B, 004094E6, 00409561, 004095DC, 00409657, 004096D2, 0040974D, 004097C8, 00409843, 004098BE, 00409939, 004099B4, 00409A2F, 00409AAA, 00409B25, 00409BA0, 00409C1B, 00409C96, 00409D11, 00409D8C, 00409E07, 00409E82, 00409EFD, 00409F78, 00409FF3, 0040A06E, 0040A0E9, 0040A164, 0040A1DF, 0040A25A, 0040A2D5, 0040A350, 0040A3CB, 0040A446, 0040A4C1, 0040A53C, 0040A5B7, 0040A632, 0040A6AD, 0040A728, 0040A7A3, 0040A81E, 0040A899, 0040A914, 0040A98F, 0040AA0A, 0040AA85, 0040AB00, 0040AB7B, 0040ABF6, 0040AC71, 0040ACEC, 0040AD67, 0040ADE2, 0040AE5D, 0040AED8, 0040AF53, 0040AFCE, 0040B049, 0040B0C4, 0040B13F, 0040B1BA, 0040B235, 0040B2B0, 0040B32B, 0040B3A6, 0040B421, 0040B49C, 0040B517, 0040B592, 0040B60D, 0040B688, 0040B703, 0040B77E, 0040B7F9, 0040B874, 0040B8EF, 0040B96A, 0040B9E5, 0040BA60, 0040BADB, 0040BB56, 0040BBD1, 0040BC4C, 0040BCC7, 0040BD42, 0040BDBD, 0040BE38, 0040BEB3, 0040BF2E, 0040BFA9, 0040C024, 0040C09F, 0040C11A, 0040C195, 0040C210, 0040C28B, 0040C306, 0040C381, 0040C3FC, 0040C477, 0040C4F2, 0040C56D, 0040C5E8, 0040C663, 0040C6DE, 0040C759, 0040C7D4, 0040C84F, 0040C8CA, 0040C945, 0040C9C0, 0040CA3B, 0040CAB6, 0040CB31, 0040CBAC, 0040CC27, 0040CCA2, 0040CD1D, 0040CD98, 0040CE13, 0040CE8E, 0040CF09, 0040CF84, 0040CFFF, 0040D07A, 0040D0F5, 0040D170, 0040D1EB, 0040D266, 0040D2E1, 0040D35C, 0040D3D7, 0040D452, 0040D4CD, 0040D548, 0040D5C3, 0040D63E, 0040D6B9, 0040D734, 0040D7AF, 0040D82A, 0040D8A5, 0040D920, 0040D99B, 0040DA16, 0040DA91, 0040DB0C, 0040DB87, 0040DC02, 0040DC7D, 0040DCF8, 0040DD73, 0040DDEE, 0040DE69, 0040DEE4, 0040DF5F, 0040DFDA, 0040E055, 0040E0D0, 0040E14B, 0040E1C6, 0040E241, 0040E2BC, 0040E337, 0040E3B2, 0040E42D, 0040E4A8, 0040E523, 0040E59E, 0040E619, 0040E694, 0040E70F, 0040E78A, 0040E805, 0040E880, 0040E8FB, 0040E976, 0040E9F1, 0040EA6C, 0040EAE7, 0040EB62, 0040EBDD, 0040EC58, 0040ECD3, 0040ED4E, 0040EDC9, 0040EE44, 0040EEBF, 0040EF3A, 0040EFB5, 0040F030, 0040F0AB, 0040F126, 0040F1A1, 0040F21C, 0040F297, 0040F312, 0040F38D, 0040F408, 0040F483, 0040F4FE, 0040F579, 0040F5F4, 0040F66F, 0040F6EA, 0040F765, 0040F7E0, 0040F85B, 0040F8D6, 0040F951, 0040F9CC, 0040FA47, 0040FAC2, 0040FB3D, 0040FBB8, 0040FC33, 0040FCAE, 0040FD29, 0040FDA4, 0040FE1F, 0040FE9A, 0040FF15, 0040FF90, 0041000B, 00410086, 00410101, 0041017C, 004101F7, 00410272, 004102ED, 00410368, 004103E3, 0041045E, 004104D9, 00410554, 004105CF, 0041064A, 004106C5, 00410740, 004107BB, 00410836, 004108B1, 0041092C, 004109A7, 00410A22, 00410A9D, 00410B18, 00410B93, 00410C0E, 00410C89, 00410D04, 00410D7F, 00410DFA, 00410E75, 00410EF0, 00410F6B, 00410FE6, 00411061, 004110DC, 00411157, 004111D2, 0041124D, 004112C8, 00411343, 004113BE, 00411439, 004114B4, 0041152F, 004115AA, 00411625, 004116A0, 0041171B, 00411796, 00411811, 0041188C, 00411907, 00411982, 004119FD, 00411A78, 00411AF3, 00411B6E, 00411BE9, 00411C64, 00411CDF, 00411D5A, 00411DD5, 00411E50, 00411ECB, 00411F46, 00411FC1, 0041203C
Width trick: %*d , xrefs: 00401EF1, 00401F6C, 00401FE7, 00402062, 004020DD, 00402158, 004021D3, 0040224E, 004022C9, 00402344, 004023BF, 0040243A, 004024B5, 00402530, 004025AB, 00402626, 004026A1, 0040271C, 00402797, 00402812, 0040288D, 00402908, 00402983, 004029FE, 00402A79, 00402AF4, 00402B6F, 00402BEA, 00402C65, 00402CE0, 00402D5B, 00402DD6, 00402E51, 00402ECC, 00402F47, 00402FC2, 0040303D, 004030B8, 00403133, 004031AE, 00403229, 004032A4, 0040331F, 0040339A, 00403415, 00403490, 0040350B, 00403586, 00403601, 0040367C, 004036F7, 00403772, 004037ED, 00403868, 004038E3, 0040395E, 004039D9, 00403A54, 00403ACF, 00403B4A, 00403BC5, 00403C40, 00403CBB, 00403D36, 00403DB1, 00403E2C, 00403EA7, 00403F22, 00403F9D, 00404018, 00404093, 0040410E, 00404189, 00404204, 0040427F, 004042FA, 00404375, 004043F0, 0040446B, 004044E6, 00404561, 004045DC, 00404657, 004046D2, 0040474D, 004047C8, 00404843, 004048BE, 00404939, 004049B4, 00404A2F, 00404AAA, 00404B25, 00404BA0, 00404C1B, 00404C96, 00404D11, 00404D8C, 00404E07, 00404E82, 00404EFD, 00404F78, 00404FF3, 0040506E, 004050E9, 00405164, 004051DF, 0040525A, 004052D5, 00405350, 004053CB, 00405446, 004054C1, 0040553C, 004055B7, 00405632, 004056AD, 00405728, 004057A3, 0040581E, 00405899, 00405914, 0040598F, 00405A0A, 00405A85, 00405B00, 00405B7B, 00405BF6, 00405C71, 00405CEC, 00405D67, 00405DE2, 00405E5D, 00405ED8, 00405F53, 00405FCE, 00406049, 004060C4, 0040613F, 004061BA, 00406235, 004062B0, 0040632B, 004063A6, 00406421, 0040649C, 00406517, 00406592, 0040660D, 00406688, 00406703, 0040677E, 004067F9, 00406874, 004068EF, 0040696A, 004069E5, 00406A60, 00406ADB, 00406B56, 00406BD1, 00406C4C, 00406CC7, 00406D42, 00406DBD, 00406E38, 00406EB3, 00406F2E, 00406FA9, 00407024, 0040709F, 0040711A, 00407195, 00407210, 0040728B, 00407306, 00407381, 004073FC, 00407477, 004074F2, 0040756D, 004075E8, 00407663, 004076DE, 00407759, 004077D4, 0040784F, 004078CA, 00407945, 004079C0, 00407A3B, 00407AB6, 00407B31, 00407BAC, 00407C27, 00407CA2, 00407D1D, 00407D98, 00407E13, 00407E8E, 00407F09, 00407F84, 00407FFF, 0040807A, 004080F5, 00408170, 004081EB, 00408266, 004082E1, 0040835C, 004083D7, 00408452, 004084CD, 00408548, 004085C3, 0040863E, 004086B9, 00408734, 004087AF, 0040882A, 004088A5, 00408920, 0040899B, 00408A16, 00408A91, 00408B0C, 00408B87, 00408C02, 00408C7D, 00408CF8, 00408D73, 00408DEE, 00408E69, 00408EE4, 00408F5F, 00408FDA, 00409055, 004090D0, 0040914B, 004091C6, 00409241, 004092BC, 00409337, 004093B2, 0040942D, 004094A8, 00409523, 0040959E, 00409619, 00409694, 0040970F, 0040978A, 00409805, 00409880, 004098FB, 00409976, 004099F1, 00409A6C, 00409AE7, 00409B62, 00409BDD, 00409C58, 00409CD3, 00409D4E, 00409DC9, 00409E44, 00409EBF, 00409F3A, 00409FB5, 0040A030, 0040A0AB, 0040A126, 0040A1A1, 0040A21C, 0040A297, 0040A312, 0040A38D, 0040A408, 0040A483, 0040A4FE, 0040A579, 0040A5F4, 0040A66F, 0040A6EA, 0040A765, 0040A7E0, 0040A85B, 0040A8D6, 0040A951, 0040A9CC, 0040AA47, 0040AAC2, 0040AB3D, 0040ABB8, 0040AC33, 0040ACAE, 0040AD29, 0040ADA4, 0040AE1F, 0040AE9A, 0040AF15, 0040AF90, 0040B00B, 0040B086, 0040B101, 0040B17C, 0040B1F7, 0040B272, 0040B2ED, 0040B368, 0040B3E3, 0040B45E, 0040B4D9, 0040B554, 0040B5CF, 0040B64A, 0040B6C5, 0040B740, 0040B7BB, 0040B836, 0040B8B1, 0040B92C, 0040B9A7, 0040BA22, 0040BA9D, 0040BB18, 0040BB93, 0040BC0E, 0040BC89, 0040BD04, 0040BD7F, 0040BDFA, 0040BE75, 0040BEF0, 0040BF6B, 0040BFE6, 0040C061, 0040C0DC, 0040C157, 0040C1D2, 0040C24D, 0040C2C8, 0040C343, 0040C3BE, 0040C439, 0040C4B4, 0040C52F, 0040C5AA, 0040C625, 0040C6A0, 0040C71B, 0040C796, 0040C811, 0040C88C, 0040C907, 0040C982, 0040C9FD, 0040CA78, 0040CAF3, 0040CB6E, 0040CBE9, 0040CC64, 0040CCDF, 0040CD5A, 0040CDD5, 0040CE50, 0040CECB, 0040CF46, 0040CFC1, 0040D03C, 0040D0B7, 0040D132, 0040D1AD, 0040D228, 0040D2A3, 0040D31E, 0040D399, 0040D414, 0040D48F, 0040D50A, 0040D585, 0040D600, 0040D67B, 0040D6F6, 0040D771, 0040D7EC, 0040D867, 0040D8E2, 0040D95D, 0040D9D8, 0040DA53, 0040DACE, 0040DB49, 0040DBC4, 0040DC3F, 0040DCBA, 0040DD35, 0040DDB0, 0040DE2B, 0040DEA6, 0040DF21, 0040DF9C, 0040E017, 0040E092, 0040E10D, 0040E188, 0040E203, 0040E27E, 0040E2F9, 0040E374, 0040E3EF, 0040E46A, 0040E4E5, 0040E560, 0040E5DB, 0040E656, 0040E6D1, 0040E74C, 0040E7C7, 0040E842, 0040E8BD, 0040E938, 0040E9B3, 0040EA2E, 0040EAA9, 0040EB24, 0040EB9F, 0040EC1A, 0040EC95, 0040ED10, 0040ED8B, 0040EE06, 0040EE81, 0040EEFC, 0040EF77, 0040EFF2, 0040F06D, 0040F0E8, 0040F163, 0040F1DE, 0040F259, 0040F2D4, 0040F34F, 0040F3CA, 0040F445, 0040F4C0, 0040F53B, 0040F5B6, 0040F631, 0040F6AC, 0040F727, 0040F7A2, 0040F81D, 0040F898, 0040F913, 0040F98E, 0040FA09, 0040FA84, 0040FAFF, 0040FB7A, 0040FBF5, 0040FC70, 0040FCEB, 0040FD66, 0040FDE1, 0040FE5C, 0040FED7, 0040FF52, 0040FFCD, 00410048, 004100C3, 0041013E, 004101B9, 00410234, 004102AF, 0041032A, 004103A5, 00410420, 0041049B, 00410516, 00410591, 0041060C, 00410687, 00410702, 0041077D, 004107F8, 00410873, 004108EE, 00410969, 004109E4, 00410A5F, 00410ADA, 00410B55, 00410BD0, 00410C4B, 00410CC6, 00410D41, 00410DBC, 00410E37, 00410EB2, 00410F2D, 00410FA8, 00411023, 0041109E, 00411119, 00411194, 0041120F, 0041128A, 00411305, 00411380, 004113FB, 00411476, 004114F1, 0041156C, 004115E7, 00411662, 004116DD, 00411758, 004117D3, 0041184E, 004118C9, 00411944, 004119BF, 00411A3A, 00411AB5, 00411B30, 00411BAB, 00411C26, 00411CA1, 00411D1C, 00411D97, 00411E12, 00411E8D, 00411F08, 00411F83, 00411FFE, 00412079
Decimals: %d %ld, xrefs: 00401E23, 00401E28, 00401E3A, 00401E5A, 00401E6C, 00401E89, 00401E9E, 00401F1A, 00401F95, 00402010, 0040208B, 00402106, 00402181, 004021FC, 00402277, 004022F2, 0040236D, 004023E8, 00402463, 004024DE, 00402559, 004025D4, 0040264F, 004026CA, 00402745, 004027C0, 0040283B, 004028B6, 00402931, 004029AC, 00402A27, 00402AA2, 00402B1D, 00402B98, 00402C13, 00402C8E, 00402D09, 00402D84, 00402DFF, 00402E7A, 00402EF5, 00402F70, 00402FEB, 00403066, 004030E1, 0040315C, 004031D7, 00403252, 004032CD, 00403348, 004033C3, 0040343E, 004034B9, 00403534, 004035AF, 0040362A, 004036A5, 00403720, 0040379B, 00403816, 00403891, 0040390C, 00403987, 00403A02, 00403A7D, 00403AF8, 00403B73, 00403BEE, 00403C69, 00403CE4, 00403D5F, 00403DDA, 00403E55, 00403ED0, 00403F4B, 00403FC6, 00404041, 004040BC, 00404137, 004041B2, 0040422D, 004042A8, 00404323, 0040439E, 00404419, 00404494, 0040450F, 0040458A, 00404605, 00404680, 004046FB, 00404776, 004047F1, 0040486C, 004048E7, 00404962, 004049DD, 00404A58, 00404AD3, 00404B4E, 00404BC9, 00404C44, 00404CBF, 00404D3A, 00404DB5, 00404E30, 00404EAB, 00404F26, 00404FA1, 0040501C, 00405097, 00405112, 0040518D, 00405208, 00405283, 004052FE, 00405379, 004053F4, 0040546F, 004054EA, 00405565, 004055E0, 0040565B, 004056D6, 00405751, 004057CC, 00405847, 004058C2, 0040593D, 004059B8, 00405A33, 00405AAE, 00405B29, 00405BA4, 00405C1F, 00405C9A, 00405D15, 00405D90, 00405E0B, 00405E86, 00405F01, 00405F7C, 00405FF7, 00406072, 004060ED, 00406168, 004061E3, 0040625E, 004062D9, 00406354, 004063CF, 0040644A, 004064C5, 00406540, 004065BB, 00406636, 004066B1, 0040672C, 004067A7, 00406822, 0040689D, 00406918, 00406993, 00406A0E, 00406A89, 00406B04, 00406B7F, 00406BFA, 00406C75, 00406CF0, 00406D6B, 00406DE6, 00406E61, 00406EDC, 00406F57, 00406FD2, 0040704D, 004070C8, 00407143, 004071BE, 00407239, 004072B4, 0040732F, 004073AA, 00407425, 004074A0, 0040751B, 00407596, 00407611, 0040768C, 00407707, 00407782, 004077FD, 00407878, 004078F3, 0040796E, 004079E9, 00407A64, 00407ADF, 00407B5A, 00407BD5, 00407C50, 00407CCB, 00407D46, 00407DC1, 00407E3C, 00407EB7, 00407F32, 00407FAD, 00408028, 004080A3, 0040811E, 00408199, 00408214, 0040828F, 0040830A, 00408385, 00408400, 0040847B, 004084F6, 00408571, 004085EC, 00408667, 004086E2, 0040875D, 004087D8, 00408853, 004088CE, 00408949, 004089C4, 00408A3F, 00408ABA, 00408B35, 00408BB0, 00408C2B, 00408CA6, 00408D21, 00408D9C, 00408E17, 00408E92, 00408F0D, 00408F88, 00409003, 0040907E, 004090F9, 00409174, 004091EF, 0040926A, 004092E5, 00409360, 004093DB, 00409456, 004094D1, 0040954C, 004095C7, 00409642, 004096BD, 00409738, 004097B3, 0040982E, 004098A9, 00409924, 0040999F, 00409A1A, 00409A95, 00409B10, 00409B8B, 00409C06, 00409C81, 00409CFC, 00409D77, 00409DF2, 00409E6D, 00409EE8, 00409F63, 00409FDE, 0040A059, 0040A0D4, 0040A14F, 0040A1CA, 0040A245, 0040A2C0, 0040A33B, 0040A3B6, 0040A431, 0040A4AC, 0040A527, 0040A5A2, 0040A61D, 0040A698, 0040A713, 0040A78E, 0040A809, 0040A884, 0040A8FF, 0040A97A, 0040A9F5, 0040AA70, 0040AAEB, 0040AB66, 0040ABE1, 0040AC5C, 0040ACD7, 0040AD52, 0040ADCD, 0040AE48, 0040AEC3, 0040AF3E, 0040AFB9, 0040B034, 0040B0AF, 0040B12A, 0040B1A5, 0040B220, 0040B29B, 0040B316, 0040B391, 0040B40C, 0040B487, 0040B502, 0040B57D, 0040B5F8, 0040B673, 0040B6EE, 0040B769, 0040B7E4, 0040B85F, 0040B8DA, 0040B955, 0040B9D0, 0040BA4B, 0040BAC6, 0040BB41, 0040BBBC, 0040BC37, 0040BCB2, 0040BD2D, 0040BDA8, 0040BE23, 0040BE9E, 0040BF19, 0040BF94, 0040C00F, 0040C08A, 0040C105, 0040C180, 0040C1FB, 0040C276, 0040C2F1, 0040C36C, 0040C3E7, 0040C462, 0040C4DD, 0040C558, 0040C5D3, 0040C64E, 0040C6C9, 0040C744, 0040C7BF, 0040C83A, 0040C8B5, 0040C930, 0040C9AB, 0040CA26, 0040CAA1, 0040CB1C, 0040CB97, 0040CC12, 0040CC8D, 0040CD08, 0040CD83, 0040CDFE, 0040CE79, 0040CEF4, 0040CF6F, 0040CFEA, 0040D065, 0040D0E0, 0040D15B, 0040D1D6, 0040D251, 0040D2CC, 0040D347, 0040D3C2, 0040D43D, 0040D4B8, 0040D533, 0040D5AE, 0040D629, 0040D6A4, 0040D71F, 0040D79A, 0040D815, 0040D890, 0040D90B, 0040D986, 0040DA01, 0040DA7C, 0040DAF7, 0040DB72, 0040DBED, 0040DC68, 0040DCE3, 0040DD5E, 0040DDD9, 0040DE54, 0040DECF, 0040DF4A, 0040DFC5, 0040E040, 0040E0BB, 0040E136, 0040E1B1, 0040E22C, 0040E2A7, 0040E322, 0040E39D, 0040E418, 0040E493, 0040E50E, 0040E589, 0040E604, 0040E67F, 0040E6FA, 0040E775, 0040E7F0, 0040E86B, 0040E8E6, 0040E961, 0040E9DC, 0040EA57, 0040EAD2, 0040EB4D, 0040EBC8, 0040EC43, 0040ECBE, 0040ED39, 0040EDB4, 0040EE2F, 0040EEAA, 0040EF25, 0040EFA0, 0040F01B, 0040F096, 0040F111, 0040F18C, 0040F207, 0040F282, 0040F2FD, 0040F378, 0040F3F3, 0040F46E, 0040F4E9, 0040F564, 0040F5DF, 0040F65A, 0040F6D5, 0040F750, 0040F7CB, 0040F846, 0040F8C1, 0040F93C, 0040F9B7, 0040FA32, 0040FAAD, 0040FB28, 0040FBA3, 0040FC1E, 0040FC99, 0040FD14, 0040FD8F, 0040FE0A, 0040FE85, 0040FF00, 0040FF7B, 0040FFF6, 00410071, 004100EC, 00410167, 004101E2, 0041025D, 004102D8, 00410353, 004103CE, 00410449, 004104C4, 0041053F, 004105BA, 00410635, 004106B0, 0041072B, 004107A6, 00410821, 0041089C, 00410917, 00410992, 00410A0D, 00410A88, 00410B03, 00410B7E, 00410BF9, 00410C74, 00410CEF, 00410D6A, 00410DE5, 00410E60, 00410EDB, 00410F56, 00410FD1, 0041104C, 004110C7, 00411142, 004111BD, 00411238, 004112B3, 0041132E, 004113A9, 00411424, 0041149F, 0041151A, 00411595, 00411610, 0041168B, 00411706, 00411781, 004117FC, 00411877, 004118F2, 0041196D, 004119E8, 00411A63, 00411ADE, 00411B59, 00411BD4, 00411C4F, 00411CCA, 00411D45, 00411DC0, 00411E3B, 00411EB6, 00411F31, 00411FAC, 00412027

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CallProcWindow$AllocByteCharLoadMultiStringVirtualWide
String ID: %s $A string$Characters: %c %c $Decimals: %d %ld$Preceding with blanks: %10d $Preceding with zeros: %010d $Some different radices: %d %x %o %#x %#o $Width trick: %*d $floats: %4.2f %+.0e %E
API String ID: 965092674-1380062066
Opcode ID: 4faedc87637a6878093169c4d3d605fe4ab5dc08f946da224ed09edfd01ae1de
Instruction ID: 0aebab6a80ce3fde290079580919b52b1e3247745899e55c1e150ea4edafc8a6
Opcode Fuzzy Hash: 4faedc87637a6878093169c4d3d605fe4ab5dc08f946da224ed09edfd01ae1de
Instruction Fuzzy Hash: EF3422F0794B0170DD217A728D7BFBF1A189F61B8AF20084FF9D4342E3999D5AA4416E

Uniqueness

Uniqueness Score: -1.00%

Function 00434CC5, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00434CCA
GetPropA.USER32 ref: 00434CE2
CallWindowProcA.USER32 ref: 00434D40

Part of subcall function 00433D23: GetWindowRect.USER32 ref: 00433D48
Part of subcall function 00433D23: GetWindow.USER32(?,00000004), ref: 00433D65

SetWindowLongA.USER32 ref: 00434D70
RemovePropA.USER32 ref: 00434D78
GlobalFindAtomA.KERNEL32 ref: 00434D7F
GlobalDeleteAtom.KERNEL32 ref: 00434D86

Part of subcall function 00432754: GetWindowRect.USER32 ref: 00432760

CallWindowProcA.USER32 ref: 00434DDA

Strings

AfxOldWndProc423, xrefs: 00434CDB, 00434CE0, 00434D76, 00434D7E

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
String ID: AfxOldWndProc423
API String ID: 2397448395-1060338832
Opcode ID: ff15bca09e0eb7e406143482a3ef9c335fcd6e55898f3d77f75a080db70639e7
Instruction ID: 12abf3a039a44a727739dfb4959889e1be9217344ea0f0b479962cac14099a61
Opcode Fuzzy Hash: ff15bca09e0eb7e406143482a3ef9c335fcd6e55898f3d77f75a080db70639e7
Instruction Fuzzy Hash: 0C316172800219BBCB119FA5DD49EFF7F78FF49316F00412AF501A2161C739AA119BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0044EAAF, Relevance: 15.1, APIs: 10, Instructions: 99memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0047B6F4,75144DE0,?,?,0047B6D8,0047B6D8,?,0044F06F,75144DE0,00000000,?,0044D598,0044C800,0044D5B4,00437F34,0043B484), ref: 0044EAC0
GlobalAlloc.KERNELBASE(00000002,00000040,?,?,0047B6D8,0047B6D8,?,0044F06F,75144DE0,00000000,?,0044D598,0044C800,0044D5B4,00437F34,0043B484), ref: 0044EB11
GlobalHandle.KERNEL32(005A15D8), ref: 0044EB1A
GlobalUnlock.KERNEL32(00000000,?,?,0047B6D8,0047B6D8,?,0044F06F,75144DE0,00000000,?,0044D598,0044C800,0044D5B4,00437F34,0043B484,75144DE0), ref: 0044EB24
GlobalReAlloc.KERNEL32 ref: 0044EB38
GlobalHandle.KERNEL32(005A15D8), ref: 0044EB4A
GlobalLock.KERNEL32 ref: 0044EB51
LeaveCriticalSection.KERNEL32(?,?,?,0047B6D8,0047B6D8,?,0044F06F,75144DE0,00000000,?,0044D598,0044C800,0044D5B4,00437F34,0043B484,75144DE0), ref: 0044EB5A
GlobalLock.KERNEL32 ref: 0044EB66
LeaveCriticalSection.KERNEL32(?), ref: 0044EBAE

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: b04793688510a88f67e5c568a89932a2d6769de8e8383a32167a042d3a654f9b
Instruction ID: f7f23203b9efe10dc177ef4e6959b102c6c9f186cb83817a26fe115b791422a3
Opcode Fuzzy Hash: b04793688510a88f67e5c568a89932a2d6769de8e8383a32167a042d3a654f9b
Instruction Fuzzy Hash: B431EE30A00B05AFD720CF6ADC98A6ABBF9FF40345B01496EE956D3621D778F940CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004313E9, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004313EE
GetSystemMetrics.USER32 ref: 004314B2
GlobalLock.KERNEL32 ref: 0043151D
CreateDialogIndirectParamA.USER32(?,?,?,Function_00030DE2,00000000), ref: 0043154C

Strings

MS Shell Dlg, xrefs: 004314BC

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CreateDialogGlobalH_prologIndirectLockMetricsParamSystem
String ID: MS Shell Dlg
API String ID: 2364537584-76309092
Opcode ID: b1838b986e74c8f40b3d4ecf676eea66dee448865fa6d39ddd366ea3ccbe1829
Instruction ID: e0f64d9ec0343e99e2e9ee4d9acaebb91454337ed0347725652701e1449b16bc
Opcode Fuzzy Hash: b1838b986e74c8f40b3d4ecf676eea66dee448865fa6d39ddd366ea3ccbe1829
Instruction Fuzzy Hash: 6751A431900205EFCF119FA4C8859EEBBB5EF48315F24556BF412A72A2DB389E41CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00450457, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104,?,?), ref: 00450498
PathFindExtensionA.KERNELBASE(?), ref: 004504B2
lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0045054C
lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 00450579

Strings

.HLP, xrefs: 00450544
.CHM, xrefs: 0045053D
.INI, xrefs: 0045056D

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ExtensionFileFindModuleNamePathlstrcatlstrcpy
String ID: .CHM$.HLP$.INI
API String ID: 2140653559-4017452060
Opcode ID: 77cb3e02a1d5fd2dcdfbfdbf5264098ea0434eb04d60befdb6af3fc4bd62b3ee
Instruction ID: b6df33e5751ea74f5826cc98093051f0f3abe019c6a471caf1ebe553c2435343
Opcode Fuzzy Hash: 77cb3e02a1d5fd2dcdfbfdbf5264098ea0434eb04d60befdb6af3fc4bd62b3ee
Instruction Fuzzy Hash: 70412875500B09AFCB71EFA5D845BDA77E8AB08306F10482FFA89C6242EB38D5448F25

Uniqueness

Uniqueness Score: -1.00%

Function 0043918C, Relevance: 12.0, APIs: 8, Instructions: 38COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL ref: 00439199
GetSystemMetrics.USER32 ref: 004391A0
GetSystemMetrics.USER32 ref: 004391A7
GetSystemMetrics.USER32 ref: 004391B1
GetDC.USER32(00000000), ref: 004391BB
GetDeviceCaps.GDI32(00000000,00000058), ref: 004391CC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004391D4
ReleaseDC.USER32 ref: 004391DC

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
String ID:
API String ID: 1031845853-0
Opcode ID: 2dbb417450004d57444fbcb471158f4b0ee786ac08df754a132355d1f0c5ae34
Instruction ID: 042a91b24d9d83c6ebad07df20038e5cd2289658d9ba2151f457e89fbd6056d9
Opcode Fuzzy Hash: 2dbb417450004d57444fbcb471158f4b0ee786ac08df754a132355d1f0c5ae34
Instruction Fuzzy Hash: A0F03671A40B04AEE7206F729C59F277BB4EB95B12F11442AE6418B1D1D6B5D8018F54

Uniqueness

Uniqueness Score: -1.00%

Function 0044F45C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044F461
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000000,00000001,00439907,?,?,?,00456DE0), ref: 0044F4DA
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,00000000,00000001,00439907,?,?,?,00456DE0), ref: 0044F50D
RegCloseKey.ADVAPI32(?,?,?,00000000,00000001,00439907,?,?,?,00456DE0), ref: 0044F528
GetPrivateProfileStringA.KERNEL32(?,?,?,?,00001000,?), ref: 0044F57B

Strings

mE, xrefs: 0044F572

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: QueryValue$CloseH_prologPrivateProfileString
String ID: mE
API String ID: 1022837590-852767849
Opcode ID: 249ea3ed76278fdc5f2ad60c9f866fb1f1cab811b581774d5f974148515f067f
Instruction ID: f1cded26cd753e4b897d3bf62b173a12f1a3ee0e8f92eae1bcd43dace040cb53
Opcode Fuzzy Hash: 249ea3ed76278fdc5f2ad60c9f866fb1f1cab811b581774d5f974148515f067f
Instruction Fuzzy Hash: 0D416770800259FBDF20DF11CC408EEBB79FF48354F0084AAF959A6261D7B89A95EF54

Uniqueness

Uniqueness Score: -1.00%

Function 004505A5, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000000,00000000,0043B4A3,?,?,?,?,75144DE0,00000000,?,00419D19,00000000), ref: 004505AE
SetErrorMode.KERNELBASE(00000000,?,00419D19,00000000), ref: 004505B6
GetModuleHandleA.KERNEL32(user32.dll,00419D19,00000000), ref: 00450601
GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 00450611

Part of subcall function 00450457: GetModuleFileNameA.KERNEL32(?,?,00000104,?,?), ref: 00450498
Part of subcall function 00450457: PathFindExtensionA.KERNELBASE(?), ref: 004504B2
Part of subcall function 00450457: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0045054C
Part of subcall function 00450457: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 00450579

Strings

user32.dll, xrefs: 004505FC
NotifyWinEvent, xrefs: 0045060B

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ErrorModeModule$AddressExtensionFileFindHandleNamePathProclstrcatlstrcpy
String ID: NotifyWinEvent$user32.dll
API String ID: 4004864024-597752486
Opcode ID: b50bf68e2b5de257a348941957a5666d38a24f24bd2454486d7854c91595e3bd
Instruction ID: 74da4d911cd3c67dbcb73de4fb85063a1f61eb744a766c99006dd413cafa1df5
Opcode Fuzzy Hash: b50bf68e2b5de257a348941957a5666d38a24f24bd2454486d7854c91595e3bd
Instruction Fuzzy Hash: 94014BB4A10710AFD710EF619804A1A7B94AF08706F05886FF84997363DF78C844CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 0044DB78, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044DB7D

Part of subcall function 00439945: __EH_prolog.LIBCMT ref: 0043994A

Strings

PreviewPages, xrefs: 0044DBE0
Recent File List, xrefs: 0044DBBF
Settings, xrefs: 0044DBE5
File%d, xrefs: 0044DBBA

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: H_prolog
String ID: File%d$PreviewPages$Recent File List$Settings
API String ID: 3519838083-526586445
Opcode ID: f06a5cb311d69bc97bd4333ebde88718be601381b48ec27b8e411bc5b28f1ba3
Instruction ID: 6ecb9a6e47c6ed6da365f7f5841e959e2fb76d13caa31787ec29dc486ad6f34b
Opcode Fuzzy Hash: f06a5cb311d69bc97bd4333ebde88718be601381b48ec27b8e411bc5b28f1ba3
Instruction Fuzzy Hash: 5D014971E04340ABDB25DF689C01BAF7AB1FB85B10F20452FF821A7382CBB80900C758

Uniqueness

Uniqueness Score: -1.00%

Function 0041257E, Relevance: 7.6, APIs: 5, Instructions: 70windowencryptionCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412583
CertOpenStore.CRYPT32(00000000,00000000,00000000,00000000,00000000), ref: 00412595
GetSystemMenu.USER32(?,00000000), ref: 004125CB
AppendMenuA.USER32 ref: 00412610
AppendMenuA.USER32 ref: 0041261B

Part of subcall function 00401D3B: LoadStringW.USER32(00000005,0000000A,00000000,00000000), ref: 00401D4F

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Menu$Append$CertH_prologLoadOpenStoreStringSystem
String ID:
API String ID: 2154892219-0
Opcode ID: 11bb417483d622feea004db716fe9203556d7dc3c7520d62cdc46bb90d24d3f2
Instruction ID: acac48fb911abb386090c21b2f7dd5dbfc6e7f2fbe9a5444ef82efc6a18a4669
Opcode Fuzzy Hash: 11bb417483d622feea004db716fe9203556d7dc3c7520d62cdc46bb90d24d3f2
Instruction Fuzzy Hash: 2C110B70900114AFDB107BB6CC55EAFBB35FF44324F00452EF115E72A2CB7898108BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0044D9CA, Relevance: 6.1, APIs: 4, Instructions: 71registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000001,004781F0,00000000,00000001,?), ref: 0044DA0D
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000004), ref: 0044DA2D
RegCloseKey.ADVAPI32(?), ref: 0044DA71
RegCloseKey.ADVAPI32(00000000), ref: 0044DA87

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID:
API String ID: 1607946009-0
Opcode ID: e5fe929cb7eb099dfd86e2b72a41db03c230be63d796b1944a5c0b7d55085c9c
Instruction ID: 7605e3d858354b6adad4e8cc50f48b23ac3a8088f01cb4c1ddeff153822fe4fb
Opcode Fuzzy Hash: e5fe929cb7eb099dfd86e2b72a41db03c230be63d796b1944a5c0b7d55085c9c
Instruction Fuzzy Hash: DD2138B1D04208EFEB14CF96CC45AAEBBB8EF90705F1040ABE505B6261D7745A00CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0044F3F3, Relevance: 4.5, APIs: 3, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?,?,?), ref: 0044F42C
RegCloseKey.ADVAPI32(00000000,?,?), ref: 0044F435
GetPrivateProfileIntA.KERNEL32 ref: 0044F451

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ClosePrivateProfileQueryValue
String ID:
API String ID: 1423431592-0
Opcode ID: a5adae195a35fa4e73bf76f32d84e35c62258e7142751bb22f96dca9acb772e9
Instruction ID: 74f09bcaac624bead4b59f43faef543b983ea7b1c8e5fdb6f0ea1876ef778dd1
Opcode Fuzzy Hash: a5adae195a35fa4e73bf76f32d84e35c62258e7142751bb22f96dca9acb772e9
Instruction Fuzzy Hash: 49014672100218FBDB129F80DC04EEF3BB8EF54755F10803AFA05AA110DB75EA199B98

Uniqueness

Uniqueness Score: -1.00%

Function 0041C139, Relevance: 3.1, APIs: 2, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0041C17D
RtlAllocateHeap.NTDLL(00000008,?,0045C8B8,00000010,0041E3E7,00000001,0000008C,?,0041E870,?,00419950,00000001,00478DA0,0045C788,00000010,00401E17), ref: 0041C1BB

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: AllocateHeap__lock
String ID:
API String ID: 4078605025-0
Opcode ID: 1c62fde75f761435134d66b5f4cffda9508f87cd5b6bc7cb12e4df8c1025f6b6
Instruction ID: c1d28866222c0dc6414e7fea66e701ef6e43db6b2debc05eda2622e8d1883d5a
Opcode Fuzzy Hash: 1c62fde75f761435134d66b5f4cffda9508f87cd5b6bc7cb12e4df8c1025f6b6
Instruction Fuzzy Hash: 1611E632DC0615A6CB21AB658C816DE7B21AF90724F15421BEC24A73D3CB3C8AC18F9C

Uniqueness

Uniqueness Score: -1.00%

Function 004398A4, Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004398A9
wsprintfA.USER32 ref: 004398E6

Part of subcall function 0044F45C: __EH_prolog.LIBCMT ref: 0044F461

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: H_prolog$wsprintf
String ID:
API String ID: 172397338-0
Opcode ID: 3de8a07d2760c78c032f7f6cf612e55542b580be98464b1f87c14e7a0f445d2a
Instruction ID: b58df83bfa8cb1f87c15a047e07b73912b99d9eb8ca075b9dcc5624172093b3b
Opcode Fuzzy Hash: 3de8a07d2760c78c032f7f6cf612e55542b580be98464b1f87c14e7a0f445d2a
Instruction Fuzzy Hash: 8511B671900605DFCB14EFA9D8819AEB7F5FF48318F10452EF461E7691CB34A904CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041902C, Relevance: 3.0, APIs: 2, Instructions: 34memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0041904E

Part of subcall function 0041C486: EnterCriticalSection.KERNEL32(00478DA0,00478DA0,?,0041E870,?,00419950,00000001,00478DA0,0045C788,00000010,00401E17,Characters: %c %c ,00000061,00000041), ref: 0041C4AE

RtlAllocateHeap.NTDLL(00000000,?,0045C768,0000000C,004190B7,000000E0,004190E2,?,0041C409,00000018,0045C8C8,00000008,0041C49F,?,00478DA0), ref: 0041908F

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: AllocateCriticalEnterHeapSection__lock
String ID:
API String ID: 409319249-0
Opcode ID: 915dc4749733b52090c7e78aff1820d60ee7a4f24177a6b31d71a6b438375017
Instruction ID: dc5206d65ac73eaf864f438a6c0f78885cd20580cda411dd0d3dda0f5c44dbbb
Opcode Fuzzy Hash: 915dc4749733b52090c7e78aff1820d60ee7a4f24177a6b31d71a6b438375017
Instruction Fuzzy Hash: 85F0F631C80211D6DB24BB759C567DE7B60AB08324F25422EEC58672E1C73C5DC0CB4D

Uniqueness

Uniqueness Score: -1.00%

Function 00431AAC, Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00431AD3
CallWindowProcA.USER32 ref: 00431AE8

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ProcWindow$Call
String ID:
API String ID: 2316559721-0
Opcode ID: a8875d60b43fa694f0911aa7ee2c2c2b59b12663bbda4821a0ac7331270e0a87
Instruction ID: 9a5d0fe453fd5e5d442d397c126565b24aef5118643a609f3f89f8589eb6a085
Opcode Fuzzy Hash: a8875d60b43fa694f0911aa7ee2c2c2b59b12663bbda4821a0ac7331270e0a87
Instruction Fuzzy Hash: 01F01536101609EFCF219F95DC18DAA7BBAFF0C352F048429FA0586630D372E820AB54

Uniqueness

Uniqueness Score: -1.00%

Function 0041C4D1, Relevance: 3.0, APIs: 2, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00419C63,00000001,?,0045C7A8,00000060), ref: 0041C4E2

Part of subcall function 0041C5BC: HeapAlloc.KERNEL32(00000000,00000140,0041C50A,000003F8,?,0045C7A8,00000060), ref: 0041C5C9

HeapDestroy.KERNEL32(?,0045C7A8,00000060), ref: 0041C515

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Heap$AllocCreateDestroy
String ID:
API String ID: 2236781399-0
Opcode ID: 87bbc2843d472829b2ef89704e86d8af703d01ada110c1709cc2f7aeb2b71cc2
Instruction ID: 7c3bd9f5b4b46e9794cf6a332750d5066d7fd5e8b96e20f30908588fd1cd5013
Opcode Fuzzy Hash: 87bbc2843d472829b2ef89704e86d8af703d01ada110c1709cc2f7aeb2b71cc2
Instruction Fuzzy Hash: C7E04FB1695310EADB10AF719D8DBAA3AD6DB4478AF00043FF404C51E1EB78D5C0EA1D

Uniqueness

Uniqueness Score: -1.00%

Function 0043503C, Relevance: 3.0, APIs: 2, Instructions: 25threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0044F02F: __EH_prolog.LIBCMT ref: 0044F034

GetCurrentThreadId.KERNEL32 ref: 0043505E
SetWindowsHookExA.USER32 ref: 0043506E

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CurrentH_prologHookThreadWindows
String ID:
API String ID: 2183259885-0
Opcode ID: fa57018b2061f09c2615cee7a7a8ab451c877c7e69fac4a8b5c0bd024d663bfc
Instruction ID: 63aff0302d2982f97e3b76b7288842a291ddd2f00c7bfc238e4339544eb3de98
Opcode Fuzzy Hash: fa57018b2061f09c2615cee7a7a8ab451c877c7e69fac4a8b5c0bd024d663bfc
Instruction Fuzzy Hash: 7CE06531740B109ED2306B92AC15F5776A4DBC8726F51552FE50986141C335A84486BD

Uniqueness

Uniqueness Score: -1.00%

Function 00438522, Relevance: 3.0, APIs: 2, Instructions: 15threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00438535
SetWindowsHookExA.USER32 ref: 00438545

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CurrentHookThreadWindows
String ID:
API String ID: 1904029216-0
Opcode ID: 60a374326582e6fd45de703582bfe03cc6b3e523ebf7321959d28aa07a968d44
Instruction ID: ccc9c6806e51c4b76788036dcd35ea03a28c57b756b3c0db120f588d1f581546
Opcode Fuzzy Hash: 60a374326582e6fd45de703582bfe03cc6b3e523ebf7321959d28aa07a968d44
Instruction Fuzzy Hash: F2D0A771C047607FFB102B746C19B293A505B05739F54175EF424961D2CE7CD5404B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00433D9C, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00433DA1

Part of subcall function 0044F02F: __EH_prolog.LIBCMT ref: 0044F034

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 1f4f402cad16baa03feb8c9b8df4c1ff7379fb18e5b1fbac80ea2e244e1f3584
Instruction ID: 217b5259fde65db3885a56b274e9404f905c368ae3fa042c110acc6f53840b47
Opcode Fuzzy Hash: 1f4f402cad16baa03feb8c9b8df4c1ff7379fb18e5b1fbac80ea2e244e1f3584
Instruction Fuzzy Hash: BF2168B2900219EFCF05DF59C4829EE7BB5FB48354F10402AF801AB241D374AE85CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0044F02F, Relevance: 1.5, APIs: 1, Instructions: 39COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044F034

Part of subcall function 0044ED79: TlsAlloc.KERNEL32(?,0044F05E,75144DE0,00000000,?,0044D598,0044C800,0044D5B4,00437F34,0043B484,75144DE0,00000000,?,00419D19,00000000), ref: 0044ED9B

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: AllocH_prolog
String ID:
API String ID: 3910492588-0
Opcode ID: 08853716338d5d36f3402c2a6b0b7152c1237e78638d7e359c55b01d012e747f
Instruction ID: b0c5c036e64a4565b7a51127bc03cc4d744149bd569e55b8a23d2c6ab39c094b
Opcode Fuzzy Hash: 08853716338d5d36f3402c2a6b0b7152c1237e78638d7e359c55b01d012e747f
Instruction Fuzzy Hash: 3D0181356006019FEB29EF26D81176DB7B2FBD0365F10417EE58697391DB388D40CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00433E89, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d4ba2c1095bed3d4b5280d8abe911dbadc0f125a87d9c0df28e24cff0d19e04
Instruction ID: ce3cd2652dd46680a49740dd8ad986874befb26150446ae74fbe0de2da8d8814
Opcode Fuzzy Hash: 3d4ba2c1095bed3d4b5280d8abe911dbadc0f125a87d9c0df28e24cff0d19e04
Instruction Fuzzy Hash: 67F0153240121DFBCF125E919C069EF3B69AF0D366F049426FA1591121C739DB22ABAA

Uniqueness

Uniqueness Score: -1.00%

Function 00412675, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041267A

Part of subcall function 0044DB78: __EH_prolog.LIBCMT ref: 0044DB7D

Part of subcall function 00412137: __EH_prolog.LIBCMT ref: 0041213C

Part of subcall function 004315F6: __EH_prolog.LIBCMT ref: 004315FB
Part of subcall function 004315F6: FindResourceA.KERNEL32(?,00000000,00000005), ref: 00431633
Part of subcall function 004315F6: LoadResource.KERNEL32(?,00000000), ref: 0043163B
Part of subcall function 004315F6: LockResource.KERNEL32(00000000), ref: 0043164D

Part of subcall function 00430E44: __EH_prolog.LIBCMT ref: 00430E49

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: H_prolog$Resource$FindLoadLock
String ID:
API String ID: 807587585-0
Opcode ID: 440cd8fa29eb9ee4f3801710ff5bdcedb7e66363f248bb282ecd869aaa0fc82a
Instruction ID: b45528432e8057bea371eba47b4c80f828b5add35470d5ee7ebcf6187e48438f
Opcode Fuzzy Hash: 440cd8fa29eb9ee4f3801710ff5bdcedb7e66363f248bb282ecd869aaa0fc82a
Instruction Fuzzy Hash: B9F08CB1E002199BCB24EB71CA027D8B770AF04329F0086AE9246A2581DF785F04CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0044EA87, Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000040,?,0044EE76,00000010,?,?,0047B6D8,?,0044F097,?,00000000,?,75144DE0,00000000,?,0044D598), ref: 0044EA8D

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: d2e79616b60776e2bc31ad6d9bb95daf1f1a21edb826a79946fb987e643edbbd
Instruction ID: 13ce1ef4d37947a88db7a44f601ec1a38e18faf4ed9f4b99ce46d884010a754e
Opcode Fuzzy Hash: d2e79616b60776e2bc31ad6d9bb95daf1f1a21edb826a79946fb987e643edbbd
Instruction Fuzzy Hash: 21B092BA20070256E6143FA25C56F1EAA58BF60B86F41842AE74890051D67A8450A62E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0042F3FF, Relevance: 35.3, APIs: 16, Strings: 4, Instructions: 315
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0042F3FF(signed int __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t108;
				void* _t111;
				signed int _t112;
				signed int _t113;
				signed int _t115;
				intOrPtr _t119;
				void* _t132;
				signed int _t136;
				signed int _t140;
				void* _t148;
				intOrPtr* _t155;
				signed int _t157;
				signed int _t169;
				signed int _t170;
				signed int _t173;
				signed int _t183;
				void* _t185;
				signed short _t192;
				void* _t195;
				void* _t198;
				void* _t200;
				void* _t201;
				void* _t204;

				_t108 = E00419918(E00454A1C, _t198);
				_t201 = _t200 - 0x7c;
				_t155 =  *((intOrPtr*)(_t198 + 8));
				_t192 =  *(_t155 + 4);
				_t183 = __ecx;
				 *(_t198 - 0x10) = __ecx;
				 *(_t198 - 0x1c) = _t192;
				if(_t192 == 0x200 || _t192 == 0xa0 || _t192 == 0x202 || _t192 == 0x205 || _t192 == 0x208) {
					_t108 = GetKeyState(1);
					if(_t108 < 0) {
						L46:
						_t192 =  *(_t198 - 0x1c);
						goto L47;
					}
					_t108 = GetKeyState(2);
					if(_t108 < 0) {
						goto L46;
					}
					_t108 = GetKeyState(4);
					if(_t108 < 0) {
						goto L46;
					} else {
						_t111 = E0044D5AF();
						_push( *_t155);
						_t195 = _t111;
						 *(_t198 - 0x18) = _t195;
						while(1) {
							_t108 = E0043357A(_t198);
							if(_t108 == 0) {
								break;
							}
							__eflags =  *(_t108 + 0x38) & 0x00000401;
							if(( *(_t108 + 0x38) & 0x00000401) != 0) {
								break;
							} else {
								_push(GetParent( *(_t108 + 0x1c)));
								continue;
							}
						}
						if(_t108 == _t183) {
							_t157 =  *(_t195 + 0x3c);
							_t112 = E0043389A(_t183);
							__eflags = _t157;
							 *(_t198 - 0x14) = _t112;
							if(_t157 == 0) {
								L19:
								_t113 = E004373BE(0x6c);
								 *(_t198 - 0x1c) = _t113;
								_t157 = 0;
								__eflags = _t113;
								 *(_t198 - 4) = 0;
								if(__eflags != 0) {
									_t157 = E0042EEE1(_t113, __eflags);
								}
								 *(_t198 - 4) =  *(_t198 - 4) | 0xffffffff;
								_t115 =  *((intOrPtr*)( *_t157 + 0x130))( *(_t198 - 0x14), 1);
								__eflags = _t115;
								if(_t115 != 0) {
									SendMessageA( *(_t157 + 0x1c), 0x401, 0, 0);
									_t183 =  *(_t198 - 0x10);
									 *(_t195 + 0x3c) = _t157;
									L24:
									L00419E80(_t198 - 0x88, 0, 0x30);
									_t119 =  *((intOrPtr*)(_t198 + 8));
									 *((intOrPtr*)(_t198 - 0x24)) =  *((intOrPtr*)(_t119 + 0x18));
									 *(_t198 - 0x28) =  *(_t119 + 0x14);
									ScreenToClient( *(_t183 + 0x1c), _t198 - 0x28);
									L00419E80(_t198 - 0x58, 0, 0x30);
									_t204 = _t201 + 0x18;
									 *(_t198 - 0x58) = 0x28;
									_t108 =  *((intOrPtr*)( *_t183 + 0x6c))( *(_t198 - 0x28),  *((intOrPtr*)(_t198 - 0x24)), _t198 - 0x58);
									asm("sbb ecx, ecx");
									_t169 =  ~(_t108 + 1) & _t183;
									__eflags =  *(_t195 + 0x44) - _t108;
									 *(_t198 - 0x1c) = _t108;
									 *(_t198 - 0x14) = _t169;
									if( *(_t195 + 0x44) != _t108) {
										L30:
										__eflags = _t108 - 0xffffffff;
										if(_t108 == 0xffffffff) {
											SendMessageA( *(_t157 + 0x1c), 0x401, 0, 0);
											L39:
											E0042F1F9(_t157,  *((intOrPtr*)(_t198 + 8)));
											_t83 = _t195 + 0x48; // 0x48
											_t185 = _t83;
											__eflags =  *_t185 - 0x28;
											if( *_t185 >= 0x28) {
												SendMessageA( *(_t157 + 0x1c), 0x405, 0, _t185);
											}
											 *(_t195 + 0x40) =  *(_t198 - 0x14);
											 *(_t195 + 0x44) =  *(_t198 - 0x1c);
											_t170 = 0xc;
											_t195 = _t198 - 0x58;
											_t108 = memcpy(_t185, _t195, _t170 << 2);
											_t183 = _t195 + _t170 + _t170;
											L42:
											__eflags =  *((intOrPtr*)(_t198 - 0x34)) - 0xffffffff;
											if( *((intOrPtr*)(_t198 - 0x34)) != 0xffffffff) {
												__eflags =  *(_t198 - 0x38);
												if(__eflags == 0) {
													_push( *((intOrPtr*)(_t198 - 0x34)));
													_t108 = E004190E5(_t157, _t183, _t195, __eflags);
												}
											}
											goto L75;
										}
										_t173 = 0xc;
										_t132 = memcpy(_t198 - 0x88, _t198 - 0x58, _t173 << 2);
										_t204 = _t204 + 0xc;
										 *(_t198 - 0x81) =  *(_t198 - 0x81) & 0x0000003f;
										__eflags =  *(_t132 + 0x38) & 0x00000400;
										if(( *(_t132 + 0x38) & 0x00000400) != 0) {
											_t65 = _t198 - 0x84;
											 *_t65 =  *(_t198 - 0x84) | 0x00000020;
											__eflags =  *_t65;
										}
										SendMessageA( *(_t157 + 0x1c), 0x404, 0, _t198 - 0x88);
										__eflags =  *(_t198 - 0x51) & 0x00000040;
										if(( *(_t198 - 0x51) & 0x00000040) != 0) {
											L35:
											SendMessageA( *(_t157 + 0x1c), 0x401, 1, 0);
											_t136 =  *(_t198 - 0x10);
											__eflags =  *(_t136 + 0x38) & 0x00000400;
											if(( *(_t136 + 0x38) & 0x00000400) != 0) {
												SendMessageA( *(_t157 + 0x1c), 0x411, 1, _t198 - 0x88);
											}
											SetWindowPos( *(_t157 + 0x1c), 0, 0, 0, 0, 0, 0x213);
											goto L38;
										} else {
											_t140 = E0043480D();
											__eflags = _t140;
											if(_t140 == 0) {
												L38:
												_t195 =  *(_t198 - 0x18);
												goto L39;
											}
											goto L35;
										}
									}
									__eflags =  *(_t195 + 0x40) - _t169;
									if( *(_t195 + 0x40) != _t169) {
										goto L30;
									}
									__eflags =  *(_t183 + 0x39) & 0x00000004;
									if(( *(_t183 + 0x39) & 0x00000004) == 0) {
										__eflags = _t108 - 0xffffffff;
										if(_t108 != 0xffffffff) {
											_t108 = E0042F1F9(_t157,  *((intOrPtr*)(_t198 + 8)));
										}
									} else {
										GetCursorPos(_t198 - 0x20);
										_t108 = SendMessageA( *(_t157 + 0x1c), 0x412, 0, ( *(_t198 - 0x1c) & 0x0000ffff) << 0x00000010 |  *(_t198 - 0x20) & 0x0000ffff);
									}
									goto L42;
								} else {
									_t108 =  *((intOrPtr*)( *_t157 + 4))(1);
									goto L75;
								}
							}
							_t148 = E00413B0C(_t157);
							__eflags = _t148 -  *(_t198 - 0x14);
							if(_t148 !=  *(_t198 - 0x14)) {
								 *((intOrPtr*)( *_t157 + 0x60))();
								 *((intOrPtr*)( *_t157 + 4))(1);
								_t157 = 0;
								__eflags = 0;
								 *(_t195 + 0x3c) = 0;
							}
							__eflags = _t157;
							if(_t157 != 0) {
								goto L24;
							} else {
								goto L19;
							}
						}
						if(_t108 == 0) {
							 *(_t195 + 0x40) =  *(_t195 + 0x40) & _t108;
							 *(_t195 + 0x44) =  *(_t195 + 0x44) | 0xffffffff;
						}
						goto L75;
					}
				} else {
					L47:
					__eflags =  *(_t183 + 0x38) & 0x00000401;
					if(( *(_t183 + 0x38) & 0x00000401) == 0) {
						L75:
						 *[fs:0x0] =  *((intOrPtr*)(_t198 - 0xc));
						return _t108;
					}
					_push( *_t155);
					while(1) {
						_t108 = E0043357A(_t198);
						__eflags = _t108;
						if(_t108 == 0) {
							break;
						}
						__eflags = _t108 - _t183;
						if(_t108 == _t183) {
							L54:
							__eflags = _t192 - 0x100;
							if(_t192 < 0x100) {
								L56:
								__eflags = _t192 - 0x104;
								if(_t192 < 0x104) {
									L59:
									_t108 = 0;
									__eflags = 0;
									L60:
									__eflags =  *(_t183 + 0x39) & 0x00000004;
									if(( *(_t183 + 0x39) & 0x00000004) != 0) {
										goto L75;
									}
									__eflags = _t108;
									if(_t108 != 0) {
										L74:
										_t108 = E0043280E(_t108);
										goto L75;
									}
									__eflags = _t192 - 0x201;
									if(_t192 == 0x201) {
										goto L74;
									}
									__eflags = _t192 - 0x203;
									if(_t192 == 0x203) {
										goto L74;
									}
									__eflags = _t192 - 0x204;
									if(_t192 == 0x204) {
										goto L74;
									}
									__eflags = _t192 - 0x206;
									if(_t192 == 0x206) {
										goto L74;
									}
									__eflags = _t192 - 0x207;
									if(_t192 == 0x207) {
										goto L74;
									}
									__eflags = _t192 - 0x209;
									if(_t192 == 0x209) {
										goto L74;
									}
									__eflags = _t192 - 0xa1;
									if(_t192 == 0xa1) {
										goto L74;
									}
									__eflags = _t192 - 0xa3;
									if(_t192 == 0xa3) {
										goto L74;
									}
									__eflags = _t192 - 0xa4;
									if(_t192 == 0xa4) {
										goto L74;
									}
									__eflags = _t192 - 0xa6;
									if(_t192 == 0xa6) {
										goto L74;
									}
									__eflags = _t192 - 0xa7;
									if(_t192 == 0xa7) {
										goto L74;
									}
									__eflags = _t192 - 0xa9;
									if(_t192 != 0xa9) {
										goto L75;
									}
									goto L74;
								}
								__eflags = _t192 - 0x107;
								if(_t192 > 0x107) {
									goto L59;
								}
								L58:
								_t108 = 1;
								goto L60;
							}
							__eflags = _t192 - 0x109;
							if(_t192 <= 0x109) {
								goto L58;
							}
							goto L56;
						}
						__eflags =  *(_t108 + 0x38) & 0x00000401;
						if(( *(_t108 + 0x38) & 0x00000401) != 0) {
							break;
						}
						_push(GetParent( *(_t108 + 0x1c)));
					}
					__eflags = _t108 - _t183;
					if(_t108 != _t183) {
						goto L75;
					}
					goto L54;
				}
			}

0x0042f404
0x0042f409
0x0042f40d
0x0042f411
0x0042f41b
0x0042f41d
0x0042f420
0x0042f423
0x0042f451
0x0042f456
0x0042f70f
0x0042f70f
0x00000000
0x0042f70f
0x0042f45e
0x0042f463
0x00000000
0x00000000
0x0042f46b
0x0042f470
0x00000000
0x0042f476
0x0042f476
0x0042f47b
0x0042f47d
0x0042f47f
0x0042f496
0x0042f496
0x0042f49d
0x00000000
0x00000000
0x0042f484
0x0042f48a
0x00000000
0x0042f48c
0x0042f495
0x00000000
0x0042f495
0x0042f48a
0x0042f4a1
0x0042f4b7
0x0042f4bc
0x0042f4c1
0x0042f4c3
0x0042f4c6
0x0042f4ed
0x0042f4ef
0x0042f4f5
0x0042f4f8
0x0042f4fa
0x0042f4fc
0x0042f4ff
0x0042f508
0x0042f508
0x0042f50c
0x0042f517
0x0042f51d
0x0042f51f
0x0042f53b
0x0042f541
0x0042f544
0x0042f547
0x0042f552
0x0042f557
0x0042f563
0x0042f56d
0x0042f570
0x0042f57e
0x0042f585
0x0042f594
0x0042f59b
0x0042f5a3
0x0042f5a5
0x0042f5a7
0x0042f5aa
0x0042f5ad
0x0042f5b0
0x0042f601
0x0042f601
0x0042f604
0x0042f707
0x0042f6a3
0x0042f6a7
0x0042f6ac
0x0042f6ac
0x0042f6af
0x0042f6b2
0x0042f6bf
0x0042f6bf
0x0042f6c8
0x0042f6ce
0x0042f6d3
0x0042f6d4
0x0042f6d7
0x0042f6d7
0x0042f6d9
0x0042f6d9
0x0042f6dd
0x0042f6e3
0x0042f6e7
0x0042f6ed
0x0042f6f0
0x0042f6f5
0x0042f6e7
0x00000000
0x0042f6dd
0x0042f60f
0x0042f619
0x0042f619
0x0042f61b
0x0042f627
0x0042f62a
0x0042f62c
0x0042f62c
0x0042f62c
0x0042f62c
0x0042f645
0x0042f64b
0x0042f64f
0x0042f65d
0x0042f668
0x0042f66e
0x0042f671
0x0042f674
0x0042f687
0x0042f687
0x0042f69a
0x00000000
0x0042f651
0x0042f654
0x0042f659
0x0042f65b
0x0042f6a0
0x0042f6a0
0x00000000
0x0042f6a0
0x00000000
0x0042f65b
0x0042f64f
0x0042f5b2
0x0042f5b5
0x00000000
0x00000000
0x0042f5b7
0x0042f5bb
0x0042f5ea
0x0042f5ed
0x0042f5f7
0x0042f5f7
0x0042f5bd
0x0042f5c1
0x0042f5df
0x0042f5df
0x00000000
0x0042f521
0x0042f527
0x00000000
0x0042f527
0x0042f51f
0x0042f4ca
0x0042f4cf
0x0042f4d2
0x0042f4d8
0x0042f4e1
0x0042f4e4
0x0042f4e4
0x0042f4e6
0x0042f4e6
0x0042f4e9
0x0042f4eb
0x00000000
0x00000000
0x00000000
0x00000000
0x0042f4eb
0x0042f4a5
0x0042f4ab
0x0042f4ae
0x0042f4ae
0x00000000
0x0042f4a5
0x0042f712
0x0042f712
0x0042f712
0x0042f718
0x0042f7e0
0x0042f7e6
0x0042f7ee
0x0042f7ee
0x0042f71e
0x0042f738
0x0042f738
0x0042f73d
0x0042f73f
0x00000000
0x00000000
0x0042f722
0x0042f724
0x0042f749
0x0042f749
0x0042f74f
0x0042f759
0x0042f759
0x0042f75f
0x0042f76e
0x0042f76e
0x0042f76e
0x0042f770
0x0042f770
0x0042f774
0x00000000
0x00000000
0x0042f776
0x0042f778
0x0042f7da
0x0042f7db
0x00000000
0x0042f7db
0x0042f77a
0x0042f780
0x00000000
0x00000000
0x0042f782
0x0042f788
0x00000000
0x00000000
0x0042f78a
0x0042f790
0x00000000
0x00000000
0x0042f792
0x0042f798
0x00000000
0x00000000
0x0042f79a
0x0042f7a0
0x00000000
0x00000000
0x0042f7a2
0x0042f7a8
0x00000000
0x00000000
0x0042f7aa
0x0042f7b0
0x00000000
0x00000000
0x0042f7b2
0x0042f7b8
0x00000000
0x00000000
0x0042f7ba
0x0042f7c0
0x00000000
0x00000000
0x0042f7c2
0x0042f7c8
0x00000000
0x00000000
0x0042f7ca
0x0042f7d0
0x00000000
0x00000000
0x0042f7d2
0x0042f7d8
0x00000000
0x00000000
0x00000000
0x0042f7d8
0x0042f761
0x0042f767
0x00000000
0x00000000
0x0042f769
0x0042f76b
0x00000000
0x0042f76b
0x0042f751
0x0042f757
0x00000000
0x00000000
0x00000000
0x0042f757
0x0042f726
0x0042f72c
0x00000000
0x00000000
0x0042f737
0x0042f737
0x0042f741
0x0042f743
0x00000000
0x00000000
0x00000000
0x0042f743

APIs

__EH_prolog.LIBCMT ref: 0042F404
GetKeyState.USER32(00000001), ref: 0042F451
GetKeyState.USER32(00000002), ref: 0042F45E
GetKeyState.USER32(00000004), ref: 0042F46B
GetParent.USER32(?), ref: 0042F48F
SendMessageA.USER32 ref: 0042F53B
ScreenToClient.USER32 ref: 0042F570
GetCursorPos.USER32(?), ref: 0042F5C1
SendMessageA.USER32 ref: 0042F5DF
SendMessageA.USER32 ref: 0042F645
SendMessageA.USER32 ref: 0042F668
SendMessageA.USER32 ref: 0042F687
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 0042F69A
SendMessageA.USER32 ref: 0042F6BF
SendMessageA.USER32 ref: 0042F707
GetParent.USER32(?), ref: 0042F731

Strings

(, xrefs: 0042F594
@, xrefs: 0042F64B
, xrefs: 0042F62C
?, xrefs: 0042F61B

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: MessageSend$State$Parent$ClientCursorH_prologScreenWindow
String ID: $($?$@
API String ID: 986702660-3087990773
Opcode ID: fa45840331a6837140e9f3663fdfe2cf2cf915c048df345d933a95ca7f139334
Instruction ID: 645ea65694465927c16707bc8c9557f9d65393d4b53347270150bd7d072ef258
Opcode Fuzzy Hash: fa45840331a6837140e9f3663fdfe2cf2cf915c048df345d933a95ca7f139334
Instruction Fuzzy Hash: 79B1D231F003259BDF249F64E894BAEBB71BF44310FD0403BE915A62A2D7B89C49CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0043F939, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 183timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043F93E
GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?,?,?), ref: 0043F9F8
GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?,00000002,00000000), ref: 0043FA59
GetTempFileNameA.KERNEL32(?,MFC,00000000,00000000,00000105), ref: 0043FA81
GetFileTime.KERNEL32(?,?,?,?,?), ref: 0043FAEC
SetFileTime.KERNEL32(?,?,?,?), ref: 0043FB23
GetFileSecurityA.ADVAPI32(?,00000004,00000000,00000000,?), ref: 0043FB3D
GetFileSecurityA.ADVAPI32(?,00000004,00000000,?,?), ref: 0043FB5B
SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 0043FB66

Part of subcall function 0043AE3F: lstrlenA.KERNEL32(?), ref: 0043AE64

Part of subcall function 0043A335: lstrcpynA.KERNEL32(00000000,?,00000104,?,?,?), ref: 0043A35A
Part of subcall function 0043A335: PathStripToRootA.SHLWAPI(00000000,?,?), ref: 0043A361

Strings

MFC, xrefs: 0043FA75

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: File$Security$NamePathTime$DiskFreeFullH_prologRootSpaceStripTemplstrcpynlstrlen
String ID: MFC
API String ID: 2960963224-3472178984
Opcode ID: 000f3017135bc5596765eadf87e780dc25116876d85065b7d0e35b8530dcd974
Instruction ID: d14240499df8106903f71790e60ea8d1bfa2d9f101d02f2e5fa7e7c4b8ddae1d
Opcode Fuzzy Hash: 000f3017135bc5596765eadf87e780dc25116876d85065b7d0e35b8530dcd974
Instruction Fuzzy Hash: A56142B2900618AFDF21AF51CC95AEEB7B9EF08314F0041AAF919E6151DB349E94CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004415C2, Relevance: 16.2, APIs: 5, Strings: 4, Instructions: 475windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004415C7

Part of subcall function 00412B67: __EH_prolog.LIBCMT ref: 00412B6C

IsIconic.USER32 ref: 004417E9

Part of subcall function 00435F86: ShowWindow.USER32(?,?,00438612,?,?,00000363,00000001,00000000,00000001,00000001,?,?,00000363,00000001,00000000), ref: 00435F93

SetForegroundWindow.USER32(?,-00000005), ref: 0044180B
SendMessageA.USER32 ref: 00441B13
PostMessageA.USER32 ref: 00441B55

Strings

",", xrefs: 0044185E, 00441863, 00441935, 00441A04
[printto(", xrefs: 004416A1
[open(", xrefs: 00441606
[print(", xrefs: 00441655

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: H_prologMessageWindow$ForegroundIconicPostSendShow
String ID: ","$[open("$[print("$[printto("
API String ID: 2480954500-3790869113
Opcode ID: 40ea25502fe8bc902dd47906edb569e27eccf96a855221a8527ff40bd0404a27
Instruction ID: e4b983113aa8f667d0804ef484494dddcb033bac977f96556f38b6c415734fcc
Opcode Fuzzy Hash: 40ea25502fe8bc902dd47906edb569e27eccf96a855221a8527ff40bd0404a27
Instruction Fuzzy Hash: C402D931900144AFDB04EBB9C885EDE7BB4AF15328F14426EF5556B2E3DF389A48C798

Uniqueness

Uniqueness Score: -1.00%

Function 0043A377, Relevance: 15.1, APIs: 10, Instructions: 102stringfileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043A37C
GetFullPathNameA.KERNEL32(?,00000104,?,?,00000104,?,?), ref: 0043A3A6
lstrcpynA.KERNEL32(?,?,00000104,?,?), ref: 0043A3B7

Part of subcall function 0043A335: lstrcpynA.KERNEL32(00000000,?,00000104,?,?,?), ref: 0043A35A
Part of subcall function 0043A335: PathStripToRootA.SHLWAPI(00000000,?,?), ref: 0043A361

PathIsUNCA.SHLWAPI(?,?,?,?,?), ref: 0043A3EC
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0043A410
CharUpperA.USER32(?,?,?), ref: 0043A428
FindFirstFileA.KERNEL32(?,?,?,?), ref: 0043A441
FindClose.KERNEL32(00000000,?,?), ref: 0043A44D
lstrlenA.KERNEL32(?,?,?), ref: 0043A46A
lstrcpyA.KERNEL32(?,?,?,?), ref: 0043A489

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Path$Findlstrcpyn$CharCloseFileFirstFullH_prologInformationNameRootStripUpperVolumelstrcpylstrlen
String ID:
API String ID: 4080879615-0
Opcode ID: 9fdb73c9f1dba1122f5efb8da8d55b859529b77c08e8a971a5295cd1962b9ea6
Instruction ID: 1d4a934237853f749489da2ceee5b8d8318a5f46f87b742eeab7e1df982f92f0
Opcode Fuzzy Hash: 9fdb73c9f1dba1122f5efb8da8d55b859529b77c08e8a971a5295cd1962b9ea6
Instruction Fuzzy Hash: CE31DF31900618EFCB119F60CC8CAFE7BB8EF58359F0041AAF959D6261D7788E908B59

Uniqueness

Uniqueness Score: -1.00%

Function 0042755B, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 134COMMON

Download Yara Rule

APIs

_TranslateName.LIBCMT ref: 004275B6
_TranslateName.LIBCMT ref: 004275FF
IsValidCodePage.KERNEL32(00000000,00000082,?,004791F8,004222F7,?,0047BC84,?), ref: 00427663
IsValidLocale.KERNEL32(00000001), ref: 00427679
_strcat.LIBCMT ref: 004276BC

Part of subcall function 00427449: _strlen.LIBCMT ref: 0042744F
Part of subcall function 00427449: EnumSystemLocalesA.KERNEL32(0042705F,00000001,?,004791F8,004222F7,?,0047BC84,?), ref: 00427469

Strings

Norwegian-Nynorsk, xrefs: 004276B6
<E, xrefs: 004275B1
XE, xrefs: 004275FA

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: NameTranslateValid$CodeEnumLocaleLocalesPageSystem_strcat_strlen
String ID: <E$Norwegian-Nynorsk$XE
API String ID: 4291917928-1725171474
Opcode ID: 1f61790615aa3eb59a1923533b9a541d7558c9e93240893c09cd30b8e043bae2
Instruction ID: a45bc2cc55280f0d1b121632ea3b8d7c861e95774fdeb6208efc4cf1831572eb
Opcode Fuzzy Hash: 1f61790615aa3eb59a1923533b9a541d7558c9e93240893c09cd30b8e043bae2
Instruction Fuzzy Hash: 1541E171708271ABCB319B76BC81B2676A0FB40715F89403FE145972A1E72D9884DBAE

Uniqueness

Uniqueness Score: -1.00%

Function 004450BA, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 164keyboardtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00413B0C: GetParent.USER32(?), ref: 00413B16

ScreenToClient.USER32 ref: 00445144
GetKeyState.USER32(00000001), ref: 004451A1
GetKeyState.USER32(00000001), ref: 004451E9
GetKeyState.USER32(00000001), ref: 00445223
KillTimer.USER32(?,0000E001), ref: 00445248
IsWindow.USER32(?), ref: 00445294

Strings

(, xrefs: 00445168

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: State$ClientKillParentScreenTimerWindow
String ID: (
API String ID: 1540673551-3887548279
Opcode ID: fff6a820c60129b48477db4f983be7f42c84b448f9f1583d61c5e07c3bc108e2
Instruction ID: cd667e9f1567b0cb063222fda460d541725427692b9275c9cedc4368ed56ad0c
Opcode Fuzzy Hash: fff6a820c60129b48477db4f983be7f42c84b448f9f1583d61c5e07c3bc108e2
Instruction Fuzzy Hash: 7B518131A01A049FEF209F94C949BAE7BB1BF44315F1400ABE915A72D2D7B99981CF49

Uniqueness

Uniqueness Score: -1.00%

Function 004231DB, Relevance: 12.2, APIs: 8, Instructions: 212timeCOMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 004231EE

Part of subcall function 0041C486: EnterCriticalSection.KERNEL32(00478DA0,00478DA0,?,0041E870,?,00419950,00000001,00478DA0,0045C788,00000010,00401E17,Characters: %c %c ,00000061,00000041), ref: 0041C4AE

_strlen.LIBCMT ref: 00423260
_strcat.LIBCMT ref: 0042327D
_strncpy.LIBCMT ref: 00423296

Part of subcall function 004190E5: __lock.LIBCMT ref: 00419103
Part of subcall function 004190E5: HeapFree.KERNEL32(00000000,?,0045C778,0000000C,0041C46A,00000000,0045C8C8,00000008,0041C49F,?,00478DA0,?,0041E870,?,00419950,00000001), ref: 0041914A

GetTimeZoneInformation.KERNEL32(0047BCE0,0045D2C8,00000018,004237F0,0045D2D8,00000008,0041BEAB,?,?,0000003C,00000000,?,?,0000003C,00000000,?), ref: 004232FF
WideCharToMultiByte.KERNEL32(00000000,00000000,0047BCE4,000000FF,0000003F,00000000,?,?,0000003C,00000000,?,?,0000003C,00000000,?,00000001), ref: 0042338D
WideCharToMultiByte.KERNEL32(00000000,00000000,0047BD38,000000FF,0000003F,00000000,?,?,0000003C,00000000,?,?,0000003C,00000000,?,00000001), ref: 004233C1

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ByteCharMultiWide__lock$CriticalEnterFreeHeapInformationSectionTimeZone_strcat_strlen_strncpy
String ID:
API String ID: 3757401926-0
Opcode ID: 356a6bdc5e0bf33f91bd0b415802b226bb262df18769a7cbcbf1a2700ca9d2c0
Instruction ID: 3d09c1e6fdf1ff37a9327f1b3f502f45996753ad7f6b55a4f5102a7ca2792313
Opcode Fuzzy Hash: 356a6bdc5e0bf33f91bd0b415802b226bb262df18769a7cbcbf1a2700ca9d2c0
Instruction Fuzzy Hash: AC71F430A042609ED7219F29BC45B567BB9FB49311FA4016FE858C72E1DB3C4E82CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00451B05, Relevance: 12.2, APIs: 8, Instructions: 210stringmemoryCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,0000F094,?,00000050), ref: 00451BAE
lstrlenW.KERNEL32(00000000), ref: 00451BE2
lstrlenW.KERNEL32(?), ref: 00451BE8
CoTaskMemAlloc.OLE32(?), ref: 00451BF2
CoTaskMemFree.OLE32(?), ref: 00451C10
CreateBindCtx.OLE32(00000000,?), ref: 00451C4D
CoTaskMemFree.OLE32(?), ref: 00451CED
CoTaskMemFree.OLE32(?), ref: 00451CF8

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Task$Freelstrlen$AllocBindCreate
String ID:
API String ID: 2007904770-0
Opcode ID: 9db421d854155c047c32189c6de628196021e0d9da916f11e4ff0d30769632a0
Instruction ID: 8c6efcea8930fc8c57dd9750372b0a4d90cee16b28d91ca181a1559669a40612
Opcode Fuzzy Hash: 9db421d854155c047c32189c6de628196021e0d9da916f11e4ff0d30769632a0
Instruction Fuzzy Hash: C97135B2D00219AFCF11DFA5CC849EEBBB9EF09301F14405AF911A7262D7799A44CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00449796, Relevance: 10.6, APIs: 7, Instructions: 67windowkeyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 004497A7
GetKeyState.USER32(00000010), ref: 004497B7
GetFocus.USER32 ref: 004497C7
GetDesktopWindow.USER32 ref: 004497CF
SendMessageA.USER32 ref: 004497F3
SendMessageA.USER32 ref: 00449812
GetParent.USER32(00000000), ref: 0044981B

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: MessageSendState$DesktopFocusParentWindow
String ID:
API String ID: 4150626516-0
Opcode ID: 13e940703fbcf19c2319d83293092415ae999b9021930d2ac61ac217a9fb0fd7
Instruction ID: 96721e7d0b783edc0146127f8627573c13a0186a0774a71e46c8f2530adc7091
Opcode Fuzzy Hash: 13e940703fbcf19c2319d83293092415ae999b9021930d2ac61ac217a9fb0fd7
Instruction Fuzzy Hash: 30110A32A21714BBFB101FA59C84D7B37A8EB047A5F500437FE41EB241E6B5DD01A7A8

Uniqueness

Uniqueness Score: -1.00%

Function 004121E0, Relevance: 10.6, APIs: 7, Instructions: 64windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32 ref: 004121EC
SetFileSecurityW.ADVAPI32(00000000,00000000,00000000), ref: 004121FD

Part of subcall function 0043C35E: __EH_prolog.LIBCMT ref: 0043C363
Part of subcall function 0043C35E: BeginPaint.USER32(?,?,?,?,00430EA3), ref: 0043C391

SendMessageA.USER32 ref: 00412215
GetSystemMetrics.USER32 ref: 00412223
GetSystemMetrics.USER32 ref: 00412229
GetClientRect.USER32 ref: 00412234
DrawIcon.USER32 ref: 0041225E

Part of subcall function 0043C3B9: __EH_prolog.LIBCMT ref: 0043C3BE
Part of subcall function 0043C3B9: EndPaint.USER32(?,?,?,?,00430EC9,?), ref: 0043C3DB

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: H_prologMetricsPaintSystem$BeginClientDrawFileIconIconicMessageRectSecuritySend
String ID:
API String ID: 2442360429-0
Opcode ID: 58735c31f9651c539da59f0306160509228691e277dee4335b7c50f1e30cb25f
Instruction ID: 6dfefef6daff10c6dbd3fd16b738f4a2c95a3f090111ed2935b50b8baa9065f9
Opcode Fuzzy Hash: 58735c31f9651c539da59f0306160509228691e277dee4335b7c50f1e30cb25f
Instruction Fuzzy Hash: 8D11A032600709AFCB10AFB9ED4DDBF7BBAEB84701F040129F606E61A0CA70E905CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0044A5CB, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 24registrywindowCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0044A5D3
GetVersion.KERNEL32 ref: 0044A5DE
GetVersion.KERNEL32 ref: 0044A5E6
GetVersion.KERNEL32 ref: 0044A5EC
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG), ref: 0044A5F9

Strings

MSWHEEL_ROLLMSG, xrefs: 0044A5F4

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Version$MessageRegisterWindow
String ID: MSWHEEL_ROLLMSG
API String ID: 303823969-2485103130
Opcode ID: 57befa0d0cf744bb6faeabde4dfa4ea4a605172469921c4fc54b585aff7258b8
Instruction ID: fb2bac4d7ef4cd12301920e04219e4347d430778caee8721f1ee1f1a4bee6878
Opcode Fuzzy Hash: 57befa0d0cf744bb6faeabde4dfa4ea4a605172469921c4fc54b585aff7258b8
Instruction Fuzzy Hash: 5AE026BA84521696F7116724AC003762AA09B443B1F9B803BDA0053350CA7C48D38FFF

Uniqueness

Uniqueness Score: -1.00%

Function 00429B1E, Relevance: 9.1, APIs: 6, Instructions: 102COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000001,00000000,00000000,0045E988,00000018,004291DB,?,?,?,00000080,00000000,?,?,00000001), ref: 00429B3B
GetLastError.KERNEL32(?,?,00000001), ref: 00429B4D
GetLocaleInfoW.KERNEL32(00000001,?,00000000,00000000,0045E988,00000018,004291DB,?,?,?,00000080,00000000,?,?,00000001), ref: 00429B98
GetLocaleInfoW.KERNEL32(00000001,?,?,00000000,?,?,00000001), ref: 00429C07
WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,?,?,00000000,00000000,?,00000000,?,?,00000001), ref: 00429C29

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: InfoLocale$ByteCharErrorLastMultiWide
String ID:
API String ID: 97497842-0
Opcode ID: d82886cadeaf2d97a86859ec321c48c6c547772dcd2f95da69573d29694a1d21
Instruction ID: a4ed4afe280ecfbcc7b664259ccdda49b71f24b31cb3ebb77be7e7274f6a884c
Opcode Fuzzy Hash: d82886cadeaf2d97a86859ec321c48c6c547772dcd2f95da69573d29694a1d21
Instruction Fuzzy Hash: 15319C30A00228ABCF218F51ED489EF7FB9FF49760F50412AF514A6260C7388E81DB9C

Uniqueness

Uniqueness Score: -1.00%

Function 004299EE, Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000001,00000000,00000000,0045E978,00000018,0042928F,?,?,0047BE18,00000004,00000000,?,?,00000001), ref: 00429A0B
GetLastError.KERNEL32(?,?,00000001), ref: 00429A1D
GetLocaleInfoW.KERNEL32(00000001,?,?,?,0045E978,00000018,0042928F,?,?,0047BE18,00000004,00000000,?,?,00000001), ref: 00429A47
GetLocaleInfoA.KERNEL32(00000001,?,00000000,00000000,0045E978,00000018,0042928F,?,?,0047BE18,00000004,00000000,?,?,00000001), ref: 00429A76
GetLocaleInfoA.KERNEL32(00000001,?,?,?,?,?,00000001), ref: 00429ADD
MultiByteToWideChar.KERNEL32(?,00000001,?,000000FF,?,?,?,?,?,?,00000001), ref: 00429AFD

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: InfoLocale$ByteCharErrorLastMultiWide
String ID:
API String ID: 97497842-0
Opcode ID: 1c2ddac769fc6566056a3fdf9803dc78f31a0f62cf32b9d66715de61e05ddb11
Instruction ID: 4d97eaf8c4575049713de0d39633e2cf7aea6be559c2bc5e4fe388c3e1d99218
Opcode Fuzzy Hash: 1c2ddac769fc6566056a3fdf9803dc78f31a0f62cf32b9d66715de61e05ddb11
Instruction Fuzzy Hash: 2D318B30A00669AFCF229F51EC448EF7F75FF88350F60412AF815A2260D7398D90DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00416DE7, Relevance: 7.7, APIs: 5, Instructions: 231COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00416E4A
VariantClear.OLEAUT32(?), ref: 00416E6B

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ClearH_prologVariant
String ID:
API String ID: 1166855276-0
Opcode ID: 59497bb2afd48fedbad3a333b64659be0640053596244d95b67473db09c2eaee
Instruction ID: 7ec257f1a53ff0c6b26f37716c15e5223fd542edcc4439dd4d62890bdfa07dc7
Opcode Fuzzy Hash: 59497bb2afd48fedbad3a333b64659be0640053596244d95b67473db09c2eaee
Instruction Fuzzy Hash: 4B61E931A002049FDB04EB65DCA59FE7BA9AF85314B15445FF849D7242DB2CD883CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00419156, Relevance: 7.6, APIs: 5, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 00419170
GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 00419181
VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 004191C7
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,0000001C), ref: 00419205
VirtualProtect.KERNEL32(?,?,00000002,?,?,?,0000001C), ref: 0041922B

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Virtual$Query$AllocInfoProtectSystem
String ID:
API String ID: 4136887677-0
Opcode ID: 8d9e22ba586fd86cec1a3d9698b176ad49e0d5a874822963dd54f3e104bf4844
Instruction ID: 1b373f2e56b1145c03012bcf7937971b7b0af76e9a71cf3849547e7b3f96fcaa
Opcode Fuzzy Hash: 8d9e22ba586fd86cec1a3d9698b176ad49e0d5a874822963dd54f3e104bf4844
Instruction Fuzzy Hash: FE31A272E0021EFBDF108FA4DD98AEDBBB8EB09355F140066E905E7190D7749E80DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00420151, Relevance: 7.5, APIs: 5, Instructions: 32timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 0042016C
GetCurrentProcessId.KERNEL32 ref: 00420178
GetCurrentThreadId.KERNEL32 ref: 00420180
GetTickCount.KERNEL32 ref: 00420188
QueryPerformanceCounter.KERNEL32(?), ref: 00420194

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 68475cf7401b115077d5566bc53c8b292e2b0df1156c70f62a2222efa04ac823
Instruction ID: ba3e7e43f68762bebc45f382722b151c5f15542101549dcd5918e164c92bf49a
Opcode Fuzzy Hash: 68475cf7401b115077d5566bc53c8b292e2b0df1156c70f62a2222efa04ac823
Instruction Fuzzy Hash: 7CF0FFB1D412249BCB109BB4EC0C5AEBBF8FF08355B864565E801EB211EB34E9408F89

Uniqueness

Uniqueness Score: -1.00%

Function 0044D759, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43librarystringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00000800,LOC), ref: 0044D77C
LoadLibraryA.KERNEL32(?), ref: 0044D7AF
GetLocaleInfoA.KERNEL32(00000800,00000003,00000800,00000004), ref: 0044D7BF

Strings

LOC, xrefs: 0044D776

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: InfoLibraryLoadLocalelstrcpy
String ID: LOC
API String ID: 864663389-519433814
Opcode ID: e173b8cc3e98f895997c5c9cb835f845040e09654273059fab590b07196c67f5
Instruction ID: c2e9716c13a74e38236ad5512413a70ed3a7c7e62d5c990739df4f5138f8d032
Opcode Fuzzy Hash: e173b8cc3e98f895997c5c9cb835f845040e09654273059fab590b07196c67f5
Instruction Fuzzy Hash: B201A270D00208BBEB109B60DC46EEA376CAB00B29F108563FA19D6191E738DB948B99

Uniqueness

Uniqueness Score: -1.00%

Function 004514EB, Relevance: 6.1, APIs: 4, Instructions: 85stringCOMMON

Download Yara Rule

APIs

CreateBindCtx.OLE32(00000000,?), ref: 00451541
lstrlenA.KERNEL32(00000000,?,?,00000002,?), ref: 0045159C
CoTaskMemFree.OLE32(?,?,?,00000002,?), ref: 004515A8

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: BindCreateFreeTasklstrlen
String ID:
API String ID: 856384521-0
Opcode ID: c3c3c4101a74bb0d563ddd451ee4f8f445066b674a8cc9ebbf8a30e2462f72a7
Instruction ID: cda77011c6f3f2de2cea81693f83856f7985ad91c2fd34cbb995a1afa06f9582
Opcode Fuzzy Hash: c3c3c4101a74bb0d563ddd451ee4f8f445066b674a8cc9ebbf8a30e2462f72a7
Instruction Fuzzy Hash: 4521327590020DFFCF10AFA5CC849AF7BB8EF45346B50446AF906D6212E738DA49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00433B4D, Relevance: 6.0, APIs: 4, Instructions: 41keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00435E61: GetWindowLongA.USER32 ref: 00435E6C

GetKeyState.USER32(00000010), ref: 00433B71
GetKeyState.USER32(00000011), ref: 00433B7A
GetKeyState.USER32(00000012), ref: 00433B83
SendMessageA.USER32 ref: 00433B99

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: e557bfa6ddef9d295620bfdfe8ba4a3812f7e7328e03b64543fa17c8f453c905
Instruction ID: 8cc5803fbefc7659a736b9a153a976b2dbbc06c6c3c791125e1da2b5aad001b8
Opcode Fuzzy Hash: e557bfa6ddef9d295620bfdfe8ba4a3812f7e7328e03b64543fa17c8f453c905
Instruction Fuzzy Hash: 18F0AE36340B8A2AEA203F755C42FA5C1144F58BEFF51153AB742FA3D3CD98EA425178

Uniqueness

Uniqueness Score: -1.00%

Function 0043AE3F, Relevance: 4.6, APIs: 3, Instructions: 95filestringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 0043AE64
FindFirstFileA.KERNEL32(?,?,?,?), ref: 0043AE97
FindClose.KERNEL32(00000000), ref: 0043AEAC

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Find$CloseFileFirstlstrlen
String ID:
API String ID: 2767606509-0
Opcode ID: c5e5c7643f6205a3f13e5afdef13d63ebce952af23c969e6ecede4ae524dcf50
Instruction ID: 27ef264583626511914cceeb7bee4e024af603411ce3de5cb553320a473431fb
Opcode Fuzzy Hash: c5e5c7643f6205a3f13e5afdef13d63ebce952af23c969e6ecede4ae524dcf50
Instruction Fuzzy Hash: 1D3139B55407048FD724DF68D8819AABBF8FF58300F10892EE49AD7351EB34E944CB25

Uniqueness

Uniqueness Score: -1.00%

Function 00412F6C, Relevance: 4.5, APIs: 3, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d3bce6573e5327f4a2d716e155a67d3a9d0e73a7f121b37453505c264540ef4
Instruction ID: a49f8bf21c1a0727bba3429f9eb219b0de270bc92a742b604217b045e4d34089
Opcode Fuzzy Hash: 0d3bce6573e5327f4a2d716e155a67d3a9d0e73a7f121b37453505c264540ef4
Instruction Fuzzy Hash: CBF0193110410DABCF019FA1DE04AEF7BB9EB04345F448426F905D5121DBB9CAE2AB59

Uniqueness

Uniqueness Score: -1.00%

Function 0043ED39, Relevance: 4.5, APIs: 3, Instructions: 36windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0043ED49
IsIconic.USER32 ref: 0043ED75
GetParent.USER32(?), ref: 0043ED82

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Parent$Iconic
String ID:
API String ID: 344791563-0
Opcode ID: 58a3f935cf36623e1332bcfd1206750641107c0b5411d0383e34c7c268d06e93
Instruction ID: bae9f98652729457bcdc4815848d1a75ff85c461e139815cabe892a22f4bfe69
Opcode Fuzzy Hash: 58a3f935cf36623e1332bcfd1206750641107c0b5411d0383e34c7c268d06e93
Instruction Fuzzy Hash: D5F0BE31202702ABDB216F72AC14A2BAA69EF98392F10543BB400C62A1DB28DC15869D

Uniqueness

Uniqueness Score: -1.00%

Function 00427480, Relevance: 4.5, APIs: 3, Instructions: 36COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00427486
_strlen.LIBCMT ref: 0042749E
EnumSystemLocalesA.KERNEL32(00427164,00000001), ref: 004274E5

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: _strlen$EnumLocalesSystem
String ID:
API String ID: 2581538701-0
Opcode ID: 42d16374027909394213e677e5bcfd64f0f00fc87c7d6439cd2ad262711315da
Instruction ID: d59d3481069b895e28f9b8e132aa08482eaa47e9f7bdf504140f0bf0bd478903
Opcode Fuzzy Hash: 42d16374027909394213e677e5bcfd64f0f00fc87c7d6439cd2ad262711315da
Instruction Fuzzy Hash: 60F04F306582258EDB21AF34FC0D7613AA1FB45715FA0027BE449822A4D77D48C58B8D

Uniqueness

Uniqueness Score: -1.00%

Function 00401069, Relevance: 4.5, APIs: 3, Instructions: 34threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32 ref: 00401071
GetLocaleInfoA.KERNEL32(00000000,00001004,?,00000007), ref: 00401083
GetACP.KERNEL32 ref: 004010AC

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Locale$InfoThread
String ID:
API String ID: 4232894706-0
Opcode ID: ef13a87e8da90230abdff8e6c4aa2c036571bf621e08d58aff36463bb3a0f3f8
Instruction ID: 2ee87717f845540d368ddee7b455f44f1bb09434cdd50e568d7a7d63add3033e
Opcode Fuzzy Hash: ef13a87e8da90230abdff8e6c4aa2c036571bf621e08d58aff36463bb3a0f3f8
Instruction Fuzzy Hash: 80F0E9329107746BE7114B50D865AFB3BA89B01B81F0401A9EAC2E7651E674A98487D8

Uniqueness

Uniqueness Score: -1.00%

Function 0043814C, Relevance: 4.5, APIs: 3, Instructions: 27keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 0043816E
GetKeyState.USER32(00000011), ref: 00438177
GetKeyState.USER32(00000012), ref: 00438180

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 5ce6cda0adb12fd27b59ad971044f2bbe0222b1532eefd7804ecf7a38413f2b9
Instruction ID: b2432ceb55a8bcd10794c181b7d64abfc744c423bb8754facd4205c8d79a9191
Opcode Fuzzy Hash: 5ce6cda0adb12fd27b59ad971044f2bbe0222b1532eefd7804ecf7a38413f2b9
Instruction Fuzzy Hash: 57E0923451139DB9DF90A3508D02BA6E9D05F1A794F0CA46FB984A7096CFA8884396AD

Uniqueness

Uniqueness Score: -1.00%

Function 00426F2A, Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,?), ref: 00426F68
_strncpy.LIBCMT ref: 00426FF8

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: InfoLocale_strncpy
String ID:
API String ID: 4025304676-0
Opcode ID: f8bb38ff0c0d62aef9ede1b60afdf272c33a0bc1e30ea10ace14e9813badd8c1
Instruction ID: d3b9b2289e1d08e23ea3353d2b9d61e7cffa44219714d46435fea35dba020491
Opcode Fuzzy Hash: f8bb38ff0c0d62aef9ede1b60afdf272c33a0bc1e30ea10ace14e9813badd8c1
Instruction Fuzzy Hash: AC210B3270802297DF284938FF855777A59DB54301B874077D805CB6A1E629EE55C38D

Uniqueness

Uniqueness Score: -1.00%

Function 00429BD1, Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00419156: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00419170
Part of subcall function 00419156: GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 00419181
Part of subcall function 00419156: VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 004191C7

GetLocaleInfoW.KERNEL32(00000001,?,?,00000000,?,?,00000001), ref: 00429C07
WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,?,?,00000000,00000000,?,00000000,?,?,00000001), ref: 00429C29

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: InfoQueryVirtual$ByteCharLocaleMultiSystemWide
String ID:
API String ID: 2568233206-0
Opcode ID: 414def533fc632d0492c49e89d1aaa1c1662c57ab834549369878edcb9cf5dbe
Instruction ID: 43b29300060abfe07c802eaa957c9c5be20c218d590998203c7379d0164a5e59
Opcode Fuzzy Hash: 414def533fc632d0492c49e89d1aaa1c1662c57ab834549369878edcb9cf5dbe
Instruction Fuzzy Hash: 80018430901139ABCF219F52EC498DFBFB9AF49760F50426AF42463191CB388D81CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00429AAA, Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00419156: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00419170
Part of subcall function 00419156: GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 00419181
Part of subcall function 00419156: VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 004191C7

GetLocaleInfoA.KERNEL32(00000001,?,?,?,?,?,00000001), ref: 00429ADD
MultiByteToWideChar.KERNEL32(?,00000001,?,000000FF,?,?,?,?,?,?,00000001), ref: 00429AFD

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: InfoQueryVirtual$ByteCharLocaleMultiSystemWide
String ID:
API String ID: 2568233206-0
Opcode ID: 9645deb8664da4a4ec28987ca7f0ea0c311f1ac0614ec0b1d11bf23e89b5465b
Instruction ID: 071649ff7a99147aa935aa34d2b45674897def8e62d12f414e5ef03ccc299b0d
Opcode Fuzzy Hash: 9645deb8664da4a4ec28987ca7f0ea0c311f1ac0614ec0b1d11bf23e89b5465b
Instruction Fuzzy Hash: D3017131D00129AA8F219F65EC458DF7F75EF44364F50022AF825721A1D6394D91CA98

Uniqueness

Uniqueness Score: -1.00%

Function 0044C334, Relevance: 3.0, APIs: 2, Instructions: 40keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00435E61: GetWindowLongA.USER32 ref: 00435E6C

GetKeyState.USER32(00000073), ref: 0044C35E
GetKeyState.USER32(00000012), ref: 0044C367

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: State$LongWindow
String ID:
API String ID: 3716621309-0
Opcode ID: 397b47a6b3098b174837028ca5273697430aa25f15713eefcb8345dc68bb0608
Instruction ID: 449af439f9e3c682b98d3943b00fa89e2967c9510b9041f694b25c3adca048a9
Opcode Fuzzy Hash: 397b47a6b3098b174837028ca5273697430aa25f15713eefcb8345dc68bb0608
Instruction Fuzzy Hash: 1EF02B3620160926FF113E66CC91BBE3A55CF507E8F08C03BFD045A651CA79CD1192A8

Uniqueness

Uniqueness Score: -1.00%

Function 00449839, Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00449849
IsIconic.USER32 ref: 0044985B

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: IconicVisibleWindow
String ID:
API String ID: 1797901696-0
Opcode ID: 19f45fd0a450737797d39323b26bbcab8469ec90ba09b78729ede2c1329ef110
Instruction ID: 474cd1448cfea782cb99ea4e181eb62a59d0bdd49cfd4fdbb16f9fa93e1c47c6
Opcode Fuzzy Hash: 19f45fd0a450737797d39323b26bbcab8469ec90ba09b78729ede2c1329ef110
Instruction Fuzzy Hash: 36F05C3131062457DA20362E5C009FF625D8FD6331714033FF854A21E1CF588C43A1D8

Uniqueness

Uniqueness Score: -1.00%

Function 00427506, Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0042750C
EnumSystemLocalesA.KERNEL32(0042737E,00000001,?,004791F8,004222F7,?,0047BC84,?), ref: 00427544

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: EnumLocalesSystem_strlen
String ID:
API String ID: 216762292-0
Opcode ID: c3498768bc7c7ce3007366be8544f74c947c9db044cc43ff3b9eaa97fdab2f53
Instruction ID: 22303a000b31451e145bd79138486843a8f293b1420a8acae8eac2092729c4f6
Opcode Fuzzy Hash: c3498768bc7c7ce3007366be8544f74c947c9db044cc43ff3b9eaa97fdab2f53
Instruction Fuzzy Hash: 73E01AB17983119ADB219F31FC097617BA1FB40705FD0017BE588851A1C77A48C5CF8C

Uniqueness

Uniqueness Score: -1.00%

Function 00427449, Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0042744F
EnumSystemLocalesA.KERNEL32(0042705F,00000001,?,004791F8,004222F7,?,0047BC84,?), ref: 00427469

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: EnumLocalesSystem_strlen
String ID:
API String ID: 216762292-0
Opcode ID: 20b9a74ebc507af4f055ee249a5635c439ef28494afc777d7bbc1637771c6048
Instruction ID: c7a7253a78cd63768734b03cced16f1f27e7f5927e0e7e4f128dfd1aad362f67
Opcode Fuzzy Hash: 20b9a74ebc507af4f055ee249a5635c439ef28494afc777d7bbc1637771c6048
Instruction Fuzzy Hash: 3ED05E706283054AEB209F31AC087703A61F712B15F84426BD948840E1C3BD44848F8C

Uniqueness

Uniqueness Score: -1.00%

Function 004351C1, Relevance: 1.9, APIs: 1, Instructions: 440COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004351C6

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7b6b0fc25a619e8ffa761b182e959269960955f28e5955b6301a44609188f890
Instruction ID: dfc8b4442d3cc53466dc1065af5a8aa30e92b72730c47a418db72a96a54edf46
Opcode Fuzzy Hash: 7b6b0fc25a619e8ffa761b182e959269960955f28e5955b6301a44609188f890
Instruction Fuzzy Hash: 6BE19B70600609EFDF14DF59C881ABE7BA9EF0C315F10911AF81ADB251C779EA01EB69

Uniqueness

Uniqueness Score: -1.00%

Function 00427749, Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,00000100,00000006,00000100,?,00000000), ref: 00427769

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 31677afb6fc1b5535ad2128ff8b655f223d6da6b4e3fde0445c149e2e9e034fb
Instruction ID: 9ccb574f024ad6bc899cc84eafcd8e94f00df29e88357d2f1656e84893630a58
Opcode Fuzzy Hash: 31677afb6fc1b5535ad2128ff8b655f223d6da6b4e3fde0445c149e2e9e034fb
Instruction Fuzzy Hash: 95E0D830A04208BBCB00EBA4E846FDE7BB89B44318F4042AAF621D61D0DB74DA449B59

Uniqueness

Uniqueness Score: -1.00%

Function 0042041A, Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0042041F

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 2c4fbdc62b8baea12eb78e9123705ccc1766836269fb6bb3ed2f109398d8077e
Instruction ID: 24497ee9b1b3a07a1162324fb9a9e74d7b7788caf2941abb3185c305368c9b96
Opcode Fuzzy Hash: 2c4fbdc62b8baea12eb78e9123705ccc1766836269fb6bb3ed2f109398d8077e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00401BA2, Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

Characters: %c %c , xrefs: 00401BA8

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID:
String ID: Characters: %c %c
API String ID: 0-719169735
Opcode ID: f41542d3a7ff05b9c1c259bf3f09c9e246db3fc2e68b761b14089f319458687e
Instruction ID: c1b71fc60166c77876d5900eecb29c51c7ad8c386318f820fcf62762977cba70
Opcode Fuzzy Hash: f41542d3a7ff05b9c1c259bf3f09c9e246db3fc2e68b761b14089f319458687e
Instruction Fuzzy Hash: D621D134A4814A9FDB10DF68C4C0EAAB7F6FF09310B1485AAD840EB361D335E946CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00419288, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca158314e5fdf86d87acb8034818eb9930b794b9cab69a97c95613ed4a669a4
Instruction ID: a61786a819a219ec4bf0303514e7d66edc8e6bd7f43a4f93b4cbc92c4d050e25
Opcode Fuzzy Hash: 8ca158314e5fdf86d87acb8034818eb9930b794b9cab69a97c95613ed4a669a4
Instruction Fuzzy Hash: FD21B572900208DBCB14EF69C8908EBB7A5BF49350B09856AEC158B285D734FD55C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00401B93, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d066225cf355ea081255d090b5d8f0af9ab1788191efed86126529aafbb94d05
Instruction ID: c8adc5ccf16261ec5d31fbc12676845fb7cbd01a58cf37860a19b5389e3966a9
Opcode Fuzzy Hash: d066225cf355ea081255d090b5d8f0af9ab1788191efed86126529aafbb94d05
Instruction Fuzzy Hash: 61B092B111A940CBC206DB08D480A44B3E4A708600F10091CE086C3A00C32494008A01

Uniqueness

Uniqueness Score: -1.00%

Function 00437647, Relevance: 44.1, APIs: 22, Strings: 3, Instructions: 395
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00437647(signed int __ecx) {
				void* __edi;
				int _t175;
				intOrPtr _t182;
				int _t184;
				intOrPtr* _t211;
				RECT* _t213;
				signed char _t217;
				signed int _t228;
				intOrPtr _t236;
				long _t255;
				long _t256;
				long _t294;
				long _t298;
				int _t304;
				signed char _t306;
				intOrPtr _t316;
				intOrPtr _t326;
				signed int _t337;
				CHAR* _t353;
				int _t360;
				signed int _t363;
				intOrPtr _t367;
				struct tagMENUITEMINFOA _t369;
				int* _t376;
				void* _t377;

				_t175 = E00419918(E00453A8B, _t377);
				_t304 =  *(_t377 + 8);
				_t363 = __ecx;
				_t316 =  *((intOrPtr*)(_t304 + 0x2c));
				 *(_t377 - 0x24) = __ecx;
				 *((intOrPtr*)(_t377 - 0x28)) = _t316;
				if(_t316 != 0) {
					_t175 = E004389D2(_t316, ",pE");
					if(_t175 != 0) {
						_t369 = 0x30;
						L00419E80(_t377 - 0x90, 0, _t369);
						 *(_t377 - 0x90) = _t369;
						 *((intOrPtr*)(_t377 - 0x8c)) = 0x40;
						_t175 = GetMenuItemInfoA( *(_t363 + 4),  *(_t304 + 8), 0, _t377 - 0x90);
						if(_t175 != 0) {
							_t358 =  *(E00436C1F());
							 *(_t377 - 0x20) =  *((intOrPtr*)(_t358 + 0xc))() + 0x10;
							 *(_t377 - 4) =  *(_t377 - 4) & 0x00000000;
							_t182 = E004124D6(_t377 - 0x20,  *((intOrPtr*)(_t377 - 0x68)));
							 *((intOrPtr*)(_t377 - 0x68)) =  *((intOrPtr*)(_t377 - 0x68)) + 1;
							 *((intOrPtr*)(_t377 - 0x6c)) = _t182;
							_t184 = GetMenuItemInfoA( *(_t363 + 4),  *(_t304 + 8), 0, _t377 - 0x90);
							E00413996(_t377 - 0x20, 0xffffffff);
							if(_t184 != 0) {
								CopyRect(_t377 - 0xa0, _t304 + 0x1c);
								GetObjectA( *( *((intOrPtr*)(_t377 - 0x28)) + 4), 0x18, _t377 - 0xb8);
								 *(_t377 - 0x2c) = GetSysColor(4);
								 *(_t377 - 0x1c) =  *(_t377 - 0x1c) & 0x00000000;
								asm("cdq");
								asm("cdq");
								 *((intOrPtr*)(_t377 - 0x14)) =  *((intOrPtr*)(_t377 - 0xb4)) + 1;
								_t326 = ( *((intOrPtr*)(_t377 - 0x94)) -  *((intOrPtr*)(_t377 - 0x9c)) - _t358 >> 1) - ( *((intOrPtr*)(_t377 - 0xb0)) - _t358 >> 1) +  *((intOrPtr*)(_t377 - 0x9c)) - 1;
								 *((intOrPtr*)(_t377 - 0x18)) = _t326;
								 *((intOrPtr*)(_t377 - 0x10)) =  *((intOrPtr*)(_t377 - 0xb0)) + 1 + _t326;
								_t376 = E0043C17F();
								 *((intOrPtr*)(_t377 - 0x50)) =  *((intOrPtr*)( *_t376 + 0x1c))( *((intOrPtr*)(_t304 + 0x18)));
								 *((intOrPtr*)( *_t376 + 0x28))( *(_t377 - 0x24) + 8);
								_t211 = L00413FCF(_t376, _t377 - 0x44, _t377 - 0x20);
								 *((intOrPtr*)(_t377 - 0x38)) =  *((intOrPtr*)(_t211 + 4));
								 *((intOrPtr*)(_t377 - 0x3c)) =  *_t211;
								_t213 = _t304 + 0x1c;
								if(( *(_t304 + 0x10) & 0x00000001) == 0) {
									E004476C6(_t376, _t213);
									 *((intOrPtr*)( *_t376 + 0x2c))( *(_t377 - 0x2c),  *(_t377 - 0x2c));
									_t217 =  *(_t304 + 0x10);
									__eflags = _t217 & 0x00000002;
									if((_t217 & 0x00000002) == 0) {
										__eflags = _t217 & 0x00000008;
										if(__eflags != 0) {
											 *(_t377 + 8) =  *((intOrPtr*)(_t377 - 0x10)) -  *((intOrPtr*)(_t377 - 0x18));
											 *(_t377 - 0x40) =  *((intOrPtr*)(_t377 - 0x14)) -  *(_t377 - 0x1c);
											_t255 = GetSysColor(0x14);
											_t256 = GetSysColor(0x10);
											__eflags =  *(_t377 - 0x40) + 1;
											E00447BC6(_t376, __eflags,  *(_t377 - 0x1c),  *((intOrPtr*)(_t377 - 0x18)),  *(_t377 - 0x40) + 1,  *(_t377 + 8) + 1, _t256, _t255);
										}
										 *((intOrPtr*)( *_t376 + 0x2c))( *(_t377 - 0x2c));
										 *(_t377 + 8) =  *_t376;
										 *((intOrPtr*)( *(_t377 + 8) + 0x30))(GetSysColor(7));
										goto L16;
									} else {
										 *((intOrPtr*)( *_t376 + 0x30))(GetSysColor(0x14));
										E0043B5AC(_t376, 1);
										_t350 =  *((intOrPtr*)(_t377 - 0x18));
										asm("cdq");
										 *(_t377 - 0x24) =  *((intOrPtr*)(_t377 - 0x38)) - _t358;
										 *(_t377 - 0x24) =  *(_t377 - 0x24) >> 1;
										asm("cdq");
										_t94 = _t350 + 1; // 0x2
										_t360 =  *((intOrPtr*)(_t377 - 0x14)) + 4;
										ExtTextOutA(_t376[1], _t360, ( *((intOrPtr*)(_t377 - 0x10)) -  *((intOrPtr*)(_t377 - 0x18)) - _t358 >> 1) -  *(_t377 - 0x24) + _t94, 2, 0,  *(_t377 - 0x20),  *( *(_t377 - 0x20) - 0xc), 0);
										 *(_t377 - 0x40) =  *_t376;
										 *((intOrPtr*)( *(_t377 - 0x40) + 0x30))(GetSysColor(0x11));
										_t353 =  *(_t377 - 0x20);
										_t366 =  *(_t353 - 0xc);
										asm("cdq");
										_t358 =  *((intOrPtr*)(_t377 - 0x14)) + 3;
										ExtTextOutA(_t376[1],  *((intOrPtr*)(_t377 - 0x14)) + 3, ( *((intOrPtr*)(_t377 - 0x10)) -  *((intOrPtr*)(_t377 - 0x18)) - _t360 >> 1) -  *(_t377 - 0x24) +  *((intOrPtr*)(_t377 - 0x18)), 0, 0, _t353,  *(_t353 - 0xc), 0);
										_t304 =  *(_t377 + 8);
									}
								} else {
									CopyRect(_t377 - 0x4c, _t213);
									 *(_t377 - 0x4c) =  *((intOrPtr*)(_t377 - 0x14)) + 2;
									_push(GetSysColor(0xd));
									E004476C6(_t376, _t377 - 0x4c);
									if(( *(_t304 + 0x10) & 0x0000000a) == 0) {
										 *(_t377 - 0x24) =  *((intOrPtr*)(_t377 - 0x14)) -  *(_t377 - 0x1c);
										_t298 = GetSysColor(0x10);
										E00447BC6(_t376,  *(_t377 - 0x24) + 1,  *(_t377 - 0x1c),  *((intOrPtr*)(_t377 - 0x18)),  *(_t377 - 0x24) + 1,  *((intOrPtr*)(_t377 - 0x10)) -  *((intOrPtr*)(_t377 - 0x18)) + 1, GetSysColor(0x14), _t298);
									}
									 *((intOrPtr*)( *_t376 + 0x2c))(GetSysColor(0xd));
									_t304 =  *(_t377 + 8);
									if(( *(_t304 + 0x10) & 0x00000002) == 0) {
										_t294 = GetSysColor(0xe);
									} else {
										_t294 =  *(_t377 - 0x2c);
									}
									_t358 =  *_t376;
									 *((intOrPtr*)(_t358 + 0x30))(_t294);
									L16:
									_t366 =  *(_t377 - 0x20);
									asm("cdq");
									_t337 =  *((intOrPtr*)(_t377 - 0x10)) -  *((intOrPtr*)(_t377 - 0x18)) - _t358;
									asm("cdq");
									_t228 =  *((intOrPtr*)(_t377 - 0x38)) - _t358;
									_t358 =  *(_t366 - 0xc);
									ExtTextOutA(_t376[1],  *((intOrPtr*)(_t377 - 0x14)) + 3, (_t337 >> 1) - (_t228 >> 1) +  *((intOrPtr*)(_t377 - 0x18)), 2, 0, _t366,  *(_t366 - 0xc), 0);
								}
								 *(_t377 - 0x30) =  *(_t377 - 0x30) & 0x00000000;
								 *((intOrPtr*)(_t377 - 0x34)) = 0x456f88;
								_t306 =  *(_t304 + 0x10);
								_t392 = _t306 & 0x00000002;
								 *(_t377 - 4) = 1;
								if((_t306 & 0x00000002) == 0) {
									__eflags = _t306 & 0x00000008;
									if(__eflags != 0) {
										_push(0xffffff);
										_push( *(_t377 - 0x2c));
										_push(_t377 - 0x34);
										_push( *((intOrPtr*)(_t377 - 0x28)));
										E0043CFA7(__eflags);
										 *((intOrPtr*)(_t377 - 0x28)) = _t377 - 0x34;
									}
									_t367 =  *((intOrPtr*)(_t377 - 0x28));
								} else {
									_push( *(_t377 - 0x2c));
									_push(_t377 - 0x34);
									_push( *((intOrPtr*)(_t377 - 0x28)));
									E0043CAE3(_t366, _t392);
									_t367 = _t377 - 0x34;
								}
								E0043BAAF(_t377 - 0x60);
								 *(_t377 - 4) = 2;
								E0043C18D(_t377 - 0x60, CreateCompatibleDC(0));
								if(_t367 != 0) {
									_t236 =  *((intOrPtr*)(_t367 + 4));
								} else {
									_t236 = 0;
								}
								E0043C545( *((intOrPtr*)(_t377 - 0x5c)), _t236);
								InflateRect(_t377 - 0x1c, 0xffffffff, 0xffffffff);
								L00413EFD(_t376,  *(_t377 - 0x1c),  *((intOrPtr*)(_t377 - 0x18)),  *((intOrPtr*)(_t377 - 0x14)),  *((intOrPtr*)(_t377 - 0x10)), _t377 - 0x60, 0, 0, 0xcc0020);
								 *((intOrPtr*)( *_t376 + 0x20))( *((intOrPtr*)(_t377 - 0x50)));
								 *(_t377 - 4) = 1;
								E0043C20B(_t377 - 0x60);
								 *(_t377 - 4) = 0;
								 *((intOrPtr*)(_t377 - 0x34)) = 0x456f68;
								E0043C4E1(_t377 - 0x34);
							}
							_t175 = E004011BA( &(( *(_t377 - 0x20))[0xfffffffffffffff0]), _t358);
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t377 - 0xc));
				return _t175;
			}

0x0043764c
0x00437658
0x0043765c
0x0043765e
0x00437663
0x00437666
0x00437669
0x00437674
0x0043767b
0x00437684
0x0043768f
0x004376a7
0x004376b3
0x004376bd
0x004376c1
0x004376cc
0x004376d6
0x004376dc
0x004376e3
0x004376e8
0x004376f2
0x004376fe
0x00437707
0x0043770e
0x0043771f
0x00437734
0x0043774a
0x00437753
0x00437759
0x00437767
0x00437777
0x00437780
0x00437787
0x0043778a
0x00437792
0x004377a1
0x004377a9
0x004377b6
0x004377c4
0x004377c7
0x004377ca
0x004377cd
0x0043785b
0x00437867
0x0043786a
0x0043786d
0x0043786f
0x00437911
0x00437913
0x0043791d
0x00437926
0x00437929
0x0043792e
0x00437939
0x00437943
0x00437943
0x0043794f
0x00437956
0x00437961
0x00000000
0x00437875
0x0043787e
0x00437885
0x0043788d
0x00437890
0x00437893
0x00437899
0x0043789e
0x004378ab
0x004378c2
0x004378c9
0x004378cf
0x004378da
0x004378e3
0x004378e6
0x004378e9
0x00437900
0x00437907
0x00437909
0x00437909
0x004377d3
0x004377d8
0x004377e6
0x004377eb
0x004377f2
0x004377fb
0x0043780b
0x0043780e
0x00437825
0x00437825
0x00437833
0x00437836
0x0043783d
0x00437846
0x0043783f
0x0043783f
0x0043783f
0x00437848
0x0043784d
0x00437964
0x0043796a
0x0043796d
0x00437970
0x00437975
0x00437978
0x0043797a
0x00437997
0x00437997
0x0043799d
0x004379a1
0x004379a8
0x004379ab
0x004379ae
0x004379b2
0x004379c8
0x004379cb
0x004379cd
0x004379d2
0x004379d8
0x004379d9
0x004379dc
0x004379e4
0x004379e4
0x004379e7
0x004379b4
0x004379b4
0x004379ba
0x004379bb
0x004379be
0x004379c3
0x004379c3
0x004379ed
0x004379f5
0x00437a03
0x00437a0a
0x00437a10
0x00437a0c
0x00437a0c
0x00437a0c
0x00437a17
0x00437a24
0x00437a43
0x00437a4f
0x00437a55
0x00437a59
0x00437a61
0x00437a65
0x00437a6c
0x00437a6c
0x00437a77
0x00437a77
0x00437a7c
0x0043767b
0x00437a82
0x00437a8a

APIs

__EH_prolog.LIBCMT ref: 0043764C
GetMenuItemInfoA.USER32 ref: 004376BD
GetMenuItemInfoA.USER32 ref: 004376FE

Part of subcall function 00413996: _strlen.LIBCMT ref: 004139A9

CopyRect.USER32 ref: 0043771F
GetObjectA.GDI32(00000000,00000018,?), ref: 00437734
GetSysColor.USER32(00000004), ref: 00437742

Part of subcall function 00413FCF: GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 00413FE4

CopyRect.USER32 ref: 004377D8
GetSysColor.USER32(00000010), ref: 0043780E
GetSysColor.USER32(00000014), ref: 00437813
GetSysColor.USER32(0000000D), ref: 0043782E
GetSysColor.USER32(0000000E), ref: 00437846
GetSysColor.USER32(0000000D), ref: 004377E9

Part of subcall function 004476C6: SetBkColor.GDI32(?,?), ref: 004476D0
Part of subcall function 004476C6: ExtTextOutA.GDI32(?,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004476E6

GetSysColor.USER32(00000014), ref: 00437879
ExtTextOutA.GDI32(?,?,00000002,00000002,00000000,?,?,00000000), ref: 004378C9
GetSysColor.USER32(00000011), ref: 004378D2
ExtTextOutA.GDI32(?,?,?,00000000,00000000,?,?,00000000), ref: 00437907
GetSysColor.USER32(00000014), ref: 00437929
GetSysColor.USER32(00000010), ref: 0043792E
GetSysColor.USER32(00000007), ref: 00437959
ExtTextOutA.GDI32(?,?,?,00000002,00000000,?,?,00000000), ref: 00437997
CreateCompatibleDC.GDI32(00000000), ref: 004379F9
InflateRect.USER32(00000000,000000FF,000000FF), ref: 00437A24

Strings

@, xrefs: 004376B3
,pE, xrefs: 0043766F
hoE, xrefs: 00437A65

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Color$Text$Rect$CopyInfoItemMenu$CompatibleCreateExtentH_prologInflateObjectPoint32_strlen
String ID: ,pE$@$hoE
API String ID: 691039055-1898369464
Opcode ID: 8adb4555a99cabf7edf82d29c6c65b8fd60cd92f4652a3f10762ff7d8a132e44
Instruction ID: f710bba91004a7be4c33f9a55ea345a042ffcba9fe0887686f80ed640f844b6c
Opcode Fuzzy Hash: 8adb4555a99cabf7edf82d29c6c65b8fd60cd92f4652a3f10762ff7d8a132e44
Instruction Fuzzy Hash: 29E138B1A00219AFDF14DFA8CC85FEEBBB9FF48314F14415AE905A7291CB74A941CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004255D4, Relevance: 39.2, APIs: 26, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004255D4() {
				signed int _v8;
				void* _v12;
				intOrPtr* _v16;
				char _v20;
				void* _t104;
				void* _t108;
				void* _t110;
				void* _t111;
				void* _t113;
				void* _t114;
				void* _t128;
				intOrPtr* _t130;
				void* _t136;
				void* _t150;
				intOrPtr _t151;
				char _t157;
				signed int _t160;
				intOrPtr _t164;
				intOrPtr _t165;
				void* _t166;
				intOrPtr _t167;
				intOrPtr _t168;
				intOrPtr _t169;
				intOrPtr _t170;
				void* _t171;
				void* _t172;
				void* _t173;

				_t170 =  *0x4794d0; // 0x4794d8
				_t160 = 0;
				_v8 = 0;
				do {
					_v20 = E0041A2C0( *((intOrPtr*)((_v8 << 2) + _t170 + 0x1c)));
					_t104 = E0041A2C0( *((intOrPtr*)((_v8 << 2) + _t170)));
					_v8 = _v8 + 1;
					_t12 = _v20 + 2; // 0x2
					_t160 = _t104 + _t160 + _t12;
				} while (_v8 < 7);
				_t13 = _t170 + 0x38; // 0x479510
				_v16 = _t13;
				_v12 = 0xc;
				do {
					_v20 = E0041A2C0( *((intOrPtr*)(_v16 + 0x30)));
					_t108 = E0041A2C0( *_v16);
					_v16 = _v16 + 4;
					_t157 = _v20;
					_t22 =  &_v12;
					 *_t22 = _v12 - 1;
					_t25 = _t157 + 2; // 0x2
					_t160 = _t108 + _t160 + _t25;
				} while ( *_t22 != 0);
				_t26 = _t170 + 0x98; // 0x45d94c
				_t110 = E0041A2C0( *_t26);
				_t27 = _t170 + 0x9c; // 0x45d948
				_t150 = _t110;
				_t111 = E0041A2C0( *_t27);
				_t28 = _t170 + 0xa0; // 0x45d93c
				_t30 = _t150 + 2; // 0x2
				_t113 = E0041A2C0( *_t28);
				_t31 = _t170 + 0xa4; // 0x45d928
				_t114 = E0041A2C0( *_t31);
				_t34 = _t170 + 0xa8; // 0x45d91c
				_t151 = E004190D3(_t111 + _t160 + _t30 + _t113 + 1 + _t114 + 1 + E0041A2C0( *_t34) + 1 + 0xb8);
				_t172 = _t171 + 0x18;
				if(_t151 != 0) {
					_t39 = _t151 + 0xb8; // 0xb8
					_t164 = _t39;
					L00419F80(_t151,  *0x4794d0, 0xb8);
					_v8 = _v8 & 0x00000000;
					_t42 = _t170 + 0x1c; // 0x4794f4
					_v16 = _t151;
					_t173 = _t172 + 0xc;
					_v16 = _v16 - _t170;
					_v12 = _t42;
					do {
						 *((intOrPtr*)(_t151 + _v8 * 4)) = _t164;
						_t165 = _t164 + E0041A2C0(E00421CC0(_t164,  *((intOrPtr*)(_v12 - 0x1c)))) + 1;
						 *((intOrPtr*)(_v16 + _v12)) = _t165;
						_t128 = E0041A2C0(E00421CC0(_t165,  *_v12));
						_v12 = _v12 + 4;
						_t173 = _t173 + 0x18;
						_v8 = _v8 + 1;
						_t164 = _t165 + _t128 + 1;
					} while (_v8 < 7);
					_t64 = _t151 + 0x68; // 0x68
					_v8 = _t64;
					_t66 = _t170 + 0x38; // 0x479510
					_t130 = _t66;
					_v12 = _t130;
					_v20 = 0xc;
					while(1) {
						 *((intOrPtr*)(_t130 + _v16)) = _t164;
						_t166 = _t164 + E0041A2C0(E00421CC0(_t164,  *_t130)) + 1;
						 *_v8 = _t166;
						_t136 = E0041A2C0(E00421CC0(_t166,  *((intOrPtr*)(_v12 + 0x30))));
						_v12 = _v12 + 4;
						_v8 = _v8 + 4;
						_t173 = _t173 + 0x18;
						_t81 =  &_v20;
						 *_t81 = _v20 - 1;
						_t164 = _t166 + _t136 + 1;
						if( *_t81 == 0) {
							break;
						}
						_t130 = _v12;
					}
					 *((intOrPtr*)(_t151 + 0x98)) = _t164;
					_t86 = _t170 + 0x98; // 0x45d94c
					_t167 = _t164 + E0041A2C0(E00421CC0(_t164,  *_t86)) + 1;
					 *((intOrPtr*)(_t151 + 0x9c)) = _t167;
					_t90 = _t170 + 0x9c; // 0x45d948
					_t168 = _t167 + E0041A2C0(E00421CC0(_t167,  *_t90)) + 1;
					 *((intOrPtr*)(_t151 + 0xa0)) = _t168;
					_t94 = _t170 + 0xa0; // 0x45d93c
					_t169 = _t168 + E0041A2C0(E00421CC0(_t168,  *_t94)) + 1;
					 *((intOrPtr*)(_t151 + 0xa4)) = _t169;
					_t98 = _t170 + 0xa4; // 0x45d928
					 *((intOrPtr*)(_t151 + 0xa8)) = _t169 + E0041A2C0(E00421CC0(_t169,  *_t98)) + 1;
					_t102 = _t170 + 0xa8; // 0x45d91c
					E00421CC0(_t169 + E0041A2C0(E00421CC0(_t169,  *_t98)) + 1,  *_t102);
				}
				return _t151;
			}

0x004255dc
0x004255e3
0x004255e5
0x004255e8
0x004255fa
0x004255fd
0x00425604
0x00425610
0x00425610
0x00425610
0x00425616
0x00425619
0x0042561c
0x00425623
0x00425630
0x00425633
0x00425638
0x0042563e
0x00425643
0x00425643
0x00425646
0x00425646
0x00425646
0x0042564c
0x00425652
0x00425657
0x0042565d
0x0042565f
0x00425664
0x0042566c
0x00425670
0x00425675
0x0042567f
0x00425684
0x004256a2
0x004256a4
0x004256a9
0x004256ba
0x004256ba
0x004256c1
0x004256c6
0x004256ca
0x004256cd
0x004256d0
0x004256d3
0x004256d6
0x004256d9
0x004256dc
0x004256f4
0x004256fb
0x00425707
0x0042570c
0x00425710
0x00425713
0x0042571a
0x0042571a
0x00425720
0x00425723
0x00425726
0x00425726
0x00425729
0x0042572c
0x00425738
0x0042573b
0x0042574c
0x00425753
0x00425762
0x00425767
0x0042576b
0x0042576f
0x00425772
0x00425772
0x00425775
0x00425779
0x00000000
0x00000000
0x00425735
0x00425735
0x0042577b
0x00425781
0x00425793
0x00425797
0x0042579d
0x004257af
0x004257b3
0x004257b9
0x004257cb
0x004257cf
0x004257d5
0x004257eb
0x004257f1
0x004257f8
0x004257fd
0x00425806

APIs

_strlen.LIBCMT ref: 004255F2
_strlen.LIBCMT ref: 004255FD
_strlen.LIBCMT ref: 00425629
_strlen.LIBCMT ref: 00425633
_strlen.LIBCMT ref: 00425652
_strlen.LIBCMT ref: 0042565F
_strlen.LIBCMT ref: 00425670
_strlen.LIBCMT ref: 0042567F
_strlen.LIBCMT ref: 0042568E
_strcat.LIBCMT ref: 004256E6
_strlen.LIBCMT ref: 004256EC
_strcat.LIBCMT ref: 00425701
_strlen.LIBCMT ref: 00425707
_strcat.LIBCMT ref: 00425741
_strlen.LIBCMT ref: 00425747
_strcat.LIBCMT ref: 0042575C
_strlen.LIBCMT ref: 00425762
_strcat.LIBCMT ref: 00425788
_strlen.LIBCMT ref: 0042578E
_strcat.LIBCMT ref: 004257A4
_strlen.LIBCMT ref: 004257AA
_strcat.LIBCMT ref: 004257C0
_strlen.LIBCMT ref: 004257C6
_strcat.LIBCMT ref: 004257DC
_strlen.LIBCMT ref: 004257E2
_strcat.LIBCMT ref: 004257F8

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: _strlen$_strcat
String ID:
API String ID: 1497175149-0
Opcode ID: 78eac6da2b45a6b404cf464f687b79bb8168e5f9446ea683aebb997eef74dfce
Instruction ID: cb75d5def161fe6c383dfbf8beea332d41ef0a8b038c2de46e16753c7809acee
Opcode Fuzzy Hash: 78eac6da2b45a6b404cf464f687b79bb8168e5f9446ea683aebb997eef74dfce
Instruction Fuzzy Hash: 3E61D079900304FFCB11EFA5C845ADEB7B9FF45328F40449AE80467216CB3ABA65CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0044D7EE, Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 167
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0044D7EE(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _v8;
				char _v24;
				void* _v28;
				void* _v32;
				int _v36;
				int _v40;
				signed short _v44;
				int _v52;
				int _v56;
				int _v60;
				int _v64;
				intOrPtr _t42;
				struct HINSTANCE__* _t43;
				_Unknown_base(*)()* _t44;
				struct HINSTANCE__* _t46;
				void* _t47;
				signed int _t50;
				signed short _t65;
				signed int _t66;
				int _t70;
				signed short _t71;
				signed int _t72;
				signed short _t78;
				signed int _t79;
				char* _t85;
				int _t87;
				signed int _t95;
				signed int _t99;
				int _t100;
				int _t101;
				void* _t105;
				void* _t109;

				_t42 =  *0x4789bc; // 0x47818ee5
				_t85 = 0;
				_v8 = _t42;
				_v28 = 0;
				_t43 = GetModuleHandleA("kernel32.dll");
				_v36 = _t43;
				_t44 = GetProcAddress(_t43, "GetUserDefaultUILanguage");
				if(_t44 == 0) {
					if(GetVersion() >= 0) {
						_t46 = GetModuleHandleA("ntdll.dll");
						if(_t46 == 0) {
							L13:
							 *((intOrPtr*)(_t109 + 0xffffffffffffffc4)) = 0x800;
							_t105 = 1;
							_t99 = 0;
							if(1 <= _t85) {
								L16:
								_t47 = 0;
								L17:
								return E00419D9B(_t47, _v8);
							} else {
								goto L14;
							}
							while(1) {
								L14:
								_t47 = E0044D759(_t85, _t88, _t105, _a4,  *((intOrPtr*)(_t109 + _t99 * 4 - 0x3c)));
								_pop(_t88);
								if(_t47 != _t85) {
									goto L17;
								}
								_t99 =  &(1[_t99]);
								if(_t99 < _t105) {
									continue;
								}
								goto L16;
							}
							goto L17;
						}
						_t88 =  &_v28;
						_v28 = 0;
						EnumResourceLanguagesA(_t46, 0x10, 1, E0044D7D8,  &_v28);
						if(_v28 == 0) {
							goto L13;
						}
						_t50 = _v28 & 0x0000ffff;
						_t88 = _t50 & 0x000003ff;
						_t100 = _t50 & 0x3ff;
						_v64 = ConvertDefaultLocale(_t50 & 0x0000fc00 | _t100);
						_v60 = ConvertDefaultLocale(_t100);
						_push(2);
						L12:
						_pop(0);
						goto L13;
					}
					_v32 = 0;
					if(RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019,  &_v32) == 0) {
						_v36 = 0x10;
						if(RegQueryValueExA(_v32, 0, 0,  &_v40,  &_v24,  &_v36) == 0 && _v40 == 1 && E0041AB78(0, GetModuleHandleA, 0,  &_v24, "%x",  &_v44) == 1) {
							_t65 = _v44;
							_v28 = _t65;
							_t66 = _t65 & 0x0000ffff;
							_t88 = _t66 & 0x000003ff;
							_t101 = _t66 & 0x3ff;
							_v64 = ConvertDefaultLocale(_t66 & 0x0000fc00 | _t101);
							_t70 = ConvertDefaultLocale(_t101);
							_push(2);
							_v60 = _t70;
							_pop(0);
						}
						RegCloseKey(_v32);
					}
					goto L13;
				}
				_t71 =  *_t44();
				_v28 = _t71;
				_t72 = _t71 & 0x0000ffff;
				_t95 = _t72 & 0x3ff;
				_v32 = _t95;
				_v64 = ConvertDefaultLocale(_t72 & 0x0000fc00 | _t95);
				_v60 = ConvertDefaultLocale(_v32);
				_t78 =  *(GetProcAddress(_v36, "GetSystemDefaultUILanguage"))();
				_v28 = _t78;
				_t79 = _t78 & 0x0000ffff;
				_t88 = _t79 & 0x000003ff;
				_t87 = _t79 & 0x3ff;
				_v56 = ConvertDefaultLocale(_t79 & 0x0000fc00 | _t87);
				_v52 = ConvertDefaultLocale(_t87);
				_push(4);
				_t85 = 0;
				goto L12;
			}

0x0044d7f4
0x0044d802
0x0044d809
0x0044d80c
0x0044d811
0x0044d819
0x0044d81c
0x0044d824
0x0044d898
0x0044d945
0x0044d949
0x0044d993
0x0044d993
0x0044d99b
0x0044d99c
0x0044d9a0
0x0044d9b9
0x0044d9b9
0x0044d9bb
0x0044d9c7
0x00000000
0x00000000
0x00000000
0x0044d9a2
0x0044d9a2
0x0044d9a9
0x0044d9b1
0x0044d9b2
0x00000000
0x00000000
0x0044d9b4
0x0044d9b7
0x00000000
0x00000000
0x00000000
0x0044d9b7
0x00000000
0x0044d9a2
0x0044d94b
0x0044d959
0x0044d95c
0x0044d966
0x00000000
0x00000000
0x0044d968
0x0044d974
0x0044d97a
0x0044d988
0x0044d98d
0x0044d990
0x0044d992
0x0044d992
0x00000000
0x0044d992
0x0044d8b2
0x0044d8bd
0x0044d8d4
0x0044d8e3
0x0044d905
0x0044d90e
0x0044d911
0x0044d916
0x0044d91c
0x0044d92a
0x0044d92d
0x0044d92f
0x0044d931
0x0044d934
0x0044d934
0x0044d938
0x0044d938
0x00000000
0x0044d8bd
0x0044d826
0x0044d838
0x0044d83b
0x0044d842
0x0044d84a
0x0044d852
0x0044d85f
0x0044d868
0x0044d86a
0x0044d86d
0x0044d872
0x0044d874
0x0044d87f
0x0044d884
0x0044d887
0x0044d889
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0044D811
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 0044D81C
ConvertDefaultLocale.KERNEL32(?), ref: 0044D84D
ConvertDefaultLocale.KERNEL32(?), ref: 0044D855
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 0044D862
ConvertDefaultLocale.KERNEL32(?), ref: 0044D87C
ConvertDefaultLocale.KERNEL32(000003FF), ref: 0044D882
GetVersion.KERNEL32 ref: 0044D890
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 0044D8B5
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 0044D8DB
ConvertDefaultLocale.KERNEL32(?), ref: 0044D927
ConvertDefaultLocale.KERNEL32(75144DE0), ref: 0044D92D
RegCloseKey.ADVAPI32(?), ref: 0044D938

Strings

kernel32.dll, xrefs: 0044D804
Control Panel\Desktop\ResourceLocale, xrefs: 0044D8A8
GetSystemDefaultUILanguage, xrefs: 0044D857
ntdll.dll, xrefs: 0044D940
GetUserDefaultUILanguage, xrefs: 0044D813

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ConvertDefaultLocale$AddressProc$CloseHandleModuleOpenQueryValueVersion
String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 780041395-483790700
Opcode ID: 6b910cebc838d9d5c67e293c98c5040ea4decf8a0657a5c79aa85c9e0f4b8000
Instruction ID: 82e7fc0370013d025ca45bbe9d76fc255a0128a646972587bdb33a34b6b7b41e
Opcode Fuzzy Hash: 6b910cebc838d9d5c67e293c98c5040ea4decf8a0657a5c79aa85c9e0f4b8000
Instruction Fuzzy Hash: 9F5183B1E00219AFDF109FE5DC85ABEBBF8EB48315F10043BE905E3291D67C99448BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0044FE2B, Relevance: 35.4, APIs: 4, Strings: 16, Instructions: 429
windowregistryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0044FE2B(void* __ebx, void* __ecx, void* __edi) {
				void* __esi;
				intOrPtr* _t158;
				intOrPtr _t164;
				void* _t166;
				intOrPtr* _t183;
				void* _t187;
				char* _t200;
				char* _t203;
				char* _t213;
				char* _t216;
				char* _t221;
				intOrPtr _t225;
				char* _t228;
				char* _t231;
				char* _t234;
				char* _t242;
				char* _t245;
				intOrPtr _t248;
				char* _t253;
				intOrPtr* _t259;
				void* _t265;
				char* _t272;
				intOrPtr _t273;
				void* _t303;
				void* _t304;
				void* _t315;
				void* _t321;
				long _t359;
				intOrPtr _t360;
				char* _t362;
				void* _t363;
				void* _t364;
				void* _t365;
				intOrPtr _t367;
				intOrPtr _t368;
				struct HICON__* _t369;
				void* _t371;
				void* _t373;
				void* _t374;
				intOrPtr _t377;

				E00419918(E00454216, _t371);
				_t374 = _t373 - 0x38;
				_t365 = __ecx;
				 *(_t371 - 0x2c) =  *((intOrPtr*)( *((intOrPtr*)(E00436C1F())) + 0xc))() + 0x10;
				 *(_t371 - 4) =  *(_t371 - 4) & 0x00000000;
				_t158 = E00436C1F();
				_t354 =  *_t158;
				 *((intOrPtr*)(_t371 - 0x14)) =  *((intOrPtr*)( *_t158 + 0xc))(_t364) + 0x10;
				 *(_t371 - 4) = 1;
				E0043A64B(_t365,  *(E0044D589() + 8), _t371 - 0x2c);
				_t164 =  *((intOrPtr*)(_t365 + 8));
				 *((intOrPtr*)(_t371 - 0x3c)) = _t164;
				 *(_t371 - 0x30) = 1;
				if(_t164 == 0) {
					L46:
					E004011BA( *((intOrPtr*)(_t371 - 0x14)) + 0xfffffff0, _t354);
					_t166 = E004011BA( &(( *(_t371 - 0x2c))[0xfffffffffffffff0]), _t354);
					 *[fs:0x0] =  *((intOrPtr*)(_t371 - 0xc));
					return _t166;
				} else {
					_t367 = _t365 + 4;
					_t377 = _t367;
					 *((intOrPtr*)(_t371 - 0x40)) = _t367;
					do {
						_t359 =  *(E00412D0E(_t371 - 0x3c));
						 *(_t371 - 0x44) = _t359;
						E004143D4(_t371 - 0x24, _t377, _t371 - 0x2c);
						 *(_t371 - 4) = 2;
						E004143D4(_t371 - 0x28, _t377, _t371 - 0x2c);
						 *(_t371 - 4) = 3;
						E004143D4(_t371 - 0x20, _t377, _t371 - 0x2c);
						 *(_t371 - 4) = 4;
						E004143D4(_t371 - 0x38, _t377, _t371 - 0x2c);
						_t272 =  *(_t371 + 8);
						 *(_t371 - 4) = 5;
						if(_t272 != 0) {
							_t259 = E00436C1F();
							_t357 =  *_t259;
							 *(_t371 - 0x34) =  *((intOrPtr*)( *_t259 + 0xc))() + 0x10;
							 *(_t371 - 4) = 6;
							_t369 = ExtractIconA( *(E0044D589() + 8),  *(_t371 - 0x2c),  *(_t371 - 0x30));
							_t265 = _t371 - 0x34;
							if(_t369 == 0) {
								E0044FB2C(_t265, ",%d", 0);
								_t374 = _t374 + 0xc;
							} else {
								E0044FB2C(_t265, ",%d",  *(_t371 - 0x30));
								_t374 = _t374 + 0xc;
								DestroyIcon(_t369);
							}
							_t370 =  *(_t371 - 0x34);
							E00412A8E(_t371 - 0x38,  *(_t371 - 0x34),  *((intOrPtr*)( *(_t371 - 0x34) - 0xc)));
							 *(_t371 - 4) = 5;
							E004011BA(_t370 - 0x10, _t357);
						}
						 *(_t371 - 0x18) =  *((intOrPtr*)( *((intOrPtr*)(E00436C1F())) + 0xc))() + 0x10;
						 *(_t371 - 4) = 7;
						 *((intOrPtr*)(_t371 - 0x10)) =  *((intOrPtr*)( *((intOrPtr*)(E00436C1F())) + 0xc))() + 0x10;
						 *(_t371 - 4) = 8;
						_t183 = E00436C1F();
						_t354 =  *_t183;
						 *((intOrPtr*)(_t371 - 0x1c)) =  *((intOrPtr*)( *_t183 + 0xc))() + 0x10;
						 *(_t371 - 4) = 9;
						_t187 =  *((intOrPtr*)( *_t359 + 0x64))(_t371 - 0x10, 5);
						_t368 =  *((intOrPtr*)(_t371 - 0x38));
						if(_t187 == 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t371 - 0x10)) - 0xc)) == 0) {
							_t360 =  *((intOrPtr*)(_t371 - 0x24));
							_t273 =  *((intOrPtr*)(_t371 - 0x28));
							goto L42;
						} else {
							_push(6);
							_push(_t371 - 0x1c);
							if( *((intOrPtr*)( *_t359 + 0x64))() == 0) {
								E00417A22(_t272, _t371 - 0x1c, _t371, _t371 - 0x10);
							}
							if(E0044F6D3( *((intOrPtr*)(_t371 - 0x10)),  *((intOrPtr*)(_t371 - 0x1c)), 0) != 0) {
								__eflags = _t272;
								if(_t272 == 0) {
									L15:
									_t200 =  *((intOrPtr*)( *_t359 + 0x64))(_t371 - 0x14, 0);
									__eflags = _t200;
									if(_t200 == 0) {
										L19:
										_t362 = "ddeexec";
										_push(_t362);
										E0044FB2C(_t371 - 0x14, "%s\\shell\\open\\%s",  *((intOrPtr*)(_t371 - 0x10)));
										_t374 = _t374 + 0x10;
										_t203 = E0044F6D3( *((intOrPtr*)(_t371 - 0x14)), "[open(\"%1\")]", 0);
										__eflags = _t203;
										if(_t203 == 0) {
											L23:
											E004011BA( *((intOrPtr*)(_t371 - 0x1c)) + 0xfffffff0, _t354);
											E004011BA( *((intOrPtr*)(_t371 - 0x10)) + 0xfffffff0, _t354);
											__eflags =  &(( *(_t371 - 0x18))[0xfffffffffffffff0]);
											E004011BA( &(( *(_t371 - 0x18))[0xfffffffffffffff0]), _t354);
											_t315 = _t368 - 0x10;
											goto L24;
										}
										__eflags = _t272;
										if(_t272 == 0) {
											_push(" \"%1\"");
											_t321 = _t371 - 0x24;
											L28:
											E0044C79F(_t321);
											L29:
											_push("command");
											E0044FB2C(_t371 - 0x14, "%s\\shell\\open\\%s",  *((intOrPtr*)(_t371 - 0x10)));
											_t360 =  *((intOrPtr*)(_t371 - 0x24));
											_t374 = _t374 + 0x10;
											_t213 = E0044F6D3( *((intOrPtr*)(_t371 - 0x14)), _t360, 0);
											__eflags = _t213;
											if(_t213 != 0) {
												__eflags = _t272;
												_t273 =  *((intOrPtr*)(_t371 - 0x28));
												if(_t272 == 0) {
													L34:
													_t354 = _t371 - 0x18;
													 *((intOrPtr*)( *( *(_t371 - 0x44)) + 0x64))(_t371 - 0x18, 4);
													_t216 =  *(_t371 - 0x18);
													__eflags =  *(_t216 - 0xc);
													if( *(_t216 - 0xc) == 0) {
														L42:
														E004011BA( *((intOrPtr*)(_t371 - 0x1c)) + 0xfffffff0, _t354);
														E004011BA( *((intOrPtr*)(_t371 - 0x10)) + 0xfffffff0, _t354);
														E004011BA( &(( *(_t371 - 0x18))[0xfffffffffffffff0]), _t354);
														E004011BA(_t368 - 0x10, _t354);
														__eflags =  *((intOrPtr*)(_t371 - 0x20)) + 0xfffffff0;
														E004011BA( *((intOrPtr*)(_t371 - 0x20)) + 0xfffffff0, _t354);
														_t303 = _t273 - 0x10;
														L43:
														E004011BA(_t303, _t354);
														_t304 = _t360 - 0x10;
														goto L44;
													}
													 *(_t371 - 0x34) = _t216;
													 *(_t371 - 0x44) = 0x208;
													 *(_t371 - 0x34) = RegQueryValueA(0x80000000,  *(_t371 - 0x34), E004124D6(_t371 - 0x14, 0x208), _t371 - 0x44);
													E00413996(_t371 - 0x14, 0xffffffff);
													__eflags =  *(_t371 - 0x34);
													if( *(_t371 - 0x34) != 0) {
														L38:
														_t221 = E0044F6D3( *(_t371 - 0x18),  *((intOrPtr*)(_t371 - 0x10)), 0);
														__eflags = _t221;
														if(_t221 != 0) {
															__eflags =  *(_t371 + 8);
															if( *(_t371 + 8) != 0) {
																E0044FB2C(_t371 - 0x14, "%s\\ShellNew",  *(_t371 - 0x18));
																_t374 = _t374 + 0xc;
																E0044F6D3( *((intOrPtr*)(_t371 - 0x14)), 0x457dac, "NullFile");
															}
														}
														goto L42;
													}
													_t225 =  *((intOrPtr*)(_t371 - 0x14));
													__eflags =  *(_t225 - 0xc);
													if( *(_t225 - 0xc) == 0) {
														goto L38;
													}
													_t228 = E0044F8A8(_t371 - 0x14, _t371 - 0x10);
													__eflags = _t228;
													if(_t228 == 0) {
														goto L42;
													}
													goto L38;
												}
												_push("command");
												E0044FB2C(_t371 - 0x14, "%s\\shell\\print\\%s",  *((intOrPtr*)(_t371 - 0x10)));
												_t374 = _t374 + 0x10;
												_t231 = E0044F6D3( *((intOrPtr*)(_t371 - 0x14)), _t273, 0);
												__eflags = _t231;
												if(_t231 == 0) {
													goto L42;
												}
												_push("command");
												E0044FB2C(_t371 - 0x14, "%s\\shell\\printto\\%s",  *((intOrPtr*)(_t371 - 0x10)));
												_t374 = _t374 + 0x10;
												_t234 = E0044F6D3( *((intOrPtr*)(_t371 - 0x14)),  *((intOrPtr*)(_t371 - 0x20)), 0);
												__eflags = _t234;
												if(_t234 == 0) {
													goto L42;
												}
												goto L34;
											}
											E004011BA( *((intOrPtr*)(_t371 - 0x1c)) + 0xfffffff0, _t354);
											E004011BA( *((intOrPtr*)(_t371 - 0x10)) + 0xfffffff0, _t354);
											E004011BA( &(( *(_t371 - 0x18))[0xfffffffffffffff0]), _t354);
											E004011BA(_t368 - 0x10, _t354);
											E004011BA( *((intOrPtr*)(_t371 - 0x20)) + 0xfffffff0, _t354);
											_t303 =  *((intOrPtr*)(_t371 - 0x28)) + 0xfffffff0;
											goto L43;
										}
										_push(_t362);
										E0044FB2C(_t371 - 0x14, "%s\\shell\\print\\%s",  *((intOrPtr*)(_t371 - 0x10)));
										_t374 = _t374 + 0x10;
										_t242 = E0044F6D3( *((intOrPtr*)(_t371 - 0x14)), "[print(\"%1\")]", 0);
										__eflags = _t242;
										if(_t242 == 0) {
											goto L23;
										}
										_push(_t362);
										E0044FB2C(_t371 - 0x14, "%s\\shell\\printto\\%s",  *((intOrPtr*)(_t371 - 0x10)));
										_t374 = _t374 + 0x10;
										_t245 = E0044F6D3( *((intOrPtr*)(_t371 - 0x14)), "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]", 0);
										__eflags = _t245;
										if(_t245 != 0) {
											_t363 = " /dde";
											E0044C79F(_t371 - 0x24, _t363);
											E0044C79F(_t371 - 0x28, _t363);
											_push(_t363);
											L26:
											_t321 = _t371 - 0x20;
											goto L28;
										}
										goto L23;
									}
									_t248 =  *((intOrPtr*)(_t371 - 0x14));
									__eflags =  *(_t248 - 0xc);
									if( *(_t248 - 0xc) == 0) {
										goto L19;
									}
									E0044C79F(_t371 - 0x24, " \"%1\"");
									__eflags = _t272;
									if(_t272 == 0) {
										goto L29;
									}
									E0044C79F(_t371 - 0x28, " /p \"%1\"");
									_push(" /pt \"%1\" \"%2\" \"%3\" \"%4\"");
									goto L26;
								}
								E0044FB2C(_t371 - 0x14, "%s\\DefaultIcon",  *((intOrPtr*)(_t371 - 0x10)));
								_t374 = _t374 + 0xc;
								_t253 = E0044F6D3( *((intOrPtr*)(_t371 - 0x14)), _t368, 0);
								__eflags = _t253;
								if(_t253 == 0) {
									goto L23;
								}
								goto L15;
							} else {
								E004011BA( *((intOrPtr*)(_t371 - 0x1c)) + 0xfffffff0, _t354);
								E004011BA( *((intOrPtr*)(_t371 - 0x10)) + 0xfffffff0, _t354);
								E004011BA( &(( *(_t371 - 0x18))[0xfffffffffffffff0]), _t354);
								_t315 =  *((intOrPtr*)(_t371 - 0x38)) + 0xfffffff0;
								L24:
								E004011BA(_t315, _t354);
								E004011BA( *((intOrPtr*)(_t371 - 0x20)) + 0xfffffff0, _t354);
								E004011BA( *((intOrPtr*)(_t371 - 0x28)) + 0xfffffff0, _t354);
								_t304 =  *((intOrPtr*)(_t371 - 0x24)) + 0xfffffff0;
								goto L44;
							}
						}
						L44:
						 *(_t371 - 4) = 1;
						E004011BA(_t304, _t354);
						 *(_t371 - 0x30) =  *(_t371 - 0x30) + 1;
					} while ( *((intOrPtr*)(_t371 - 0x3c)) != 0);
					goto L46;
				}
			}

0x0044fe30
0x0044fe35
0x0044fe39
0x0044fe4a
0x0044fe4d
0x0044fe51
0x0044fe56
0x0044fe60
0x0044fe63
0x0044fe74
0x0044fe79
0x0044fe7e
0x0044fe81
0x0044fe88
0x0045036a
0x00450370
0x0045037b
0x00450384
0x0045038c
0x0044fe8e
0x0044fe8e
0x0044fe8e
0x0044fe92
0x0044fe96
0x0044fea2
0x0044feab
0x0044feae
0x0044feba
0x0044febe
0x0044feca
0x0044fece
0x0044feda
0x0044fede
0x0044fee3
0x0044fee8
0x0044feec
0x0044feee
0x0044fef3
0x0044fefd
0x0044ff00
0x0044ff19
0x0044ff1d
0x0044ff20
0x0044ff44
0x0044ff49
0x0044ff22
0x0044ff2b
0x0044ff30
0x0044ff34
0x0044ff34
0x0044ff4c
0x0044ff56
0x0044ff5e
0x0044ff62
0x0044ff62
0x0044ff76
0x0044ff79
0x0044ff8c
0x0044ff8f
0x0044ff93
0x0044ff98
0x0044ffa2
0x0044ffaf
0x0044ffb3
0x0044ffb8
0x0044ffbb
0x0045030d
0x00450310
0x00000000
0x0044ffce
0x0044ffd0
0x0044ffd5
0x0044ffdd
0x0044ffe6
0x0044ffe6
0x0044fffa
0x00450028
0x0045002a
0x00450053
0x0045005d
0x00450060
0x00450062
0x00450099
0x00450099
0x0045009e
0x004500ab
0x004500b0
0x004500bd
0x004500c2
0x004500c4
0x0045011e
0x00450124
0x0045012f
0x00450137
0x0045013a
0x0045013f
0x00000000
0x0045013f
0x004500c6
0x004500c8
0x00450185
0x0045018a
0x0045018d
0x0045018d
0x00450192
0x00450192
0x004501a3
0x004501a8
0x004501ab
0x004501b4
0x004501b9
0x004501bb
0x004501fc
0x004501fe
0x00450201
0x0045025d
0x00450264
0x00450268
0x0045026b
0x0045026e
0x00450272
0x00450313
0x00450319
0x00450324
0x0045032f
0x00450337
0x0045033f
0x00450342
0x00450347
0x0045034a
0x0045034a
0x0045034f
0x00000000
0x0045034f
0x00450278
0x00450284
0x004502a4
0x004502a7
0x004502ac
0x004502b0
0x004502ce
0x004502d6
0x004502db
0x004502dd
0x004502df
0x004502e3
0x004502f1
0x004502f6
0x00450306
0x00450306
0x004502e3
0x00000000
0x004502dd
0x004502b2
0x004502b5
0x004502b9
0x00000000
0x00000000
0x004502c3
0x004502c8
0x004502cc
0x00000000
0x00000000
0x00000000
0x004502cc
0x00450203
0x00450214
0x00450219
0x00450222
0x00450227
0x00450229
0x00000000
0x00000000
0x0045022f
0x00450240
0x00450245
0x00450250
0x00450255
0x00450257
0x00000000
0x00000000
0x00000000
0x00450257
0x004501c3
0x004501ce
0x004501d9
0x004501e1
0x004501ec
0x004501f4
0x00000000
0x004501f4
0x004500ce
0x004500db
0x004500e0
0x004500ed
0x004500f2
0x004500f4
0x00000000
0x00000000
0x004500f6
0x00450103
0x00450108
0x00450115
0x0045011a
0x0045011c
0x00450168
0x00450171
0x0045017a
0x0045017f
0x00450180
0x00450180
0x00000000
0x00450180
0x00000000
0x0045011c
0x00450064
0x00450067
0x0045006b
0x00000000
0x00000000
0x00450075
0x0045007a
0x0045007c
0x00000000
0x00000000
0x0045008a
0x0045008f
0x00000000
0x0045008f
0x00450038
0x0045003d
0x00450046
0x0045004b
0x0045004d
0x00000000
0x00000000
0x00000000
0x0044fffc
0x00450002
0x0045000d
0x00450018
0x00450020
0x00450142
0x00450142
0x0045014d
0x00450158
0x00450160
0x00000000
0x00450160
0x0044fffa
0x00450352
0x00450352
0x00450356
0x0045035b
0x0045035e
0x00000000
0x00450369

APIs

__EH_prolog.LIBCMT ref: 0044FE30

Part of subcall function 0043A64B: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0043A66D
Part of subcall function 0043A64B: GetShortPathNameA.KERNEL32 ref: 0043A685

ExtractIconA.SHELL32(?,?,00000001), ref: 0044FF13
DestroyIcon.USER32(00000000), ref: 0044FF34

Part of subcall function 0044F6D3: lstrlenA.KERNEL32(?), ref: 0044F6DF
Part of subcall function 0044F6D3: RegSetValueA.ADVAPI32(80000000,?,00000001,?,00000000), ref: 0044F6F3

RegQueryValueA.ADVAPI32(80000000,?,00000000,00000208), ref: 00450299

Part of subcall function 0044F6D3: RegCreateKeyA.ADVAPI32(80000000,?,?), ref: 0044F70D
Part of subcall function 0044F6D3: lstrlenA.KERNEL32(?), ref: 0044F71A
Part of subcall function 0044F6D3: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,?,00000001), ref: 0044F72F
Part of subcall function 0044F6D3: RegCloseKey.ADVAPI32(?), ref: 0044F73A

Strings

%s\ShellNew, xrefs: 004502EB
[print("%1")], xrefs: 004500E5
%s\shell\printto\%s, xrefs: 004500FD, 0045023A
/pt "%1" "%2" "%3" "%4", xrefs: 0045008F
[printto("%1","%2","%3","%4")], xrefs: 0045010D
command, xrefs: 00450192, 00450203, 0045022F
"%1", xrefs: 0045006D, 00450185
[open("%1")], xrefs: 004500B5
%s\DefaultIcon, xrefs: 00450032
%s\shell\print\%s, xrefs: 004500D5, 0045020E
/p "%1", xrefs: 00450082
NullFile, xrefs: 004502F9
/dde, xrefs: 00450168, 0045016D, 00450176, 0045017F
%s\shell\open\%s, xrefs: 004500A5, 0045019D
,%d, xrefs: 0044FF25, 0044FF3E
ddeexec, xrefs: 00450099, 0045009E, 004500CE, 004500F6

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Value$IconNamelstrlen$CloseCreateDestroyExtractFileH_prologModulePathQueryShort
String ID: "%1"$ /dde$ /p "%1"$ /pt "%1" "%2" "%3" "%4"$%s\DefaultIcon$%s\ShellNew$%s\shell\open\%s$%s\shell\print\%s$%s\shell\printto\%s$,%d$NullFile$[open("%1")]$[print("%1")]$[printto("%1","%2","%3","%4")]$command$ddeexec
API String ID: 786781762-4043335175
Opcode ID: 942324d5f122441e3a9fa2a1b6ea3dbead0c643711e3af8eba8bee1a0c0d595e
Instruction ID: 6606e3a3e9fc8bf1c563b893878ada245ce4851fce26314b57698521d275cca7
Opcode Fuzzy Hash: 942324d5f122441e3a9fa2a1b6ea3dbead0c643711e3af8eba8bee1a0c0d595e
Instruction Fuzzy Hash: F4F19031900209ABDB14EBE5DC56FEEB775EF04319F14422AF911B72E2DB385908CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00434E1D, Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 167stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0044F02F: __EH_prolog.LIBCMT ref: 0044F034

CallNextHookEx.USER32 ref: 00434E52
GetClassLongA.USER32 ref: 00434E97
GlobalGetAtomNameA.KERNEL32(?,?,00000005), ref: 00434EC3
lstrcmpiA.KERNEL32(?,ime,?,?,Function_0004C800), ref: 00434ED2
SetWindowLongA.USER32 ref: 00434F0C
CallNextHookEx.USER32 ref: 00435010
UnhookWindowsHookEx.USER32(?), ref: 00435021

Strings

AfxOldWndProc423, xrefs: 00434FC7, 00434FCC, 00434FD9, 00434FE3, 00434FEE
ime, xrefs: 00434ECC
#32768, xrefs: 00434F4D, 00434F52, 00434F9E

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Hook$CallLongNext$AtomClassGlobalH_prologNameUnhookWindowWindowslstrcmpi
String ID: #32768$AfxOldWndProc423$ime
API String ID: 3204395069-4034971020
Opcode ID: 5cdde7d71113afa8dad29cd9178dfbb437c68f33628eb6adc5adda42ee59bf0f
Instruction ID: 04c338b00dbe23e70856017f5550d94cab5149a2a54fc5ed05cc8cf8f952ab21
Opcode Fuzzy Hash: 5cdde7d71113afa8dad29cd9178dfbb437c68f33628eb6adc5adda42ee59bf0f
Instruction Fuzzy Hash: 4451C271900614ABCF10AF50DC48BEA3BB5EF08366F159166F918972A1D739DE40CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00438A29, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 99stringCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00438A3F
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00438A5C
MulDiv.KERNEL32(?,00000000), ref: 00438A68
lstrcpynA.KERNEL32(?,?,00000020), ref: 00438A87
CreateFontIndirectA.GDI32(?), ref: 00438A91
SelectObject.GDI32(00000000,00000000), ref: 00438AA6
GetTextMetricsA.GDI32(00000000,?), ref: 00438AB3
GetTextExtentPoint32A.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,?), ref: 00438AD1
SelectObject.GDI32(00000000,?), ref: 00438AEA
DeleteObject.GDI32(?), ref: 00438AEF
GetDialogBaseUnits.USER32 ref: 00438B00
GetDialogBaseUnits.USER32 ref: 00438B05
ReleaseDC.USER32 ref: 00438B0F
MulDiv.KERNEL32(?,?,00000004), ref: 00438B1B
MulDiv.KERNEL32(?,00000000,00000008), ref: 00438B2C

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00438ACB

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Object$BaseDialogSelectTextUnits$CapsCreateDeleteDeviceExtentFontIndirectMetricsPoint32Releaselstrcpyn
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 3852259643-222967699
Opcode ID: 7a6c97618d9ca0b9e586f1911e35b0138ee0c2eaf06f1180d3b7c5f65dc8c5cd
Instruction ID: abdb32216791cd6410cd44fdbbba9d954b5523de830bfe6ea2fdfafa5f4ad5bb
Opcode Fuzzy Hash: 7a6c97618d9ca0b9e586f1911e35b0138ee0c2eaf06f1180d3b7c5f65dc8c5cd
Instruction Fuzzy Hash: 15313EB1900718AFDB109FA4DC59FAE7BB9FF48716F004425FA05E7192DA74E900CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00412D88, Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(USER32,?,?,?,00412ED2), ref: 00412DB1
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 00412DCD
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00412DDE
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00412DEF
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 00412E00
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 00412E11
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00412E22
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 00412E33

Strings

GetSystemMetrics, xrefs: 00412DC7
EnumDisplayDevicesA, xrefs: 00412E2D
MonitorFromRect, xrefs: 00412DE9
MonitorFromWindow, xrefs: 00412DD8
EnumDisplayMonitors, xrefs: 00412E0B
GetMonitorInfoA, xrefs: 00412E1C
USER32, xrefs: 00412DA7
MonitorFromPoint, xrefs: 00412DFA

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-68207542
Opcode ID: 5d95698d711f4ce314934613e368d75e1a952b9166006762c9e0b215dffd3a85
Instruction ID: c662cc1401f9ea76623b90970a22a169da1b198d03bcc97975755aeb2bcca249
Opcode Fuzzy Hash: 5d95698d711f4ce314934613e368d75e1a952b9166006762c9e0b215dffd3a85
Instruction Fuzzy Hash: 43216D71A407949A87119F75ADC067ABAE0F74C7467A4443FE80CE2270D7B844C5CF9C

Uniqueness

Uniqueness Score: -1.00%

Function 0043CFA7, Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 252windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043CFAC
CreateCompatibleDC.GDI32(00000000), ref: 0043D004
CreateCompatibleDC.GDI32(00000000), ref: 0043D018
CreateCompatibleDC.GDI32(00000000), ref: 0043D02C
GetObjectA.GDI32(00000004,00000018,?), ref: 0043D04B

Part of subcall function 004142C8: CreateBitmap.GDI32(?,?,?,?,?), ref: 004142DD

CreateBitmap.GDI32(00000008,00000008,00000001,00000001,0045742C), ref: 0043D096

Part of subcall function 004142A7: CreatePatternBrush.GDI32(?), ref: 004142B6

Part of subcall function 0043C4E1: DeleteObject.GDI32(00000000), ref: 0043C4F0

CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0043D0BE

Part of subcall function 0043C545: SelectObject.GDI32(?,?), ref: 0043C54D

GetPixel.GDI32(?,00000000,00000000), ref: 0043D0FE

Part of subcall function 0043B57D: SetBkColor.GDI32(?,7378A410), ref: 0043B597
Part of subcall function 0043B57D: SetBkColor.GDI32(?,7378A410), ref: 0043B5A5

BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0043D12A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00EE0086), ref: 0043D14E
FillRect.USER32 ref: 0043D1B2
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0043D1E2
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,008800C6), ref: 0043D1F9
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0043D20C

Strings

hoE, xrefs: 0043D239

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Create$BitmapCompatibleObject$Color$BrushDeleteFillH_prologPatternPixelRectSelect
String ID: hoE
API String ID: 389627645-1565950461
Opcode ID: 0455afdb3a4af36fbea09df85f64318f41e169593f4745fb02d73314cc687523
Instruction ID: d12b53beaae28db31b44cd612a9cc323c89a1feea20d10ac01c6b69663cfadc8
Opcode Fuzzy Hash: 0455afdb3a4af36fbea09df85f64318f41e169593f4745fb02d73314cc687523
Instruction Fuzzy Hash: 4AA1E2B1D00218AEDF11AFA6DC85DEEBBB9FF08348F10802AF515A2162DB359D15DF64

Uniqueness

Uniqueness Score: -1.00%

Function 00432E69, Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 174windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00435E61: GetWindowLongA.USER32 ref: 00435E6C

GetParent.USER32(?), ref: 00432E94
SendMessageA.USER32 ref: 00432EB7
GetWindowRect.USER32 ref: 00432ED0
GetWindowLongA.USER32 ref: 00432EE3
CopyRect.USER32 ref: 00432F30
CopyRect.USER32 ref: 00432F3A
GetWindowRect.USER32 ref: 00432F43
CopyRect.USER32 ref: 00432F5F

Strings

(, xrefs: 00432EFB
@, xrefs: 00432ED2

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: ($@
API String ID: 808654186-1311469180
Opcode ID: b82890d851b8e2da6a6fbaaebbc6452024d8fc3d2a56ed72e8a46de3ae787ebf
Instruction ID: 156d11904469ca472d1bff8b67a00e482418959c8120b2b7afc05ebe5806b83b
Opcode Fuzzy Hash: b82890d851b8e2da6a6fbaaebbc6452024d8fc3d2a56ed72e8a46de3ae787ebf
Instruction Fuzzy Hash: CF519272900619AFCB10DBA8CD85EEFBBB9AF4C314F155116F501F3281DB74E9059B68

Uniqueness

Uniqueness Score: -1.00%

Function 0041F6A6, Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 115fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 0041F727
_strcat.LIBCMT ref: 0041F73A
_strlen.LIBCMT ref: 0041F747
_strlen.LIBCMT ref: 0041F756
_strncpy.LIBCMT ref: 0041F76D
_strlen.LIBCMT ref: 0041F776
_strlen.LIBCMT ref: 0041F783
_strcat.LIBCMT ref: 0041F7A1
_strlen.LIBCMT ref: 0041F7E9
GetStdHandle.KERNEL32(000000F4,0045CDE8,00000000,?,00000000,00000000,00000000,00000000), ref: 0041F7F4
WriteFile.KERNEL32(00000000), ref: 0041F7FB

Strings

Microsoft Visual C++ Runtime Library, xrefs: 0041F7C9
..., xrefs: 0041F767
<program name unknown>, xrefs: 0041F734
Runtime Error!Program: , xrefs: 0041F79B

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: _strlen$File_strcat$HandleModuleNameWrite_strncpy
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3601721357-4022980321
Opcode ID: 939f8de6d6e72a824d5f0d55c1893107b7837ee78243a8b86d8d4cbeb4b97691
Instruction ID: 05af4fad23ae658f53e644d571ec695a43406aa5ca7b43e0cd7d4eb8a82dd95a
Opcode Fuzzy Hash: 939f8de6d6e72a824d5f0d55c1893107b7837ee78243a8b86d8d4cbeb4b97691
Instruction Fuzzy Hash: C4312C726402046BD724BB759C86FEF3769EB44324F20042FF915D3292DA3DA899875C

Uniqueness

Uniqueness Score: -1.00%

Function 004478E1, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 233windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004478E6

Part of subcall function 00417B4F: CreateRectRgnIndirect.GDI32(00000000), ref: 00417B56

CopyRect.USER32 ref: 00447925
InflateRect.USER32(?,?,?), ref: 0044793B
IntersectRect.USER32 ref: 00447949
CreateRectRgnIndirect.GDI32(?), ref: 00447953
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00447966

Part of subcall function 00417B83: CombineRgn.GDI32(?,?,?,00000003), ref: 00417BA6

CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 004479C2
CopyRect.USER32 ref: 004479DF
InflateRect.USER32(?,?,?), ref: 004479F5
IntersectRect.USER32 ref: 00447A03
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00447A39

Part of subcall function 00447842: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,MXD), ref: 00447886
Part of subcall function 00447842: CreatePatternBrush.GDI32(00000000), ref: 00447893
Part of subcall function 00447842: DeleteObject.GDI32(00000000), ref: 0044789F

PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 00447AAE

Part of subcall function 0043C5DE: SelectObject.GDI32(?,00000000), ref: 0043C600
Part of subcall function 0043C5DE: SelectObject.GDI32(?,00000004), ref: 0043C616

PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 00447B01

Strings

hoE, xrefs: 00447B1A

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Rect$Create$Object$CopyIndirectInflateIntersectSelect$BitmapBrushCombineDeleteH_prologPattern
String ID: hoE
API String ID: 897514543-1565950461
Opcode ID: fad595cbf874af288846ad99be0ab83881625e2c44da7a337406f9e8e0453a42
Instruction ID: d797a0faafa0ee908359e509ee31b665bc817e805a7a0b46762df096e07bfb37
Opcode Fuzzy Hash: fad595cbf874af288846ad99be0ab83881625e2c44da7a337406f9e8e0453a42
Instruction Fuzzy Hash: B091D4B190020DAFCF01EFA5D9959EEBBB9FF18304F10411AF506B2251DB39AE05CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004408D9, Relevance: 24.2, APIs: 16, Instructions: 181windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000201,00000201,00000001), ref: 00440966
SendMessageA.USER32 ref: 00440986
ReleaseCapture.USER32 ref: 004409C1
GetMessageA.USER32 ref: 004409D0
PeekMessageA.USER32(?,00000000,?,?,00000001), ref: 004409E4
DispatchMessageA.USER32 ref: 00440A17

Part of subcall function 004405DA: ScreenToClient.USER32 ref: 004405E7
Part of subcall function 004405DA: SendMessageA.USER32 ref: 00440603
Part of subcall function 004405DA: ClientToScreen.USER32(?,?), ref: 00440610
Part of subcall function 004405DA: GetWindowLongA.USER32 ref: 00440619
Part of subcall function 004405DA: GetParent.USER32(?), ref: 00440627

PeekMessageA.USER32(?,00000000,?,?,00000001), ref: 00440A08
GetCapture.USER32 ref: 00440A22
ReleaseCapture.USER32 ref: 00440A34
PeekMessageA.USER32(?,00000000,00000200,00000209,00000003), ref: 00440A4B
PeekMessageA.USER32(?,00000000,?,?,00000000), ref: 00440A59
GetMessageA.USER32 ref: 00440A66
TranslateMessage.USER32(?), ref: 00440A7D
DispatchMessageA.USER32 ref: 00440A9C
GetCursorPos.USER32(?), ref: 00440AA6
PeekMessageA.USER32(?,00000000,?,?,00000001), ref: 00440ACA

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Message$Peek$Capture$ClientDispatchReleaseScreenSend$CursorLongParentTranslateWindow
String ID:
API String ID: 1710791347-0
Opcode ID: 795e70119724999315d44a23b4c37cb6843bed09b74b9cfe5e4ba5c530c80004
Instruction ID: d441850eea8e3e2f6b7d74ab23434fa270696b8da893454e3a25ce14a6477f91
Opcode Fuzzy Hash: 795e70119724999315d44a23b4c37cb6843bed09b74b9cfe5e4ba5c530c80004
Instruction Fuzzy Hash: 27518170200B04BFFB209B55CC98EBF77BDEB45701F10482AF646E6292D678DD518B69

Uniqueness

Uniqueness Score: -1.00%

Function 0044936E, Relevance: 24.2, APIs: 16, Instructions: 178windowCOMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32 ref: 004493C4
GetDlgItem.USER32 ref: 0044945A
ShowWindow.USER32(00000000,00000000), ref: 00449462
GetMenu.USER32(?), ref: 0044946B
InvalidateRect.USER32(?,00000000,00000001), ref: 0044947E
SetMenu.USER32(?,00000000), ref: 00449488
GetDlgItem.USER32 ref: 004494B7
SetWindowLongA.USER32 ref: 004494CF
GetDlgItem.USER32 ref: 004494EE
GetDlgItem.USER32 ref: 00449501
SetWindowLongA.USER32 ref: 0044950F
SetWindowLongA.USER32 ref: 0044951C
InvalidateRect.USER32(?,00000000,00000001), ref: 0044952F
SetMenu.USER32(?,00000000), ref: 0044953B
GetDlgItem.USER32 ref: 0044956B
ShowWindow.USER32(?,00000005), ref: 00449577

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ItemWindow$LongMenu$InvalidateRectShow$Ctrl
String ID:
API String ID: 461998371-0
Opcode ID: 2c7696c0541f3139354534915a2e95358a36cc92d6046c8600301a565d7ad734
Instruction ID: 482171b699f72708907a630518d38d0c9c5b93df0630ad1482439d3971dcf4bc
Opcode Fuzzy Hash: 2c7696c0541f3139354534915a2e95358a36cc92d6046c8600301a565d7ad734
Instruction Fuzzy Hash: B9616870204701EFEB209F64DC88A2BBBE5FF48305F144A2EF556962A1DB38EC55DB19

Uniqueness

Uniqueness Score: -1.00%

Function 00401C7A, Relevance: 24.1, APIs: 16, Instructions: 128COMMON

Download Yara Rule

APIs

CallWindowProcA.USER32 ref: 00401C9A
CallWindowProcA.USER32 ref: 00401CA1
CallWindowProcA.USER32 ref: 00401CA8
CallWindowProcA.USER32 ref: 00401CAF
CallWindowProcA.USER32 ref: 00401CB6
CallWindowProcA.USER32 ref: 00401CBD
CallWindowProcA.USER32 ref: 00401CC4
CallWindowProcA.USER32 ref: 00401CCB
CallWindowProcA.USER32 ref: 00401CD2
CallWindowProcA.USER32 ref: 00401CD9
CallWindowProcA.USER32 ref: 00401CE0
CallWindowProcA.USER32 ref: 00401CE7
CallWindowProcA.USER32 ref: 00401CEE
CallWindowProcA.USER32 ref: 00401CF5
CallWindowProcA.USER32 ref: 00401CFC
CallWindowProcA.USER32 ref: 00401D03

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 03f8262770729f059899c0ffdf7b09b31668fedc707cedca52dd3fe3c2d1ff3a
Instruction ID: 9ac8df9b581aef376a830b8349e5af841db8db295ae9e18f4eb8a03f69a4eb8c
Opcode Fuzzy Hash: 03f8262770729f059899c0ffdf7b09b31668fedc707cedca52dd3fe3c2d1ff3a
Instruction Fuzzy Hash: F801CC315069ACBA8B22BB66CC48CDF7BADEED63147120056F40496111CB789B03DEFA

Uniqueness

Uniqueness Score: -1.00%

Function 0044DC5A, Relevance: 24.1, APIs: 9, Strings: 7, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrcmpA.KERNEL32(?,0045772C), ref: 0044DC6F
lstrcmpA.KERNEL32(?,00457728), ref: 0044DC87

Strings

Unregserver, xrefs: 0044DCC8
Embedding, xrefs: 0044DCEF
Automation, xrefs: 0044DD0E
Unregister, xrefs: 0044DCBC
Regserver, xrefs: 0044DCB0
Register, xrefs: 0044DCA0
dde, xrefs: 0044DCD4

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: lstrcmp
String ID: Automation$Embedding$Register$Regserver$Unregister$Unregserver$dde
API String ID: 1534048567-1547061805
Opcode ID: 9e90b0a01d8e930e9827115b86dfdacbc6888fe95c0ec1b3f864d3c09f2cdba2
Instruction ID: b7c596884f0afac0d7cc90e788d394c5263c31d9ba90760a366f999e1f843f26
Opcode Fuzzy Hash: 9e90b0a01d8e930e9827115b86dfdacbc6888fe95c0ec1b3f864d3c09f2cdba2
Instruction Fuzzy Hash: D611B4F0E44706B6F2105B71AC85F176E9C6B2479AF104927A801A1686DFBCD44686BC

Uniqueness

Uniqueness Score: -1.00%

Function 004399F1, Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 273stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000), ref: 00439A13
__EH_prolog.LIBCMT ref: 00439AA1
DeleteMenu.USER32(?,?,00000000), ref: 00439B1F
GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00439B38
lstrlenA.KERNEL32(?), ref: 00439B55
wsprintfA.USER32 ref: 00439C64

Part of subcall function 0043A377: __EH_prolog.LIBCMT ref: 0043A37C
Part of subcall function 0043A377: GetFullPathNameA.KERNEL32(?,00000104,?,?,00000104,?,?), ref: 0043A3A6
Part of subcall function 0043A377: lstrcpynA.KERNEL32(?,?,00000104,?,?), ref: 0043A3B7

lstrcpyA.KERNEL32(?,1&0 ,000000FF,?), ref: 00439C52
InsertMenuA.USER32(00000002,00000000,00000400,00000002,?), ref: 00439CC4
GetMenuItemCount.USER32 ref: 00439D02

Part of subcall function 00439DA7: lstrcmpiA.KERNEL32(?,00000000), ref: 00439DC0

Strings

%d , xrefs: 00439C40
&%d , xrefs: 00439C5B
\, xrefs: 00439B5D
1&0 , xrefs: 00439C49

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Menu$H_prologlstrlen$CountCurrentDeleteDirectoryFullInsertItemNamePathlstrcmpilstrcpylstrcpynwsprintf
String ID: %d $&%d $1&0 $\
API String ID: 342826643-2399880791
Opcode ID: 7f26fd5a5e491e423358dffc5beb36b26a3eb22c3936aa7a1b789c6c9f526e93
Instruction ID: d9a81d5f5f7e66c5b0972c695b248a71e86a636c87a90ecee9bda49c2bd8a7ca
Opcode Fuzzy Hash: 7f26fd5a5e491e423358dffc5beb36b26a3eb22c3936aa7a1b789c6c9f526e93
Instruction Fuzzy Hash: 05B1A230500605DFDB10DF65C895BAAB7B4FF08318F0092AAE55A9B292D778ED94CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0043CAE3, Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043CAE8
GetSysColor.USER32(00000014), ref: 0043CB2A

Part of subcall function 0043C9FF: __EH_prolog.LIBCMT ref: 0043CA04
Part of subcall function 0043C9FF: CreateSolidBrush.GDI32(?), ref: 0043CA21

GetSysColor.USER32(00000010), ref: 0043CB3B
CreateCompatibleDC.GDI32(00000000), ref: 0043CB51
CreateCompatibleDC.GDI32(00000000), ref: 0043CB65
GetObjectA.GDI32(00000004,00000018,?), ref: 0043CB84

Part of subcall function 004142C8: CreateBitmap.GDI32(?,?,?,?,?), ref: 004142DD

CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0043CBBE

Part of subcall function 0043C545: SelectObject.GDI32(?,?), ref: 0043C54D

GetPixel.GDI32(?,00000000,00000000), ref: 0043CC08

Part of subcall function 0043B57D: SetBkColor.GDI32(?,7378A410), ref: 0043B597
Part of subcall function 0043B57D: SetBkColor.GDI32(?,7378A410), ref: 0043B5A5

BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0043CC35
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,001100A6), ref: 0043CC5A
BitBlt.GDI32(?,00000001,00000001,?,?,?,00000000,00000000,00E20746), ref: 0043CCBA
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00E20746), ref: 0043CCD9

Strings

hoE, xrefs: 0043CD0E

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Create$Color$BitmapCompatibleH_prologObject$BrushPixelSelectSolid
String ID: hoE
API String ID: 3961675159-1565950461
Opcode ID: a8d97d001e0b882ede4cc4e0ff13c5240deee4c963582f00f6ed0ef793795675
Instruction ID: ca165975993b74f7b237811596ec307cc7e2fbd42ad6d907f5acbfdf13ffaa01
Opcode Fuzzy Hash: a8d97d001e0b882ede4cc4e0ff13c5240deee4c963582f00f6ed0ef793795675
Instruction Fuzzy Hash: 0E8104B1C0021CBEDF11AFE5DC919EEBB79EF08348F14802AF515B61A1CB359A45DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0042C31B, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 123registrywindowCOMMON

Download Yara Rule

APIs

RegisterWindowMessageA.USER32(commdlg_LBSelChangedNotify,?,Function_0004C800), ref: 0042C376
RegisterWindowMessageA.USER32(commdlg_ShareViolation,?,Function_0004C800), ref: 0042C382
RegisterWindowMessageA.USER32(commdlg_FileNameOK,?,Function_0004C800), ref: 0042C38E
RegisterWindowMessageA.USER32(commdlg_ColorOK,?,Function_0004C800), ref: 0042C39A
RegisterWindowMessageA.USER32(commdlg_help,?,Function_0004C800), ref: 0042C3A6
RegisterWindowMessageA.USER32(commdlg_SetRGBColor,?,Function_0004C800), ref: 0042C3B2

Strings

commdlg_SetRGBColor, xrefs: 0042C3A8
commdlg_FileNameOK, xrefs: 0042C384
commdlg_ColorOK, xrefs: 0042C390
commdlg_ShareViolation, xrefs: 0042C378
commdlg_LBSelChangedNotify, xrefs: 0042C371
commdlg_help, xrefs: 0042C39C

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: MessageRegisterWindow
String ID: commdlg_ColorOK$commdlg_FileNameOK$commdlg_LBSelChangedNotify$commdlg_SetRGBColor$commdlg_ShareViolation$commdlg_help
API String ID: 1814269913-3888057576
Opcode ID: 592434c9e07c4225fc59059171f471fe7423def0eeb28905d8a3c879c8097484
Instruction ID: aa6bb77140da68abb181f66e944e8e8398f4c27f6b1d6886d7dde89fd002265d
Opcode Fuzzy Hash: 592434c9e07c4225fc59059171f471fe7423def0eeb28905d8a3c879c8097484
Instruction Fuzzy Hash: 9B41A4B1700224AFDB21AF25EC94B7F3BA1FB48351B50482BFA0557251D7399851CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 004201B7, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,0045D038,00000118,00419D83,00000001,00000000,0045C7B8,00000008,0041F812,00000000,00000000,00000000), ref: 00420238
_strcat.LIBCMT ref: 0042024E
_strlen.LIBCMT ref: 0042025E
_strlen.LIBCMT ref: 0042026F
_strncpy.LIBCMT ref: 00420289
_strlen.LIBCMT ref: 00420292
_strcat.LIBCMT ref: 004202AE

Strings

Program: , xrefs: 004202BF
Microsoft Visual C++ Runtime Library, xrefs: 004202E9
..., xrefs: 00420283
<program name unknown>, xrefs: 00420242
Buffer overrun detected!, xrefs: 00420214, 004202AC
Unknown security failure detected!, xrefs: 004201FE

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: _strlen$_strcat$FileModuleName_strncpy
String ID: ...$<program name unknown>$Buffer overrun detected!$Microsoft Visual C++ Runtime Library$Program: $Unknown security failure detected!
API String ID: 3058806289-1673886896
Opcode ID: 0177c881da9ae6d55a5c325bfeb579e2decad6df57dbe786d19a9a84fe88f374
Instruction ID: 509323ec3595f1feca5a828ad170a626c0d4052a041754f985ff224a12890268
Opcode Fuzzy Hash: 0177c881da9ae6d55a5c325bfeb579e2decad6df57dbe786d19a9a84fe88f374
Instruction Fuzzy Hash: FF31F631A41224AFC710AB66AC46FDE37A89F05724F50405FF814A7293CB7CDE648B9D

Uniqueness

Uniqueness Score: -1.00%

Function 0041E5B2, Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 71libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,75144DE0,00000000,00419C75,?,0045C7A8,00000060), ref: 0041E5CA
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0041E5E2
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0041E5EF
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0041E5FC
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0041E609
FlsAlloc.KERNEL32(0041E430,?,0045C7A8,00000060), ref: 0041E646
FlsSetValue.KERNEL32(00000000,?,0045C7A8,00000060), ref: 0041E673
GetCurrentThreadId.KERNEL32 ref: 0041E687

Part of subcall function 0041E38F: FlsFree.KERNEL32(00000006,0041E69C,?,0045C7A8,00000060), ref: 0041E39A

Strings

kernel32.dll, xrefs: 0041E5C5
FlsFree, xrefs: 0041E5FE
FlsGetValue, xrefs: 0041E5E4
FlsSetValue, xrefs: 0041E5F1
FlsAlloc, xrefs: 0041E5DC

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: AddressProc$AllocCurrentFreeHandleModuleThreadValue
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$kernel32.dll
API String ID: 2355849793-282957996
Opcode ID: b0fc7db47b1ed1aa3e6ab7518098af21e142eb5520a994f0bcd2061fc11b20e4
Instruction ID: 18653ac72d73170730b48cb4d738fcd4fae9ece10a62ae51c04a8065f066ec95
Opcode Fuzzy Hash: b0fc7db47b1ed1aa3e6ab7518098af21e142eb5520a994f0bcd2061fc11b20e4
Instruction Fuzzy Hash: 88217F746407449EC3205F36AC48B667FE4EB50755360413BEC08D76A5EB78A4C5CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00446A94, Relevance: 21.4, APIs: 14, Instructions: 397COMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 00446AB8
GetClientRect.USER32 ref: 00446AF6
BeginDeferWindowPos.USER32 ref: 00446B23
GetWindowRect.USER32 ref: 00446BD9
OffsetRect.USER32(?,?,00000000), ref: 00446C0C
OffsetRect.USER32(?,?,00000000), ref: 00446C41
OffsetRect.USER32(?,00000002,00000000), ref: 00446C61
EqualRect.USER32 ref: 00446C9B
OffsetRect.USER32(?,00000000,?), ref: 00446D17
OffsetRect.USER32(?,00000000,?), ref: 00446D4C
OffsetRect.USER32(?,00000000,?), ref: 00446D70
EqualRect.USER32 ref: 00446D7E
EndDeferWindowPos.USER32(?), ref: 00446ECB
SetRectEmpty.USER32(?), ref: 00446ED5

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Rect$Offset$Window$DeferEmptyEqual$BeginClient
String ID:
API String ID: 3160784657-0
Opcode ID: 4fc6c7ce028b81e223960b5415d59cbcae61e89ede4da77da175392c96d09566
Instruction ID: ec35842a05b671a41ca4f092263317eddd2c1415014e09843f5530c1a106a44f
Opcode Fuzzy Hash: 4fc6c7ce028b81e223960b5415d59cbcae61e89ede4da77da175392c96d09566
Instruction Fuzzy Hash: 29F11071E00619DFDF15CFA8C884AEEBBB5FF49301F25412AE905E7211E738A941CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00442AB5, Relevance: 21.1, APIs: 14, Instructions: 136windowCOMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(?,?), ref: 00442AC1
LockResource.KERNEL32(00000000), ref: 00442AD4
GetSysColor.USER32(00000000), ref: 00442B53
GetSysColor.USER32(00000000), ref: 00442B61
GetSysColor.USER32(00000000), ref: 00442B76
GetDC.USER32(00000000), ref: 00442BA8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00442BB4
CreateCompatibleDC.GDI32(00000000), ref: 00442BC4
SelectObject.GDI32(00000000,?), ref: 00442BD6
StretchDIBits.GDI32(00000000,00000000,00000000,?,00000010,00000000,00000000,?,00000010,00000000,00000000,00000000,00CC0020), ref: 00442C05
SelectObject.GDI32(00000000,00000010), ref: 00442C0F
DeleteDC.GDI32(00000000), ref: 00442C12
ReleaseDC.USER32 ref: 00442C1D
FreeResource.KERNEL32(00000000), ref: 00442C2D

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ColorResource$CompatibleCreateObjectSelect$BitmapBitsDeleteFreeLoadLockReleaseStretch
String ID:
API String ID: 2552574679-0
Opcode ID: b6cd25d081ebcbbcdc3eb6bbb8a846c915e03783bfb04099abe3044299ce3b7a
Instruction ID: e668aa8e6fefe6ccbbc5973c51a600fd6a2f7cfa73832fc3c5997a9df98bb69e
Opcode Fuzzy Hash: b6cd25d081ebcbbcdc3eb6bbb8a846c915e03783bfb04099abe3044299ce3b7a
Instruction Fuzzy Hash: FD419C71500608FFEB119F64CC98ABE7BB9FF49352B40842AFA0586261DB75E910DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00424A0E, Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 90libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,0045CE38,?,?), ref: 00424A26
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00424A42
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00424A53
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00424A60
GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 00424A76
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 00424A87

Strings

user32.dll, xrefs: 00424A21
GetProcessWindowStation, xrefs: 00424A81
GetUserObjectInformationA, xrefs: 00424A70
MessageBoxA, xrefs: 00424A3C
GetActiveWindow, xrefs: 00424A4D
GetLastActivePopup, xrefs: 00424A55

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$user32.dll
API String ID: 2238633743-1612076079
Opcode ID: 07883a8530852e86b6cfd7917d0937b589c557e04ffda26da383b73b86869424
Instruction ID: ea4dac2c55dd507aa576aa07ab65aca5b26ba79e5af85967ffc6543cd80e143e
Opcode Fuzzy Hash: 07883a8530852e86b6cfd7917d0937b589c557e04ffda26da383b73b86869424
Instruction Fuzzy Hash: 9621B931740325AED7709FB5AC45B273AA8EFC4754B44003BE905D5251E7B9CC44CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 00414DAF, Relevance: 19.7, APIs: 13, Instructions: 187COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414DB4
SafeArrayGetDim.OLEAUT32(?), ref: 00414DDE
SafeArrayGetDim.OLEAUT32(00000000), ref: 00414DE8
SafeArrayGetElemsize.OLEAUT32(?), ref: 00414E09
SafeArrayGetElemsize.OLEAUT32(00000000), ref: 00414E11
SafeArrayGetLBound.OLEAUT32(?,?,?), ref: 00414E86
SafeArrayGetLBound.OLEAUT32(00000000,?,?), ref: 00414E9F
SafeArrayGetUBound.OLEAUT32(?,?,?), ref: 00414EB8
SafeArrayGetUBound.OLEAUT32(00000000,?,?), ref: 00414ECE

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ArraySafe$Bound$Elemsize$H_prolog
String ID:
API String ID: 779546493-0
Opcode ID: 708f1f9609431b435d77d8d62470854a913c61a55ce75a000f21eff0f1adeb98
Instruction ID: 7f3136ff9381ac1d983a0d7e1d634f472201e5da1b5bb1324ced171fea0add02
Opcode Fuzzy Hash: 708f1f9609431b435d77d8d62470854a913c61a55ce75a000f21eff0f1adeb98
Instruction Fuzzy Hash: 6F516D72D00219AFCF10AFB5DC469EE7FB5EF48355F10842AF815E7211DA388980DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0044AE39, Relevance: 19.6, APIs: 13, Instructions: 86stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00418BC5: SendMessageA.USER32 ref: 00418BCE

GetObjectA.GDI32(?,0000003C,?), ref: 0044AE84
GetStockObject.GDI32(0000000D), ref: 0044AE8E
GetObjectA.GDI32(00000000,?,?), ref: 0044AE95
lstrcmpiA.KERNEL32(?,?,?,?,00000000), ref: 0044AE9F
GetDC.USER32(00000000), ref: 0044AEAA
GetDeviceCaps.GDI32(?,0000005A), ref: 0044AEC1
GetDeviceCaps.GDI32(?,0000005A), ref: 0044AECA
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044AED7
GetDeviceCaps.GDI32(?,00000058), ref: 0044AEE4
GetDeviceCaps.GDI32(?,00000058), ref: 0044AEEE
MulDiv.KERNEL32(?,?,00000000), ref: 0044AEF7
ReleaseDC.USER32 ref: 0044AF01
CreateFontIndirectA.GDI32(?), ref: 0044AF0B

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CapsDevice$Object$CreateFontIndirectMessageReleaseSendStocklstrcmpi
String ID:
API String ID: 1481441486-0
Opcode ID: 9678cde88a6559030b11c2b2b3ed4fdb7880391946f3822137df3de0dfcacd3a
Instruction ID: e8756f1a9448432b0a326bebeb9a4b639dfdf7c736c494c77775caaa8bc3770c
Opcode Fuzzy Hash: 9678cde88a6559030b11c2b2b3ed4fdb7880391946f3822137df3de0dfcacd3a
Instruction Fuzzy Hash: 46312971900618AFDB11AFA5DC88EAE7FB9FF58312F04402AF905A72A2DB749904CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0045172B, Relevance: 18.3, APIs: 12, Instructions: 274comfileCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00451730
GlobalLock.KERNEL32 ref: 00451827
CopyMetaFileA.GDI32(?,00000000,?,?), ref: 00451833
GlobalUnlock.KERNEL32(?,?,?), ref: 00451843
GlobalFree.KERNEL32 ref: 0045184C
GlobalUnlock.KERNEL32(?,?,?), ref: 00451858
OleDuplicateData.OLE32(?,?,00000000), ref: 004517F8

Part of subcall function 004512BF: GlobalSize.KERNEL32(?), ref: 004512CE
Part of subcall function 004512BF: GlobalAlloc.KERNEL32(00002002,00000000,?,00451A04,?,?,?,?), ref: 004512DF
Part of subcall function 004512BF: GlobalLock.KERNEL32 ref: 004512F4
Part of subcall function 004512BF: GlobalLock.KERNEL32 ref: 004512FA
Part of subcall function 004512BF: GlobalUnlock.KERNEL32(?,?,?), ref: 00451310
Part of subcall function 004512BF: GlobalUnlock.KERNEL32(?,?,?), ref: 00451315

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Global$Unlock$Lock$AllocCopyDataDuplicateFileFreeH_prologMetaSize
String ID:
API String ID: 642034962-0
Opcode ID: 01c0bb7b4acda0ba8a6bc883a1cac3351e27136f1e28cc1e01a9a739ecef4207
Instruction ID: 076e18101630beb8349e47186ce00d69df3d34095af2b93e3d6cc229d2a02d15
Opcode Fuzzy Hash: 01c0bb7b4acda0ba8a6bc883a1cac3351e27136f1e28cc1e01a9a739ecef4207
Instruction Fuzzy Hash: 5F91B3B1500205EFCB14AFA4CD48A6BBBB9FF08346710852EF816D7662D738ED44CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00440AD9, Relevance: 18.1, APIs: 12, Instructions: 148windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00440777: LoadCursorA.USER32 ref: 00440793
Part of subcall function 00440777: LoadCursorA.USER32 ref: 004407AC

PeekMessageA.USER32(?,?,00000367,00000367,00000003), ref: 00440B0C
PostMessageA.USER32 ref: 00440B5D
SendMessageA.USER32 ref: 00440B7C
GetCursorPos.USER32(?), ref: 00440B97
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00440BC3
ReleaseCapture.USER32 ref: 00440C0A
SetCapture.USER32(?), ref: 00440C0F
ReleaseCapture.USER32(00000000), ref: 00440C1B
SendMessageA.USER32 ref: 00440C2F
SendMessageA.USER32 ref: 00440C57
PostMessageA.USER32 ref: 00440C75

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Message$CaptureCursorSend$LoadPeekPostRelease
String ID:
API String ID: 291007519-0
Opcode ID: 91894a4790515d5501cedf5eb0fcac709e36fed5d6ce8b1a45a3dca4635d0297
Instruction ID: b83cadd06f3c8146ebf596e871fa0c02ccdfbc4b289a84d902721088b97faccc
Opcode Fuzzy Hash: 91894a4790515d5501cedf5eb0fcac709e36fed5d6ce8b1a45a3dca4635d0297
Instruction Fuzzy Hash: 93513C70600B09EFEB21AFA0CCC596BBBB9FF04305F10456AE242A62A1D774ED51CB18

Uniqueness

Uniqueness Score: -1.00%

Function 0043B004, Relevance: 18.1, APIs: 12, Instructions: 121filetimeCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?), ref: 0043B018
GetLastError.KERNEL32(?), ref: 0043B02F
SetFileAttributesA.KERNEL32(?,?), ref: 0043B04D
GetLastError.KERNEL32(?), ref: 0043B05A
CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000), ref: 0043B0C4
GetLastError.KERNEL32(?), ref: 0043B0D4
SetFileTime.KERNEL32(00000000,?,?,?), ref: 0043B0E7
GetLastError.KERNEL32(?), ref: 0043B0F4
CloseHandle.KERNEL32(00000000), ref: 0043B0FD
GetLastError.KERNEL32(?), ref: 0043B10A
SetFileAttributesA.KERNEL32(?,?), ref: 0043B125
GetLastError.KERNEL32(?), ref: 0043B132

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ErrorLast$File$Attributes$CloseCreateHandleTime
String ID:
API String ID: 3867745407-0
Opcode ID: 6f1d07302c18f1d2ad3a8125a50d2cbb08cf6f311a8417fda7e85f54f3d5fed2
Instruction ID: 73132a415d90a435f771cdb688ba3fa4b5f9f4544d593402c2a6585c2cc81fc6
Opcode Fuzzy Hash: 6f1d07302c18f1d2ad3a8125a50d2cbb08cf6f311a8417fda7e85f54f3d5fed2
Instruction Fuzzy Hash: 44419D71900208BBDF20EF61CC85EAF7FB9EF08354F10905AF955A61A1D738EA40CA54

Uniqueness

Uniqueness Score: -1.00%

Function 00422978, Relevance: 16.8, APIs: 11, Instructions: 299COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,0045D24C,00000001,00000000,00000000,0045D250,00000038,0041B580,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 0042299F
GetLastError.KERNEL32 ref: 004229B1
MultiByteToWideChar.KERNEL32(?,00000000,0041B82D,?,00000000,00000000,0045D250,00000038,0041B580,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 00422A38
MultiByteToWideChar.KERNEL32(?,00000001,0041B82D,?,?,00000000), ref: 00422AB9
LCMapStringW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00422AD3
LCMapStringW.KERNEL32(00000000,00000000,?,00000000,?,?), ref: 00422B0E

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: String$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1775797328-0
Opcode ID: 3179b567ccfc5ca14bad512f28ba5826864f7eb4d2a39d1be44cd2e33936c28c
Instruction ID: f54c2d8475ee0af1f4e1ca74572c8f4fa2e15d9ad433e95aac6cf8e76986935d
Opcode Fuzzy Hash: 3179b567ccfc5ca14bad512f28ba5826864f7eb4d2a39d1be44cd2e33936c28c
Instruction Fuzzy Hash: 14B18C7290022ABFCF219FA4ED849EE7F75FF08314F50412AF915A6260C7798991DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00438787, Relevance: 16.6, APIs: 11, Instructions: 88synchronizationthreadinjectionCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004387B9
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004387C3
ResumeThread.KERNEL32(00000000), ref: 00438805
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00438810
CloseHandle.KERNEL32(?), ref: 00438819
SuspendThread.KERNEL32(?), ref: 00438824
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00438834
CloseHandle.KERNEL32(?), ref: 0043883D
SetEvent.KERNEL32(00000004), ref: 00438847
CloseHandle.KERNEL32(?), ref: 00438855
CloseHandle.KERNEL32(?), ref: 0043885F

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CloseHandle$Event$CreateObjectSingleThreadWait$ResumeSuspend
String ID:
API String ID: 3826824246-0
Opcode ID: 456450cc531a0582b2dcfafbb6c853774876ee58cf6b25959946ee626575ef5e
Instruction ID: d8ccb2f0d0974a06ccb63f2d0638bb3e92d0aa62c15449ef3d625595b2a532c0
Opcode Fuzzy Hash: 456450cc531a0582b2dcfafbb6c853774876ee58cf6b25959946ee626575ef5e
Instruction Fuzzy Hash: BA315E72C00308BFDF11BFA5DC849AEBBB9EB08326F50853EF115A1161DA359A81CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0044AC49, Relevance: 16.6, APIs: 11, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000002,?), ref: 0044AC5A
LocalLock.KERNEL32(00000000), ref: 0044AC67
LocalUnlock.KERNEL32(00000000,00000000,?), ref: 0044AC7F
LocalFree.KERNEL32(00000000), ref: 0044AC86

Part of subcall function 0043E2A0: __EH_prolog.LIBCMT ref: 0043E2A5
Part of subcall function 0043E2A0: lstrcpynA.KERNEL32(?,?,00000104,?,?), ref: 0043E32C
Part of subcall function 0043E2A0: lstrcpyA.KERNEL32(?,?,00000000,?,?,00000104,?,?,?,?), ref: 0043E38A

SetWindowTextA.USER32(?,?), ref: 0044ACA9
LocalUnlock.KERNEL32(00000000), ref: 0044ACB3
LocalFree.KERNEL32(00000000), ref: 0044ACBA
GetWindowTextLengthA.USER32(?), ref: 0044ACCA
LocalUnlock.KERNEL32(00000000), ref: 0044ACEB
LocalFree.KERNEL32(00000000), ref: 0044ACF9
InvalidateRect.USER32(?,00000000,00000001,00000000), ref: 0044AD0E

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Local$FreeUnlock$TextWindow$AllocH_prologInvalidateLengthLockRectlstrcpylstrcpyn
String ID:
API String ID: 2902883896-0
Opcode ID: 5509c39f0e67925bf53a2be8ad1d2a0fdbb110d79da5d8585d972dd4da7335b1
Instruction ID: 0947a974706040fddc3d8749a596057ed878d2cf9dc90dcc60b0ba33ce5e063f
Opcode Fuzzy Hash: 5509c39f0e67925bf53a2be8ad1d2a0fdbb110d79da5d8585d972dd4da7335b1
Instruction Fuzzy Hash: 9D217F71100704AFD7216F65EC99B6EBBB9BF88712F10802EF90A86261DB78D401CB29

Uniqueness

Uniqueness Score: -1.00%

Function 0044E196, Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 233registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044FB5C

Part of subcall function 0043A64B: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0043A66D
Part of subcall function 0043A64B: GetShortPathNameA.KERNEL32 ref: 0043A685

RegQueryValueA.ADVAPI32(80000000,?,00000000,00000208), ref: 0044FD70

Strings

%s\DefaultIcon, xrefs: 0044FC5A
%s\shell\print\%s, xrefs: 0044FCB6, 0044FD0D
%s\ShellNew, xrefs: 0044FDA7
%s\shell\printto\%s, xrefs: 0044FBBB, 0044FCD7, 0044FD2A
command, xrefs: 0044FBC0, 0044FCE9, 0044FD06, 0044FD23
%s\shell\open\%s, xrefs: 0044FC95, 0044FCF0
ddeexec, xrefs: 0044FC8A, 0044FCAB, 0044FCCC

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Name$FileH_prologModulePathQueryShortValue
String ID: %s\DefaultIcon$%s\ShellNew$%s\shell\open\%s$%s\shell\print\%s$%s\shell\printto\%s$command$ddeexec
API String ID: 365916388-556638191
Opcode ID: dd1f939e0eaad5d4c64701df3c2b59bc61daf8bcd96d28cd91a1bc5fb47a980c
Instruction ID: db1a637a5095635c9331f209b3570edfdb7fcc833a558f1f9e8dd43a48226729
Opcode Fuzzy Hash: dd1f939e0eaad5d4c64701df3c2b59bc61daf8bcd96d28cd91a1bc5fb47a980c
Instruction Fuzzy Hash: 8E819E71D0020AAFDF04EBA5CC56AAFB7B5EF04319F14456EF511B7292DB38A908CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042858F, Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 228COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 00428667
_strcat.LIBCMT ref: 00428684
___shr_12.LIBCMT ref: 0042874D

Strings

1#INF, xrefs: 0042865E
1#QNAN, xrefs: 0042867B
1#IND, xrefs: 0042864D
GB, xrefs: 004287EA
1#SNAN, xrefs: 00428633
?, xrefs: 004285E4

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: _strcat$___shr_12
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$?$GB
API String ID: 1152255961-1528962588
Opcode ID: 75816fbd6709745af420aadf5755ed4d756680c6e09ac812335c773944bd6a0f
Instruction ID: 83a505903eb4dc0acc4a06e87b226786863f2b4345c34ed71ad3617d14a4c8b2
Opcode Fuzzy Hash: 75816fbd6709745af420aadf5755ed4d756680c6e09ac812335c773944bd6a0f
Instruction Fuzzy Hash: B6811731A052AACECF11CB68D8447AFBBB4AF61314F94459FD850DB282DB7C8605C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0043D294, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 210windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043D299

Part of subcall function 00413EC5: CreateCompatibleDC.GDI32(?), ref: 00413ED4

GetObjectA.GDI32(00000003,00000018,?), ref: 0043D30F
CreateBitmap.GDI32(00000008,00000008,00000001,00000001,0045743C), ref: 0043D330

Part of subcall function 004142A7: CreatePatternBrush.GDI32(?), ref: 004142B6

CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0043D35A

Part of subcall function 0043C545: SelectObject.GDI32(?,?), ref: 0043C54D

GetPixel.GDI32(?,00000000,00000000), ref: 0043D39A

Part of subcall function 0043B57D: SetBkColor.GDI32(?,7378A410), ref: 0043B597
Part of subcall function 0043B57D: SetBkColor.GDI32(?,7378A410), ref: 0043B5A5

BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0043D3C7
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00EE0086), ref: 0043D3EB
FillRect.USER32 ref: 0043D438

Part of subcall function 00413EFD: BitBlt.GDI32(?,?,?,?,?,?,?,?,?), ref: 00413F23

Strings

hoE, xrefs: 0043D4C2

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Create$BitmapColorObject$BrushCompatibleFillH_prologPatternPixelRectSelect
String ID: hoE
API String ID: 1648284681-1565950461
Opcode ID: 20b2d6d1de208eef09397783c7214cbce6fabd1978e68b5c59d12a1ca7cf4146
Instruction ID: afbdf219a7e566c47c71acd82c161841e6cd698d46cf8b307deafd8d0c4a900d
Opcode Fuzzy Hash: 20b2d6d1de208eef09397783c7214cbce6fabd1978e68b5c59d12a1ca7cf4146
Instruction Fuzzy Hash: 4781F371900218AFCF11EFA5DC95DEEBBBAFF18304F10802AF515A72A1CB759A14DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0043CD67, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043CD6C
GetSysColor.USER32(00000014), ref: 0043CDAF

Part of subcall function 0043C9FF: __EH_prolog.LIBCMT ref: 0043CA04
Part of subcall function 0043C9FF: CreateSolidBrush.GDI32(?), ref: 0043CA21

GetSysColor.USER32(00000010), ref: 0043CDC0

Part of subcall function 00413EC5: CreateCompatibleDC.GDI32(?), ref: 00413ED4

GetObjectA.GDI32(00000004,00000018,?), ref: 0043CE00
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0043CE19

Part of subcall function 0043C545: SelectObject.GDI32(?,?), ref: 0043C54D

GetPixel.GDI32(?,00000000,00000000), ref: 0043CE60

Part of subcall function 0043B57D: SetBkColor.GDI32(?,7378A410), ref: 0043B597
Part of subcall function 0043B57D: SetBkColor.GDI32(?,7378A410), ref: 0043B5A5

BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0043CE8D
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,001100A6), ref: 0043CEB1

Part of subcall function 00447B7A: SetBkColor.GDI32(?,?), ref: 00447B89
Part of subcall function 00447B7A: ExtTextOutA.GDI32(?,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 00447BBB

Part of subcall function 0043C5DE: SelectObject.GDI32(?,00000000), ref: 0043C600
Part of subcall function 0043C5DE: SelectObject.GDI32(?,00000004), ref: 0043C616

Part of subcall function 00413EFD: BitBlt.GDI32(?,?,?,?,?,?,?,?,?), ref: 00413F23

Strings

hoE, xrefs: 0043CF4D

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Color$Object$CreateSelect$H_prolog$BitmapBrushCompatiblePixelSolidText
String ID: hoE
API String ID: 1654650548-1565950461
Opcode ID: 112319b5739f18a687645c4649c27427777c8c5ebdfc4fe5b7f08d3534b3fd62
Instruction ID: 8b8cb7e7b3736dfd8fb0ee5cb5ce5dac2b2d508f212eadebdbdde6b9921fc74f
Opcode Fuzzy Hash: 112319b5739f18a687645c4649c27427777c8c5ebdfc4fe5b7f08d3534b3fd62
Instruction Fuzzy Hash: F5711771900258AFDF01EFE5CC91AEEBFBAEF08354F14402AF505B22A1CB359A55DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00419B95, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,0045C7A8,00000060), ref: 00419BB5
GetModuleHandleA.KERNEL32(00000000,?,0045C7A8,00000060), ref: 00419C08
_fast_error_exit.LIBCMT ref: 00419C6A
_fast_error_exit.LIBCMT ref: 00419C7B
GetCommandLineA.KERNEL32(?,0045C7A8,00000060), ref: 00419C9A
GetStartupInfoA.KERNEL32(?), ref: 00419CEE
__wincmdln.LIBCMT ref: 00419CF4
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00419D11

Strings

83Y, xrefs: 00419CA0

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: HandleModule_fast_error_exit$CommandInfoLineStartupVersion__wincmdln
String ID: 83Y
API String ID: 3897392166-870703450
Opcode ID: c7b810416b3cb4ee185734de9c24465ae950a755994dc1b0a15ae6c3568e95cc
Instruction ID: db611573d3dd2026059f269b740be33e05bef8bcac8a64d9767e843f5c6e0519
Opcode Fuzzy Hash: c7b810416b3cb4ee185734de9c24465ae950a755994dc1b0a15ae6c3568e95cc
Instruction Fuzzy Hash: 4D41D371D007148ADB20AF76A9556EE77A0AF44714F10043FE955AB291EB7C8CC2CB8D

Uniqueness

Uniqueness Score: -1.00%

Function 0043A285, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 68registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000000,CLSID,?), ref: 0043A2BD
RegOpenKeyA.ADVAPI32(?,?,00000001), ref: 0043A2D1
RegOpenKeyA.ADVAPI32(00000001,InProcServer32,?), ref: 0043A2EC
RegQueryValueExA.ADVAPI32(?,00456DE0,00000000,?,?,?), ref: 0043A306
RegCloseKey.ADVAPI32(?), ref: 0043A316
RegCloseKey.ADVAPI32(00000001), ref: 0043A31B
RegCloseKey.ADVAPI32(?), ref: 0043A320

Strings

CLSID, xrefs: 0043A2A7
InProcServer32, xrefs: 0043A2E1

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CloseOpen$QueryValue
String ID: CLSID$InProcServer32
API String ID: 3523390698-323508013
Opcode ID: 5a7a506247fa7e00fd7b64c3e8444606b4c94e783b7e91c6e316d7fbc07d2de5
Instruction ID: 984fed07da336b98bc6cf402eb151cb2433222e2e92e65c565225a5bb75c8c43
Opcode Fuzzy Hash: 5a7a506247fa7e00fd7b64c3e8444606b4c94e783b7e91c6e316d7fbc07d2de5
Instruction Fuzzy Hash: 6E11597290021CBBCF01AF95CC40DEEBBB8EF047A4F104166F914A6260D7749B51CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004507A6, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004507B8
GetSystemMetrics.USER32 ref: 004507DC
CreateFontA.GDI32(00000000,?,?,?,?,?,00450D37,00001000,?,?,?,?,?,?), ref: 004507E3
SelectObject.GDI32(00000000,00000000), ref: 004507F7
GetCharWidthA.GDI32(00000000,00000036,00000036,0047867C), ref: 00450807
SelectObject.GDI32(00000000,?), ref: 00450816
DeleteObject.GDI32(00000000), ref: 00450819
ReleaseDC.USER32 ref: 00450821

Strings

Marlett, xrefs: 004507BE

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Object$Select$CharCreateDeleteFontMetricsReleaseSystemWidth
String ID: Marlett
API String ID: 1397664628-3688754224
Opcode ID: 27ad61f5fc4afac548a7cf8b0a45ec88b21fe2e9004e1efcc27439bc8ae7119b
Instruction ID: e990b6c00733b2c1b84947776a299cf6471bd77b4640a7217df8343d24277fe5
Opcode Fuzzy Hash: 27ad61f5fc4afac548a7cf8b0a45ec88b21fe2e9004e1efcc27439bc8ae7119b
Instruction Fuzzy Hash: 520192712427247BC2315B269C5DEAF7E6CEF4ABB2F100525F60992192CB259800CAFC

Uniqueness

Uniqueness Score: -1.00%

Function 004513F8, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 49registrystringCOMMON

Download Yara Rule

APIs

CoTreatAsClass.OLE32(?,?), ref: 0045140B
RegOpenKeyA.ADVAPI32(80000000,CLSID,00000000), ref: 00451427
StringFromCLSID.OLE32(?,00000000), ref: 00451438

Part of subcall function 0044EA25: CoTaskMemFree.OLE32(00000000,74561760,00451446,00000000), ref: 0044EA36

lstrlenA.KERNEL32(00000000,00000000), ref: 0045144B
RegSetValueA.ADVAPI32(00000000,00000000,00000001,00000000,00000000), ref: 0045145B
CoTaskMemFree.OLE32(00000000), ref: 00451462
CoTreatAsClass.OLE32(?,?), ref: 0045146E
RegCloseKey.ADVAPI32(00000000), ref: 00451475

Strings

CLSID, xrefs: 0045141D

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ClassFreeTaskTreat$CloseFromOpenStringValuelstrlen
String ID: CLSID
API String ID: 2259541326-910414637
Opcode ID: 4fcb1667894efca83af69ef1937f43604743cfcaf1144a8d868397f52fb1ad2c
Instruction ID: 13bddbe97897fe715664a3a42cf2b4dabff06fe79c654c4ba0aa2f19e6f8e4a2
Opcode Fuzzy Hash: 4fcb1667894efca83af69ef1937f43604743cfcaf1144a8d868397f52fb1ad2c
Instruction Fuzzy Hash: 21011736400208FBDF01AF90DC08EAE7FBAFB88716F544125FA0492172DB75DA64DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00452096, Relevance: 15.2, APIs: 10, Instructions: 153windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0045209B
GetMenuItemCount.USER32 ref: 004520C0
GetSubMenu.USER32 ref: 00452107
GetMenuState.USER32 ref: 00452119
GetSubMenu.USER32 ref: 0045217D
GetMenuStringA.USER32(?,?,?,00000100,00000400), ref: 0045219F
AppendMenuA.USER32 ref: 0045220B
GetMenuItemCount.USER32 ref: 00452244
GetMenuItemID.USER32(?,?), ref: 00452275
InsertMenuA.USER32(?,?,00000000,00000000), ref: 00452288

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Menu$Item$Count$AppendH_prologInsertStateString
String ID:
API String ID: 2474435406-0
Opcode ID: 372dc654f15e9b2f8ac0be70bace5d96c795dd82f727226a8d71bf9d6cad6b70
Instruction ID: a3c65f0e911ed5a887e71280702ae2ff3894231feb2ed3ed90b26f7783ef1852
Opcode Fuzzy Hash: 372dc654f15e9b2f8ac0be70bace5d96c795dd82f727226a8d71bf9d6cad6b70
Instruction Fuzzy Hash: A4612A70900229DFCB25CF10DD85AEEBBB5FB09315F1040EAEA09A6252D7749E95CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0041712F, Relevance: 15.1, APIs: 10, Instructions: 105threadstringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00417134

Part of subcall function 00435D1B: GetDlgItem.USER32 ref: 00435D28

GetWindowTextLengthA.USER32(?), ref: 00417170
GetWindowTextA.USER32 ref: 0041719E

Part of subcall function 00413996: _strlen.LIBCMT ref: 004139A9

GetThreadLocale.KERNEL32(00000000,?,000000FF), ref: 004171BC
VarDecFromStr.OLEAUT32(00000000,00000000), ref: 004171C4
SysFreeString.OLEAUT32(00000000), ref: 004171CE

Part of subcall function 0044042F: __EH_prolog.LIBCMT ref: 00440434

Part of subcall function 00441BFB: SetFocus.USER32(00000000,?,?), ref: 00441C24
Part of subcall function 00441BFB: SendMessageA.USER32 ref: 00441C3C

GetThreadLocale.KERNEL32(00000000,?,?,?,?), ref: 004171FF
VarBstrFromDec.OLEAUT32(?,00000000), ref: 00417209
lstrlenW.KERNEL32(?), ref: 0041721B
SysFreeString.OLEAUT32(?), ref: 00417244

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: FreeFromH_prologLocaleStringTextThreadWindow$BstrFocusItemLengthMessageSend_strlenlstrlen
String ID:
API String ID: 683855824-0
Opcode ID: 21115dd91643fdbddafeee7538ae3136ca7be2087e56efbd40c0d6095c00dd24
Instruction ID: 0df45603b56d8d39115b9752e8b36fb6660d35c0ba95fd6aec973dfb3cbb0927
Opcode Fuzzy Hash: 21115dd91643fdbddafeee7538ae3136ca7be2087e56efbd40c0d6095c00dd24
Instruction Fuzzy Hash: 85319171500605AFDF00AFA1DC599FE7779FF44325B00822AF926962A2DB38DA40CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0044494C, Relevance: 15.1, APIs: 10, Instructions: 96COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,00000000,?), ref: 00444961
GetWindowRect.USER32 ref: 00444979
SetRect.USER32 ref: 004449B3
InvalidateRect.USER32(?,?,00000001), ref: 004449C2
SetRect.USER32 ref: 004449D9
InvalidateRect.USER32(?,?,00000001), ref: 004449E8
SetRect.USER32 ref: 00444A13
InvalidateRect.USER32(?,?,00000001), ref: 00444A1E
SetRect.USER32 ref: 00444A35
InvalidateRect.USER32(?,?,00000001), ref: 00444A40

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Rect$Invalidate$Window$Proc
String ID:
API String ID: 570070710-0
Opcode ID: cca6739d5958046b3cae817321433fce64366c241de196c15b274b91701adbe6
Instruction ID: eb290115575f2aa36b2ac2a6ae4feb55bf2803e6a6752251ac244afeed595781
Opcode Fuzzy Hash: cca6739d5958046b3cae817321433fce64366c241de196c15b274b91701adbe6
Instruction Fuzzy Hash: 8031F872900209BFDB00DFA4DD89FAE7BB9FB08301F144125FA01A75A1D770AA44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00431BB5, Relevance: 15.1, APIs: 10, Instructions: 81stringregistryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00431BBA
GetClassInfoA.USER32 ref: 00431BD5
RegisterClassA.USER32 ref: 00431BE8
lstrlenA.KERNEL32(-00000034,00000001), ref: 00431C24
lstrlenA.KERNEL32(?), ref: 00431C2B

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Classlstrlen$H_prologInfoRegister
String ID:
API String ID: 3690589370-0
Opcode ID: 766b377bf746a578ddd6375089ba13038c5b0ebe8b555adc77a719e0c8f0900b
Instruction ID: 685d18d19a88bf2d76c7d7669dc8efcc8b0b674d70be0c48b0eff5c0da083dd2
Opcode Fuzzy Hash: 766b377bf746a578ddd6375089ba13038c5b0ebe8b555adc77a719e0c8f0900b
Instruction Fuzzy Hash: 81319171900619EFDB01AFA0CD45AAEBFB4FF09355F10542BF805A2262C778DA51CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0045132B, Relevance: 15.1, APIs: 10, Instructions: 79comCOMMON

Download Yara Rule

APIs

ReadClassStg.OLE32(?,?), ref: 00451343
ReadFmtUserTypeStg.OLE32(?,?,?), ref: 0045135F
OleRegGetUserType.OLE32(?,00000001,?), ref: 00451374
WriteClassStg.OLE32(?,?), ref: 0045138F
WriteFmtUserTypeStg.OLE32(?,?,?), ref: 004513A5
SetConvertStg.OLE32(?,00000001), ref: 004513B1
WriteClassStg.OLE32(?,?), ref: 004513C3
WriteFmtUserTypeStg.OLE32(?,?,?), ref: 004513CC
CoTaskMemFree.OLE32(?), ref: 004513E0
CoTaskMemFree.OLE32(?), ref: 004513E5

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: TypeUserWrite$Class$FreeReadTask$Convert
String ID:
API String ID: 2659014025-0
Opcode ID: a34d53b140bbba6b413f7122dd9f3fb881ac3816825872594c7da36be4d669bc
Instruction ID: 0fe9ca0442ba30225d73466667c4682b3aed5f569858f3abbcbbde4ec1b808b2
Opcode Fuzzy Hash: a34d53b140bbba6b413f7122dd9f3fb881ac3816825872594c7da36be4d669bc
Instruction Fuzzy Hash: AB21F97190061DAFDF01EF95DC909FEBBB9EF48355B108026FD04A6221D7389A55CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042201A, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 89COMMON

Download Yara Rule

APIs

_strncpy.LIBCMT ref: 00422051
_strncpy.LIBCMT ref: 004220C2
_strcspn.LIBCMT ref: 004220DF

Strings

., xrefs: 0042207E
,, xrefs: 004220B2
_, xrefs: 00422095
_.,, xrefs: 004220D9
,, xrefs: 004220CA

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: _strncpy$_strcspn
String ID: ,$,$.$_$_.,
API String ID: 209312476-1893563293
Opcode ID: 6fc35b0e0376efad0445b6cc118e48abc4a1d54569f41b8d96b3e20eaf0bbdb0
Instruction ID: d9546b861bfaa6606657a772b24a8f806a5c2564f1d67e86ba1ec477af54f37f
Opcode Fuzzy Hash: 6fc35b0e0376efad0445b6cc118e48abc4a1d54569f41b8d96b3e20eaf0bbdb0
Instruction Fuzzy Hash: B3210731740125BEEF704A15BE01BF63759AF25324F988417FA4996282C2FCA985C79E

Uniqueness

Uniqueness Score: -1.00%

Function 0042DC59, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042DC5E

Part of subcall function 00447842: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,MXD), ref: 00447886
Part of subcall function 00447842: CreatePatternBrush.GDI32(00000000), ref: 00447893
Part of subcall function 00447842: DeleteObject.GDI32(00000000), ref: 0044789F

GetClientRect.USER32 ref: 0042DC83
CreateRectRgnIndirect.GDI32(?), ref: 0042DC9C
GetDC.USER32(?), ref: 0042DCAE

Part of subcall function 0043BDB8: SelectClipRgn.GDI32(?,00000000), ref: 0043BDDA
Part of subcall function 0043BDB8: SelectClipRgn.GDI32(?,?), ref: 0043BDF0

SendMessageA.USER32 ref: 0042DCD6

Part of subcall function 0043C5DE: SelectObject.GDI32(?,00000000), ref: 0043C600
Part of subcall function 0043C5DE: SelectObject.GDI32(?,00000004), ref: 0043C616

PatBlt.GDI32(?,?,00000002,?,00000002,005A0049), ref: 0042DD0F
ReleaseDC.USER32 ref: 0042DD23

Strings

hoE, xrefs: 0042DCA3

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Select$CreateObject$ClipRect$BitmapBrushClientDeleteH_prologIndirectMessagePatternReleaseSend
String ID: hoE
API String ID: 1066504646-1565950461
Opcode ID: 9ee63b1ddb46cfa0af92d53346c5ac252f9e145509d3516c513b28864cbea5b2
Instruction ID: c7c73f0e369c50de65a70dc7060f6656812d8b4a93a550cffdbebe1352cbb9e6
Opcode Fuzzy Hash: 9ee63b1ddb46cfa0af92d53346c5ac252f9e145509d3516c513b28864cbea5b2
Instruction Fuzzy Hash: A8215072900608AFCB11EFA4DD999EEBBB9FF08315F10422AE101B2191DB799A04DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00434876, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 004348C6
SetActiveWindow.USER32(?), ref: 004348D8
SendMessageA.USER32 ref: 004348EE
IsWindow.USER32(?), ref: 004348FB
SetActiveWindow.USER32(?), ref: 00434902
IsWindow.USER32(?), ref: 00434907
SetFocus.USER32(?), ref: 00434911

Strings

u, xrefs: 0043491C

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Window$ActiveFocus$MessageSend
String ID: u
API String ID: 1556911595-4067256894
Opcode ID: 2e038301550099cdbf95b41fd42d17ea790e5b2d912dc148cb4129947452d21b
Instruction ID: c9cc414b2db8118b7e61bef0cd12ff310efcf5ea25e9cb6b0c247af0848cbf2c
Opcode Fuzzy Hash: 2e038301550099cdbf95b41fd42d17ea790e5b2d912dc148cb4129947452d21b
Instruction Fuzzy Hash: 7F11D0B2500209ABDF246F75DD08BBF7B68EF8D311F445037E942962A6D63CEE00DA58

Uniqueness

Uniqueness Score: -1.00%

Function 00438E5A, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 00438E7E
GetStockObject.GDI32(0000000D), ref: 00438E86
GetObjectA.GDI32(00000000,0000003C,?), ref: 00438E93
GetDC.USER32(00000000), ref: 00438EA2
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00438EB6
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 00438EC2
ReleaseDC.USER32 ref: 00438ECD

Strings

System, xrefs: 00438E79, 00438EE3

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: b1b7f18e2e6c33df39302ae84abbb4e29a33501770e64295b2049fac0e8f1893
Instruction ID: 50509be1ad3fe7d4fbf8d969076776d2ccdc3688f8ac3e13cbfc11f6af4df904
Opcode Fuzzy Hash: b1b7f18e2e6c33df39302ae84abbb4e29a33501770e64295b2049fac0e8f1893
Instruction Fuzzy Hash: 3E118271A00718EBDB109BA0DC56BAF7BB8AB48745F00402DF605E61D1DB749D05CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00429CDD, Relevance: 13.8, APIs: 9, Instructions: 291COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,0045D24C,00000001,0045D24C,00000001,0045E998,00000040,0042954A,?,00000001,?,00000000,?,00000000,?), ref: 00429D09
GetLastError.KERNEL32(?,004279B8,00000000,00000000,00000000,00000000,00000000,00000000,0042321E,0045D2C4,0045D2C8,00000018,004237F0,0045D2D8,00000008,0041BEAB), ref: 00429D1B
GetCPInfo.KERNEL32(00000000,00000000,0045E998,00000040,0042954A,?,00000001,?,00000000,?,00000000,?,?,004279B8,00000000,00000000), ref: 00429DC5
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000004,00000000,00000000,?,004279B8,00000000,00000000,00000000,00000000,00000000,00000000,0042321E,0045D2C4), ref: 00429E53
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000004,00000190,00000000,?,004279B8,00000000,00000000,00000000,00000000,00000000,00000000,0042321E,0045D2C4), ref: 00429ECC
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,0041839E,00000000,00000000,?,004279B8,00000000,00000000,00000000,00000000,00000000,00000000,0042321E,0045D2C4), ref: 00429EE9
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,0041839E,?,00000000,?,004279B8,00000000,00000000,00000000,00000000,00000000,00000000,0042321E,0045D2C4), ref: 00429F5F

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ByteCharMultiWide$CompareErrorInfoLastString
String ID:
API String ID: 1773772771-0
Opcode ID: f5b0631a8a230c7cf34f4b09aa0cef4afbdd0b8d9c8e7d8a2e02899e50a54230
Instruction ID: 8879693e22c9e7cdcecdbf323db20faba66d2d3ddb4863d48057496f30f15322
Opcode Fuzzy Hash: f5b0631a8a230c7cf34f4b09aa0cef4afbdd0b8d9c8e7d8a2e02899e50a54230
Instruction Fuzzy Hash: 6AB19E31A00229AFCF21DF55ED84BEF7BB5AF45310FA5002BF80496291D7398C91DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00448E5E, Relevance: 13.6, APIs: 9, Instructions: 137windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0043D63E: GetFocus.USER32(?,00448E72,?), ref: 0043D63F
Part of subcall function 0043D63E: GetParent.USER32(00000000), ref: 0043D668
Part of subcall function 0043D63E: GetWindowLongA.USER32 ref: 0043D683
Part of subcall function 0043D63E: GetParent.USER32(00448E72), ref: 0043D691
Part of subcall function 0043D63E: GetDesktopWindow.USER32 ref: 0043D695
Part of subcall function 0043D63E: SendMessageA.USER32 ref: 0043D6A9

GetMenu.USER32(?), ref: 00448EC2
GetMenu.USER32(?), ref: 00448ED6
GetMenuItemCount.USER32 ref: 00448EDF
GetSubMenu.USER32 ref: 00448EF0
GetMenuItemCount.USER32 ref: 00448F12
GetMenuItemID.USER32(?,00000000), ref: 00448F33
GetMenuItemID.USER32(?,00000000), ref: 00448F5B
GetMenuItemCount.USER32 ref: 00448F92
GetMenuItemID.USER32(?,00000000), ref: 00448FAD

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Menu$Item$Count$ParentWindow$DesktopFocusLongMessageSend
String ID:
API String ID: 4186786570-0
Opcode ID: 4b8e995cbe303c707adac10594b88d378759b3f5cbc2d5f318f88ef50f99b059
Instruction ID: 1186a40309dbe65c30ebfcea576b18409112a957daea0ae91ad0f12664eb9b55
Opcode Fuzzy Hash: 4b8e995cbe303c707adac10594b88d378759b3f5cbc2d5f318f88ef50f99b059
Instruction Fuzzy Hash: EB416331900605EFEF11AFA4C980AAEB7F6FF48311F20456EE511E2251DB39ED45DB28

Uniqueness

Uniqueness Score: -1.00%

Function 004447A1, Relevance: 13.6, APIs: 9, Instructions: 127timekeyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000001), ref: 004447AC
GetCursorPos.USER32(?), ref: 004447CB
ScreenToClient.USER32 ref: 004447D8
GetCapture.USER32 ref: 00444825

Part of subcall function 00435FA7: IsWindowEnabled.USER32(?), ref: 00435FB0

ClientToScreen.USER32(?,?), ref: 0044486C
WindowFromPoint.USER32(?,?), ref: 00444878
IsChild.USER32(?,00000000), ref: 0044488D
KillTimer.USER32(?,0000E001), ref: 004448CA
KillTimer.USER32(?,0000E000), ref: 004448E6

Part of subcall function 0043480D: GetLastActivePopup.USER32(?), ref: 00434816
Part of subcall function 0043480D: GetForegroundWindow.USER32(00000000,?,00444804), ref: 00434824

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Window$ClientKillScreenTimer$ActiveCaptureChildCursorEnabledForegroundFromLastPointPopupState
String ID:
API String ID: 1383385731-0
Opcode ID: 2d0581b59e6152926ea8c38ef2e1866b8e1c34534853f3d2e96e5dbe9b70a7e4
Instruction ID: 6965d146c38e4620de229449cf063ea3f8ea19e5a9af1fe4010416ca4d351169
Opcode Fuzzy Hash: 2d0581b59e6152926ea8c38ef2e1866b8e1c34534853f3d2e96e5dbe9b70a7e4
Instruction Fuzzy Hash: F8414134A00745EFEB20AF65CC44B6E7BB5BF84325F20466AE421D72E1DB34D9418B58

Uniqueness

Uniqueness Score: -1.00%

Function 004407D1, Relevance: 13.6, APIs: 9, Instructions: 92threadCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 004407EA
GetActiveWindow.USER32 ref: 00440813
GetCurrentThreadId.KERNEL32 ref: 0044082C
GetWindowThreadProcessId.USER32(?,00000000), ref: 0044083B
GetDesktopWindow.USER32 ref: 00440849

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Window$Thread$ActiveCaptureCurrentDesktopProcess
String ID:
API String ID: 886339953-0
Opcode ID: b7866de01b63e34e6c970548139f8289d3006cc25d858ad3108556eb056168bb
Instruction ID: 3cc15904af073210b79dccec0842aa9cf3bf2c91b1676e83d6829647f8157671
Opcode Fuzzy Hash: b7866de01b63e34e6c970548139f8289d3006cc25d858ad3108556eb056168bb
Instruction Fuzzy Hash: EC316031900214EFDF11BFA5D9485AEB7B1EF44342B208476E901D7261E738CD61CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0042B8B4, Relevance: 13.6, APIs: 9, Instructions: 85windowstringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 0042B8C2
GetFocus.USER32 ref: 0042B8E3

Part of subcall function 00433622: UnhookWindowsHookEx.USER32(?), ref: 00433647

IsWindowEnabled.USER32(?), ref: 0042B910
EnableWindow.USER32(?,00000000), ref: 0042B923
GetOpenFileNameA.COMDLG32(?), ref: 0042B949
GetSaveFileNameA.COMDLG32(?), ref: 0042B951
EnableWindow.USER32(?,00000001), ref: 0042B96B
IsWindow.USER32(?), ref: 0042B971
SetFocus.USER32(?), ref: 0042B97F

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Window$EnableFileFocusName$EnabledHookOpenSaveUnhookWindowslstrlen
String ID:
API String ID: 3606897497-0
Opcode ID: 8a50f48914794e372aa88668e7ac60900198de104dff56d558731ad55933d148
Instruction ID: 1d2e9c735bb1c7179fa8111554d0a05b97cbe472878d5b32c700dfe4c4918759
Opcode Fuzzy Hash: 8a50f48914794e372aa88668e7ac60900198de104dff56d558731ad55933d148
Instruction Fuzzy Hash: 46318F70600B00AFDB219F35EC59A2ABBE5FF44705F54442EF65687262DB39E842CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041BCC1, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 227COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0041BD79
__allrem.LIBCMT ref: 0041BD91
__allrem.LIBCMT ref: 0041BDAD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041BDE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041BE04
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041BE1B

Part of subcall function 004237C2: __lock.LIBCMT ref: 004237DA

Strings

E, xrefs: 0041BD3F

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@$__lock
String ID: E
API String ID: 4106114094-3568589458
Opcode ID: ba3e2642bcc2f90b1e8ae813dae209bb82a79ac6229ee24fd7958747690a94ef
Instruction ID: 1de95eb517ababffbda6894dbf5f9152a0d755badacd506acec4cbac23241b0b
Opcode Fuzzy Hash: ba3e2642bcc2f90b1e8ae813dae209bb82a79ac6229ee24fd7958747690a94ef
Instruction Fuzzy Hash: 5D718471E00618AFDF14DFA9CC81BDEB7B6EB48314F14816AF614E6291D7789A808B84

Uniqueness

Uniqueness Score: -1.00%

Function 00437A8D, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00437A92
GetObjectA.GDI32(00000000,00000018,?), ref: 00437ACC
GetSystemMetrics.USER32 ref: 00437AE3
GetSystemMetrics.USER32 ref: 00437AEC
GetMenuItemInfoA.USER32 ref: 00437B25
GetMenuItemInfoA.USER32 ref: 00437B49

Strings

@, xrefs: 00437B1E

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: InfoItemMenuMetricsSystem$H_prologObject
String ID: @
API String ID: 652124166-2766056989
Opcode ID: c5fdd4d7ddd440c2d48ef46a859edf6935f61638a6448ce92d1d4a2748497f8a
Instruction ID: ee933510e8ff2e1830613674225738e5fc6bfb33bbb6d8e8fa93956d6ed3d076
Opcode Fuzzy Hash: c5fdd4d7ddd440c2d48ef46a859edf6935f61638a6448ce92d1d4a2748497f8a
Instruction Fuzzy Hash: EF415F72900209AFCB10EFA5CC41FEEBBB4FF58318F14412EE515A7292DB74AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004394D7, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 83stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 004394E2

Part of subcall function 00450428: PathFindFileNameA.SHLWAPI(?,004504DE,?,?,00000104), ref: 0045042C
Part of subcall function 00450428: lstrlenA.KERNEL32(00000000), ref: 0045043A

lstrcpyA.KERNEL32(?,?,?,00000000,00000000), ref: 00439563
lstrlenA.KERNEL32(?,?,00000000,00000000), ref: 0043957A
lstrcatA.KERNEL32(?,\...), ref: 00439599
lstrcatA.KERNEL32(?,00000000), ref: 0043959D

Strings

\..., xrefs: 00439589
mE, xrefs: 00439516

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: lstrlen$lstrcat$FileFindNamePathlstrcpy
String ID: \...$mE
API String ID: 1604900594-287629680
Opcode ID: d6077757688e26ed8305fa125a7c83f940fdd495b79f35def1dec05b2ea30191
Instruction ID: 09aba274806faf3487fa2ef03754c5be15a086bf3c4b0ba3b08622cbd8cb28a9
Opcode Fuzzy Hash: d6077757688e26ed8305fa125a7c83f940fdd495b79f35def1dec05b2ea30191
Instruction Fuzzy Hash: 12210772900705BFDF229B248C80B6F7BA89B19356F10542FF80597142D3BCADC08B59

Uniqueness

Uniqueness Score: -1.00%

Function 0042778C, Relevance: 12.2, APIs: 8, Instructions: 169COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,?,0045E880,00000038,00422EB7,?,00000000,00000000,0041B82D,00000000,00000000,0045D278,0000001C,0041B55C,00000001,00000020), ref: 004277CA
GetCPInfo.KERNEL32(00000000,00000001), ref: 004277DD
_strlen.LIBCMT ref: 00427801
MultiByteToWideChar.KERNEL32(00000000,00000001,0041B82D,?,00000000,00000000), ref: 00427822

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Info$ByteCharMultiWide_strlen
String ID:
API String ID: 1335377746-0
Opcode ID: c822bc344de4615cda02f0a85b585d1b16def2495c8cf272e604d85222981cd1
Instruction ID: 908147545bd977651c2b3bb9268f1a49b27d97bb9cabcd1bf242168730a4dcd5
Opcode Fuzzy Hash: c822bc344de4615cda02f0a85b585d1b16def2495c8cf272e604d85222981cd1
Instruction Fuzzy Hash: 3B518170A04229BFCF219F65EC888AFBFB9EF89750F60011AF415A2260D7755D81CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0041FD5D, Relevance: 12.1, APIs: 8, Instructions: 131COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(75144DE0,00000000,?,?,?,?,00419CAA,?,0045C7A8,00000060), ref: 0041FD79
GetLastError.KERNEL32(?,?,?,?,00419CAA,?,0045C7A8,00000060), ref: 0041FD8D
GetEnvironmentStringsW.KERNEL32(75144DE0,00000000,?,?,?,?,00419CAA,?,0045C7A8,00000060), ref: 0041FDAF
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,75144DE0,00000000,?,?,?,?,00419CAA), ref: 0041FDE3
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,00419CAA,?,0045C7A8,00000060), ref: 0041FE05
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,00419CAA,?,0045C7A8,00000060), ref: 0041FE1E
GetEnvironmentStrings.KERNEL32(75144DE0,00000000,?,?,?,?,00419CAA,?,0045C7A8,00000060), ref: 0041FE34
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0041FE70

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide$ErrorLast
String ID:
API String ID: 883850110-0
Opcode ID: 1c5756c9de1c30e4f1f695086e9f44755d1be05005563390b6625aadb238d136
Instruction ID: a135d8831ca9e299a2d27de6bff3e8ec8892586160f99b122d285ffa3d9249cd
Opcode Fuzzy Hash: 1c5756c9de1c30e4f1f695086e9f44755d1be05005563390b6625aadb238d136
Instruction Fuzzy Hash: C23139725053156FD7202F75BC848BBBADCEB85354715093FF546C3222E6298CCB86AD

Uniqueness

Uniqueness Score: -1.00%

Function 00433973, Relevance: 12.1, APIs: 8, Instructions: 124windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 004339A6
BeginDeferWindowPos.USER32 ref: 004339BE
GetTopWindow.USER32(?), ref: 004339D0
GetDlgCtrlID.USER32 ref: 004339DB
SendMessageA.USER32 ref: 00433A0D
GetWindow.USER32(00000000,00000002), ref: 00433A16
CopyRect.USER32 ref: 00433A34
EndDeferWindowPos.USER32(00000000), ref: 00433AAE

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
String ID:
API String ID: 1228040700-0
Opcode ID: bb7d123d0f982ccc362c19797bf1ac84c55a903cbdd3fd8bc6b6971af7d4f8f1
Instruction ID: 93cbe03643935ea6084548903dedfa5d458824e0c62958fa44a0f854518e946e
Opcode Fuzzy Hash: bb7d123d0f982ccc362c19797bf1ac84c55a903cbdd3fd8bc6b6971af7d4f8f1
Instruction Fuzzy Hash: 2341467290024AEFCF10EF94D8849EEBBB5FF0C312F14516AE845A6251C7789E41CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004474C0, Relevance: 12.1, APIs: 8, Instructions: 110windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004474C5
GetSystemMenu.USER32(?,00000000), ref: 0044753A
DeleteMenu.USER32(?,0000F000,00000000,00000000), ref: 00447558
DeleteMenu.USER32(?,0000F020,00000000), ref: 00447564
DeleteMenu.USER32(?,0000F030,00000000), ref: 00447570
DeleteMenu.USER32(?,0000F120,00000000), ref: 0044757C
DeleteMenu.USER32(?,0000F060,00000000,0000F011), ref: 004475AF
AppendMenuA.USER32 ref: 004475BE

Part of subcall function 00418FE6: SetParent.USER32(?,00000000), ref: 00418FF5

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Menu$Delete$AppendH_prologParentSystem
String ID:
API String ID: 3391233131-0
Opcode ID: cb268a6b9311794fd0b52d85bfe050a53e12b8c1e8a3aae1882f48264c6cd560
Instruction ID: 1996e082704178db56b20f710397829d4b095804981de7dfd09d41bdd4da9c08
Opcode Fuzzy Hash: cb268a6b9311794fd0b52d85bfe050a53e12b8c1e8a3aae1882f48264c6cd560
Instruction Fuzzy Hash: AB311631740215BBEB205F21CC56FAEBB65FF44714F158129FA08AF2D2C7B8A811DB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041306C, Relevance: 12.1, APIs: 8, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1bd416ac915eb7d92c7af6f7d990aa70e41ac88983979b11f2ce045b8114dd7
Instruction ID: 44817ab0cff2d5d7262e9f23271493fd3986ca7f44045db8597fe87f08be5891
Opcode Fuzzy Hash: a1bd416ac915eb7d92c7af6f7d990aa70e41ac88983979b11f2ce045b8114dd7
Instruction Fuzzy Hash: 2C31097190020EBF9F019FA5DD449FFBBBCEB08356F148426F905E2210E739DA819B68

Uniqueness

Uniqueness Score: -1.00%

Function 00439DA7, Relevance: 12.1, APIs: 8, Instructions: 81stringCOMMON

Download Yara Rule

APIs

lstrcmpiA.KERNEL32(?,00000000), ref: 00439DC0
GetSystemMetrics.USER32 ref: 00439DD3

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: MetricsSystemlstrcmpi
String ID:
API String ID: 2335526769-0
Opcode ID: c3d60e82709cd49561099679e4197a2a92a863e7637816cb6e54cfb2d1077794
Instruction ID: 7b2c7b4bdfcfb2f673e60cc537648b78ec905c21c1d2922e59de5f8c48f836aa
Opcode Fuzzy Hash: c3d60e82709cd49561099679e4197a2a92a863e7637816cb6e54cfb2d1077794
Instruction Fuzzy Hash: B2212971600219BADB10AB709C45FBF7B6CDB49720F245662F926D22C1D6F4CD42CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004511E4, Relevance: 12.1, APIs: 8, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 004511F2
GetMenuItemCount.USER32 ref: 004511FC
GetSubMenu.USER32 ref: 00451214
GetMenuItemCount.USER32 ref: 00451225
GetSubMenu.USER32 ref: 00451235
RemoveMenu.USER32(00000000,00000000,00000400), ref: 0045124D
GetSubMenu.USER32 ref: 00451265
RemoveMenu.USER32(?,00000000,00000400), ref: 0045127E

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Menu$CountItem$Remove
String ID:
API String ID: 3494307843-0
Opcode ID: 398588c90de5b74bcf7154966dbc1d9013e1d2bcb43c63eca92f241cd113f64c
Instruction ID: 746b2f664515372a0ad781a10bf9a9983c1bc3f1e70f7136d6a50455f0798202
Opcode Fuzzy Hash: 398588c90de5b74bcf7154966dbc1d9013e1d2bcb43c63eca92f241cd113f64c
Instruction Fuzzy Hash: 5F11D031108700BBC6119B158C45F2FBBE8FBC4B0BF1006ABF944F2122D638AD498A6E

Uniqueness

Uniqueness Score: -1.00%

Function 00437DD4, Relevance: 12.1, APIs: 8, Instructions: 65memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 00437DF1
lstrcmpA.KERNEL32(?,?), ref: 00437DFD
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 00437E0F
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00437E2F
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00437E37
GlobalLock.KERNEL32 ref: 00437E41
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 00437E4E
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 00437E66

Part of subcall function 0043D6B5: GlobalFlags.KERNEL32(?), ref: 0043D6BF
Part of subcall function 0043D6B5: GlobalUnlock.KERNEL32(?,00000000,?,00437E60,?,00000000,?,?,00000000,00000000,00000002), ref: 0043D6D0
Part of subcall function 0043D6B5: GlobalFree.KERNEL32 ref: 0043D6DB

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 0126cb4afb009e872db47b14b0bd818db00ca21c9c050d74237f53f8a94ac3d0
Instruction ID: 0ece4fc62f972c34930ccebf000084c9fe4f8188dd14870b44cf379947c3c425
Opcode Fuzzy Hash: 0126cb4afb009e872db47b14b0bd818db00ca21c9c050d74237f53f8a94ac3d0
Instruction Fuzzy Hash: 5C11C1B2500600BFDB216B66DC8AD7FBABDEF89704F10045EF945C2222D639DD50DB28

Uniqueness

Uniqueness Score: -1.00%

Function 0043C68C, Relevance: 10.7, APIs: 7, Instructions: 199COMMON

Download Yara Rule

APIs

GetObjectType.GDI32 ref: 0043C711
GetStockObject.GDI32(0000000D), ref: 0043C71D
SelectObject.GDI32(?,00000000), ref: 0043C733
SelectObject.GDI32(?,?), ref: 0043C73E
PlayMetaFileRecord.GDI32(?,?,?,?), ref: 0043C812

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Object$Select$FileMetaPlayRecordStockType
String ID:
API String ID: 4008327421-0
Opcode ID: ff844772d8feca82522a0d794dde81d5bc5c0601914da326bd39f5ff6cf9565c
Instruction ID: 13c5e960a5dfd4f0f5ec388ab69daed2e38bc03bccbd5585ebd55d7f1b39093c
Opcode Fuzzy Hash: ff844772d8feca82522a0d794dde81d5bc5c0601914da326bd39f5ff6cf9565c
Instruction Fuzzy Hash: 9E716F75500615DBCB18EFA4C8C48BBBBB5FF8C702B10D41EF95266660D738E940DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00451D2C, Relevance: 10.7, APIs: 7, Instructions: 185stringmemoryCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32 ref: 00451D90

Part of subcall function 00412743: MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,?,?), ref: 00412765

lstrlenA.KERNEL32(00000000), ref: 00451DC2
lstrlenA.KERNEL32(00000000), ref: 00451DF6
lstrlenW.KERNEL32(00000000), ref: 00451E30
lstrlenW.KERNEL32(00000000), ref: 00451E48
lstrlenW.KERNEL32(00000000), ref: 00451E60
CoTaskMemAlloc.OLE32(?), ref: 00451EAA

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: lstrlen$AllocByteCharMultiTaskWide
String ID:
API String ID: 237993643-0
Opcode ID: ed3180c4c92e8cfc99b193cd2ea157024b5ba1f669fc7eba1d765cae00203a9e
Instruction ID: 67354c6a88ed39dba44ccc1b09efe26b344e87aff5cdb49963f059b8707c01dc
Opcode Fuzzy Hash: ed3180c4c92e8cfc99b193cd2ea157024b5ba1f669fc7eba1d765cae00203a9e
Instruction Fuzzy Hash: 7C61A176C00219EBCB10AFA5CC417FEBBB4FF04325F10846AE85697262D37C9A85DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0044724B, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00447276
EqualRect.USER32 ref: 0044729B
GetDlgCtrlID.USER32 ref: 00447322
CopyRect.USER32 ref: 0044735A
GetParent.USER32(?), ref: 00447414

Strings

@, xrefs: 004472BB

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Rect$CopyCtrlEqualParentWindow
String ID: @
API String ID: 2544134605-2766056989
Opcode ID: ce25f9cad4003159e50acac0045503ce27eaf7a81df5c2f6ed88c1c224e7353a
Instruction ID: 3f2e18c560a0e6de16d949a5dbdf98d88c58a62188854486105d1e99f89ce2a8
Opcode Fuzzy Hash: ce25f9cad4003159e50acac0045503ce27eaf7a81df5c2f6ed88c1c224e7353a
Instruction Fuzzy Hash: 5D518F716006059FEF25DF68CC85BBE77AAFF48304F14452EF9199B292CB38A806CB15

Uniqueness

Uniqueness Score: -1.00%

Function 004441A5, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32 ref: 00444216
SetRectEmpty.USER32(?), ref: 00444250
UnionRect.USER32 ref: 00444293
IsRectEmpty.USER32(?), ref: 004442A1
SetRectEmpty.USER32(?), ref: 004442AF

Strings

P, xrefs: 004441C5

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Rect$Empty$LongUnionWindow
String ID: P
API String ID: 1811082079-3110715001
Opcode ID: 49e24d0d7558a79cab25b101c2103ebf144890795ab70709db9ecec09b9c5f98
Instruction ID: 72f0b4e5eaf80483aa8d82ad998524f260634638f742aec56d863f194f8569c4
Opcode Fuzzy Hash: 49e24d0d7558a79cab25b101c2103ebf144890795ab70709db9ecec09b9c5f98
Instruction Fuzzy Hash: A6414971A002199FEB14CF94C849EFEB7B8FF88705F14456EF511AB280DBB89901CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0043301E, Relevance: 10.6, APIs: 7, Instructions: 115windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0043304C
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00433073
UpdateWindow.USER32(?), ref: 0043308D
SendMessageA.USER32 ref: 004330B1
SendMessageA.USER32 ref: 004330CB
UpdateWindow.USER32(?), ref: 00433111
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00433145

Part of subcall function 00435E61: GetWindowLongA.USER32 ref: 00435E6C

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: f05eaf972e1e8e22f92118e16d07a1387f3238ed22c66bd5ecfd30a7672949b2
Instruction ID: 6388c1f0776f2a6c3e95a2978629202c0a1e4d84d2f71559620c623a3996fb0f
Opcode Fuzzy Hash: f05eaf972e1e8e22f92118e16d07a1387f3238ed22c66bd5ecfd30a7672949b2
Instruction Fuzzy Hash: 8B41B4302047409BDB319F268C44A2BBAF4FFC8B56F14592EF491912A1D73ADA05CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00440055, Relevance: 10.6, APIs: 7, Instructions: 111windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0044066B
SendMessageA.USER32 ref: 00440684
GetFocus.USER32(?,?,?,?,00000000), ref: 00440696
SendMessageA.USER32 ref: 004406A2
GetLastActivePopup.USER32(?), ref: 004406C9
SendMessageA.USER32 ref: 004406D4
SendMessageA.USER32 ref: 004406F8

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: MessageSend$ActiveCaptureFocusLastPopup
String ID:
API String ID: 3219385341-0
Opcode ID: fb674626c453f9c38f97a0d3c94d23ff4fc27fcaab8961a43ce8e921fd551bfa
Instruction ID: 6c3208c50c0dad0549d0e1f65c99075a098f6c397707bc05cd8c5ec6542013c1
Opcode Fuzzy Hash: fb674626c453f9c38f97a0d3c94d23ff4fc27fcaab8961a43ce8e921fd551bfa
Instruction Fuzzy Hash: 3F31E771300205ABEA106B25DC84E7F769DABC5795F12083BF203C7341DB7DEC2146A9

Uniqueness

Uniqueness Score: -1.00%

Function 00417267, Relevance: 10.6, APIs: 7, Instructions: 108stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041726C

Part of subcall function 00435D1B: GetDlgItem.USER32 ref: 00435D28

GetWindowTextLengthA.USER32(?), ref: 004172BC
GetWindowTextA.USER32 ref: 004172EE

Part of subcall function 00413996: _strlen.LIBCMT ref: 004139A9

lstrlenA.KERNEL32(?,000000FF), ref: 0041730A
CLSIDFromString.OLE32(00000000,?), ref: 00417335
StringFromGUID2.OLE32(?,?,00000040,?,?,?), ref: 0041736A
lstrlenW.KERNEL32(?), ref: 00417377

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: FromStringTextWindowlstrlen$H_prologItemLength_strlen
String ID:
API String ID: 1405133281-0
Opcode ID: 3ad56218be434b1bfd164963c49eb312643e7cb2ac916042b354963481bfa48d
Instruction ID: 2c0ffebfdae8514149fcedfb22c54ca54f7705be2de4bbfa77872122a1f2e0c5
Opcode Fuzzy Hash: 3ad56218be434b1bfd164963c49eb312643e7cb2ac916042b354963481bfa48d
Instruction Fuzzy Hash: 1341D171500119ABDF10AF71DC49FEEB779FF04325F00456AF929972A2DB389A90CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0044E4E2, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 105registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044E4E7
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0044E5C7
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0044E5E4
RegCloseKey.ADVAPI32(?,?,?,?,Software\), ref: 0044E604
RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 0044E620

Strings

Software\, xrefs: 0044E545

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CloseEnumH_prologOpenQueryValue
String ID: Software\
API String ID: 2161548231-964853688
Opcode ID: 5743724e13406c2e7e9bcb00e3e52899bac800b6c5a1d6c8244880fea5765235
Instruction ID: 7a2801851b4db7ea290316ac2235575d8356fa22de5b450ebb6719c5dfc1a47a
Opcode Fuzzy Hash: 5743724e13406c2e7e9bcb00e3e52899bac800b6c5a1d6c8244880fea5765235
Instruction Fuzzy Hash: 8B41A231800118ABDB25EB65DC45EEEB7B9FF49314F0041AAF145A3291DB389E95CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0044EE1E, Relevance: 10.6, APIs: 7, Instructions: 96memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0047B6F4,00000000,?,?,0047B6D8,?,0044F097,?,00000000,?,75144DE0,00000000,?,0044D598,0044C800,0044D5B4), ref: 0044EE2E
TlsGetValue.KERNEL32(0047B6D8,?,?,0047B6D8,?,0044F097,?,00000000,?,75144DE0,00000000,?,0044D598,0044C800,0044D5B4,00437F34), ref: 0044EE4C
LocalAlloc.KERNEL32(00000000,00000003,00000010,?,?,0047B6D8,?,0044F097,?,00000000,?,75144DE0,00000000,?,0044D598,0044C800), ref: 0044EEA8
LocalReAlloc.KERNEL32(?,00000003,00000002,00000010,?,?,0047B6D8,?,0044F097,?,00000000,?,75144DE0,00000000,?,0044D598), ref: 0044EEBA
LeaveCriticalSection.KERNEL32(?,?,?,0047B6D8,?,0044F097,?,00000000,?,75144DE0,00000000,?,0044D598,0044C800,0044D5B4,00437F34), ref: 0044EEC7
TlsSetValue.KERNEL32(0047B6D8,00000000), ref: 0044EEF7
LeaveCriticalSection.KERNEL32(0047B6F4,?,?,0047B6D8,?,0044F097,?,00000000,?,75144DE0,00000000,?,0044D598,0044C800,0044D5B4,00437F34), ref: 0044EF18

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CriticalSection$AllocLeaveLocalValue$Enter
String ID:
API String ID: 784703316-0
Opcode ID: ad5dc3029b19cc7618f8c05a7a0fd529d7f8ee4157206f5fe6c2cfbd1026253f
Instruction ID: 74750fb9b15b1461e346a8a8fe795b4931961edb61551a30855e0a732363e377
Opcode Fuzzy Hash: ad5dc3029b19cc7618f8c05a7a0fd529d7f8ee4157206f5fe6c2cfbd1026253f
Instruction Fuzzy Hash: 00318C71500A05AFEB24EF56C894C6AB7B9FF04351720892EE91AC7611C778EC54CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00445765, Relevance: 10.6, APIs: 7, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetMessageA.USER32 ref: 00445784
DispatchMessageA.USER32 ref: 00445797
PeekMessageA.USER32(0000000F,00000000,0000000F,0000000F,00000000), ref: 004457A6
SetRectEmpty.USER32(?), ref: 004457C7
GetDesktopWindow.USER32 ref: 004457DF
LockWindowUpdate.USER32(?,00000000), ref: 004457F0
GetDCEx.USER32(?,00000000,00000003), ref: 00445807

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Message$Window$DesktopDispatchEmptyLockPeekRectUpdate
String ID:
API String ID: 1192691108-0
Opcode ID: 7368904b410e6cc9c59da9eba8f4dfd937869ac22db953286759227cb5cbd0b9
Instruction ID: 7713d5544d199c9a8fc336de2455e0cc203b594d570abb40a1206258e445d6f7
Opcode Fuzzy Hash: 7368904b410e6cc9c59da9eba8f4dfd937869ac22db953286759227cb5cbd0b9
Instruction Fuzzy Hash: 1E2172B1500B08AFE710AF65DC88E27BBEDFB08355F41493EF556C6622EB35E8058B24

Uniqueness

Uniqueness Score: -1.00%

Function 0044F31C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,00000000,00000000), ref: 0044F34A
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 0044F36D
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,00000000,?), ref: 0044F389
RegCloseKey.ADVAPI32(?), ref: 0044F399
RegCloseKey.ADVAPI32(?), ref: 0044F3A3

Strings

software, xrefs: 0044F332

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 787cb9b01a43aaaa8bc82eeae31e2915af47890535ead89b6c02e08f84c07808
Instruction ID: 0563383205b108b6c4597869af9685a504800ebacfae56a00508705b160bb232
Opcode Fuzzy Hash: 787cb9b01a43aaaa8bc82eeae31e2915af47890535ead89b6c02e08f84c07808
Instruction Fuzzy Hash: 7711CB72D00219FB9B21DF96DD84CEFBFBCEF89740B5000AAA504A2121D2759A04DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00412FD7, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00413015
GetSystemMetrics.USER32 ref: 0041302D
GetSystemMetrics.USER32 ref: 00413034
lstrcpynA.KERNEL32(?,DISPLAY,00000020), ref: 0041305A

Strings

DISPLAY, xrefs: 00413051
B, xrefs: 00412FF4

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: System$Metrics$InfoParameterslstrcpyn
String ID: B$DISPLAY
API String ID: 2307409384-3316187204
Opcode ID: 6103ad4da9d4c7917f2b862bd0c980db9c44a83071e0530babe8334b8a5a75df
Instruction ID: 79cd31ecc504d2211d2319fef5c90b76ab43431d142017b7e85e8c76ecd66a12
Opcode Fuzzy Hash: 6103ad4da9d4c7917f2b862bd0c980db9c44a83071e0530babe8334b8a5a75df
Instruction Fuzzy Hash: 2611A7B1500324DBCF119F689C8469BBFA9EF09752F014066FD05BA109D6B4D981CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0044E432, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044E437

Part of subcall function 0043A64B: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0043A66D
Part of subcall function 0043A64B: GetShortPathNameA.KERNEL32 ref: 0043A685

PathFindFileNameA.SHLWAPI(?), ref: 0044E46D

Part of subcall function 00412B67: __EH_prolog.LIBCMT ref: 00412B6C

PathRemoveExtensionA.SHLWAPI(00000000,00000000), ref: 0044E489

Part of subcall function 00413996: _strlen.LIBCMT ref: 004139A9

GlobalAddAtomA.KERNEL32 ref: 0044E4A2
GlobalAddAtomA.KERNEL32 ref: 0044E4B0

Strings

system, xrefs: 0044E4A4

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: NamePath$AtomFileGlobalH_prolog$ExtensionFindModuleRemoveShort_strlen
String ID: system
API String ID: 1296742602-3377271179
Opcode ID: 522e79b6044faba4197005ea33135ef2f3bf123cb845d31341fd95b7234d0424
Instruction ID: 392e198d2436ba2a14f062ef8f48f1d321ebba5b2b48e2b46caf25f44177814e
Opcode Fuzzy Hash: 522e79b6044faba4197005ea33135ef2f3bf123cb845d31341fd95b7234d0424
Instruction Fuzzy Hash: A7119471900205ABCB04EBA5DC15AEEB775FF04329F10462EF021A72E2DB789904CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004512BF, Relevance: 10.5, APIs: 7, Instructions: 46memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GlobalSize.KERNEL32(?), ref: 004512CE
GlobalAlloc.KERNEL32(00002002,00000000,?,00451A04,?,?,?,?), ref: 004512DF
GlobalLock.KERNEL32 ref: 004512F4
GlobalLock.KERNEL32 ref: 004512FA
GlobalUnlock.KERNEL32(?,?,?), ref: 00451310
GlobalUnlock.KERNEL32(?,?,?), ref: 00451315
GlobalSize.KERNEL32(?), ref: 00451321

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Global$LockSizeUnlock$Alloc
String ID:
API String ID: 902569171-0
Opcode ID: 07c3e86cdede4d1902a5c9d2c84a8f5a8a8e4ba16550db1bab10859558306bf4
Instruction ID: 14654601327fc2b8be870c699a9864f6aa8f065c11582639c8b39ab7878f6147
Opcode Fuzzy Hash: 07c3e86cdede4d1902a5c9d2c84a8f5a8a8e4ba16550db1bab10859558306bf4
Instruction Fuzzy Hash: B7F0F43290021C7BCB002B65AC8486FBFACEF846A2B044027FC18D3232D671DC058BE4

Uniqueness

Uniqueness Score: -1.00%

Function 00439148, Relevance: 10.5, APIs: 7, Instructions: 29COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 00439154
GetSysColor.USER32(00000010), ref: 0043915B
GetSysColor.USER32(00000014), ref: 00439162
GetSysColor.USER32(00000012), ref: 00439169
GetSysColor.USER32(00000006), ref: 00439170
GetSysColorBrush.USER32(0000000F), ref: 0043917D
GetSysColorBrush.USER32(00000006), ref: 00439184

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 606130d50619fbdcda6609ebbbbfcfa12f01b671345df36709d1d2960f2b43db
Instruction ID: adf6ce61bc4598b9865de68172d8fa58073e23c0972c58f8f0d65ff3a69ea806
Opcode Fuzzy Hash: 606130d50619fbdcda6609ebbbbfcfa12f01b671345df36709d1d2960f2b43db
Instruction Fuzzy Hash: EEF0F8719407489BD730BB729D49B47BAE1FFC4B10F02092EE2858BA91E6B6E041DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00445E31, Relevance: 9.3, APIs: 6, Instructions: 326COMMON

Download Yara Rule

APIs

Part of subcall function 00445765: PeekMessageA.USER32(0000000F,00000000,0000000F,0000000F,00000000), ref: 004457A6
Part of subcall function 00445765: SetRectEmpty.USER32(?), ref: 004457C7
Part of subcall function 00445765: GetDesktopWindow.USER32 ref: 004457DF
Part of subcall function 00445765: LockWindowUpdate.USER32(?,00000000), ref: 004457F0
Part of subcall function 00445765: GetDCEx.USER32(?,00000000,00000003), ref: 00445807

Part of subcall function 0043B945: GetModuleHandleA.KERNEL32(GDI32.DLL,?,00445E58), ref: 0043B94D
Part of subcall function 0043B945: GetProcAddress.KERNEL32(00000000,GetLayout), ref: 0043B959

GetWindowRect.USER32 ref: 00445E7B

Part of subcall function 0043B97B: GetModuleHandleA.KERNEL32(GDI32.DLL,?,?,00445E65,00000000), ref: 0043B984
Part of subcall function 0043B97B: GetProcAddress.KERNEL32(00000000,SetLayout), ref: 0043B992

GetWindowRect.USER32 ref: 00445F45
InflateRect.USER32(?,00000002,00000002), ref: 00445FFD

Part of subcall function 004455DA: OffsetRect.USER32(?,?,?), ref: 00445611

Part of subcall function 0044597A: OffsetRect.USER32(?,?,?), ref: 004459A3
Part of subcall function 0044597A: OffsetRect.USER32(?,?,?), ref: 004459AE
Part of subcall function 0044597A: OffsetRect.USER32(?,?,?), ref: 004459B9
Part of subcall function 0044597A: OffsetRect.USER32(?,?,?), ref: 004459C4

Part of subcall function 00445D16: GetCapture.USER32 ref: 00445D27
Part of subcall function 00445D16: SetCapture.USER32(?), ref: 00445D37
Part of subcall function 00445D16: GetCapture.USER32 ref: 00445D43
Part of subcall function 00445D16: GetMessageA.USER32 ref: 00445D5D
Part of subcall function 00445D16: DispatchMessageA.USER32 ref: 00445D8F
Part of subcall function 00445D16: GetCapture.USER32 ref: 00445DED

GetWindowRect.USER32 ref: 00446018
InflateRect.USER32(?,00000002,00000002), ref: 00446100
InflateRect.USER32(?,00000002,00000002), ref: 00446113

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Rect$OffsetWindow$Capture$InflateMessage$AddressHandleModuleProc$DesktopDispatchEmptyLockPeekUpdate
String ID:
API String ID: 2136250054-0
Opcode ID: 5bcf1a3f6c4516600383489e7bf9fb84f0915f00166d74bb01d6c6a129a6dbaf
Instruction ID: 4b2de1357fd1d50865337d3c8d46d367304aa37b68a33afc485a1e99ea96bd91
Opcode Fuzzy Hash: 5bcf1a3f6c4516600383489e7bf9fb84f0915f00166d74bb01d6c6a129a6dbaf
Instruction Fuzzy Hash: A8B15A72900608AFCF01DFA4C881EEE7BBAEF4A311F154559FD05AF256D671AE84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00422D34, Relevance: 9.1, APIs: 6, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,0045D24C,00000001,?,0045D278,0000001C,0041B55C,00000001,00000020,00000100,?,00000000), ref: 00422D58
GetLastError.KERNEL32 ref: 00422D6A
MultiByteToWideChar.KERNEL32(?,00000000,00000000,0041B82D,00000000,00000000,0045D278,0000001C,0041B55C,00000001,00000020,00000100,?,00000000), ref: 00422DCC
MultiByteToWideChar.KERNEL32(?,00000001,00000000,0041B82D,?,00000000), ref: 00422E4A
GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 00422E5C

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ByteCharMultiStringTypeWide$ErrorLast
String ID:
API String ID: 3581945363-0
Opcode ID: 93b443806a43967cc9a0a8da09271ea53bec334052f19f8fd5b461f97db20d2f
Instruction ID: a437ac7a1e3d036dd6f538cd7c2cc4f804d9cfcbdaf0fdde08833e9c25febb26
Opcode Fuzzy Hash: 93b443806a43967cc9a0a8da09271ea53bec334052f19f8fd5b461f97db20d2f
Instruction Fuzzy Hash: B941B031A00225BFCF229F54ED45AEF3B65EF48760F51411AF8149A250CBB9CD90DBD8

Uniqueness

Uniqueness Score: -1.00%

Function 00442F46, Relevance: 9.1, APIs: 6, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00435E61: GetWindowLongA.USER32 ref: 00435E6C

SendMessageA.USER32 ref: 00442FD6
SendMessageA.USER32 ref: 00442FE2
SendMessageA.USER32 ref: 00442FF2
SendMessageA.USER32 ref: 00443000
SendMessageA.USER32 ref: 0044300A
InvalidateRect.USER32(?,00000000,00000001), ref: 00443074

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: MessageSend$InvalidateLongRectWindow
String ID:
API String ID: 74886174-0
Opcode ID: 4000b4efff6aba69efcb7e71a416906e70954016709950a7f5eb50d6c8fd473d
Instruction ID: 5c64a453df50b1a7caf3e2cbcda202e90c6ddb59795d957dbbbc6e6a7266dfdf
Opcode Fuzzy Hash: 4000b4efff6aba69efcb7e71a416906e70954016709950a7f5eb50d6c8fd473d
Instruction Fuzzy Hash: BA418EB0600208BFEB21AF64CC96EFFBBB9EF08744F04441AF651AB291C6749D40CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00445D16, Relevance: 9.1, APIs: 6, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00445D27
SetCapture.USER32(?), ref: 00445D37
GetCapture.USER32 ref: 00445D43
GetMessageA.USER32 ref: 00445D5D
DispatchMessageA.USER32 ref: 00445D8F
GetCapture.USER32 ref: 00445DED

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Capture$Message$Dispatch
String ID:
API String ID: 3654672037-0
Opcode ID: ea581581487ac5dc7d9617537ded1f934818e2f50e988141afabad28bef9eab9
Instruction ID: e2822b90b4f8ec9bed70f6431e34f5f13f32f10719089fc3d5dcb20249c00b12
Opcode Fuzzy Hash: ea581581487ac5dc7d9617537ded1f934818e2f50e988141afabad28bef9eab9
Instruction Fuzzy Hash: 4E3193B1900E05EBFF20BB6688499BFB7A5EF44705F20841FB046D2253DE2C9941DA6E

Uniqueness

Uniqueness Score: -1.00%

Function 00415A9C, Relevance: 9.1, APIs: 6, Instructions: 87memorystringCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00415AAD
lstrlenA.KERNEL32(00000000), ref: 00415AD1
SysAllocString.OLEAUT32(00000000), ref: 00415AF6
VariantClear.OLEAUT32 ref: 00415B1C
SysAllocString.OLEAUT32(00000000), ref: 00415B5A

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: AllocClearStringVariant$lstrlen
String ID:
API String ID: 2129226412-0
Opcode ID: 78a66a6088e3343ee48ef586c60ce1d95eaf34a4446c527aa07e2c9b242a4ca0
Instruction ID: 20141826354ec54e1e644b87163bbe2a864723b2f18c7667f43d7e9e8e11758d
Opcode Fuzzy Hash: 78a66a6088e3343ee48ef586c60ce1d95eaf34a4446c527aa07e2c9b242a4ca0
Instruction Fuzzy Hash: 5021F972500704FBC7106B75DC899DFBBACEF42366B10452AF515C3111E775D950C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00442E92, Relevance: 9.1, APIs: 6, Instructions: 78windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00444ACC

Part of subcall function 0043C2C1: __EH_prolog.LIBCMT ref: 0043C2C6
Part of subcall function 0043C2C1: GetWindowDC.USER32(00000000,?,?,00437B65,00000000,000000FF), ref: 0043C2F4

GetClientRect.USER32 ref: 00444AEC
GetWindowRect.USER32 ref: 00444AF9

Part of subcall function 0043BE44: ScreenToClient.USER32 ref: 0043BE58
Part of subcall function 0043BE44: ScreenToClient.USER32 ref: 0043BE61

OffsetRect.USER32(?,?,?), ref: 00444B20

Part of subcall function 0043B713: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0043B738
Part of subcall function 0043B713: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0043B74D

OffsetRect.USER32(?,?,?), ref: 00444B3E

Part of subcall function 0043B797: IntersectClipRect.GDI32(?,?,?,?,?), ref: 0043B7BC
Part of subcall function 0043B797: IntersectClipRect.GDI32(?,?,?,?,?), ref: 0043B7D1

SendMessageA.USER32 ref: 00444B68

Part of subcall function 0043C31C: __EH_prolog.LIBCMT ref: 0043C321
Part of subcall function 0043C31C: ReleaseDC.USER32 ref: 0043C340

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Rect$Clip$ClientH_prolog$ExcludeIntersectOffsetScreenWindow$MessageReleaseSend
String ID:
API String ID: 2727942566-0
Opcode ID: 784f83c97365ee9afceea5387ca49f83fa30f63f3ff8735ed809c188e5b33f49
Instruction ID: acb625c800499a9227c83e6b7996873a2e94e6dce9ab7db83418e81859d653e3
Opcode Fuzzy Hash: 784f83c97365ee9afceea5387ca49f83fa30f63f3ff8735ed809c188e5b33f49
Instruction Fuzzy Hash: 9721DB72D10109EFCB15EB94DC55EFEB7B8EF48315F10412EE522A31A1DB74AA0ACB64

Uniqueness

Uniqueness Score: -1.00%

Function 0044023C, Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32 ref: 0044026E
GetParent.USER32(?), ref: 0044027C
GetParent.USER32(?), ref: 0044028F
GetLastActivePopup.USER32(?), ref: 0044029E
IsWindowEnabled.USER32(?), ref: 004402B3
EnableWindow.USER32(?,00000000), ref: 004402C6

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 0d31a740e8bf9da11f87dfe3bb841f06addd3f0bef1286b111a43f32aefdc856
Instruction ID: 7d998507b6e9d1c37daed2e58111c77e7e9158b2913e65cc6971e40818471029
Opcode Fuzzy Hash: 0d31a740e8bf9da11f87dfe3bb841f06addd3f0bef1286b111a43f32aefdc856
Instruction Fuzzy Hash: 7611E332605B2057A6725A698C4CB3BB29CBF55B61F1502A7EE00E73C0DBF8CC20829D

Uniqueness

Uniqueness Score: -1.00%

Function 0042553F, Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0042555E
_strlen.LIBCMT ref: 00425567
_strcat.LIBCMT ref: 0042559F
_strlen.LIBCMT ref: 004255A5
_strcat.LIBCMT ref: 004255B3
_strlen.LIBCMT ref: 004255B9

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: _strlen$_strcat
String ID:
API String ID: 1497175149-0
Opcode ID: 6d8e9a97864912384b394dee8b0a166538910757550b170f8976a70e9cfad3b8
Instruction ID: 11a6cad9a9c860b1f238bfe5ede414f9acfa9136387677aa793d2bd73018cf33
Opcode Fuzzy Hash: 6d8e9a97864912384b394dee8b0a166538910757550b170f8976a70e9cfad3b8
Instruction Fuzzy Hash: 35110676D01125BBDB216B65DC01BCEBFE8EF113BCF64009AE444A3302E73E9A50C698

Uniqueness

Uniqueness Score: -1.00%

Function 0041501B, Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

SafeArrayGetDim.OLEAUT32(?), ref: 0041502F
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00415043
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00415058
SafeArrayRedim.OLEAUT32(?,?), ref: 00415084
VariantClear.OLEAUT32(?), ref: 00415096
SafeArrayCreate.OLEAUT32(00000011,00000001,?), ref: 004150B3

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ArraySafe$Bound$ClearCreateRedimVariant
String ID:
API String ID: 3151960920-0
Opcode ID: 423fd0d341eb92b8321c7708c72735d6a29e2c875f3cd92a98c4b5b1cac1f8bb
Instruction ID: 7d4c17ebae19c7622efc9f4619fa4766bb613293cdbd1f94e91858a5a421178e
Opcode Fuzzy Hash: 423fd0d341eb92b8321c7708c72735d6a29e2c875f3cd92a98c4b5b1cac1f8bb
Instruction Fuzzy Hash: D9112971900B09ABCB10EFA5DC89BEEBBB9AF44302F10842AF659D6151D775DAC08B94

Uniqueness

Uniqueness Score: -1.00%

Function 00440D02, Relevance: 9.1, APIs: 6, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyA.ADVAPI32(00000000,?), ref: 00440D26
RegDeleteValueA.ADVAPI32(00000000,00000000,?,00000000), ref: 00440D46
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0043965F,?), ref: 00440D71

Part of subcall function 0044F31C: RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,00000000,00000000), ref: 0044F34A
Part of subcall function 0044F31C: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 0044F36D
Part of subcall function 0044F31C: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,00000000,?), ref: 0044F389
Part of subcall function 0044F31C: RegCloseKey.ADVAPI32(?), ref: 0044F399
Part of subcall function 0044F31C: RegCloseKey.ADVAPI32(?), ref: 0044F3A3

WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00440D8C

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Close$CreateDelete$OpenPrivateProfileStringValueWrite
String ID:
API String ID: 1886894508-0
Opcode ID: 1584f9c9f667589d5d124923fd595d428c49ee6bf6f48faaff81f67984497072
Instruction ID: be05b2fc9ad5d7b6a1a6ab17eb2dce709ff9d5d88d781b80486be102b95aed3b
Opcode Fuzzy Hash: 1584f9c9f667589d5d124923fd595d428c49ee6bf6f48faaff81f67984497072
Instruction Fuzzy Hash: A011C232800719FBEF221FA0DC04BBE3B65EF04B52F008426FE0499161CB39D8759B99

Uniqueness

Uniqueness Score: -1.00%

Function 00448C9C, Relevance: 9.1, APIs: 6, Instructions: 56stringwindowCOMMON

Download Yara Rule

APIs

UnpackDDElParam.USER32(000003E8,?,?,?), ref: 00448CC8
GlobalLock.KERNEL32 ref: 00448CD3
lstrlenA.KERNEL32(00000000), ref: 00448CDA
GlobalUnlock.KERNEL32(?), ref: 00448CEE
ReuseDDElParam.USER32(?,000003E8,000003E4,00008000,?), ref: 00448D09
PostMessageA.USER32 ref: 00448D16

Part of subcall function 00435FA7: IsWindowEnabled.USER32(?), ref: 00435FB0

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: GlobalParam$EnabledLockMessagePostReuseUnlockUnpackWindowlstrlen
String ID:
API String ID: 462239228-0
Opcode ID: ce3b70960625ce19abcedc1c68bf8aa3a2137f09930ec422f8944f04288b3e9d
Instruction ID: 843f36b2d976dcb65b499918346e33768c8fa267ff354ce29602813c402bb45f
Opcode Fuzzy Hash: ce3b70960625ce19abcedc1c68bf8aa3a2137f09930ec422f8944f04288b3e9d
Instruction Fuzzy Hash: 92114F71900218ABDB11AB61DC89EDEBB79FF58315F0045AAF80A961A2CA34DD50CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00415A03, Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

SafeArrayAccessData.OLEAUT32(?,?), ref: 00415A13
SafeArrayGetDim.OLEAUT32(?), ref: 00415A22
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00415A38
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00415A47
SafeArrayGetElemsize.OLEAUT32(?), ref: 00415A57
SafeArrayUnaccessData.OLEAUT32(?), ref: 00415A91

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ArraySafe$BoundData$AccessElemsizeUnaccess
String ID:
API String ID: 1263511061-0
Opcode ID: fd95cfc87a1aac20621c6487e42e07ed4ee01d7dbbcfb95a0d10c0610e068dfe
Instruction ID: 6d2dbdf15a18a1aa65ef0e8d78f49ad1608d14ee84137c46fd22bcc576e12c69
Opcode Fuzzy Hash: fd95cfc87a1aac20621c6487e42e07ed4ee01d7dbbcfb95a0d10c0610e068dfe
Instruction Fuzzy Hash: 5C11A076500615BFCF00AB95EC46EEDBB3DFF05316B404221F919A21A1CB31AD91CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004254C0, Relevance: 9.1, APIs: 6, Instructions: 55COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004254D2
_strlen.LIBCMT ref: 004254DC
_strcat.LIBCMT ref: 00425509
_strlen.LIBCMT ref: 0042550F
_strcat.LIBCMT ref: 0042551F
_strlen.LIBCMT ref: 00425525

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: _strlen$_strcat
String ID:
API String ID: 1497175149-0
Opcode ID: bac27629e6831043937a660c74ecf41746d9df29e4b177afbeb76c8733d92f15
Instruction ID: 5a9cdce11d134a8d60e3e736b53a6c8a9b1ec1f00342cf81ae35700cce269ff2
Opcode Fuzzy Hash: bac27629e6831043937a660c74ecf41746d9df29e4b177afbeb76c8733d92f15
Instruction Fuzzy Hash: 0A016D7A9051243AC7222E7A6C41696BB88DF1336CB54015EF84453212DA2F5861C1DD

Uniqueness

Uniqueness Score: -1.00%

Function 0043D63E, Relevance: 9.0, APIs: 6, Instructions: 48windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32(?,00448E72,?), ref: 0043D63F

Part of subcall function 0043D528: GetWindowLongA.USER32 ref: 0043D541

GetParent.USER32(00000000), ref: 0043D668

Part of subcall function 0043D528: GetClassNameA.USER32(00000000,?,0000000A), ref: 0043D55C
Part of subcall function 0043D528: lstrcmpiA.KERNEL32(?,combobox), ref: 0043D56B

GetWindowLongA.USER32 ref: 0043D683
GetParent.USER32(00448E72), ref: 0043D691
GetDesktopWindow.USER32 ref: 0043D695
SendMessageA.USER32 ref: 0043D6A9

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Window$LongParent$ClassDesktopFocusMessageNameSendlstrcmpi
String ID:
API String ID: 2818563221-0
Opcode ID: b2e39b67c018302b8db795ef9005cfb936e273397fd55e2763245c0d0f51500b
Instruction ID: 2aeead1192232a8861491448c39e243f527b645f1c210aed3fc1ae82735b63b6
Opcode Fuzzy Hash: b2e39b67c018302b8db795ef9005cfb936e273397fd55e2763245c0d0f51500b
Instruction Fuzzy Hash: 5DF0A431901B206AD32226297C46B6F655D5F8DB22F562226F92CE6295DB2CDC02406D

Uniqueness

Uniqueness Score: -1.00%

Function 0044F6D3, Relevance: 9.0, APIs: 6, Instructions: 47registrystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 0044F6DF
RegSetValueA.ADVAPI32(80000000,?,00000001,?,00000000), ref: 0044F6F3
RegCreateKeyA.ADVAPI32(80000000,?,?), ref: 0044F70D
lstrlenA.KERNEL32(?), ref: 0044F71A
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,?,00000001), ref: 0044F72F
RegCloseKey.ADVAPI32(?), ref: 0044F73A

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Valuelstrlen$CloseCreate
String ID:
API String ID: 306239685-0
Opcode ID: b6aaf123c395fb8cb14ab4ade5964c64d0abfa8e7a1c6ce6e0f993b895bfe015
Instruction ID: 7da248975641b4749805fee2557fe03239696c892641d72397ea5a3033c23634
Opcode Fuzzy Hash: b6aaf123c395fb8cb14ab4ade5964c64d0abfa8e7a1c6ce6e0f993b895bfe015
Instruction Fuzzy Hash: 6F011636100608BFEF111FA0DC09FBA3B69FB04756F108031FE1AD9061D339C9649B98

Uniqueness

Uniqueness Score: -1.00%

Function 0043D7BA, Relevance: 9.0, APIs: 6, Instructions: 45COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0043D7C9
GetDlgCtrlID.USER32 ref: 0043D7DD
GetWindowLongA.USER32 ref: 0043D7EB
GetWindowRect.USER32 ref: 0043D7FD
PtInRect.USER32(?,?,?), ref: 0043D80D
GetWindow.USER32(?,00000005), ref: 0043D81A

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 0fc7a373b090b5259b073385d63363a7906f0b4bfebc10739466c26e28b60476
Instruction ID: 3d79a19879b6ae3f118e2977e9b95a08b707446c133ddebb952dde58d9e12890
Opcode Fuzzy Hash: 0fc7a373b090b5259b073385d63363a7906f0b4bfebc10739466c26e28b60476
Instruction Fuzzy Hash: E6016235500619FBDB116F54AC08EFF7B7CEF0C762F404026F921961A5D734EA018B98

Uniqueness

Uniqueness Score: -1.00%

Function 0041E0E0, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 233COMMON

Download Yara Rule

APIs

Part of subcall function 0041DFBB: _UnwindNestedFrames.LIBCMT ref: 0041DFDE

__lock.LIBCMT ref: 00423D86
DeleteCriticalSection.KERNEL32(02631C38,0045D340,00000010,00000003), ref: 00423DD4

Strings

csm, xrefs: 0041E109
csm, xrefs: 0041E1AD
csm, xrefs: 0041E179

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CriticalDeleteFramesNestedSectionUnwind__lock
String ID: csm$csm$csm
API String ID: 3118959615-393685449
Opcode ID: eeaf266864a56599e02b96fec17dceafa2841cd87502a846da7742c509402950
Instruction ID: 45f4e78f24e6799535b230a836560dca70766a821e3815cde5dc7873b858194d
Opcode Fuzzy Hash: eeaf266864a56599e02b96fec17dceafa2841cd87502a846da7742c509402950
Instruction Fuzzy Hash: D8918D35A00208AFCF24DF96D881AEE77B5BF04314F54409AEC15AB292C779DDD1CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0042223E, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

mE, xrefs: 00422334

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID:
String ID: mE
API String ID: 0-852767849
Opcode ID: 3fb972b9e255b2ddeb56af8ca57a817e51bfa3a88d179c708d6e8ac248572a28
Instruction ID: 82f871c86f75e6b8a179efe89459e3be698569a2d7d82ffaa44ba97abef56c84
Opcode Fuzzy Hash: 3fb972b9e255b2ddeb56af8ca57a817e51bfa3a88d179c708d6e8ac248572a28
Instruction Fuzzy Hash: 3D310A71704220BAEB24DB71BE01BDB3794DF45314F94846FF908D6292EABD8D40C26E

Uniqueness

Uniqueness Score: -1.00%

Function 00438D22, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 00438D46
lstrlenA.KERNEL32(00000000), ref: 00438D8A

Strings

System, xrefs: 00438D43

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: GlobalLocklstrlen
String ID: System
API String ID: 1144527523-3470857405
Opcode ID: 7a5195ea006483a3ba774903d77828ef6269f516ca54ee2f708ef976ec9e096b
Instruction ID: d6a83972c4075e3664bc916c19ab451520e06dc9bf3166b1cd7839a767c994db
Opcode Fuzzy Hash: 7a5195ea006483a3ba774903d77828ef6269f516ca54ee2f708ef976ec9e096b
Instruction Fuzzy Hash: 6441AF3280020AEFCB14DFA4C88589EFBB9FF08314F14812EF415D7281DB389995CB94

Uniqueness

Uniqueness Score: -1.00%

Function 004336BF, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00433775
GetWindowLongA.USER32 ref: 00433787
GetWindowLongA.USER32 ref: 00433798
SetWindowLongA.USER32 ref: 004337B4

Strings

(, xrefs: 0043376B

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: (
API String ID: 2178440468-3887548279
Opcode ID: a8182f4346ff7a773745d0645a035b05532780077537acdb1f0fc64ed010f592
Instruction ID: 7c58c0ff96d01c341d8469821ee2f37a2893413fb968b27f9251ff600c79a873
Opcode Fuzzy Hash: a8182f4346ff7a773745d0645a035b05532780077537acdb1f0fc64ed010f592
Instruction Fuzzy Hash: E73106B0600710AFCB20AFB5C895A6ABBB4BF08316F14552EF54297391DB38E904CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0044A478, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044A47D

Part of subcall function 00435E61: GetWindowLongA.USER32 ref: 00435E6C

wsprintfA.USER32 ref: 0044A4D5

Part of subcall function 0044C79F: _strlen.LIBCMT ref: 0044C7B0

wsprintfA.USER32 ref: 0044A545

Strings

- , xrefs: 0044A4EA, 0044A51C
:%d, xrefs: 0044A4CF, 0044A53F

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: wsprintf$H_prologLongWindow_strlen
String ID: - $:%d
API String ID: 2235926753-2359489159
Opcode ID: a6eff60b0e5d01525219bebda3cf8b98d34a5492476112d4545c3f99a4dcad77
Instruction ID: 54f1d16b849051e413a7579d92a27a041ac2cfd59f806004b6f503fdd5eaacc3
Opcode Fuzzy Hash: a6eff60b0e5d01525219bebda3cf8b98d34a5492476112d4545c3f99a4dcad77
Instruction Fuzzy Hash: 7A316F71901108ABDB04EBA5ED96DEEB776EF44305F54452FF102A7191DF38AA08CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0044D0FD, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 0044D113
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 0044D1B5
LoadBitmapA.USER32 ref: 0044D1CD

Strings

$nE, xrefs: 0044D17D
, xrefs: 0044D11F

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
String ID: $$nE
API String ID: 2596413745-3930062202
Opcode ID: c17a942b27ee72dca52793b24d71d82dd3dd08e09a4796e96d1be6d8782bbc98
Instruction ID: 8eeb58af6bc36a6aa5eaa7dde0ede022c5e189e02d282ca3f9d1bdb7b0f53ea0
Opcode Fuzzy Hash: c17a942b27ee72dca52793b24d71d82dd3dd08e09a4796e96d1be6d8782bbc98
Instruction Fuzzy Hash: 0721E771E403159FEB10CFA8DC89ABEBBB5EB84701F040527E905EB291E7749944CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00448FD8, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 0044903E
UpdateWindow.USER32(?), ref: 00449055
GetParent.USER32(?), ref: 004490C0
PostMessageA.USER32 ref: 004490DC

Strings

@, xrefs: 004490AB

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Message$ParentPostSendUpdateWindow
String ID: @
API String ID: 4141989945-2766056989
Opcode ID: aa6acc6ba5b6687fb2a384c7c194ca08e9f41ff811f930c7a7eea882742177c8
Instruction ID: 1ff7c1ed7a98ecd61734d89e463a723a5d04d88656f804b82a0c16df81f54f97
Opcode Fuzzy Hash: aa6acc6ba5b6687fb2a384c7c194ca08e9f41ff811f930c7a7eea882742177c8
Instruction Fuzzy Hash: 4731A535200B00EFFB304F24D948B6B77E5BF55311F20842EE6565A2A1C7BAEC40EB49

Uniqueness

Uniqueness Score: -1.00%

Function 00430FFD, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32 ref: 0043103E
GetDlgItem.USER32 ref: 0043105D
IsWindowEnabled.USER32(00000000), ref: 00431068
SendMessageA.USER32 ref: 0043107E

Strings

Edit, xrefs: 00431048

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Window$EnabledItemLongMessageSend
String ID: Edit
API String ID: 3499652902-554135844
Opcode ID: 093b15d037e77bcd741ee9ad2f907678fff231c758b462916c28cadcaac5a29a
Instruction ID: da8f9e1f847f9462668e1eb773fa3783db63c140cfcd26e699f80d522220ae4a
Opcode Fuzzy Hash: 093b15d037e77bcd741ee9ad2f907678fff231c758b462916c28cadcaac5a29a
Instruction Fuzzy Hash: AF01C830304341AAEA382B25DC15B6BB6B89F8C755F14652BF141E15B1CB68DC81C55C

Uniqueness

Uniqueness Score: -1.00%

Function 0043F4CC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043F4D1

Part of subcall function 0043A10E: CloseHandle.KERNEL32(?), ref: 0043A11D
Part of subcall function 0043A10E: GetLastError.KERNEL32 ref: 0043A142

GetModuleHandleA.KERNEL32(KERNEL32,?), ref: 0043F504
GetProcAddress.KERNEL32(00000000,ReplaceFileA), ref: 0043F510

Strings

ReplaceFileA, xrefs: 0043F50A
KERNEL32, xrefs: 0043F4FF

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Handle$AddressCloseErrorH_prologLastModuleProc
String ID: KERNEL32$ReplaceFileA
API String ID: 2454685956-852406001
Opcode ID: 4e0c647cbd05ddb4b4ecca2066393c7cf00872802e03386855bf6b47a335b241
Instruction ID: 53eb8aaddabdb9520d169f757aee0b91884b2ad0c80d9ad8177d7ccce8be2223
Opcode Fuzzy Hash: 4e0c647cbd05ddb4b4ecca2066393c7cf00872802e03386855bf6b47a335b241
Instruction Fuzzy Hash: DE015271640604ABC725AB66DC95DAFB3BDFFD4706B40456FF41292152CB789D048624

Uniqueness

Uniqueness Score: -1.00%

Function 00450738, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL,?,?,?,0044434E,00008000), ref: 0045074F
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 0045075B

Strings

COMCTL32.DLL, xrefs: 0045074A
NCD, xrefs: 0045078D
DllGetVersion, xrefs: 00450755

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: COMCTL32.DLL$DllGetVersion$NCD
API String ID: 1646373207-1701423194
Opcode ID: 0c66b6129527f80c7d16f7460cdeeabfb78536e8b981e02ffb431dbeeadef5a3
Instruction ID: bca01ba98a8a2a2421139e9e7471672394311d298d8601ca3452ff83ae43df70
Opcode Fuzzy Hash: 0c66b6129527f80c7d16f7460cdeeabfb78536e8b981e02ffb431dbeeadef5a3
Instruction Fuzzy Hash: 6AF0C871E0032967D7109BFD9C45BAA76AC9B04756F500536FD04E31D1D6B4DC4887F9

Uniqueness

Uniqueness Score: -1.00%

Function 00434627, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044F1DD: EnterCriticalSection.KERNEL32(0047B754,?,00000000,?,?,0044EC7C,00000010,75144DE0,00000000,?,?,?,0044D5AE,0044D53B,0044C800,0044D5B4), ref: 0044F20B
Part of subcall function 0044F1DD: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,0044EC7C,00000010,75144DE0,00000000,?,?,?,0044D5AE,0044D53B,0044C800,0044D5B4), ref: 0044F21D
Part of subcall function 0044F1DD: LeaveCriticalSection.KERNEL32(0047B754,?,00000000,?,?,0044EC7C,00000010,75144DE0,00000000,?,?,?,0044D5AE,0044D53B,0044C800,0044D5B4), ref: 0044F226
Part of subcall function 0044F1DD: EnterCriticalSection.KERNEL32(00000000,00000000,?,?,0044EC7C,00000010,75144DE0,00000000,?,?,?,0044D5AE,0044D53B,0044C800,0044D5B4,00437F34), ref: 0044F238

Part of subcall function 0044EC5B: __EH_prolog.LIBCMT ref: 0044EC60

LoadLibraryA.KERNEL32(hhctrl.ocx,0044CF69,0000000C), ref: 0043464B
GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 0043465E
FreeLibrary.KERNEL32(?), ref: 0043466E

Strings

hhctrl.ocx, xrefs: 00434646
HtmlHelpA, xrefs: 00434658

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CriticalSection$EnterLibrary$AddressFreeH_prologInitializeLeaveLoadProc
String ID: HtmlHelpA$hhctrl.ocx
API String ID: 813623328-63838506
Opcode ID: a76a58b66f2fa6d2d5c49b31760f79744e7f9ec3dc106ff10da9545379341535
Instruction ID: f7560a7c9ec6646cd3218d1f6398e703dc06d03c8042333b0dd717768757833b
Opcode Fuzzy Hash: a76a58b66f2fa6d2d5c49b31760f79744e7f9ec3dc106ff10da9545379341535
Instruction Fuzzy Hash: D6F04430200701DBD710AF71DD0AB577EE0AF49B42F00882EF54A915A2D77CE8488B1D

Uniqueness

Uniqueness Score: -1.00%

Function 0043B97B, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(GDI32.DLL,?,?,00445E65,00000000), ref: 0043B984
GetProcAddress.KERNEL32(00000000,SetLayout), ref: 0043B992
SetLastError.KERNEL32(00000078,?,?,00445E65,00000000), ref: 0043B9B4

Strings

GDI32.DLL, xrefs: 0043B97D
SetLayout, xrefs: 0043B98A

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: GDI32.DLL$SetLayout
API String ID: 4275029093-2147214759
Opcode ID: 47df103fd71187099f3c4da9ce68445801409dc8f539e2cc3a2d6f96d4522721
Instruction ID: e78a871e9cc73d6f93c6c50d701f3941f24cb559be91624bba2b32daf4e88e14
Opcode Fuzzy Hash: 47df103fd71187099f3c4da9ce68445801409dc8f539e2cc3a2d6f96d4522721
Instruction Fuzzy Hash: 9DE0D872204B00AB83105725AC08B2F7F56EBC8773F258536FF2DC1190CBB8C8058B69

Uniqueness

Uniqueness Score: -1.00%

Function 0043B945, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(GDI32.DLL,?,00445E58), ref: 0043B94D
GetProcAddress.KERNEL32(00000000,GetLayout), ref: 0043B959
SetLastError.KERNEL32(00000078), ref: 0043B971

Strings

GDI32.DLL, xrefs: 0043B946
GetLayout, xrefs: 0043B953

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: GDI32.DLL$GetLayout
API String ID: 4275029093-2396518106
Opcode ID: 8d0d172e20284ba8bb1477a19cefe609d0a25197dfaf0cc826cef24f23854101
Instruction ID: fab377e476434e9a06085e858239734884506aac6449634fe5dd4850a28566c7
Opcode Fuzzy Hash: 8d0d172e20284ba8bb1477a19cefe609d0a25197dfaf0cc826cef24f23854101
Instruction Fuzzy Hash: BDD05B71A44B1057C75037B47C0DB2A7E549F09BB37550675BE2AE22E2CB98DC0447E8

Uniqueness

Uniqueness Score: -1.00%

Function 0041ABAC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(mscoree.dll,0041AD38,?,0045C828,00000008,0041AD6F,?,00000001,00000000,004202FE,00000003), ref: 0041ABB1
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0041ABC1
ExitProcess.KERNEL32 ref: 0041ABD5

Strings

CorExitProcess, xrefs: 0041ABBB
mscoree.dll, xrefs: 0041ABAC

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: AddressExitHandleModuleProcProcess
String ID: CorExitProcess$mscoree.dll
API String ID: 75539706-1276376045
Opcode ID: 133d776a81d15c47b29590f47230e52b208ecf61127093de5c31547b2b78f831
Instruction ID: ccd9feb4c5181765ae07dfacc2c9bac8b5ef29af74bd5ac725210336e5f0eabc
Opcode Fuzzy Hash: 133d776a81d15c47b29590f47230e52b208ecf61127093de5c31547b2b78f831
Instruction Fuzzy Hash: 06D0C930204B00AFDE003F71AC5AE2F7EA9AE40B87B108835B805D0172CB78D814AA2A

Uniqueness

Uniqueness Score: -1.00%

Function 00422FB6, Relevance: 7.7, APIs: 5, Instructions: 216COMMON

Download Yara Rule

APIs

Part of subcall function 0041E3BF: GetLastError.KERNEL32(?,00000000,0041BC41,0041C448,00000000,0045C8C8,00000008,0041C49F,?,00478DA0,?,0041E870,?,00419950,00000001,00478DA0), ref: 0041E3C1
Part of subcall function 0041E3BF: FlsGetValue.KERNEL32(?,0041E870,?,00419950,00000001,00478DA0,0045C788,00000010,00401E17,Characters: %c %c ,00000061,00000041), ref: 0041E3CF
Part of subcall function 0041E3BF: FlsSetValue.KERNEL32(00000000,?,0041E870,?,00419950,00000001,00478DA0,0045C788,00000010,00401E17,Characters: %c %c ,00000061,00000041), ref: 0041E3F6
Part of subcall function 0041E3BF: GetCurrentThreadId.KERNEL32 ref: 0041E40E
Part of subcall function 0041E3BF: SetLastError.KERNEL32(00000000,?,0041E870,?,00419950,00000001,00478DA0,0045C788,00000010,00401E17,Characters: %c %c ,00000061,00000041), ref: 0041E425

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423028
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423125
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042317E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042319B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004231BE

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$ErrorLastValue$CurrentThread
String ID:
API String ID: 223281555-0
Opcode ID: 9695677f3be746f3c3269b4f773a90983936c10807f0c3828925298f7a3e3b85
Instruction ID: 1d619bc14e2f9ed3f9d1c0703bd3e01fbac7dbc366a132f6e4aa3b4db7166954
Opcode Fuzzy Hash: 9695677f3be746f3c3269b4f773a90983936c10807f0c3828925298f7a3e3b85
Instruction Fuzzy Hash: 4261F476B00319AFDB149F99DC41BAFB7B6EB84314F24816EF50097281DB7DAE408B58

Uniqueness

Uniqueness Score: -1.00%

Function 00446FDF, Relevance: 7.7, APIs: 5, Instructions: 204windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 0044700A
EqualRect.USER32 ref: 00447030
IsWindowVisible.USER32(?), ref: 004470BE
CopyRect.USER32 ref: 004470FA
GetParent.USER32(?), ref: 004471B8

Part of subcall function 00418FE6: SetParent.USER32(?,00000000), ref: 00418FF5

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Rect$ParentWindow$CopyEqualVisible
String ID:
API String ID: 545338366-0
Opcode ID: fce6ec38e5d29166fe0af2471629ac67a4cece6c21d7f99fa14d103d6e44b6f7
Instruction ID: b154d10cbb416971668674b4ffb39726ab97605e305236bb6e81b3dd2bd63be6
Opcode Fuzzy Hash: fce6ec38e5d29166fe0af2471629ac67a4cece6c21d7f99fa14d103d6e44b6f7
Instruction Fuzzy Hash: 08619F71600705DFEF21DFB9CC41BAEB7BAAF48304F10452EE9199B296CB389846CB15

Uniqueness

Uniqueness Score: -1.00%

Function 00416E45, Relevance: 7.7, APIs: 5, Instructions: 184COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00416E4A
VariantClear.OLEAUT32(?), ref: 00416E6B

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ClearH_prologVariant
String ID:
API String ID: 1166855276-0
Opcode ID: d63b1bd9e7ce214a3da40469daddbcecd6a15598aeafbcf9094e61a031583407
Instruction ID: 0d6a19fed4c9b0342e9decbe4a7131d05c89e341c5b7d5d7635bcba1a21a32f7
Opcode Fuzzy Hash: d63b1bd9e7ce214a3da40469daddbcecd6a15598aeafbcf9094e61a031583407
Instruction Fuzzy Hash: BC518071A01208ABCB00EF59DC959FE77A9AF88305F15441FF909E7241DB3CE982976A

Uniqueness

Uniqueness Score: -1.00%

Function 0041D569, Relevance: 7.7, APIs: 5, Instructions: 184COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C,?,?,?,?,?,004192C9,?), ref: 0041D61C
InterlockedExchange.KERNEL32(0047BB48,00000001), ref: 0041D69A
InterlockedExchange.KERNEL32(0047BB48,00000000), ref: 0041D6FF
InterlockedExchange.KERNEL32(0047BB48,00000001), ref: 0041D723
InterlockedExchange.KERNEL32(0047BB48,00000000), ref: 0041D783

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ExchangeInterlocked$QueryVirtual
String ID:
API String ID: 2947987494-0
Opcode ID: 3bef946cde86772381c7ade2703218cb5d58f068fcd97a92456abdfcaaf57326
Instruction ID: f2abfbe5d141307501c52c7c7846b977ca9cae80eb25a51dfe44d68325f93dcd
Opcode Fuzzy Hash: 3bef946cde86772381c7ade2703218cb5d58f068fcd97a92456abdfcaaf57326
Instruction Fuzzy Hash: C35195B0E006159FDB24DF28D8947EA73A1EB45718F24856BD82A872D5D378ECC1C78D

Uniqueness

Uniqueness Score: -1.00%

Function 0041FE7F, Relevance: 7.7, APIs: 5, Instructions: 172COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 0041FEDC
GetFileType.KERNEL32(?), ref: 0041FF86
GetStdHandle.KERNEL32(-000000F6), ref: 00420007

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: FileHandleInfoStartupType
String ID:
API String ID: 2461013171-0
Opcode ID: 4a296191032d028d6c84ec615931b67ac9deb95b6112b67e3293b00eeaa38792
Instruction ID: c3da2a0a733c6fa3edf195603f5b2897a4154b14640d1987d2d9940839348d3e
Opcode Fuzzy Hash: 4a296191032d028d6c84ec615931b67ac9deb95b6112b67e3293b00eeaa38792
Instruction Fuzzy Hash: 8151F8712047418FD7208F28D8847A67BE4EB02368F68467FE599C72E2D778D48BC759

Uniqueness

Uniqueness Score: -1.00%

Function 0045323A, Relevance: 7.7, APIs: 5, Instructions: 161stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0045323F
lstrcmpA.KERNEL32(00000000,00000000), ref: 004532EC
lstrcmpA.KERNEL32(?,00000000), ref: 00453318
lstrcmpA.KERNEL32(?,00000000), ref: 0045333D

Part of subcall function 0043D6B5: GlobalFlags.KERNEL32(?), ref: 0043D6BF
Part of subcall function 0043D6B5: GlobalUnlock.KERNEL32(?,00000000,?,00437E60,?,00000000,?,?,00000000,00000000,00000002), ref: 0043D6D0
Part of subcall function 0043D6B5: GlobalFree.KERNEL32 ref: 0043D6DB

GlobalLock.KERNEL32 ref: 00453269

Part of subcall function 0042C886: __EH_prolog.LIBCMT ref: 0042C88B

Part of subcall function 0042C77F: PrintDlgA.COMDLG32(?), ref: 0042C789

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Global$lstrcmp$H_prolog$FlagsFreeLockPrintUnlock
String ID:
API String ID: 2564375162-0
Opcode ID: 4a4ce266744587c1f11dfb9a8b4b216112a95a46a11b823550104a08510c7419
Instruction ID: e432ba3015f44ba8da336f1a0d52bdd18cd8c428339e51e1ddec0ed8dfadd29b
Opcode Fuzzy Hash: 4a4ce266744587c1f11dfb9a8b4b216112a95a46a11b823550104a08510c7419
Instruction Fuzzy Hash: 7E51D471A002089BCB11EF65C885BAEB7F4BF04359F14429AEC25A73A3DB78DA44CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0041A8D8, Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa8c7c0f10cf69ae4a01ab01952b64038eba01c11bb30bae17d03a4454578afb
Instruction ID: 104ace5cb48f0d02621d7baf080ba196f3e34b86f1bfc47d159e33050807ef24
Opcode Fuzzy Hash: aa8c7c0f10cf69ae4a01ab01952b64038eba01c11bb30bae17d03a4454578afb
Instruction Fuzzy Hash: 0541E9B1D02125AACF20BFB68D848EF7A64DF15364711462FF815A6251D33C4DE0CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 004178E3, Relevance: 7.6, APIs: 5, Instructions: 105timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004178E8

Part of subcall function 00435D1B: GetDlgItem.USER32 ref: 00435D28

GetWindowTextLengthA.USER32(?), ref: 00417924
GetWindowTextA.USER32 ref: 00417952

Part of subcall function 00413996: _strlen.LIBCMT ref: 004139A9

Part of subcall function 00416B5D: lstrlenA.KERNEL32(mE), ref: 00416B88

SystemTimeToFileTime.KERNEL32(?,?,?,000000FF,?,?,?,?), ref: 0041799F

Part of subcall function 0044042F: __EH_prolog.LIBCMT ref: 00440434

Part of subcall function 00441BFB: SetFocus.USER32(00000000,?,?), ref: 00441C24
Part of subcall function 00441BFB: SendMessageA.USER32 ref: 00441C3C

FileTimeToSystemTime.KERNEL32(?,?,?,?,?), ref: 004179B7

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Time$FileH_prologSystemTextWindow$FocusItemLengthMessageSend_strlenlstrlen
String ID:
API String ID: 2772574852-0
Opcode ID: 0b10fd8db9c2242a107cb3766210330e0baf94f748d29f84fd5f2cf41bdaa553
Instruction ID: cc232e3b73d2be6e740e7c704dffb92c015103105c952fcb3555a7e21d54b56b
Opcode Fuzzy Hash: 0b10fd8db9c2242a107cb3766210330e0baf94f748d29f84fd5f2cf41bdaa553
Instruction Fuzzy Hash: B7416071500109EBCF00AF95DC55DFEBB79FF48325F00812AFA16A6191DB389A85DB68

Uniqueness

Uniqueness Score: -1.00%

Function 004402DA, Relevance: 7.6, APIs: 5, Instructions: 102windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0044023C: GetParent.USER32(?), ref: 0044028F
Part of subcall function 0044023C: GetLastActivePopup.USER32(?), ref: 0044029E
Part of subcall function 0044023C: IsWindowEnabled.USER32(?), ref: 004402B3
Part of subcall function 0044023C: EnableWindow.USER32(?,00000000), ref: 004402C6

EnableWindow.USER32(?,00000001), ref: 0044031A
SendMessageA.USER32 ref: 0044032E
GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 004403A4
MessageBoxA.USER32 ref: 004403C8
EnableWindow.USER32(?,00000001), ref: 004403E4

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Window$Enable$Message$ActiveEnabledFileLastModuleNameParentPopupSend
String ID:
API String ID: 489645344-0
Opcode ID: 006ab811bf245947a0d5d48dfe2171e54d09eb638471a6e76f9233a147eb262e
Instruction ID: e9828913b853a2fa7b79a579e81144f4f35444586e11306f5e80e0a485d182c9
Opcode Fuzzy Hash: 006ab811bf245947a0d5d48dfe2171e54d09eb638471a6e76f9233a147eb262e
Instruction Fuzzy Hash: 24318031A007489FFB319F65CC85BAE7BA4AF45704F24042EEB05EB282D7B89D50CB19

Uniqueness

Uniqueness Score: -1.00%

Function 0044C4AB, Relevance: 7.6, APIs: 5, Instructions: 99keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00435E61: GetWindowLongA.USER32 ref: 00435E6C

GetWindowRect.USER32 ref: 0044C4C5
GetSystemMetrics.USER32 ref: 0044C4D3
GetSystemMetrics.USER32 ref: 0044C4D9
GetKeyState.USER32(00000002), ref: 0044C4F6
InflateRect.USER32(?,00000000,00000000), ref: 0044C529

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: MetricsRectSystemWindow$InflateLongState
String ID:
API String ID: 2406722796-0
Opcode ID: 5c5fbbad6f36d260592d60f88fc408ac2ac18a4659965ef2b37c92f77a5565a2
Instruction ID: 4afe002b0c9c30cdd5949f680f8418ad17fbd6157a0efb66b9ec37a7e82a0534
Opcode Fuzzy Hash: 5c5fbbad6f36d260592d60f88fc408ac2ac18a4659965ef2b37c92f77a5565a2
Instruction Fuzzy Hash: 6831C332B02139BBEB509BBCC8CDBBE77A5EB49394F4C4417D402DB181DA38E940C658

Uniqueness

Uniqueness Score: -1.00%

Function 00449AF2, Relevance: 7.6, APIs: 5, Instructions: 93stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00449AF7
GetDlgCtrlID.USER32 ref: 00449B50
lstrcpynA.KERNEL32(?,?,00000050), ref: 00449B9B
MultiByteToWideChar.KERNEL32(00000000), ref: 00449BB7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 00449BDB

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ByteCharCtrlH_prologMultiWideWindowlstrcpyn
String ID:
API String ID: 61182112-0
Opcode ID: de87694dd00f9298dca946a7b08ece07719ea3d77ac6624b5c08cad3560c5d4e
Instruction ID: 8cbb8b9bd2f08393791e86cb7c881a082f3460727d911d5cb40d4706330bc0bb
Opcode Fuzzy Hash: de87694dd00f9298dca946a7b08ece07719ea3d77ac6624b5c08cad3560c5d4e
Instruction Fuzzy Hash: DF31CD719003499BDB209F64DC85BEBB7B9FF48314F000A6EF66697291C778AD809B14

Uniqueness

Uniqueness Score: -1.00%

Function 00434381, Relevance: 7.6, APIs: 5, Instructions: 91windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00434386
GetTopWindow.USER32(?), ref: 004343B0
GetDlgCtrlID.USER32 ref: 004343C5
SendMessageA.USER32 ref: 00434421
GetWindow.USER32(00000000,00000002), ref: 0043445F

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Window$CtrlH_prologMessageSend
String ID:
API String ID: 4125289812-0
Opcode ID: feef5a078a818fd911ff2793b7484ec74848add76fc4b57362a6f76c5545aa45
Instruction ID: dec80a576b292a55306d617c6112636975e7d6365013b881159e531b29ceba35
Opcode Fuzzy Hash: feef5a078a818fd911ff2793b7484ec74848add76fc4b57362a6f76c5545aa45
Instruction Fuzzy Hash: D931F871800114ABCF21AF65DC45AEEB778EF9C314F20922BF415E7251DB386E45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042BDAD, Relevance: 7.6, APIs: 5, Instructions: 91windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042BDB2
GetParent.USER32(?), ref: 0042BDF7
SendMessageA.USER32 ref: 0042BE1D
GetParent.USER32(?), ref: 0042BE44
SendMessageA.USER32 ref: 0042BE61

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: MessageParentSend$H_prolog
String ID:
API String ID: 1056721960-0
Opcode ID: d17ab77b22ffba6bc88b7efcbfb890d26f12175ca2e250a6d55500c02f2a79d3
Instruction ID: 31d2a28a42ff4047a9b58992e1f9a97814da6fef0a67ca5737f2530c6df65d51
Opcode Fuzzy Hash: d17ab77b22ffba6bc88b7efcbfb890d26f12175ca2e250a6d55500c02f2a79d3
Instruction Fuzzy Hash: 77319271A00619AFCB04EFA5DC45DEEB774FF04328F10421EF521972A2DB789951CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00451A24, Relevance: 7.6, APIs: 5, Instructions: 88stringmemoryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 00451A39
lstrlenW.KERNEL32(?), ref: 00451A50
GlobalAlloc.KERNEL32(00002042,?), ref: 00451A67
GlobalLock.KERNEL32 ref: 00451A79
GlobalUnlock.KERNEL32(?), ref: 00451AF5

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Global$lstrlen$AllocLockUnlock
String ID:
API String ID: 3485620298-0
Opcode ID: 149f177295b0de1713d8913567d5d167b7f365e5580b6f21f448a70cdbdf14f8
Instruction ID: a93ba3bd7224ae6d2a81a21cce076ae9a30a5b90e859e7f995ac598f1f09a493
Opcode Fuzzy Hash: 149f177295b0de1713d8913567d5d167b7f365e5580b6f21f448a70cdbdf14f8
Instruction Fuzzy Hash: 58312971601209DFCB41CF59C984A9A77E8EF08316F11115AFC05DB256E3B8E985CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004149EC, Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004149F1
GetEnvironmentVariableA.KERNEL32(?,00000000,00000000), ref: 00414A32
GetEnvironmentVariableA.KERNEL32(?,?,00000000), ref: 00414A90
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00414AAA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000), ref: 00414AC7

Part of subcall function 004190E5: __lock.LIBCMT ref: 00419103
Part of subcall function 004190E5: HeapFree.KERNEL32(00000000,?,0045C778,0000000C,0041C46A,00000000,0045C8C8,00000008,0041C49F,?,00478DA0,?,0041E870,?,00419950,00000001), ref: 0041914A

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ByteCharEnvironmentMultiVariableWide$FreeH_prologHeap__lock
String ID:
API String ID: 1826780888-0
Opcode ID: 1c57d277da245b779fdfdb0b0c08730cc9a53c43f40047f502e70339f66857a3
Instruction ID: 86e358562cc49a885798446446d5a8bc4cd7307985207540ebe7857a0f63b3a7
Opcode Fuzzy Hash: 1c57d277da245b779fdfdb0b0c08730cc9a53c43f40047f502e70339f66857a3
Instruction Fuzzy Hash: B1312D7190012CEBCF259B61CD45EDEBB79EF84354F0041AAE219A21A2DB744EC5CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401792, Relevance: 7.6, APIs: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401797
GetEnvironmentVariableA.KERNEL32(?,00000000,00000000), ref: 004017D0
GetEnvironmentVariableA.KERNEL32(?,?,00000000), ref: 0040182E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00401848
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000), ref: 00401865

Part of subcall function 004190E5: __lock.LIBCMT ref: 00419103
Part of subcall function 004190E5: HeapFree.KERNEL32(00000000,?,0045C778,0000000C,0041C46A,00000000,0045C8C8,00000008,0041C49F,?,00478DA0,?,0041E870,?,00419950,00000001), ref: 0041914A

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ByteCharEnvironmentMultiVariableWide$FreeH_prologHeap__lock
String ID:
API String ID: 1826780888-0
Opcode ID: e00720264080bb621d723ba96d107cd57f62f740b0362cc4325dcbdc14f53818
Instruction ID: f1c6634c749f2704aa7945ecdf5bc28481aea504ce9ee8396c81072469b5cd1d
Opcode Fuzzy Hash: e00720264080bb621d723ba96d107cd57f62f740b0362cc4325dcbdc14f53818
Instruction Fuzzy Hash: 23312932800128AFCF25AB61CC45BDEBB79FB84315F0041BAE519A21A1DB744F84DE65

Uniqueness

Uniqueness Score: -1.00%

Function 0044E31E, Relevance: 7.6, APIs: 5, Instructions: 70registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044E323
RegOpenKeyA.ADVAPI32(?,?,?), ref: 0044E34C
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0044E370
RegDeleteKeyA.ADVAPI32(?,?), ref: 0044E403
RegCloseKey.ADVAPI32(?), ref: 0044E411

Part of subcall function 00412B67: __EH_prolog.LIBCMT ref: 00412B6C

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: H_prolog$CloseDeleteEnumOpen
String ID:
API String ID: 4272528234-0
Opcode ID: 4ad063682219cb9ce74caa9d621bf32ef9f41a91f90c09b27fa96dae8843257c
Instruction ID: da6db9835a7e23721245754a4c1eb856a16c09a72ceb4262fc006e24f0b4fd35
Opcode Fuzzy Hash: 4ad063682219cb9ce74caa9d621bf32ef9f41a91f90c09b27fa96dae8843257c
Instruction Fuzzy Hash: 6D219C72D00528EBDB22EF58CC45AEDB7B4FF08321F0042AAFD45A72A1C7349E409B95

Uniqueness

Uniqueness Score: -1.00%

Function 00432BDC, Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00432BEA
GetWindowRect.USER32 ref: 00432C10
SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015,?), ref: 00432C3B
GetWindow.USER32(?,00000005), ref: 00432C44
ScrollWindow.USER32 ref: 00432C5D

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Window$RectScrollVisible
String ID:
API String ID: 2639402888-0
Opcode ID: 3b80cceae8fef5efa21ddeccb48e40085fda7cd262afc16db22c08ed63475565
Instruction ID: 89bfee9c827c0a7c37fa881957d8a6833d5d3518ebec507e4ff49f367cd34f8b
Opcode Fuzzy Hash: 3b80cceae8fef5efa21ddeccb48e40085fda7cd262afc16db22c08ed63475565
Instruction Fuzzy Hash: E0218B31200A09EFDF268F54CD44EBF77BAEF48301F10542AFA0196260D7B5D911DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0044F774, Relevance: 7.6, APIs: 5, Instructions: 68registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AD91: _strlen.LIBCMT ref: 0041AD9B
Part of subcall function 0041AD91: _strcat.LIBCMT ref: 0041ADAF

lstrlenA.KERNEL32(00000000), ref: 0044F79A
RegOpenKeyA.ADVAPI32(80000000,00000000,?), ref: 0044F7C0
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 0044F7DF
RegCloseKey.ADVAPI32(?), ref: 0044F7F0
RegDeleteKeyA.ADVAPI32(80000000,00000000), ref: 0044F7FC

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CloseDeleteEnumOpen_strcat_strlenlstrlen
String ID:
API String ID: 3650123493-0
Opcode ID: 7e50a866592a75f3f9e1eb870a652677d43465f210afd78ae5c0d0460dd7eed3
Instruction ID: 3a467a66f72f02d870e5e9e0b9be56c37eea81f6ebfefc8a1bc76a5541d1bff4
Opcode Fuzzy Hash: 7e50a866592a75f3f9e1eb870a652677d43465f210afd78ae5c0d0460dd7eed3
Instruction Fuzzy Hash: 8E112732500618AEF721BB61AC45FFF7B6CEF01B1AF00007BF504D5191DB688D418AAD

Uniqueness

Uniqueness Score: -1.00%

Function 0044988A, Relevance: 7.6, APIs: 5, Instructions: 68windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000,00000000), ref: 004498A6
GetParent.USER32(?), ref: 004498B4
GetActiveWindow.USER32 ref: 00449903
SendMessageA.USER32 ref: 00449914
SendMessageA.USER32 ref: 00449929

Part of subcall function 00435FC2: EnableWindow.USER32(?,?), ref: 00435FCF

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: MessageSendWindow$ActiveEnableFocusParent
String ID:
API String ID: 3951091596-0
Opcode ID: 22a0376bff5be41c2fa80ea70c94a019f91a8316403278a5d10ccbf0e4cd490b
Instruction ID: 6a8dcf6dcfeb5dfa60012ed3ec5bf41e53d7e5015548d3a0d13f14d0c18a9e61
Opcode Fuzzy Hash: 22a0376bff5be41c2fa80ea70c94a019f91a8316403278a5d10ccbf0e4cd490b
Instruction Fuzzy Hash: 6E11D671200B019BEB306F29DCC4B2BB7E5AF55725F54092EF583967E2CB38AC409618

Uniqueness

Uniqueness Score: -1.00%

Function 00447C30, Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00447C51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00447C68
DPtoLP.GDI32(00000000,?,00000001), ref: 00447C8F
DPtoLP.GDI32(00000000,?,00000001), ref: 00447C9E
ReleaseDC.USER32 ref: 00447CBA

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CapsDeviceRelease
String ID:
API String ID: 127614599-0
Opcode ID: 1d9dc3849d8038d2c58d0b41ba7d8113287b9a735d461811534b112a52aa9514
Instruction ID: a0d020dad9adf71a51288055b6be82cb2ec8264ffe1d5969de18994a6cb3b79e
Opcode Fuzzy Hash: 1d9dc3849d8038d2c58d0b41ba7d8113287b9a735d461811534b112a52aa9514
Instruction Fuzzy Hash: 6821EA71A00218EFDB00DFE5DD85AEEBBB9FF48315F10402AE505EB291D7B4AD428B55

Uniqueness

Uniqueness Score: -1.00%

Function 00441CAD, Relevance: 7.6, APIs: 5, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00435D1B: GetDlgItem.USER32 ref: 00435D28

SendMessageA.USER32 ref: 00441CEE
SendMessageA.USER32 ref: 00441D02
SendMessageA.USER32 ref: 00441D28
GetWindow.USER32(?,00000002), ref: 00441D32
GetWindowLongA.USER32 ref: 00441D42

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: MessageSend$Window$ItemLong
String ID:
API String ID: 1613074769-0
Opcode ID: 679fade2f9801486aed656abb8dbd42032a8d43c78874b3859416ff955eec575
Instruction ID: db68cfa95ea939f042468b13d8b6f6869370b335bac3cf94c69bbd63eae4c17d
Opcode Fuzzy Hash: 679fade2f9801486aed656abb8dbd42032a8d43c78874b3859416ff955eec575
Instruction Fuzzy Hash: CD112CB150020ABFEB109F54DC85EAA7B69FF053A4F148126F9298A2A0C734ED91DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00448438, Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00435E61: GetWindowLongA.USER32 ref: 00435E6C

SendMessageA.USER32 ref: 00448491
SendMessageA.USER32 ref: 004484A5
GetDesktopWindow.USER32 ref: 004484A9
SendMessageA.USER32 ref: 004484D1
GetWindow.USER32(00000000), ref: 004484D6

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: MessageSendWindow$DesktopLong
String ID:
API String ID: 2272707703-0
Opcode ID: a08e5ec03bb11222856fa75d2c7da2b736794da07e692a7ef6983ab2a1ae4292
Instruction ID: a38436a14a428af11c73d2a351162ad18985ccf39f538fe65e6af469ccce38b5
Opcode Fuzzy Hash: a08e5ec03bb11222856fa75d2c7da2b736794da07e692a7ef6983ab2a1ae4292
Instruction Fuzzy Hash: 11113631240B0773F2325B219C12F2F6A5AAF84BA5F14011EB7416A6D1EF59DC0182AE

Uniqueness

Uniqueness Score: -1.00%

Function 00448BC1, Relevance: 7.6, APIs: 5, Instructions: 62windowCOMMON

Download Yara Rule

APIs

GlobalGetAtomNameA.KERNEL32(?,?,00000103), ref: 00448C2E
GlobalAddAtomA.KERNEL32 ref: 00448C3D
GlobalGetAtomNameA.KERNEL32(?,?,00000103), ref: 00448C55
GlobalAddAtomA.KERNEL32 ref: 00448C5E
SendMessageA.USER32 ref: 00448C85

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: AtomGlobal$Name$MessageSend
String ID:
API String ID: 1515195355-0
Opcode ID: c10b87f29cad846cced7e62ce6f7bcc3221981c412e42600f3665563855999d7
Instruction ID: 0e8920fd5fa5a57fd3338adc6f6de2e1ab7861d86d558998dea7d80fa9540b0e
Opcode Fuzzy Hash: c10b87f29cad846cced7e62ce6f7bcc3221981c412e42600f3665563855999d7
Instruction Fuzzy Hash: 9E117235500618ABEB20EFA5CC40AEAB3B8FB14705F40845AE599D7140EAB8EEC0CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004476F0, Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

GetMapMode.GDI32(?), ref: 00447700
GetDeviceCaps.GDI32(?,00000058), ref: 0044773A
GetDeviceCaps.GDI32(?,0000005A), ref: 00447743

Part of subcall function 0043C09A: MulDiv.KERNEL32(?,00000000,00000000), ref: 0043C0DA
Part of subcall function 0043C09A: MulDiv.KERNEL32(?,00000000,00000000), ref: 0043C0F7

MulDiv.KERNEL32(?,000009EC,00000060), ref: 00447767
MulDiv.KERNEL32(?,000009EC,?), ref: 00447772

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: e7ff0dba981393d62971cf5cec914e473c003e79f413db01ed631b23d21b61fe
Instruction ID: 7b944ee75d206527b7d76e3afb489e3110edd7115175438fa29b194c2d7d0a69
Opcode Fuzzy Hash: e7ff0dba981393d62971cf5cec914e473c003e79f413db01ed631b23d21b61fe
Instruction Fuzzy Hash: E511E135600B04AFDB21AF65CC44D2EBBE9EF88750B11442AFA8697360C775EC428F84

Uniqueness

Uniqueness Score: -1.00%

Function 0044777E, Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

GetMapMode.GDI32(?), ref: 0044778E
GetDeviceCaps.GDI32(?,00000058), ref: 004477C8
GetDeviceCaps.GDI32(?,0000005A), ref: 004477D1

Part of subcall function 0043C031: MulDiv.KERNEL32(?,00000000,00000000), ref: 0043C071
Part of subcall function 0043C031: MulDiv.KERNEL32(?,00000000,00000000), ref: 0043C08E

MulDiv.KERNEL32(?,00000060,000009EC), ref: 004477F5
MulDiv.KERNEL32(?,?,000009EC), ref: 00447800

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: 0eb927f77ad5bb412d18c49af7b3880793e331d15519099cb4d2642a49551793
Instruction ID: 891713671e2ca17ee7910c50b27aaef2de145e58d6d3fd53146ddb9033acc4a9
Opcode Fuzzy Hash: 0eb927f77ad5bb412d18c49af7b3880793e331d15519099cb4d2642a49551793
Instruction Fuzzy Hash: E211C235600A04AFEB216F65CC44D1EBBE9EF88754B11442AF98557760C735EC42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0044B73F, Relevance: 7.6, APIs: 5, Instructions: 56stringwindowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044B744
lstrlenA.KERNEL32(?,?,00000000), ref: 0044B753
SendMessageA.USER32 ref: 0044B76B
lstrcmpA.KERNEL32(?,00000000,?,00000000), ref: 0044B7AC
lstrcmpiA.KERNEL32(?,00000000,?,00000000), ref: 0044B7D5

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: H_prologMessageSendlstrcmplstrcmpilstrlen
String ID:
API String ID: 301985528-0
Opcode ID: 072d1bffedc1bc49e337e7394c6a1ea116c8eb64f6865649e0987778ee799475
Instruction ID: d8faad47a0e9bad7985028912da477c106ac1c8dc674efd854f0b121d1440cfa
Opcode Fuzzy Hash: 072d1bffedc1bc49e337e7394c6a1ea116c8eb64f6865649e0987778ee799475
Instruction Fuzzy Hash: BA119132500215ABDB10EFA4C815ABFBBB9FF84315F00852AE512E7251DB38D944CFE9

Uniqueness

Uniqueness Score: -1.00%

Function 004516BE, Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32(?,00000058), ref: 004516D5
GetDeviceCaps.GDI32(?,00000058), ref: 004516DE
GetDeviceCaps.GDI32(?,0000005A), ref: 004516E6
MulDiv.KERNEL32(?,?,000009EC), ref: 0045170E
MulDiv.KERNEL32(?,?,000009EC), ref: 0045171C

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CapsDevice
String ID:
API String ID: 328075279-0
Opcode ID: 8ef82595c4820055170b65da66a46e9b934e7e39e1367c2abb46990516e27ec9
Instruction ID: dd270a0f97774e2b1552d08714893c9df9991e5bf9ef9fec11a83103a9bbb52d
Opcode Fuzzy Hash: 8ef82595c4820055170b65da66a46e9b934e7e39e1367c2abb46990516e27ec9
Instruction Fuzzy Hash: F9014C35900618BBDB019F55CC80E6F7FB8EB95751B14802AFD0897261D7719801DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0042C790, Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 0042C7A8
GlobalLock.KERNEL32 ref: 0042C7B5

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: GlobalLock
String ID:
API String ID: 2848605275-0
Opcode ID: 0d08c6537dac4b8c6d60fd208f2b6f77f84ea6b19277b57b6c6a8d528863aa76
Instruction ID: eab6c0e5f07e73c5dcc4547e0faaf7ed7774e892b33c31d0ad024b3ae84eaf02
Opcode Fuzzy Hash: 0d08c6537dac4b8c6d60fd208f2b6f77f84ea6b19277b57b6c6a8d528863aa76
Instruction Fuzzy Hash: 49F08662700733A7C6305B25ACC4A3B7ADCAFC4791B540826F845D2200D768CC05DBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00451657, Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32(?,00000058), ref: 0045166D
GetDeviceCaps.GDI32(?,00000058), ref: 00451676
GetDeviceCaps.GDI32(?,0000005A), ref: 0045167D
MulDiv.KERNEL32(000009EC,?,00000060), ref: 004516A1
MulDiv.KERNEL32(000009EC,?,?), ref: 004516AF

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CapsDevice
String ID:
API String ID: 328075279-0
Opcode ID: bd986a8a2f1b495cb43192dbfecbc3e37562e85f01d289f1207471024aa53c2c
Instruction ID: 2f8fbbefa159cd91dcc0dc4e5d152858836caf2aa5c966e6d627b5a8092a8361
Opcode Fuzzy Hash: bd986a8a2f1b495cb43192dbfecbc3e37562e85f01d289f1207471024aa53c2c
Instruction Fuzzy Hash: 00018F75A00718BBDB109F25CC80E5B7FACEB59761B18802AFE0857251C671D805CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004482D4, Relevance: 7.5, APIs: 5, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,?,00000367,00000367,00000003), ref: 004482F5
PostMessageA.USER32 ref: 0044830B
GetCapture.USER32 ref: 0044830D
ReleaseCapture.USER32 ref: 00448318
PostMessageA.USER32 ref: 00448335

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Message$CapturePost$PeekRelease
String ID:
API String ID: 1125932295-0
Opcode ID: 69c904ec4d5a664b96c13f511a762c1fc727b83242dc2f5972c6a4fe762c6446
Instruction ID: 15e2c0053e4a6a86276d1fc509de2ede083f09d010ec39ffcd9bd0c359a259ca
Opcode Fuzzy Hash: 69c904ec4d5a664b96c13f511a762c1fc727b83242dc2f5972c6a4fe762c6446
Instruction Fuzzy Hash: 65F08131501B08BFD6216F12EC44D2B7FBDFB81B49B41452EF54192621DA36E505C768

Uniqueness

Uniqueness Score: -1.00%

Function 004405DA, Relevance: 7.5, APIs: 5, Instructions: 44windowCOMMON

Download Yara Rule

APIs

ScreenToClient.USER32 ref: 004405E7
SendMessageA.USER32 ref: 00440603
ClientToScreen.USER32(?,?), ref: 00440610
GetWindowLongA.USER32 ref: 00440619
GetParent.USER32(?), ref: 00440627

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ClientScreen$LongMessageParentSendWindow
String ID:
API String ID: 4240056119-0
Opcode ID: 0b9fbcd36d5850b221add9002afbffea8c641d88a42993163cf4f836edc791b7
Instruction ID: ed0a94f7f148d7c1e6acc9c1f203a6b8a98cd677c9b1c02db17a1ca1edff7dad
Opcode Fuzzy Hash: 0b9fbcd36d5850b221add9002afbffea8c641d88a42993163cf4f836edc791b7
Instruction Fuzzy Hash: 54F08636101A24B7E7110F14AC04ABF375CEF85762F114226FE16C6281DB34D911C6E8

Uniqueness

Uniqueness Score: -1.00%

Function 00438FA4, Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,00000005), ref: 00438FC2
LoadResource.KERNEL32(?,00000000), ref: 00438FD2
LockResource.KERNEL32(00000000), ref: 00438FDB
SizeofResource.KERNEL32(?,00000000), ref: 00438FE5
FreeResource.KERNEL32(00000000,00000000,00000000), ref: 00438FF7

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Resource$FindFreeLoadLockSizeof
String ID:
API String ID: 4159136517-0
Opcode ID: ea674846b0546b218ed9fcbcc41572dea3c523eba70cc7a97cc7c6b22ff765bd
Instruction ID: 55e58e986300225009e3ed557c75c39bce7feb8fd8cc79c601b8b7308a6c0668
Opcode Fuzzy Hash: ea674846b0546b218ed9fcbcc41572dea3c523eba70cc7a97cc7c6b22ff765bd
Instruction Fuzzy Hash: 38F06D72105B11BFD3115B71AC5CC3BBBACEF89716F11482FF90292212DA78DC018B69

Uniqueness

Uniqueness Score: -1.00%

Function 0041C523, Relevance: 7.5, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00100000,00004000,?,?), ref: 0041C55A
VirtualFree.KERNEL32(?,00000000,00008000,?,?), ref: 0041C565
HeapFree.KERNEL32(00000000,?,?,?), ref: 0041C572
HeapFree.KERNEL32(00000000), ref: 0041C590
HeapDestroy.KERNEL32 ref: 0041C59A

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Free$Heap$Virtual$Destroy
String ID:
API String ID: 782257640-0
Opcode ID: a38e44b56dc6c5fd77030161dbff25367193b8ab797bc8b5ffe72fcb5fd2949c
Instruction ID: 822ce8e6704b7ef0e25170f83ec14b37c12ea2241ad7d201b9742c35cc620b6a
Opcode Fuzzy Hash: a38e44b56dc6c5fd77030161dbff25367193b8ab797bc8b5ffe72fcb5fd2949c
Instruction Fuzzy Hash: 1FF01932680214ABDA216F65EC86F66BB26E744751F21413AF648A21B186627890DB5C

Uniqueness

Uniqueness Score: -1.00%

Function 0041651A, Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041651F
SysStringLen.OLEAUT32(?), ref: 0041653C
SysStringLen.OLEAUT32(?), ref: 0041654C
SysStringLen.OLEAUT32(?), ref: 00416553
SysFreeString.OLEAUT32(?), ref: 00416562

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: String$FreeH_prolog
String ID:
API String ID: 1748501836-0
Opcode ID: 5023673124db32a7c4394156cc55c440209f91733b0e6da76784e11744c5cdb1
Instruction ID: 9d9f937ffc3f4de4929d7871df5c1d493c13535497bbb7c815b91d33c5d26377
Opcode Fuzzy Hash: 5023673124db32a7c4394156cc55c440209f91733b0e6da76784e11744c5cdb1
Instruction Fuzzy Hash: F2F06D36600114BBCB01AB29E990BFE7BBDAF95B56F01401FF805D3205CB7CDA819A69

Uniqueness

Uniqueness Score: -1.00%

Function 0043BA1D, Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

SelectClipPath.GDI32(?,?), ref: 0043BA27
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0043BA46
GetClipRgn.GDI32(?,00000000), ref: 0043BA52
SelectClipRgn.GDI32(?,00000000), ref: 0043BA60
DeleteObject.GDI32(00000000), ref: 0043BA6D

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Clip$Select$CreateDeleteObjectPathRect
String ID:
API String ID: 1230964757-0
Opcode ID: 35660a0dd092373d4ba298d12be4fe19021f1ccdd5a469c63597b81e18a83a36
Instruction ID: cd3a762bdc1a5ce2316581118cf70821877710142969c4d2bc79727d2e4b5324
Opcode Fuzzy Hash: 35660a0dd092373d4ba298d12be4fe19021f1ccdd5a469c63597b81e18a83a36
Instruction Fuzzy Hash: 84F01D31304B00AFE7305F62DC99F27BAA8FB84F56F105439F65AC55B1D760E800C6A8

Uniqueness

Uniqueness Score: -1.00%

Function 0041E3BF, Relevance: 7.5, APIs: 5, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,0041BC41,0041C448,00000000,0045C8C8,00000008,0041C49F,?,00478DA0,?,0041E870,?,00419950,00000001,00478DA0), ref: 0041E3C1
FlsGetValue.KERNEL32(?,0041E870,?,00419950,00000001,00478DA0,0045C788,00000010,00401E17,Characters: %c %c ,00000061,00000041), ref: 0041E3CF
SetLastError.KERNEL32(00000000,?,0041E870,?,00419950,00000001,00478DA0,0045C788,00000010,00401E17,Characters: %c %c ,00000061,00000041), ref: 0041E425

Part of subcall function 0041C139: __lock.LIBCMT ref: 0041C17D
Part of subcall function 0041C139: RtlAllocateHeap.NTDLL(00000008,?,0045C8B8,00000010,0041E3E7,00000001,0000008C,?,0041E870,?,00419950,00000001,00478DA0,0045C788,00000010,00401E17), ref: 0041C1BB

FlsSetValue.KERNEL32(00000000,?,0041E870,?,00419950,00000001,00478DA0,0045C788,00000010,00401E17,Characters: %c %c ,00000061,00000041), ref: 0041E3F6
GetCurrentThreadId.KERNEL32 ref: 0041E40E

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ErrorLastValue$AllocateCurrentHeapThread__lock
String ID:
API String ID: 1487844433-0
Opcode ID: 766c9cda01c2485ee0a6817a78b0bc3a923c12363f033c38df0a1a89b4c54149
Instruction ID: e55714113cac68ff0966e7cd339825e2ca9e50f91fe9c1786a78d998c1f4fc1d
Opcode Fuzzy Hash: 766c9cda01c2485ee0a6817a78b0bc3a923c12363f033c38df0a1a89b4c54149
Instruction Fuzzy Hash: B3F0C835641B119BD7302F71AC096963BA4EF04766F00453AFD4596292CBB598C4479D

Uniqueness

Uniqueness Score: -1.00%

Function 0044F0D9, Relevance: 7.5, APIs: 5, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsFree.KERNEL32(005B4E88,?,?,0044F16C,00000000,00000001), ref: 0044F0FF
GlobalHandle.KERNEL32(005A15D8), ref: 0044F10D
GlobalUnlock.KERNEL32(00000000,?,?,0044F16C,00000000,00000001), ref: 0044F116
GlobalFree.KERNEL32 ref: 0044F11D
DeleteCriticalSection.KERNEL32(0047B6BC,?,?,0044F16C,00000000,00000001), ref: 0044F127

Part of subcall function 0044EF41: EnterCriticalSection.KERNEL32(?), ref: 0044EF9E
Part of subcall function 0044EF41: LeaveCriticalSection.KERNEL32(?,?), ref: 0044EFAE
Part of subcall function 0044EF41: LocalFree.KERNEL32(?), ref: 0044EFB7
Part of subcall function 0044EF41: TlsSetValue.KERNEL32(?,00000000), ref: 0044EFC9

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
String ID:
API String ID: 1549993015-0
Opcode ID: ebb61852112657514682d7a6ca464c92e47b5f5d5e997e64c70c5bfc2ff8d0c0
Instruction ID: 593d290c91d7e5f47e0130104d4c624effb0ff489bb563d2ffe64eaf750aaa60
Opcode Fuzzy Hash: ebb61852112657514682d7a6ca464c92e47b5f5d5e997e64c70c5bfc2ff8d0c0
Instruction Fuzzy Hash: 2FF0E935200A109BE3209B3CEC1CA3B72FCAF85752715012AF805D7352D778DC058769

Uniqueness

Uniqueness Score: -1.00%

Function 00443774, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 310COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00443821
GetWindowRect.USER32 ref: 004439D6
SetRectEmpty.USER32(?), ref: 00443A45

Strings

@, xrefs: 0044388C

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Rect$Empty$Window
String ID: @
API String ID: 444217639-2766056989
Opcode ID: 81c50c40a6a0f46561052c9587dd1c1a5d40246b46a7927db710686100920ced
Instruction ID: 7c9d61ea9e282c1b650c485f9964505aea25d5ef395f07ce9bcf8b1c81d3a889
Opcode Fuzzy Hash: 81c50c40a6a0f46561052c9587dd1c1a5d40246b46a7927db710686100920ced
Instruction Fuzzy Hash: B8C13AB1A00209AFEF15DFA9C984AAEB7F5FF48705F14806AE815A7341D778AE01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00416C27, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 149COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00416C2C
VariantClear.OLEAUT32(?), ref: 00416C79
SysStringByteLen.OLEAUT32(?), ref: 00416D06

Strings

`, xrefs: 00416C53

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ByteClearH_prologStringVariant
String ID: `
API String ID: 2994549436-2679148245
Opcode ID: bf61cc3dc551981a2f429e8b7d5a45f231c456fcf1aae27da260365d3022685b
Instruction ID: 03d5b11f5ab8b0a9bd661a03e599ca0084791930a695db9df101b3aee24d673a
Opcode Fuzzy Hash: bf61cc3dc551981a2f429e8b7d5a45f231c456fcf1aae27da260365d3022685b
Instruction Fuzzy Hash: 7B51A170600518EBCF05AFA1E905AEE7B76EF89704F11404EF806A7251DB39CD91DBAE

Uniqueness

Uniqueness Score: -1.00%

Function 0042BC0D, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042BC12
GetVersionExA.KERNEL32(?), ref: 0042BC78
lstrcpynA.KERNEL32(?,?,00000104), ref: 0042BD56

Strings

L, xrefs: 0042BC97

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: H_prologVersionlstrcpyn
String ID: L
API String ID: 2508861242-2909332022
Opcode ID: a7e3d1c93c57dbcb96124d016b96ce81016c0715401a053f200d7df10ae0030c
Instruction ID: c3117ba0009bf9abc2bb7caf43c3d8f81f43e8a80124cf4d389d422c385b6f09
Opcode Fuzzy Hash: a7e3d1c93c57dbcb96124d016b96ce81016c0715401a053f200d7df10ae0030c
Instruction Fuzzy Hash: D7516DB0A00B14CFDB21DF65D885A9ABBE0FF48318F40466EF98997361C778E845CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0044C105, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0044C148

Part of subcall function 0043617F: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,00433017,?,00433017,00000000,?,?,000000FF,000000FF,00000015), ref: 004361A5

GetWindowLongA.USER32 ref: 0044C1E9
UpdateWindow.USER32(?), ref: 0044C202

Strings

P, xrefs: 0044C183

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Window$LongParentUpdate
String ID: P
API String ID: 1906497633-3110715001
Opcode ID: 3f4007b6359e8e5bf26f7250b3ab46f81b7b94c98f71c1464263963471a4d667
Instruction ID: 5d840f8d3223d603c82bc41cd748a86d651b29bff7e1a4e6ae8431601f36d906
Opcode Fuzzy Hash: 3f4007b6359e8e5bf26f7250b3ab46f81b7b94c98f71c1464263963471a4d667
Instruction Fuzzy Hash: 0C31C470201705AFEF219F21DC85B6F7BA5FF08354F04451AF956962A2CB78AC10CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004176DA, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004176DF

Part of subcall function 00412B67: __EH_prolog.LIBCMT ref: 00412B6C

Strings

Invalid DateTime, xrefs: 0041773F, 004177B0

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: H_prolog
String ID: Invalid DateTime
API String ID: 3519838083-2190634649
Opcode ID: 0aedd9fc82c8e08877031561f52b636a47daa21e85d41b4831ea5998b2d4386d
Instruction ID: 495d9c85b4f524eac8458cb63d47704f81f0a877d22eef13b3d851333acaae03
Opcode Fuzzy Hash: 0aedd9fc82c8e08877031561f52b636a47daa21e85d41b4831ea5998b2d4386d
Instruction Fuzzy Hash: 74319C30604109AFDB04EFA1C851AFE7775EF04319F10C51EF8269B282DB78AA94DB19

Uniqueness

Uniqueness Score: -1.00%

Function 0041FCBB, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

___initmbctable.LIBCMT ref: 0041FCCD
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\aEdlObiYav.exe,00000104,75144DE0,00000000,?,?,?,?,00419CB4,?,0045C7A8,00000060), ref: 0041FCE5

Strings

C:\Users\user\Desktop\aEdlObiYav.exe, xrefs: 0041FCD7, 0041FCDC
83Y, xrefs: 0041FCEB

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: FileModuleName___initmbctable
String ID: 83Y$C:\Users\user\Desktop\aEdlObiYav.exe
API String ID: 767393020-4130772036
Opcode ID: 7ffb291291752b0f69091e2ad4b324be410a21508fee2c332916dec66ac6ae92
Instruction ID: 25ac462d72638f804d795efbca788340042e5404cf3d8abea486fcd351914171
Opcode Fuzzy Hash: 7ffb291291752b0f69091e2ad4b324be410a21508fee2c332916dec66ac6ae92
Instruction Fuzzy Hash: 001127B2A04104ABC700CBA5EC41ADB7BFCEB45364B10007FFA0AD3251D774AD868798

Uniqueness

Uniqueness Score: -1.00%

Function 0043A7B7, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043A7BC

Part of subcall function 0043A735: wsprintfA.USER32 ref: 0043A790

Part of subcall function 0043A285: RegOpenKeyA.ADVAPI32(80000000,CLSID,?), ref: 0043A2BD
Part of subcall function 0043A285: RegOpenKeyA.ADVAPI32(?,?,00000001), ref: 0043A2D1
Part of subcall function 0043A285: RegOpenKeyA.ADVAPI32(00000001,InProcServer32,?), ref: 0043A2EC
Part of subcall function 0043A285: RegQueryValueExA.ADVAPI32(?,00456DE0,00000000,?,?,?), ref: 0043A306
Part of subcall function 0043A285: RegCloseKey.ADVAPI32(?), ref: 0043A316
Part of subcall function 0043A285: RegCloseKey.ADVAPI32(00000001), ref: 0043A31B
Part of subcall function 0043A285: RegCloseKey.ADVAPI32(?), ref: 0043A320

LoadLibraryA.KERNEL32(00458094,00458094,00458094,?,0043A887,?,00460670,00000000,?,?,?,0043A93B,004580A4,00000000,00458094,?), ref: 0043A80B
GetProcAddress.KERNEL32(00000000,DllGetClassObject), ref: 0043A81B

Strings

DllGetClassObject, xrefs: 0043A815

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CloseOpen$AddressH_prologLibraryLoadProcQueryValuewsprintf
String ID: DllGetClassObject
API String ID: 821125782-1075368562
Opcode ID: af7ad3de74ec3a80c0c9a371719c5e25bb83794d881664af43c0362ca1a45e87
Instruction ID: f1d88cb63e4c6cda5629fe78ec4bdd6090c2810cdae06c6191e75c70925f52e3
Opcode Fuzzy Hash: af7ad3de74ec3a80c0c9a371719c5e25bb83794d881664af43c0362ca1a45e87
Instruction Fuzzy Hash: 3F118231540205AFCB04EFA5CC04BAE77B9FF48359F14852EF851A7291D738D916CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00447842, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0044F1DD: EnterCriticalSection.KERNEL32(0047B754,?,00000000,?,?,0044EC7C,00000010,75144DE0,00000000,?,?,?,0044D5AE,0044D53B,0044C800,0044D5B4), ref: 0044F20B
Part of subcall function 0044F1DD: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,0044EC7C,00000010,75144DE0,00000000,?,?,?,0044D5AE,0044D53B,0044C800,0044D5B4), ref: 0044F21D
Part of subcall function 0044F1DD: LeaveCriticalSection.KERNEL32(0047B754,?,00000000,?,?,0044EC7C,00000010,75144DE0,00000000,?,?,?,0044D5AE,0044D53B,0044C800,0044D5B4), ref: 0044F226
Part of subcall function 0044F1DD: EnterCriticalSection.KERNEL32(00000000,00000000,?,?,0044EC7C,00000010,75144DE0,00000000,?,?,?,0044D5AE,0044D53B,0044C800,0044D5B4,00437F34), ref: 0044F238

CreateBitmap.GDI32(00000008,00000008,00000001,00000001,MXD), ref: 00447886
CreatePatternBrush.GDI32(00000000), ref: 00447893
DeleteObject.GDI32(00000000), ref: 0044789F

Strings

MXD, xrefs: 0044787A, 0044787D

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CriticalSection$CreateEnter$BitmapBrushDeleteInitializeLeaveObjectPattern
String ID: MXD
API String ID: 3767330792-2228262228
Opcode ID: b032878c5a20c4328959fed4c3cb201a8ff2e0d139521090f5453c2b4ea6c928
Instruction ID: adf61a12b99a2b7e0bb60f14e593255604215f20cab4bea244e98927fe19fd17
Opcode Fuzzy Hash: b032878c5a20c4328959fed4c3cb201a8ff2e0d139521090f5453c2b4ea6c928
Instruction Fuzzy Hash: 4901FEB05456149BEB40B774ED1ABAD3654EB44715F00403AF701E63D1DBA84A8587AD

Uniqueness

Uniqueness Score: -1.00%

Function 0044DAF4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0044DB16
PathFindExtensionA.SHLWAPI(?), ref: 0044DB2D
lstrcpyA.KERNEL32(00000000,?), ref: 0044DB57

Part of subcall function 0044D7EE: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0044D811
Part of subcall function 0044D7EE: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 0044D81C
Part of subcall function 0044D7EE: ConvertDefaultLocale.KERNEL32(?), ref: 0044D84D
Part of subcall function 0044D7EE: ConvertDefaultLocale.KERNEL32(?), ref: 0044D855
Part of subcall function 0044D7EE: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 0044D862
Part of subcall function 0044D7EE: ConvertDefaultLocale.KERNEL32(?), ref: 0044D87C
Part of subcall function 0044D7EE: ConvertDefaultLocale.KERNEL32(000003FF), ref: 0044D882

Strings

%s.dll, xrefs: 0044DB33

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ConvertDefaultLocale$AddressModuleProc$ExtensionFileFindHandleNamePathlstrcpy
String ID: %s.dll
API String ID: 4178508759-3668843792
Opcode ID: ef92cfae8680370461277c0a43a8fedb9fa148ff0fa6fd9fcecb107502708a88
Instruction ID: fc36d490366ef33c0e330c76b28a0aff887939f3a970b3ba6c7b2f0df0f0de28
Opcode Fuzzy Hash: ef92cfae8680370461277c0a43a8fedb9fa148ff0fa6fd9fcecb107502708a88
Instruction Fuzzy Hash: 5701A771E0050CABDF15EBA4DC959FEB7BCEB48305F0048BFEA06D3151E674AA848B59

Uniqueness

Uniqueness Score: -1.00%

Function 0043D528, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31stringCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32 ref: 0043D541
GetClassNameA.USER32(00000000,?,0000000A), ref: 0043D55C
lstrcmpiA.KERNEL32(?,combobox), ref: 0043D56B

Strings

combobox, xrefs: 0043D562

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ClassLongNameWindowlstrcmpi
String ID: combobox
API String ID: 2054663530-2240613097
Opcode ID: 01a471b00a89e67f4daa927a76da9f9cd0554cb648f5de566d61bea561f5181d
Instruction ID: e3d941c496cb8e14d7f5ce9a63f2b964ff301d39f54b49c6284712e2e027210b
Opcode Fuzzy Hash: 01a471b00a89e67f4daa927a76da9f9cd0554cb648f5de566d61bea561f5181d
Instruction Fuzzy Hash: 4FF0B431940208FBCF00EF64DC55ABE7BB4FB04355F504426F415D6191D734EA00CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00423C80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,0045D330,00000010,0041C437,00000000,00000FA0,0045C8C8,00000008,0041C49F,?,00478DA0,?,0041E870,?,00419950,00000001), ref: 00423CA3
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionAndSpinCount), ref: 00423CB3

Strings

kernel32.dll, xrefs: 00423C9E
InitializeCriticalSectionAndSpinCount, xrefs: 00423CAD

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: InitializeCriticalSectionAndSpinCount$kernel32.dll
API String ID: 1646373207-3733552308
Opcode ID: 286e5b2d1556461b2aa03e192e413bf6ce3696c9887e7fb957be5cf429ff9339
Instruction ID: 826ac0c70ae00b5f012b0afa8bad4d875eee561dd1781931ca8e246cf8cd2537
Opcode Fuzzy Hash: 286e5b2d1556461b2aa03e192e413bf6ce3696c9887e7fb957be5cf429ff9339
Instruction Fuzzy Hash: B1F09071700215AACF209FA1AC097593AB0EF04B56B908466EC18E22A1D77DCA81871D

Uniqueness

Uniqueness Score: -1.00%

Function 0041F67D, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,004199F0), ref: 0041F682
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0041F692

Strings

IsProcessorFeaturePresent, xrefs: 0041F68C
KERNEL32, xrefs: 0041F67D

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 5de3f18df002792674cf00f7d34d68e7523e86b0d9d98f2c1e7ac0379f92d44b
Instruction ID: 4c8513d913c6dab36690735ea2a21c3e6315e00c7d28f977f1fbefaa4687e268
Opcode Fuzzy Hash: 5de3f18df002792674cf00f7d34d68e7523e86b0d9d98f2c1e7ac0379f92d44b
Instruction Fuzzy Hash: D7C0123034070499DD105B715C59B6A15441B40B83F1040327C0ED01A1CA98C45B842D

Uniqueness

Uniqueness Score: -1.00%

Function 0041CEB4, Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 247COMMON

Download Yara Rule

APIs

IsBadWritePtr.KERNEL32(?), ref: 0041CECF

Strings

, xrefs: 0041D154

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Write
String ID:
API String ID: 3165279579-3916222277
Opcode ID: 39382a45e6f6533ebd26eefbd2ae844dbd4a54701e71c99624e7b221f35ba291
Instruction ID: 65ff6ab0defd5c0f2b03dcc9ccebb9924a8e5440ebbfd159657baaf6c6273323
Opcode Fuzzy Hash: 39382a45e6f6533ebd26eefbd2ae844dbd4a54701e71c99624e7b221f35ba291
Instruction Fuzzy Hash: D09179B1D40215ABDB24CF98C880AEEB7B1BB44324F24436BD526A62D4D73899C2CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00428EC7, Relevance: 6.2, APIs: 4, Instructions: 167fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00000000,?,00000000,?,?,?), ref: 00428F41
GetLastError.KERNEL32(?,?,?), ref: 00428F4B
ReadFile.KERNEL32(?,?,00000001,?,00000000,?,?,?), ref: 00429014
GetLastError.KERNEL32(?,?,?), ref: 0042901E

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 8a2679a4a1a5844fc740426203e623fa0925a9d18b95ad58fed4e8722ed6f8b1
Instruction ID: f7c38d60d52cbf84ee477a75cb800241464e0c785c98fb131cee04dccff12f8b
Opcode Fuzzy Hash: 8a2679a4a1a5844fc740426203e623fa0925a9d18b95ad58fed4e8722ed6f8b1
Instruction Fuzzy Hash: 2861D4307043999FDB21CF68D884BAE7BB0AF01314F95409EE9658B392D778DD41CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00422629, Relevance: 6.2, APIs: 4, Instructions: 165COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0042269D
_strlen.LIBCMT ref: 004226E5
_strcspn.LIBCMT ref: 00422705
_strncpy.LIBCMT ref: 00422725

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: _strcspn_strlen_strncpy_strpbrk
String ID:
API String ID: 635841138-0
Opcode ID: 0f7511ea8b2b085eff856125f4ff4e3890986e68d6f425f2abefd5b6b68f9f19
Instruction ID: 902014aae05fd0e7057af0f97b72d00e827c42a0b58ae3140385d2548b97e531
Opcode Fuzzy Hash: 0f7511ea8b2b085eff856125f4ff4e3890986e68d6f425f2abefd5b6b68f9f19
Instruction Fuzzy Hash: AC510072F082367ADF219AA4BA817BFB7A49B80354FA4046FDD04A2242D7FD4D41879D

Uniqueness

Uniqueness Score: -1.00%

Function 0043E2A0, Relevance: 6.2, APIs: 4, Instructions: 162stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043E2A5
lstrcpynA.KERNEL32(?,?,00000104,?,?), ref: 0043E32C
lstrcpyA.KERNEL32(?,?,00000000,?,?,00000104,?,?,?,?), ref: 0043E38A

Part of subcall function 00417A81: __EH_prolog.LIBCMT ref: 00417A86

GetParent.USER32(?), ref: 0043E407

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: H_prolog$Parentlstrcpylstrcpyn
String ID:
API String ID: 920876626-0
Opcode ID: caf602e010c9b2329e11dce37e724bb49feef95daeacf4a4aebcd72411b482a5
Instruction ID: 86020ff683b3aa938f71a769aa5410179d7b4564055bf711f1d68717bed32249
Opcode Fuzzy Hash: caf602e010c9b2329e11dce37e724bb49feef95daeacf4a4aebcd72411b482a5
Instruction Fuzzy Hash: 22514E71A012099FDB24EFB6C844AEE77B8AF08314F24152EF919DB292DB38D944CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00424E63, Relevance: 6.1, APIs: 4, Instructions: 145fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,?,00478DA0,00000001), ref: 00424F4B

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: e5ef7195d86555f875a49c810bf4227f9e418c8038cf1bf2836acca55f7ca8e6
Instruction ID: 90a4a92926a013a4ab1d763c84b4336753dbd3dea6746d020de625a6822fcd2f
Opcode Fuzzy Hash: e5ef7195d86555f875a49c810bf4227f9e418c8038cf1bf2836acca55f7ca8e6
Instruction Fuzzy Hash: D6519E31A00258CFDB32DFA9DD80AEDBBB8FF85304F51415AE8599B252DB349A01CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00445A2D, Relevance: 6.1, APIs: 4, Instructions: 134COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00445A9D
GetWindowRect.USER32 ref: 00445AA8
IntersectRect.USER32 ref: 00445AF3
IntersectRect.USER32 ref: 00445B47

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Rect$IntersectWindow$Desktop
String ID:
API String ID: 123605412-0
Opcode ID: 807da9926d2fb4493c5f54faf6f62a82b7fd975c485d2663bf903b2de7f9b987
Instruction ID: d64e4d359f066a7b6bf93ec5dc9ce4a848ea10a8567bcadc5ee3f2d8211bb0cc
Opcode Fuzzy Hash: 807da9926d2fb4493c5f54faf6f62a82b7fd975c485d2663bf903b2de7f9b987
Instruction Fuzzy Hash: 1B517372A00609DFDF44DFACC5C5A9E7BB9FF08310B1441A6E905EB20AE634E984CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0044F5AB, Relevance: 6.1, APIs: 4, Instructions: 116registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044F5B0
RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 0044F5F4
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0044F61E
RegCloseKey.ADVAPI32(?), ref: 0044F626

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: QueryValue$CloseH_prolog
String ID:
API String ID: 1759865455-0
Opcode ID: dda983a431ec53f08bd8b9b0f861c96e94d765fe4b75d567cd9f558c07a7f601
Instruction ID: f2200530332999fea2c2bf65eb6e3556c129dfccafe67ed9316915fd0e027329
Opcode Fuzzy Hash: dda983a431ec53f08bd8b9b0f861c96e94d765fe4b75d567cd9f558c07a7f601
Instruction Fuzzy Hash: 1941AFB2500119EFDB15DF68C8819EE7BA8EF08314B10812FFA15CB261DB349955CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00442912, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 114stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0044230D,?,?,?,#D,00442A61,?,?,?,#D,?,?,?,00442AB1,?,?), ref: 00442961
lstrcpyA.KERNEL32(00000000,0044230D,00000000,?,?,?,#D,00442A61,?,?,?,#D,?,?,?,00442AB1), ref: 004429D4
lstrlenA.KERNEL32(00000000,?,?,?,#D,00442A61,?,?,?,#D,?,?,?,00442AB1,?,?), ref: 004429DB

Strings

#D, xrefs: 00442912

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: lstrlen$lstrcpy
String ID: #D
API String ID: 805584807-948025513
Opcode ID: b69bd2c926ddd07615725587d5f90aab9cf9c2c4131d7002812ce245e76a286e
Instruction ID: b6435c4ea0a1fd351b4fda25a8c5154e40f6e1af29395d8866e18a55ef8b598b
Opcode Fuzzy Hash: b69bd2c926ddd07615725587d5f90aab9cf9c2c4131d7002812ce245e76a286e
Instruction Fuzzy Hash: C531F8B02086865AF7214E298A9437A7B95AB4B358FD4105BF4C2C6343C2DC8C93932E

Uniqueness

Uniqueness Score: -1.00%

Function 00428A1B, Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00428A3D

Part of subcall function 0041C486: EnterCriticalSection.KERNEL32(00478DA0,00478DA0,?,0041E870,?,00419950,00000001,00478DA0,0045C788,00000010,00401E17,Characters: %c %c ,00000061,00000041), ref: 0041C4AE

__lock.LIBCMT ref: 00428A89
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,0045E920,00000014), ref: 00428AD3
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,0045E920,00000014), ref: 00428AE0

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CriticalSection$Enter__lock$Leave
String ID:
API String ID: 885841014-0
Opcode ID: 5eee73868591a982254cea555b16d803eee884c78d76ef6dc99e31147a571eb7
Instruction ID: 6872d09f8e36810ea49ef885412d58bcf818ca3348d75930be8b2bd0cd5396e3
Opcode Fuzzy Hash: 5eee73868591a982254cea555b16d803eee884c78d76ef6dc99e31147a571eb7
Instruction Fuzzy Hash: 70414771A013268BDB209F75E8457AE7BA0AF05334F64832FE125962D2CF7C9981CB4C

Uniqueness

Uniqueness Score: -1.00%

Function 0044BACB, Relevance: 6.1, APIs: 4, Instructions: 109windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044BAD0

Part of subcall function 0044EC5B: __EH_prolog.LIBCMT ref: 0044EC60

SetActiveWindow.USER32(0045102D,0045102D), ref: 0044BB02

Part of subcall function 00435F86: ShowWindow.USER32(?,?,00438612,?,?,00000363,00000001,00000000,00000001,00000001,?,?,00000363,00000001,00000000), ref: 00435F93

SendMessageA.USER32 ref: 0044BB24
SetActiveWindow.USER32(0045102D,?,0045102D), ref: 0044BBD3

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Window$ActiveH_prolog$MessageSendShow
String ID:
API String ID: 3358699446-0
Opcode ID: cbfd2c3cd5d6dfe596d1ecd183db19bbeb0c86c625e2cca6f22a6f5f9219dd62
Instruction ID: c8cb45078981d19654bccd025da7bd28b2d72a173ca039ebdf502d673e2ef08e
Opcode Fuzzy Hash: cbfd2c3cd5d6dfe596d1ecd183db19bbeb0c86c625e2cca6f22a6f5f9219dd62
Instruction Fuzzy Hash: 2E41D471A00645DFDB14EFA5C895AAFB7B5FF08304F10882EF11697692DB38E940CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00445821, Relevance: 6.1, APIs: 4, Instructions: 105COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000000), ref: 00445837

Part of subcall function 00447842: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,MXD), ref: 00447886
Part of subcall function 00447842: CreatePatternBrush.GDI32(00000000), ref: 00447893
Part of subcall function 00447842: DeleteObject.GDI32(00000000), ref: 0044789F

InflateRect.USER32(?,000000FF,000000FF), ref: 004458CC

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CreateObject$BitmapBrushDeleteInflatePatternRectStock
String ID:
API String ID: 3923860780-0
Opcode ID: dc44af8f02bc16e594642b473235d3a3492b7646b098fec440cd8723381d0688
Instruction ID: 8dc0ceb402c331c526f370a23d28a71039d8dbaa3add53fc9dbc8157563c8cde
Opcode Fuzzy Hash: dc44af8f02bc16e594642b473235d3a3492b7646b098fec440cd8723381d0688
Instruction Fuzzy Hash: B1412771D00619EBEF10DFA8C984AAE7BF4AF08310F1502A6ED10AB296D7759E51CB94

Uniqueness

Uniqueness Score: -1.00%

Function 004364D0, Relevance: 6.1, APIs: 4, Instructions: 103windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00436504
SendMessageA.USER32 ref: 00436569
SendMessageA.USER32 ref: 004365AE
SendMessageA.USER32 ref: 004365D7

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 921ce21e34b7839efdbbbacbcaa53cd0e3cb4b865897c28f710a033f94748604
Instruction ID: 2217d65772d4ee0cce2a03cd5a120ea262780da84c53e4da9f54219d1033c350
Opcode Fuzzy Hash: 921ce21e34b7839efdbbbacbcaa53cd0e3cb4b865897c28f710a033f94748604
Instruction Fuzzy Hash: 4C31A13054011AFBCB24DF55D880EAB3BA9EF05354F11907BF5058B256DA38EE80DB98

Uniqueness

Uniqueness Score: -1.00%

Function 0043B16D, Relevance: 6.1, APIs: 4, Instructions: 103stringtimeCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,?,00000104), ref: 0043B198
GetFileTime.KERNEL32(?,?,?,?), ref: 0043B1BA
GetFileSize.KERNEL32(?,00000000), ref: 0043B1C8
GetFileAttributesA.KERNEL32(?), ref: 0043B1F2

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: File$AttributesSizeTimelstrcpyn
String ID:
API String ID: 1499663573-0
Opcode ID: 7e74d28faf73bd5aa7f71fac9a00b32d3eaffc7d88ba26098864637426e67fcb
Instruction ID: a4d1a498919dbad6d024253846dec2ffc3f202889047349a0fe2af8b5f2562ed
Opcode Fuzzy Hash: 7e74d28faf73bd5aa7f71fac9a00b32d3eaffc7d88ba26098864637426e67fcb
Instruction Fuzzy Hash: 1D415B715007059FCB24DF64C895CABBBF8FB083507104B2EE6A6936A1EB34F904CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00414897, Relevance: 6.1, APIs: 4, Instructions: 93stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041489C
lstrlenW.KERNEL32(?), ref: 004148CE
lstrlenW.KERNEL32(?), ref: 0041491B
CompareStringA.KERNEL32(?,?,?,?,00000000,?), ref: 00414975

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: lstrlen$CompareH_prologString
String ID:
API String ID: 2824397935-0
Opcode ID: 17d27a3aa7493fb7ecb7d8a23dc8a3d88f84494154e5b492bfb1e652e5447d7a
Instruction ID: 5c9ae6b659badee0e404090425cfe742a6fdbf12efeb44eceed77ff2261444a7
Opcode Fuzzy Hash: 17d27a3aa7493fb7ecb7d8a23dc8a3d88f84494154e5b492bfb1e652e5447d7a
Instruction Fuzzy Hash: 8C3181B290011AABCF11AFB4DC469EF7B74EF44314F04012AF915F32A1D7388A91CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00401649, Relevance: 6.1, APIs: 4, Instructions: 93stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040164E
lstrlenW.KERNEL32(?), ref: 00401680
lstrlenW.KERNEL32(?), ref: 004016CD
CompareStringA.KERNEL32(?,?,?,?,00000000,?), ref: 00401727

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: lstrlen$CompareH_prologString
String ID:
API String ID: 2824397935-0
Opcode ID: b1816ea3cf6c972e129d19b48ce94c19fe9759b84c6ecc0e9de68037c12d471a
Instruction ID: 38763f91721efddecf063f417bdd5d95504776030d709c35067cb3221bd4e868
Opcode Fuzzy Hash: b1816ea3cf6c972e129d19b48ce94c19fe9759b84c6ecc0e9de68037c12d471a
Instruction Fuzzy Hash: DA318F7290011AABCF11AFA4DC469EF7B64EF05354F04053AF911F32A2D7398A60DB99

Uniqueness

Uniqueness Score: -1.00%

Function 0044AF29, Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 0043B755: IntersectClipRect.GDI32(?,?,?,?,?), ref: 0043B779
Part of subcall function 0043B755: IntersectClipRect.GDI32(?,?,?,?,?), ref: 0043B78F

GetDeviceCaps.GDI32(?,00000008), ref: 0044AF81
GetDeviceCaps.GDI32(?,0000000A), ref: 0044AF8F
SetRect.USER32 ref: 0044AFA0
DPtoLP.GDI32(?,?,00000002), ref: 0044AFAE

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Rect$CapsClipDeviceIntersect
String ID:
API String ID: 2536322604-0
Opcode ID: 6984cf44b9c367715ddf87efe21e6cab5f44e02fdc710be7d430f2a08dc7cc54
Instruction ID: 9ee8f3c20c9977b085a481a8c28c0f8eb6cf99b023bcfd19e3e686239e7793d9
Opcode Fuzzy Hash: 6984cf44b9c367715ddf87efe21e6cab5f44e02fdc710be7d430f2a08dc7cc54
Instruction Fuzzy Hash: 72310475A00604EFDB05DF68D984AAEBBFAFF09311F108065FD09DB251D770EA518B91

Uniqueness

Uniqueness Score: -1.00%

Function 004174F2, Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004174F7

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 55223ed69a862f5ee785227b74d371fc1cee7b1ea9c31c6c669e78f52498e4c9
Instruction ID: 7e98fc469639de1a4b9c34bf89da2550f82167ab0fe68f9bcc28aa188ee56bdd
Opcode Fuzzy Hash: 55223ed69a862f5ee785227b74d371fc1cee7b1ea9c31c6c669e78f52498e4c9
Instruction Fuzzy Hash: D9316F7190020AABCF10EFA1C885EEEB779FF04318F10481AF511A7291D778DA45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00438659, Relevance: 6.1, APIs: 4, Instructions: 85synchronizationCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043865E

Part of subcall function 0044F02F: __EH_prolog.LIBCMT ref: 0044F034

Part of subcall function 00438522: GetCurrentThreadId.KERNEL32 ref: 00438535
Part of subcall function 00438522: SetWindowsHookExA.USER32 ref: 00438545

SetEvent.KERNEL32(?,Function_0004D523), ref: 0043871A
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00438723
CloseHandle.KERNEL32(?), ref: 0043872A

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: H_prolog$CloseCurrentEventHandleHookObjectSingleThreadWaitWindows
String ID:
API String ID: 2789817125-0
Opcode ID: 234dca78356ffcecfab7653091b55683e8f69887e45975aaa82e87dce581644b
Instruction ID: 6193c5cdfbfa06214e0606c6fa21f8748cfa421d0d0f67a1432b46abc5233d96
Opcode Fuzzy Hash: 234dca78356ffcecfab7653091b55683e8f69887e45975aaa82e87dce581644b
Instruction Fuzzy Hash: 4D314930A00705DFCB14EFA5C985A9DF7B1BF08315F20956EF01697292CB38EA45CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00450D94, Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,000000F1), ref: 00450DAE
LoadResource.KERNEL32(?,00000000), ref: 00450DBA
LockResource.KERNEL32(00000000), ref: 00450DC8
FreeResource.KERNEL32(?), ref: 00450E4B

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 1971d945b6e44f5dd74037333a4939e35218bac19dc0838dd16ba1864c40d5e4
Instruction ID: 4f86f653c3520568694ec64d98aec450067ba8234150793ac0c3b4c6c8a54c68
Opcode Fuzzy Hash: 1971d945b6e44f5dd74037333a4939e35218bac19dc0838dd16ba1864c40d5e4
Instruction Fuzzy Hash: 4A21D376500610BBC7249FA2CC448BFB7BCEF45706710842EFD46D7252EA38E945D768

Uniqueness

Uniqueness Score: -1.00%

Function 0041FA88, Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

___initmbctable.LIBCMT ref: 0041FA95
_strlen.LIBCMT ref: 0041FAAE
_strlen.LIBCMT ref: 0041FAE7
_strcat.LIBCMT ref: 0041FB04

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: _strlen$___initmbctable_strcat
String ID:
API String ID: 109824703-0
Opcode ID: 58d19ad6be1d0d07a718ce22bad5c72d72148dbbd9c2b9cb9464735099b7d300
Instruction ID: 56c6985917b6e10bcd83428bcc6720b31842242bc27c3ef5bbf3782341827d52
Opcode Fuzzy Hash: 58d19ad6be1d0d07a718ce22bad5c72d72148dbbd9c2b9cb9464735099b7d300
Instruction Fuzzy Hash: 6011D2F240A1154ED7206F21AC506D77BA5EB45378724063FE29D43252DB3E68CB9BCD

Uniqueness

Uniqueness Score: -1.00%

Function 0044E980, Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,00000001,?,00000001,00000000,00000000), ref: 0044E9C7
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000001,00000000,00000000), ref: 0044E9D9
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000001,00000000,00000000), ref: 0044E9EB
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000001,00000000,00000000), ref: 0044E9FD

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 440ca55411f3eb67cb07367baee8992a5be6b8b86c657a542c0817ebfd35c97f
Instruction ID: 77bdaba1d00404e6d18f7a7ff7345b5d069986789cf29112c8d10026780bed53
Opcode Fuzzy Hash: 440ca55411f3eb67cb07367baee8992a5be6b8b86c657a542c0817ebfd35c97f
Instruction Fuzzy Hash: 37116D7224060C7FE250EA52CC81FE7BB9CFB4A788F820416F705D6881D2A2F954C7B5

Uniqueness

Uniqueness Score: -1.00%

Function 0043AF4B, Relevance: 6.1, APIs: 4, Instructions: 67timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 0043AFCD
GetLastError.KERNEL32(00000000), ref: 0043AFDE
LocalFileTimeToFileTime.KERNEL32(?,0000FFFF), ref: 0043AFED
GetLastError.KERNEL32(00000000), ref: 0043AFF8

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Time$File$ErrorLast$LocalSystem
String ID:
API String ID: 1172841412-0
Opcode ID: c5765ad88efcfcc70b83ff8a0bc5b8746a5f0d1555a4d46d2ac63f4b09ab1b03
Instruction ID: 226d52641a4a1b36584305c8edc7bf94fb764e0dfcb3f679671b918d7b12d757
Opcode Fuzzy Hash: c5765ad88efcfcc70b83ff8a0bc5b8746a5f0d1555a4d46d2ac63f4b09ab1b03
Instruction Fuzzy Hash: AF119D68A40619A68F10BBA68C018FF777CEF48355B00905FF845E3211EB3C8642CBEE

Uniqueness

Uniqueness Score: -1.00%

Function 0042C520, Relevance: 6.1, APIs: 4, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,00000000,00000080), ref: 0042C589
lstrcpynA.KERNEL32(?,?,00000080), ref: 0042C59C
FindTextA.COMDLG32(?), ref: 0042C5AE
ReplaceTextA.COMDLG32(?), ref: 0042C5B6

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Textlstrcpyn$FindReplace
String ID:
API String ID: 38701251-0
Opcode ID: 4ba84f1a53416ed09f1a6bf9d3ff6dc8432da32ce58b1dc35dab4ad11a99244f
Instruction ID: c1da3444947088873f260f49b6d69de29417c103fa745dd9ad9aa1c74fef4962
Opcode Fuzzy Hash: 4ba84f1a53416ed09f1a6bf9d3ff6dc8432da32ce58b1dc35dab4ad11a99244f
Instruction Fuzzy Hash: FE218170200B19ABD720DF74D885BDB77E8BF04354F40442AE959C3250DB38F945CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00414B35, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414B3A
WideCharToMultiByte.KERNEL32(00000000), ref: 00414B73
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00414B9A
GetStringTypeA.KERNEL32(?,?,?,00000000,?), ref: 00414BB5

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ByteCharMultiWide$H_prologStringType
String ID:
API String ID: 2088138148-0
Opcode ID: 7edea53b1129ea2bc59c899dc5bfe0db457c67f83fa02c34144f902730ab7173
Instruction ID: 7f07e105d1c3c75ba6467eabad54b2c191e8ac336323d7a3a0b80ca00416f6cf
Opcode Fuzzy Hash: 7edea53b1129ea2bc59c899dc5bfe0db457c67f83fa02c34144f902730ab7173
Instruction Fuzzy Hash: 4B117F71801128ABCB219FA5DD44EEFBF79FF05364F00016AF619A21A1C7758E51DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0044597A, Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,?,?), ref: 004459A3
OffsetRect.USER32(?,?,?), ref: 004459AE
OffsetRect.USER32(?,?,?), ref: 004459B9
OffsetRect.USER32(?,?,?), ref: 004459C4

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: 1ab10672e00488976748e8098a62b6efdaff540296e7cdd3a8ac75e7e89e5525
Instruction ID: 7088babf2d498276c39137268bf44da7fec364cc6e9bf7e726423925e5236f1f
Opcode Fuzzy Hash: 1ab10672e00488976748e8098a62b6efdaff540296e7cdd3a8ac75e7e89e5525
Instruction Fuzzy Hash: A311FAB2600608AFDB10EFEDC985DABB7ECEB48210B10482AF546D7610E674FE408B60

Uniqueness

Uniqueness Score: -1.00%

Function 00431314, Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 0043133A
LoadResource.KERNEL32(?,00000000), ref: 00431342
LockResource.KERNEL32(00000000), ref: 00431354
FreeResource.KERNEL32(00000000), ref: 0043139E

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: cf62371c89410eed651ab7bc9a5b780898f0221130fca4ee2fd6a04c1507b6e0
Instruction ID: 697a7456634bd751cf7345a9cb5bf64695b6d6545dae8979859041b25fbf9e82
Opcode Fuzzy Hash: cf62371c89410eed651ab7bc9a5b780898f0221130fca4ee2fd6a04c1507b6e0
Instruction Fuzzy Hash: E9118F3A500B01EFD7209FA4C958ABBB7B8FF08759F04506AEC4253B61D778AD44CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004018CB, Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004018D0
WideCharToMultiByte.KERNEL32(00000000), ref: 00401901
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00401928
GetStringTypeA.KERNEL32(?,?,?,00000000,?), ref: 00401943

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ByteCharMultiWide$H_prologStringType
String ID:
API String ID: 2088138148-0
Opcode ID: cc79d9fa2b4f5a07f6e9c36756d0079718122001db144ef10744fb5ed5cc0a1d
Instruction ID: 6b7d29ee94f23849c23ad31d89f2b890037c0b428db1af7ca9169197dba5e721
Opcode Fuzzy Hash: cc79d9fa2b4f5a07f6e9c36756d0079718122001db144ef10744fb5ed5cc0a1d
Instruction Fuzzy Hash: 90113D72801128AFCB219FA5DC48ADBBF79FF053A5F00416AF519A21A1C7748E50DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0044C3D6, Relevance: 6.1, APIs: 4, Instructions: 55windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00435E61: GetWindowLongA.USER32 ref: 00435E6C

GetForegroundWindow.USER32 ref: 0044C3FA
GetLastActivePopup.USER32(?), ref: 0044C415
SendMessageA.USER32 ref: 0044C431
SendMessageA.USER32 ref: 0044C457

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: MessageSendWindow$ActiveForegroundLastLongPopup
String ID:
API String ID: 2039223353-0
Opcode ID: 186d86e1bb963998237b7a736ea5499e4c11d518e37746bf39770847421075bb
Instruction ID: 5487f9e960b537acd162726a438ef349b049046759a06f1788ac177a2798c895
Opcode Fuzzy Hash: 186d86e1bb963998237b7a736ea5499e4c11d518e37746bf39770847421075bb
Instruction Fuzzy Hash: 8701F2723117003BFB617FB1ADB5B3B76499B84385F44443ABB02C22A2EE69D911829C

Uniqueness

Uniqueness Score: -1.00%

Function 0044271E, Relevance: 6.1, APIs: 4, Instructions: 54windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00435D1B: GetDlgItem.USER32 ref: 00435D28

SendMessageA.USER32 ref: 00442756
SendMessageA.USER32 ref: 0044276A
SendMessageA.USER32 ref: 0044277F
SendMessageA.USER32 ref: 004427A7

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: MessageSend$Item
String ID:
API String ID: 3888421826-0
Opcode ID: 7f41dbfbf8ef9c8d126ce108dcb7240f5cd3241689d2781002a55b914dfb6c6b
Instruction ID: 8041d22320b68c721f3673dc4c96feccd1c6170c8bb1ab664d201b69bfeca2ac
Opcode Fuzzy Hash: 7f41dbfbf8ef9c8d126ce108dcb7240f5cd3241689d2781002a55b914dfb6c6b
Instruction Fuzzy Hash: C511A131200258BBEF11AF54CC01FEE3B69EB44730F54821AF9255B1E0CAB4AA51CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0043A1F3, Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 0043A227
GetCurrentProcess.KERNEL32(?,00000000), ref: 0043A22D
DuplicateHandle.KERNEL32(00000000), ref: 0043A230
GetLastError.KERNEL32(?), ref: 0043A24B

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID:
API String ID: 3907606552-0
Opcode ID: f43501c3ad00d979ca8949cb0b5f2fb4eb75575df92d0f543ee4709812707c9a
Instruction ID: d19c58c811fe869435c673ebef52d2a589f64447806e85ebeac7f0d803b75d8d
Opcode Fuzzy Hash: f43501c3ad00d979ca8949cb0b5f2fb4eb75575df92d0f543ee4709812707c9a
Instruction Fuzzy Hash: 1F01D471780300BFDB109BA5CC49F1B7BADEF88760F244566B918CB282DA79DC108B65

Uniqueness

Uniqueness Score: -1.00%

Function 0043514E, Relevance: 6.1, APIs: 4, Instructions: 52windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00435178
SendMessageA.USER32 ref: 0043519A
GetCapture.USER32 ref: 004351AC
SendMessageA.USER32 ref: 004351BB

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: MessageSend$Capture
String ID:
API String ID: 1665607226-0
Opcode ID: 275c7470fd92f4db9bea6f84a4e2efcf8c2a6b156ae9a6bf5841001c49007eea
Instruction ID: 0a548c32f2a49e1ca95ef3edf2df1b9e3ade186cb478b6fd28bdccdf70a56fdb
Opcode Fuzzy Hash: 275c7470fd92f4db9bea6f84a4e2efcf8c2a6b156ae9a6bf5841001c49007eea
Instruction Fuzzy Hash: F30181703407087FFA302B519CC9FBB76ADDF8CB99F150439F741AA1D2CA959C019A64

Uniqueness

Uniqueness Score: -1.00%

Function 0042F0C0, Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

WindowFromPoint.USER32(?,?), ref: 0042F0D7
GetParent.USER32(00000000), ref: 0042F0E5
ScreenToClient.USER32 ref: 0042F106
IsWindowEnabled.USER32(00000000), ref: 0042F11F

Part of subcall function 0043D528: GetWindowLongA.USER32 ref: 0043D541

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Window$ClientEnabledFromLongParentPointScreen
String ID:
API String ID: 2204725058-0
Opcode ID: 7af2d92b0e4e6fe1c4986829b38481c096636f8d09cc349725e32c715e8149c6
Instruction ID: be6a2684098ef9029235d31d2a2595e08044e56b0ffe46fe9dc2f4dfdd85837a
Opcode Fuzzy Hash: 7af2d92b0e4e6fe1c4986829b38481c096636f8d09cc349725e32c715e8149c6
Instruction Fuzzy Hash: 1B015E35700A24FF87129B98EC14D7E7ABAEF89741B94003AF901D7311EB39DD159768

Uniqueness

Uniqueness Score: -1.00%

Function 004340A4, Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 004340B2
GetTopWindow.USER32(00000000), ref: 004340F1
GetWindow.USER32(00000000,00000002), ref: 0043410F

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 4c7675546fed4c68ff6b2959f0bb60fc012f474acdb2a04c82075ef66a8a8ce5
Instruction ID: 259b82e19fe315ce6f40e17c40c9f9583afda0cdad1ce1555e6fbf2ece579630
Opcode Fuzzy Hash: 4c7675546fed4c68ff6b2959f0bb60fc012f474acdb2a04c82075ef66a8a8ce5
Instruction Fuzzy Hash: 43012D32100619BBCF266F919C04DDF3B65EF9D361F005012FA1155161C739DA71EFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00440C80, Relevance: 6.0, APIs: 4, Instructions: 48registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?), ref: 00440CB4
RegCloseKey.ADVAPI32(00000000,?,?), ref: 00440CBD
wsprintfA.USER32 ref: 00440CD9
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00440CEF

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWritewsprintf
String ID:
API String ID: 1902064621-0
Opcode ID: 5a829fc43b19d6576071f952581df4ceec643a62c395a179110bffa97fd79806
Instruction ID: e364b23941fd1f50c9e455df84a575aa998c447550a51376d72d6155b1379767
Opcode Fuzzy Hash: 5a829fc43b19d6576071f952581df4ceec643a62c395a179110bffa97fd79806
Instruction Fuzzy Hash: 05019231400609FBCB11AF64DD09EAF7BB9AF04754F00402AFA05A61A1EB74D9148B99

Uniqueness

Uniqueness Score: -1.00%

Function 004338FC, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00433907
GetTopWindow.USER32(00000000), ref: 0043391A

Part of subcall function 004338FC: GetWindow.USER32(00000000,00000002), ref: 00433961

GetTopWindow.USER32(?), ref: 0043394A

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 0d335ed389427392818e4ac0b4fa56036e47f9b7d7f79eb9b1aba6258f3520ee
Instruction ID: cedcbbc76a9d9117bb6fd0ee1b81328325acbc97ad7fa6fafe37df62d5a4d860
Opcode Fuzzy Hash: 0d335ed389427392818e4ac0b4fa56036e47f9b7d7f79eb9b1aba6258f3520ee
Instruction Fuzzy Hash: FD012C72402615FB9F222E669C01FAF3B69AF0C7B6F015026FD10A5221D7B9CB11969D

Uniqueness

Uniqueness Score: -1.00%

Function 00415963, Relevance: 6.0, APIs: 4, Instructions: 48memorystringCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00415976
lstrlenA.KERNEL32(?), ref: 0041598D
SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 0041599C
SysAllocString.OLEAUT32(00000000), ref: 004159C3

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: AllocString$ByteClearVariantlstrlen
String ID:
API String ID: 3864056903-0
Opcode ID: 162874bfcd7814589c3108c23330328cc28d22b5e972f5ba0e71e4b298c39305
Instruction ID: da371277d8098f3739051392471783398f8ca82d58b996819eee844438878c08
Opcode Fuzzy Hash: 162874bfcd7814589c3108c23330328cc28d22b5e972f5ba0e71e4b298c39305
Instruction Fuzzy Hash: 6B01D8B2510704EBC7006B66DC89AEBB77CFF41366B10442AF415C2111E778D9808BB9

Uniqueness

Uniqueness Score: -1.00%

Function 00448AD7, Relevance: 6.0, APIs: 4, Instructions: 47fileCOMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 00448AEE
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000), ref: 00448B09
DragQueryFileA.SHELL32(?,00000000,?,00000104), ref: 00448B31
DragFinish.SHELL32(?), ref: 00448B50

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Drag$FileQuery$ActiveFinishWindow
String ID:
API String ID: 892977027-0
Opcode ID: 46547077bcd133510ec4924af27e508996734cbab59f10683b2010f327a4193a
Instruction ID: 811eb5ae18ced5a33dd0d22ad501efbf9176d3b1dcfe12d23c63cd1a34373c17
Opcode Fuzzy Hash: 46547077bcd133510ec4924af27e508996734cbab59f10683b2010f327a4193a
Instruction Fuzzy Hash: AB0180B0900218BFDB00AF64DC95DEE7B79EB44358F0081AAF14497161CB74AE81CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0044E7A8, Relevance: 6.0, APIs: 4, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 0044E7BC
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0044E7D2
SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 0044E7DA
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,00000000), ref: 0044E7EF

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Byte$CharMultiStringWide$Alloc
String ID:
API String ID: 3384502665-0
Opcode ID: 6beb052cbc144f6f04b3814d5c9ae83ad362a7e9b15841d5c27456f2ecfc3060
Instruction ID: 0a7df2b0e4a7b2320b0d1227de3961cdb3e9df72f2d6397e8c28316157d3c472
Opcode Fuzzy Hash: 6beb052cbc144f6f04b3814d5c9ae83ad362a7e9b15841d5c27456f2ecfc3060
Instruction Fuzzy Hash: ECF03A721062287F92219B679C88CBBBF9CFE8B2A6B01092AF549C2101D6659801CBF5

Uniqueness

Uniqueness Score: -1.00%

Function 00450BA4, Relevance: 6.0, APIs: 4, Instructions: 45windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00450BAD
SendMessageA.USER32 ref: 00450BD6
SendMessageA.USER32 ref: 00450BF0
InvalidateRect.USER32(?,00000000,00000001), ref: 00450BF9

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: MessageSend$InvalidateRectWindow
String ID:
API String ID: 3225880595-0
Opcode ID: 900c92f147fee0f123edb7998ee78f6a9c0137c69f237fd7a3feb4c04f5052cd
Instruction ID: 6be21cc921ab488fe83cdb2aaebf5af216ca1324879f092a9d8742b9e9ab487e
Opcode Fuzzy Hash: 900c92f147fee0f123edb7998ee78f6a9c0137c69f237fd7a3feb4c04f5052cd
Instruction Fuzzy Hash: 67014C70200718AFE7208F19DC01BBBBBE8FB44711F10492AF995D6291E6B0F815DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0043258A, Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetObjectA.GDI32(00000000,0000000C,?), ref: 004325C8
SetBkColor.GDI32(00000000,00000000), ref: 004325D4
GetSysColor.USER32(00000008), ref: 004325E4
SetTextColor.GDI32(00000000,?), ref: 004325EE

Part of subcall function 0043D528: GetWindowLongA.USER32 ref: 0043D541

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Color$LongObjectTextWindow
String ID:
API String ID: 2871169696-0
Opcode ID: b7142684bdcea25886398c842aec33319ee83e2b88264cebe4716ecc218c793c
Instruction ID: 899486bf84d7be424ba47e0dad8f9707cf811990ace3e460cb2a9a148db9a957
Opcode Fuzzy Hash: b7142684bdcea25886398c842aec33319ee83e2b88264cebe4716ecc218c793c
Instruction Fuzzy Hash: EF014B30500A09FBDF215F64DE69BAF3B64FB08316F106522F902C41E0C7B5CA91EA59

Uniqueness

Uniqueness Score: -1.00%

Function 004359A8, Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 004359CA
LoadResource.KERNEL32(?,00000000,?,?,?,?,004312CD,?,00000000,004125C7), ref: 004359D6
LockResource.KERNEL32(00000000,?,?,?,?,004312CD,?,00000000,004125C7), ref: 004359E3
FreeResource.KERNEL32(00000000,?,?,?,?,004312CD,?,00000000,004125C7), ref: 004359FE

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: a10749b99f42ac4d26b017111bf9010b5b6487ba49065666e8cc57a2beef0ea4
Instruction ID: df9a14aebce41b513c92fdd87bbcc745da4ed2a9850a2890d94a6f6a25383e47
Opcode Fuzzy Hash: a10749b99f42ac4d26b017111bf9010b5b6487ba49065666e8cc57a2beef0ea4
Instruction Fuzzy Hash: 68F0F636201A015B83102BA65C84A3BB75CAFC96A6F05003BFD05D3212CF24CC0197AD

Uniqueness

Uniqueness Score: -1.00%

Function 00436A58, Relevance: 6.0, APIs: 4, Instructions: 41windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32 ref: 00436A83
GetFocus.USER32 ref: 00436A96
GetParent.USER32(?), ref: 00436AA4
SendMessageA.USER32 ref: 00436AB9

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: EnableFocusItemMenuMessageParentSend
String ID:
API String ID: 2297321873-0
Opcode ID: 5c8adbf52efe4bab700ff7f9670f21ab973b1f9946edbed9e4f69596a0f66013
Instruction ID: 47d18d4e09eb640d0724fce8ff488ff96568a87c080486eef87d0d843262678a
Opcode Fuzzy Hash: 5c8adbf52efe4bab700ff7f9670f21ab973b1f9946edbed9e4f69596a0f66013
Instruction Fuzzy Hash: FA015E30100B01BFDB249F10DC19B26BBB1EF55312F15D62EF146961E0C775E844CB48

Uniqueness

Uniqueness Score: -1.00%

Function 004365E0, Relevance: 6.0, APIs: 4, Instructions: 40stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004365E5
GetWindowTextA.USER32 ref: 004365FD
lstrcpynA.KERNEL32(?,?,?,?,00447079,?,00000104), ref: 00436633
lstrlenA.KERNEL32(?,?,00447079,?,00000104), ref: 0043663C

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: H_prologTextWindowlstrcpynlstrlen
String ID:
API String ID: 3022380644-0
Opcode ID: fcfc9e4c5a51c01e947fd4ec5bd7c33908cb81bfa05d587a785a486351c207b0
Instruction ID: 513485dc15bc5937fdad1ec73cc70a4ece73e4ebfb768c1dfe87799239e38278
Opcode Fuzzy Hash: fcfc9e4c5a51c01e947fd4ec5bd7c33908cb81bfa05d587a785a486351c207b0
Instruction Fuzzy Hash: DB018C31510614EFCF009FA4C818AADBBB2FF08315F00C66DF5129B262CB759910DF84

Uniqueness

Uniqueness Score: -1.00%

Function 0043179E, Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,00000005), ref: 004317B8
LoadResource.KERNEL32(?,00000000), ref: 004317C0
LockResource.KERNEL32(00000000), ref: 004317CD
FreeResource.KERNEL32(00000000,00000000,?,?), ref: 004317E5

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: ebf91bd9bf8a41106eaa89ca42d9caf435e3ff325f93b6a55d8f3318078830f7
Instruction ID: 3ab5ec5a54c8587120c49d393a101d194460f70bbb1c1fdc2cb11f4887e345f0
Opcode Fuzzy Hash: ebf91bd9bf8a41106eaa89ca42d9caf435e3ff325f93b6a55d8f3318078830f7
Instruction Fuzzy Hash: B2F05436500614BBC7015BE59C48CAFBB6CDF496A2F004066F605D3222DA74D9008BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00414C4E, Relevance: 6.0, APIs: 4, Instructions: 36memorystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00414C5E
CoTaskMemAlloc.OLE32(00000000), ref: 00414C6B
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001), ref: 00414C80
CoTaskMemFree.OLE32(00000000), ref: 00414C8B

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Task$AllocByteCharFreeMultiWidelstrlen
String ID:
API String ID: 1031297831-0
Opcode ID: d9fcdb4e81432dfe2e19a30d6e4d67446f60bb26955e24c4bc6fe731ea92e3d9
Instruction ID: 544606fc187c06161ef729f5156908492f206a0bbee31cd4e8b966ed0bede971
Opcode Fuzzy Hash: d9fcdb4e81432dfe2e19a30d6e4d67446f60bb26955e24c4bc6fe731ea92e3d9
Instruction Fuzzy Hash: 60F0A072301B0177D3201BAAEC88FAB7AACDFC5763F11013AF519C62A5EB24C8008964

Uniqueness

Uniqueness Score: -1.00%

Function 0043D5BD, Relevance: 6.0, APIs: 4, Instructions: 33stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 0043D5D2
GetWindowTextA.USER32 ref: 0043D5EE
lstrcmpA.KERNEL32(?,?), ref: 0043D602
SetWindowTextA.USER32(?,?), ref: 0043D612

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: TextWindow$lstrcmplstrlen
String ID:
API String ID: 330964273-0
Opcode ID: bbb3d7b975ff194cb257aea3f5de31d9addc332e14293837c6138cadbaa285f9
Instruction ID: de742755b52b3a8bff379346f05b4b7aacceaf209b80c918914f735cb9d5d4d0
Opcode Fuzzy Hash: bbb3d7b975ff194cb257aea3f5de31d9addc332e14293837c6138cadbaa285f9
Instruction Fuzzy Hash: 3DF06DB5800208BBCF11AF60EC489EE7B79FB08355F408062F959D2261D738DE80CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00431713, Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

EnableWindow.USER32(00000000,00000001), ref: 00431726
GetActiveWindow.USER32 ref: 00431731
SetActiveWindow.USER32(00000000), ref: 0043173F
FreeResource.KERNEL32(00000000), ref: 0043175B

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Window$Active$EnableFreeResource
String ID:
API String ID: 3751187028-0
Opcode ID: 963bacca36a14f3d3701e697436b72b45a52e00a8cf64d3aaf9fd96f1ed3cb6d
Instruction ID: 9ffee9eb48b2e9b9ba8dbdb29ec06767e2b060e2fd059737e1ce27870a1a1e1e
Opcode Fuzzy Hash: 963bacca36a14f3d3701e697436b72b45a52e00a8cf64d3aaf9fd96f1ed3cb6d
Instruction Fuzzy Hash: 68F04F35900745DFCF21EFA4D9995AEBBB1FF08312F14056AE102B22A1CB359D01CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00445B8A, Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 00445821: GetStockObject.GDI32(00000000), ref: 00445837
Part of subcall function 00445821: InflateRect.USER32(?,000000FF,000000FF), ref: 004458CC

ReleaseCapture.USER32(?,?,00445BDD), ref: 00445B95
GetDesktopWindow.USER32 ref: 00445B9B
LockWindowUpdate.USER32(00000000,00000000,?,?,00445BDD), ref: 00445BAB
ReleaseDC.USER32 ref: 00445BC3

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ReleaseWindow$CaptureDesktopInflateLockObjectRectStockUpdate
String ID:
API String ID: 1260764132-0
Opcode ID: 99a9ca9a32cb8ab269c45f06c55c165410f3549155a374d7e23da0f3062d7793
Instruction ID: 8ccc48cc6135e675e75bd0ebac52abe8a78effebf7b2575483cdb178f92d11fb
Opcode Fuzzy Hash: 99a9ca9a32cb8ab269c45f06c55c165410f3549155a374d7e23da0f3062d7793
Instruction Fuzzy Hash: 05E01A32500711ABDB212F65EC1DB1A7EB5FF4071BF150439F5418A1A3EA7AD8508B98

Uniqueness

Uniqueness Score: -1.00%

Function 0041B4B6, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 0041B4D2

Strings

, xrefs: 0041B4F9
, xrefs: 0041B520

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: b9d7742f0d687b9507fae7ecca0d0c4dce2f1495c6ce05c83b244f66533a1e56
Instruction ID: 3cece0b747b5dfe9e4ee91e28d7e92a175b810417601d5da7d1a0f647cb4a04d
Opcode Fuzzy Hash: b9d7742f0d687b9507fae7ecca0d0c4dce2f1495c6ce05c83b244f66533a1e56
Instruction Fuzzy Hash: 5C418D305002987EEB119B24DC99BFB7BA9EF06308F1408E6D549D7152C3694DC59BDD

Uniqueness

Uniqueness Score: -1.00%

Function 0041F328, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

__shift.LIBCMT ref: 0041F34B

Part of subcall function 0041F30B: _strlen.LIBCMT ref: 0041F313

_strcat.LIBCMT ref: 0041F388

Strings

e+000, xrefs: 0041F37A

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: __shift_strcat_strlen
String ID: e+000
API String ID: 208078240-1027065040
Opcode ID: 875e55a9c64274ed01c054211ec61591270a626eb8f2cf2ea0d2932a9a59f3e3
Instruction ID: 10dd06bfe5233906032f42402e65a8300de7b1c3d025f13929c72fdbf92f1e96
Opcode Fuzzy Hash: 875e55a9c64274ed01c054211ec61591270a626eb8f2cf2ea0d2932a9a59f3e3
Instruction Fuzzy Hash: E321D5322083989FDB1A8E389C903D63BD05B02358F1C44BFE899CB292D67DD9CAC355

Uniqueness

Uniqueness Score: -1.00%

Function 00416B5D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(mE), ref: 00416B88
VarDateFromStr.OLEAUT32(00000000,?,?), ref: 00416BE9

Strings

mE, xrefs: 00416B85

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: DateFromlstrlen
String ID: mE
API String ID: 3083244965-852767849
Opcode ID: 21236a63205d3c610e0caf2d6ec9922e4dc7df269fe6eeac49355a1a8804db29
Instruction ID: c9c3653280e534b12a607a29e002e4b7e8b5001cc8de6abf38bf35f728cf013b
Opcode Fuzzy Hash: 21236a63205d3c610e0caf2d6ec9922e4dc7df269fe6eeac49355a1a8804db29
Instruction Fuzzy Hash: 8E21FF72100204EBCB109F65DC85AEF7BA8EF0035AF21842AF845D7261D739EAC4CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041AF0D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00423D86
DeleteCriticalSection.KERNEL32(02631C38,0045D340,00000010,00000003), ref: 00423DD4

Strings

csm, xrefs: 0041AF0F

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CriticalDeleteSection__lock
String ID: csm
API String ID: 590241456-1018135373
Opcode ID: 72e3b7236b32f5d339321de57c6609f757999602fafbac578acfb188ccc614ae
Instruction ID: d5757be441aae5840aabba58e7df4775a35bafef4b674f724e490e16ffbc9297
Opcode Fuzzy Hash: 72e3b7236b32f5d339321de57c6609f757999602fafbac578acfb188ccc614ae
Instruction Fuzzy Hash: CB21A1316102149FD725AF66E886BAD33A0AF05726F90051AF815972E2C77C9D829A1E

Uniqueness

Uniqueness Score: -1.00%

Function 00432960, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

GetClassInfoA.USER32 ref: 004329BF

Strings

Afx:%p:%x:%p:%p:%p, xrefs: 004329AB
Afx:%p:%x, xrefs: 00432990

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ClassInfo
String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
API String ID: 3534257612-2801496823
Opcode ID: 5a6ecf764b755fafe288c511cbc0af2046ea21260e69a38337e23847647d8f8a
Instruction ID: 71333daf6e53f7061f0a2f5fb7ad414b963afdaae8e7c258016f27abd0a4e414
Opcode Fuzzy Hash: 5a6ecf764b755fafe288c511cbc0af2046ea21260e69a38337e23847647d8f8a
Instruction Fuzzy Hash: C1211571900209EF9F11EF95D941ADFBBB8EF0C754F54402BF904A3201E7749A518BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00428B97, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,?,?,0045E938,00000010), ref: 00428BC3
GetLastError.KERNEL32(?,?,0045E938,00000010), ref: 00428BCD

Strings

@, xrefs: 00428BAE

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ErrorFileLastType
String ID: @
API String ID: 1621975986-2766056989
Opcode ID: a58c7fe9f6e6cd8ea95554f3b77d2d2b968d1fd669286dd6fcdc1e0dffa9d69b
Instruction ID: dc55c15812bcf55b5a31ac393ab05fe854771c4cf6b567790ce8dd56b42e6323
Opcode Fuzzy Hash: a58c7fe9f6e6cd8ea95554f3b77d2d2b968d1fd669286dd6fcdc1e0dffa9d69b
Instruction Fuzzy Hash: 8A11E1707072245ADF246B35E8063DD3F50AB01324F98464EF9615B2E3DF3C5A819B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00401D5A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000064,00000000,Characters: %c %c ,000007B9,?,004120B2,00000000), ref: 00401D82

Strings

Characters: %c %c , xrefs: 00401D68

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Characters: %c %c
API String ID: 626452242-719169735
Opcode ID: 72f10fdf0b57e0b512a5d0e9c103bfafc63cbff2d43168b2775ca2bb198ed049
Instruction ID: 238bf9ca43ba9bb5b0f70404969d3f1b5b2265df0c4910519177c563da3de049
Opcode Fuzzy Hash: 72f10fdf0b57e0b512a5d0e9c103bfafc63cbff2d43168b2775ca2bb198ed049
Instruction Fuzzy Hash: 03F0683110A2317E863055669C48C9BBF9CEE8A3B17200B3BF569D21D0D635A401C6F5

Uniqueness

Uniqueness Score: -1.00%

Function 0043BE44, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

ScreenToClient.USER32 ref: 0043BE58
ScreenToClient.USER32 ref: 0043BE61

Part of subcall function 00435E7B: GetWindowLongA.USER32 ref: 00435E86

Strings

!,C, xrefs: 0043BE4E, 0043BE54

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ClientScreen$LongWindow
String ID: !,C
API String ID: 3170764692-271224385
Opcode ID: 1a856b7bda9edefcf9937d4313955bc606bce2cc4d6abcda3325ed39850c7d05
Instruction ID: 8dd1201638dab662032530d7434eae04ee0a0875763a5c590bbbddcad545924a
Opcode Fuzzy Hash: 1a856b7bda9edefcf9937d4313955bc606bce2cc4d6abcda3325ed39850c7d05
Instruction Fuzzy Hash: 68E06D76100718AFC7209F4AEC81D67F7A8EF99750B10402AE60143260DB30BC15CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004396C4, Relevance: 5.1, APIs: 4, Instructions: 107stringCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(00000000,?,?,?), ref: 0043972D
lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0043975B
lstrcpynA.KERNEL32(00000000,?,00000104,?,?,00000104), ref: 0043978F

Part of subcall function 0043A0A7: GetFileTitleA.COMDLG32(?,?,00000000,00000000,00000104), ref: 0043A0D7

lstrcpynA.KERNEL32(00000000,?,?,?,?,00000104,00000000,00000000,00000000), ref: 004397C9

Part of subcall function 004394D7: lstrlenA.KERNEL32(?), ref: 004394E2
Part of subcall function 004394D7: lstrcpyA.KERNEL32(?,?,?,00000000,00000000), ref: 00439563

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: lstrcpyn$FileTitlelstrcmpilstrcpylstrlen
String ID:
API String ID: 1551867014-0
Opcode ID: efd324a3f7a3833a0e76154c72ac7dc63b4354c57db374625157ce5ac82a2cf8
Instruction ID: 49ef6d968ea52ec2849cba88a3609b41fe830442dfa4a7995cda9854ab5d925b
Opcode Fuzzy Hash: efd324a3f7a3833a0e76154c72ac7dc63b4354c57db374625157ce5ac82a2cf8
Instruction Fuzzy Hash: 80419176900119DFCB21DF68CC80EEA77B8EF49314F0041AAF99897291D7B4DE81CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0044E8FF, Relevance: 5.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,?,00000001), ref: 0044E945
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,?,00000001), ref: 0044E955
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,?,00000001), ref: 0044E965
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,?,00000001), ref: 0044E975

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 230db3f02c2b4d33a1f1149295bc099b439d4cf158d66aa02b203a68de4277dc
Instruction ID: 16091c942826140615f5f6159e83aadbb5d87404f9aaeb989487e2677a1adb25
Opcode Fuzzy Hash: 230db3f02c2b4d33a1f1149295bc099b439d4cf158d66aa02b203a68de4277dc
Instruction Fuzzy Hash: FC116D7324460C7EE290A6A1DC81FB7B39CFB4CB04F50091AFB4AD6880E260F90487B9

Uniqueness

Uniqueness Score: -1.00%

Function 0044EF41, Relevance: 5.1, APIs: 4, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0044EF9E
LeaveCriticalSection.KERNEL32(?,?), ref: 0044EFAE
LocalFree.KERNEL32(?), ref: 0044EFB7
TlsSetValue.KERNEL32(?,00000000), ref: 0044EFC9

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: c4633e0bd8bdf9a850104e2a539da053a2a06415692cc4456e0187cf9023bed2
Instruction ID: 3be043c67c09bb75a6237c3996a36536f15ec3ef990194b2d65087d099a9e09d
Opcode Fuzzy Hash: c4633e0bd8bdf9a850104e2a539da053a2a06415692cc4456e0187cf9023bed2
Instruction Fuzzy Hash: E7116731600B05EFE724CF56D884F6AB7B4FF0535AF10842AF5468B6A2CBB4E844CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0041C947, Relevance: 5.1, APIs: 4, Instructions: 57memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,?,?,0041D37D,?,?,00000000), ref: 0041C96E
HeapAlloc.KERNEL32(00000008,000041C4,00000000,?,0041D37D,?,?,00000000), ref: 0041C9A7
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,0041D37D,?,?,00000000), ref: 0041C9C5
HeapFree.KERNEL32(00000000,?,?,0041D37D,?,?,00000000), ref: 0041C9DC

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: ad83cb98e11d12c31e8bd914c5f30b11e71b8074a9adf87749378c44b0c77e47
Instruction ID: b06f7167849a2c346c4febfd77e7389f94a7d8b5d83d0225e4c1a3a83ebe4785
Opcode Fuzzy Hash: ad83cb98e11d12c31e8bd914c5f30b11e71b8074a9adf87749378c44b0c77e47
Instruction Fuzzy Hash: 8B112B71280601EFC7318F69EC95D66BBB7FB85755B50462EF55AC61F0C370A885CB08

Uniqueness

Uniqueness Score: -1.00%

Function 0044F1DD, Relevance: 5.0, APIs: 4, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0047B754,?,00000000,?,?,0044EC7C,00000010,75144DE0,00000000,?,?,?,0044D5AE,0044D53B,0044C800,0044D5B4), ref: 0044F20B
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,0044EC7C,00000010,75144DE0,00000000,?,?,?,0044D5AE,0044D53B,0044C800,0044D5B4), ref: 0044F21D
LeaveCriticalSection.KERNEL32(0047B754,?,00000000,?,?,0044EC7C,00000010,75144DE0,00000000,?,?,?,0044D5AE,0044D53B,0044C800,0044D5B4), ref: 0044F226
EnterCriticalSection.KERNEL32(00000000,00000000,?,?,0044EC7C,00000010,75144DE0,00000000,?,?,?,0044D5AE,0044D53B,0044C800,0044D5B4,00437F34), ref: 0044F238

Part of subcall function 0044F174: InitializeCriticalSection.KERNEL32(0047B754,0044F1EB,0044EC7C,00000010,75144DE0,00000000,?,?,?,0044D5AE,0044D53B,0044C800,0044D5B4,00437F34,0043B484,75144DE0), ref: 0044F18C

Memory Dump Source

Source File: 00000000.00000002.221134648.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.221128891.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221174680.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.221183605.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.221192422.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221196116.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221198996.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.221201771.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CriticalSection$EnterInitialize$Leave
String ID:
API String ID: 713024617-0
Opcode ID: 3b11186741ab5f92f4e9157304ee343cd161919b5d1cb659cb08613b51adbfa1
Instruction ID: e0a91512c71e7208316553512d16b5441200be99d7561811c4e93602965cf57e
Opcode Fuzzy Hash: 3b11186741ab5f92f4e9157304ee343cd161919b5d1cb659cb08613b51adbfa1
Instruction Fuzzy Hash: 8CF06D7140060EDFE7109F94EC84B62B3ACFB94316F104837E60883011D778A499CAE8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: aEdlObiYav.exe PID: 5528 Parent PID: 5064 aEdlObiYav.exeCOMMON

Executed Functions

Function 00420406, Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_000203B8), ref: 0042040B

Memory Dump Source

Source File: 00000001.00000002.241010397.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.241007014.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241044402.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241059751.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.241069773.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241075800.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241080211.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241084393.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: bd62c4e1d80563d32ea440ce6060cb46cd4ae1cee373a393b7e2554c0fa64008
Instruction ID: 1b1c346f4f04dce3418a89abf90b8b8a101ec60d6b84e6121621e05be0691acb
Opcode Fuzzy Hash: bd62c4e1d80563d32ea440ce6060cb46cd4ae1cee373a393b7e2554c0fa64008
Instruction Fuzzy Hash: E2A011B0220320CBA300CF30AC0A2083AE0E380202B0082BAA800C2A22EF308080AA08

Uniqueness

Uniqueness Score: -1.00%

Function 00401E04, Relevance: 36.5, APIs: 1, Strings: 10, Instructions: 19977memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401D3B: LoadStringW.USER32(00000005,0000000A,00000000,00000000), ref: 00401D4F

Part of subcall function 00401D5A: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000064,00000000,Characters: %c %c ,000007B9,?,004120B2,00000000), ref: 00401D82

VirtualAlloc.KERNELBASE(00000000,0000E944,00001000,00000040), ref: 004120E2

Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401C9A
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CA1
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CA8
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CAF
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CB6
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CBD
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CC4
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CCB
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CD2
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CD9
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CE0
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CE7
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CEE
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CF5

Strings

A string, xrefs: 00401EFB, 00401F76, 00401FF1, 0040206C, 004020E7, 00402162, 004021DD, 00402258, 004022D3, 0040234E, 004023C9, 00402444, 004024BF, 0040253A, 004025B5, 00402630, 004026AB, 00402726, 004027A1, 0040281C, 00402897, 00402912, 0040298D, 00402A08, 00402A83, 00402AFE, 00402B79, 00402BF4, 00402C6F, 00402CEA, 00402D65, 00402DE0, 00402E5B, 00402ED6, 00402F51, 00402FCC, 00403047, 004030C2, 0040313D, 004031B8, 00403233, 004032AE, 00403329, 004033A4, 0040341F, 0040349A, 00403515, 00403590, 0040360B, 00403686, 00403701, 0040377C, 004037F7, 00403872, 004038ED, 00403968, 004039E3, 00403A5E, 00403AD9, 00403B54, 00403BCF, 00403C4A, 00403CC5, 00403D40, 00403DBB, 00403E36, 00403EB1, 00403F2C, 00403FA7, 00404022, 0040409D, 00404118, 00404193, 0040420E, 00404289, 00404304, 0040437F, 004043FA, 00404475, 004044F0, 0040456B, 004045E6, 00404661, 004046DC, 00404757, 004047D2, 0040484D, 004048C8, 00404943, 004049BE, 00404A39, 00404AB4, 00404B2F, 00404BAA, 00404C25, 00404CA0, 00404D1B, 00404D96, 00404E11, 00404E8C, 00404F07, 00404F82, 00404FFD, 00405078, 004050F3, 0040516E, 004051E9, 00405264, 004052DF, 0040535A, 004053D5, 00405450, 004054CB, 00405546, 004055C1, 0040563C, 004056B7, 00405732, 004057AD, 00405828, 004058A3, 0040591E, 00405999, 00405A14, 00405A8F, 00405B0A, 00405B85, 00405C00, 00405C7B, 00405CF6, 00405D71, 00405DEC, 00405E67, 00405EE2, 00405F5D, 00405FD8, 00406053, 004060CE, 00406149, 004061C4, 0040623F, 004062BA, 00406335, 004063B0, 0040642B, 004064A6, 00406521, 0040659C, 00406617, 00406692, 0040670D, 00406788, 00406803, 0040687E, 004068F9, 00406974, 004069EF, 00406A6A, 00406AE5, 00406B60, 00406BDB, 00406C56, 00406CD1, 00406D4C, 00406DC7, 00406E42, 00406EBD, 00406F38, 00406FB3, 0040702E, 004070A9, 00407124, 0040719F, 0040721A, 00407295, 00407310, 0040738B, 00407406, 00407481, 004074FC, 00407577, 004075F2, 0040766D, 004076E8, 00407763, 004077DE, 00407859, 004078D4, 0040794F, 004079CA, 00407A45, 00407AC0, 00407B3B, 00407BB6, 00407C31, 00407CAC, 00407D27, 00407DA2, 00407E1D, 00407E98, 00407F13, 00407F8E, 00408009, 00408084, 004080FF, 0040817A, 004081F5, 00408270, 004082EB, 00408366, 004083E1, 0040845C, 004084D7, 00408552, 004085CD, 00408648, 004086C3, 0040873E, 004087B9, 00408834, 004088AF, 0040892A, 004089A5, 00408A20, 00408A9B, 00408B16, 00408B91, 00408C0C, 00408C87, 00408D02, 00408D7D, 00408DF8, 00408E73, 00408EEE, 00408F69, 00408FE4, 0040905F, 004090DA, 00409155, 004091D0, 0040924B, 004092C6, 00409341, 004093BC, 00409437, 004094B2, 0040952D, 004095A8, 00409623, 0040969E, 00409719, 00409794, 0040980F, 0040988A, 00409905, 00409980, 004099FB, 00409A76, 00409AF1, 00409B6C, 00409BE7, 00409C62, 00409CDD, 00409D58, 00409DD3, 00409E4E, 00409EC9, 00409F44, 00409FBF, 0040A03A, 0040A0B5, 0040A130, 0040A1AB, 0040A226, 0040A2A1, 0040A31C, 0040A397, 0040A412, 0040A48D, 0040A508, 0040A583, 0040A5FE, 0040A679, 0040A6F4, 0040A76F, 0040A7EA, 0040A865, 0040A8E0, 0040A95B, 0040A9D6, 0040AA51, 0040AACC, 0040AB47, 0040ABC2, 0040AC3D, 0040ACB8, 0040AD33, 0040ADAE, 0040AE29, 0040AEA4, 0040AF1F, 0040AF9A, 0040B015, 0040B090, 0040B10B, 0040B186, 0040B201, 0040B27C, 0040B2F7, 0040B372, 0040B3ED, 0040B468, 0040B4E3, 0040B55E, 0040B5D9, 0040B654, 0040B6CF, 0040B74A, 0040B7C5, 0040B840, 0040B8BB, 0040B936, 0040B9B1, 0040BA2C, 0040BAA7, 0040BB22, 0040BB9D, 0040BC18, 0040BC93, 0040BD0E, 0040BD89, 0040BE04, 0040BE7F, 0040BEFA, 0040BF75, 0040BFF0, 0040C06B, 0040C0E6, 0040C161, 0040C1DC, 0040C257, 0040C2D2, 0040C34D, 0040C3C8, 0040C443, 0040C4BE, 0040C539, 0040C5B4, 0040C62F, 0040C6AA, 0040C725, 0040C7A0, 0040C81B, 0040C896, 0040C911, 0040C98C, 0040CA07, 0040CA82, 0040CAFD, 0040CB78, 0040CBF3, 0040CC6E, 0040CCE9, 0040CD64, 0040CDDF, 0040CE5A, 0040CED5, 0040CF50, 0040CFCB, 0040D046, 0040D0C1, 0040D13C, 0040D1B7, 0040D232, 0040D2AD, 0040D328, 0040D3A3, 0040D41E, 0040D499, 0040D514, 0040D58F, 0040D60A, 0040D685, 0040D700, 0040D77B, 0040D7F6, 0040D871, 0040D8EC, 0040D967, 0040D9E2, 0040DA5D, 0040DAD8, 0040DB53, 0040DBCE, 0040DC49, 0040DCC4, 0040DD3F, 0040DDBA, 0040DE35, 0040DEB0, 0040DF2B, 0040DFA6, 0040E021, 0040E09C, 0040E117, 0040E192, 0040E20D, 0040E288, 0040E303, 0040E37E, 0040E3F9, 0040E474, 0040E4EF, 0040E56A, 0040E5E5, 0040E660, 0040E6DB, 0040E756, 0040E7D1, 0040E84C, 0040E8C7, 0040E942, 0040E9BD, 0040EA38, 0040EAB3, 0040EB2E, 0040EBA9, 0040EC24, 0040EC9F, 0040ED1A, 0040ED95, 0040EE10, 0040EE8B, 0040EF06, 0040EF81, 0040EFFC, 0040F077, 0040F0F2, 0040F16D, 0040F1E8, 0040F263, 0040F2DE, 0040F359, 0040F3D4, 0040F44F, 0040F4CA, 0040F545, 0040F5C0, 0040F63B, 0040F6B6, 0040F731, 0040F7AC, 0040F827, 0040F8A2, 0040F91D, 0040F998, 0040FA13, 0040FA8E, 0040FB09, 0040FB84, 0040FBFF, 0040FC7A, 0040FCF5, 0040FD70, 0040FDEB, 0040FE66, 0040FEE1, 0040FF5C, 0040FFD7, 00410052, 004100CD, 00410148, 004101C3, 0041023E, 004102B9, 00410334, 004103AF, 0041042A, 004104A5, 00410520, 0041059B, 00410616, 00410691, 0041070C, 00410787, 00410802, 0041087D, 004108F8, 00410973, 004109EE, 00410A69, 00410AE4, 00410B5F, 00410BDA, 00410C55, 00410CD0, 00410D4B, 00410DC6, 00410E41, 00410EBC, 00410F37, 00410FB2, 0041102D, 004110A8, 00411123, 0041119E, 00411219, 00411294, 0041130F, 0041138A, 00411405, 00411480, 004114FB, 00411576, 004115F1, 0041166C, 004116E7, 00411762, 004117DD, 00411858, 004118D3, 0041194E, 004119C9, 00411A44, 00411ABF, 00411B3A, 00411BB5, 00411C30, 00411CAB, 00411D26, 00411DA1, 00411E1C, 00411E97, 00411F12, 00411F8D, 00412008, 00412083
Width trick: %*d , xrefs: 00401EF1, 00401F6C, 00401FE7, 00402062, 004020DD, 00402158, 004021D3, 0040224E, 004022C9, 00402344, 004023BF, 0040243A, 004024B5, 00402530, 004025AB, 00402626, 004026A1, 0040271C, 00402797, 00402812, 0040288D, 00402908, 00402983, 004029FE, 00402A79, 00402AF4, 00402B6F, 00402BEA, 00402C65, 00402CE0, 00402D5B, 00402DD6, 00402E51, 00402ECC, 00402F47, 00402FC2, 0040303D, 004030B8, 00403133, 004031AE, 00403229, 004032A4, 0040331F, 0040339A, 00403415, 00403490, 0040350B, 00403586, 00403601, 0040367C, 004036F7, 00403772, 004037ED, 00403868, 004038E3, 0040395E, 004039D9, 00403A54, 00403ACF, 00403B4A, 00403BC5, 00403C40, 00403CBB, 00403D36, 00403DB1, 00403E2C, 00403EA7, 00403F22, 00403F9D, 00404018, 00404093, 0040410E, 00404189, 00404204, 0040427F, 004042FA, 00404375, 004043F0, 0040446B, 004044E6, 00404561, 004045DC, 00404657, 004046D2, 0040474D, 004047C8, 00404843, 004048BE, 00404939, 004049B4, 00404A2F, 00404AAA, 00404B25, 00404BA0, 00404C1B, 00404C96, 00404D11, 00404D8C, 00404E07, 00404E82, 00404EFD, 00404F78, 00404FF3, 0040506E, 004050E9, 00405164, 004051DF, 0040525A, 004052D5, 00405350, 004053CB, 00405446, 004054C1, 0040553C, 004055B7, 00405632, 004056AD, 00405728, 004057A3, 0040581E, 00405899, 00405914, 0040598F, 00405A0A, 00405A85, 00405B00, 00405B7B, 00405BF6, 00405C71, 00405CEC, 00405D67, 00405DE2, 00405E5D, 00405ED8, 00405F53, 00405FCE, 00406049, 004060C4, 0040613F, 004061BA, 00406235, 004062B0, 0040632B, 004063A6, 00406421, 0040649C, 00406517, 00406592, 0040660D, 00406688, 00406703, 0040677E, 004067F9, 00406874, 004068EF, 0040696A, 004069E5, 00406A60, 00406ADB, 00406B56, 00406BD1, 00406C4C, 00406CC7, 00406D42, 00406DBD, 00406E38, 00406EB3, 00406F2E, 00406FA9, 00407024, 0040709F, 0040711A, 00407195, 00407210, 0040728B, 00407306, 00407381, 004073FC, 00407477, 004074F2, 0040756D, 004075E8, 00407663, 004076DE, 00407759, 004077D4, 0040784F, 004078CA, 00407945, 004079C0, 00407A3B, 00407AB6, 00407B31, 00407BAC, 00407C27, 00407CA2, 00407D1D, 00407D98, 00407E13, 00407E8E, 00407F09, 00407F84, 00407FFF, 0040807A, 004080F5, 00408170, 004081EB, 00408266, 004082E1, 0040835C, 004083D7, 00408452, 004084CD, 00408548, 004085C3, 0040863E, 004086B9, 00408734, 004087AF, 0040882A, 004088A5, 00408920, 0040899B, 00408A16, 00408A91, 00408B0C, 00408B87, 00408C02, 00408C7D, 00408CF8, 00408D73, 00408DEE, 00408E69, 00408EE4, 00408F5F, 00408FDA, 00409055, 004090D0, 0040914B, 004091C6, 00409241, 004092BC, 00409337, 004093B2, 0040942D, 004094A8, 00409523, 0040959E, 00409619, 00409694, 0040970F, 0040978A, 00409805, 00409880, 004098FB, 00409976, 004099F1, 00409A6C, 00409AE7, 00409B62, 00409BDD, 00409C58, 00409CD3, 00409D4E, 00409DC9, 00409E44, 00409EBF, 00409F3A, 00409FB5, 0040A030, 0040A0AB, 0040A126, 0040A1A1, 0040A21C, 0040A297, 0040A312, 0040A38D, 0040A408, 0040A483, 0040A4FE, 0040A579, 0040A5F4, 0040A66F, 0040A6EA, 0040A765, 0040A7E0, 0040A85B, 0040A8D6, 0040A951, 0040A9CC, 0040AA47, 0040AAC2, 0040AB3D, 0040ABB8, 0040AC33, 0040ACAE, 0040AD29, 0040ADA4, 0040AE1F, 0040AE9A, 0040AF15, 0040AF90, 0040B00B, 0040B086, 0040B101, 0040B17C, 0040B1F7, 0040B272, 0040B2ED, 0040B368, 0040B3E3, 0040B45E, 0040B4D9, 0040B554, 0040B5CF, 0040B64A, 0040B6C5, 0040B740, 0040B7BB, 0040B836, 0040B8B1, 0040B92C, 0040B9A7, 0040BA22, 0040BA9D, 0040BB18, 0040BB93, 0040BC0E, 0040BC89, 0040BD04, 0040BD7F, 0040BDFA, 0040BE75, 0040BEF0, 0040BF6B, 0040BFE6, 0040C061, 0040C0DC, 0040C157, 0040C1D2, 0040C24D, 0040C2C8, 0040C343, 0040C3BE, 0040C439, 0040C4B4, 0040C52F, 0040C5AA, 0040C625, 0040C6A0, 0040C71B, 0040C796, 0040C811, 0040C88C, 0040C907, 0040C982, 0040C9FD, 0040CA78, 0040CAF3, 0040CB6E, 0040CBE9, 0040CC64, 0040CCDF, 0040CD5A, 0040CDD5, 0040CE50, 0040CECB, 0040CF46, 0040CFC1, 0040D03C, 0040D0B7, 0040D132, 0040D1AD, 0040D228, 0040D2A3, 0040D31E, 0040D399, 0040D414, 0040D48F, 0040D50A, 0040D585, 0040D600, 0040D67B, 0040D6F6, 0040D771, 0040D7EC, 0040D867, 0040D8E2, 0040D95D, 0040D9D8, 0040DA53, 0040DACE, 0040DB49, 0040DBC4, 0040DC3F, 0040DCBA, 0040DD35, 0040DDB0, 0040DE2B, 0040DEA6, 0040DF21, 0040DF9C, 0040E017, 0040E092, 0040E10D, 0040E188, 0040E203, 0040E27E, 0040E2F9, 0040E374, 0040E3EF, 0040E46A, 0040E4E5, 0040E560, 0040E5DB, 0040E656, 0040E6D1, 0040E74C, 0040E7C7, 0040E842, 0040E8BD, 0040E938, 0040E9B3, 0040EA2E, 0040EAA9, 0040EB24, 0040EB9F, 0040EC1A, 0040EC95, 0040ED10, 0040ED8B, 0040EE06, 0040EE81, 0040EEFC, 0040EF77, 0040EFF2, 0040F06D, 0040F0E8, 0040F163, 0040F1DE, 0040F259, 0040F2D4, 0040F34F, 0040F3CA, 0040F445, 0040F4C0, 0040F53B, 0040F5B6, 0040F631, 0040F6AC, 0040F727, 0040F7A2, 0040F81D, 0040F898, 0040F913, 0040F98E, 0040FA09, 0040FA84, 0040FAFF, 0040FB7A, 0040FBF5, 0040FC70, 0040FCEB, 0040FD66, 0040FDE1, 0040FE5C, 0040FED7, 0040FF52, 0040FFCD, 00410048, 004100C3, 0041013E, 004101B9, 00410234, 004102AF, 0041032A, 004103A5, 00410420, 0041049B, 00410516, 00410591, 0041060C, 00410687, 00410702, 0041077D, 004107F8, 00410873, 004108EE, 00410969, 004109E4, 00410A5F, 00410ADA, 00410B55, 00410BD0, 00410C4B, 00410CC6, 00410D41, 00410DBC, 00410E37, 00410EB2, 00410F2D, 00410FA8, 00411023, 0041109E, 00411119, 00411194, 0041120F, 0041128A, 00411305, 00411380, 004113FB, 00411476, 004114F1, 0041156C, 004115E7, 00411662, 004116DD, 00411758, 004117D3, 0041184E, 004118C9, 00411944, 004119BF, 00411A3A, 00411AB5, 00411B30, 00411BAB, 00411C26, 00411CA1, 00411D1C, 00411D97, 00411E12, 00411E8D, 00411F08, 00411F83, 00411FFE, 00412079
Preceding with zeros: %010d , xrefs: 00401EB0, 00401F2F, 00401FAA, 00402025, 004020A0, 0040211B, 00402196, 00402211, 0040228C, 00402307, 00402382, 004023FD, 00402478, 004024F3, 0040256E, 004025E9, 00402664, 004026DF, 0040275A, 004027D5, 00402850, 004028CB, 00402946, 004029C1, 00402A3C, 00402AB7, 00402B32, 00402BAD, 00402C28, 00402CA3, 00402D1E, 00402D99, 00402E14, 00402E8F, 00402F0A, 00402F85, 00403000, 0040307B, 004030F6, 00403171, 004031EC, 00403267, 004032E2, 0040335D, 004033D8, 00403453, 004034CE, 00403549, 004035C4, 0040363F, 004036BA, 00403735, 004037B0, 0040382B, 004038A6, 00403921, 0040399C, 00403A17, 00403A92, 00403B0D, 00403B88, 00403C03, 00403C7E, 00403CF9, 00403D74, 00403DEF, 00403E6A, 00403EE5, 00403F60, 00403FDB, 00404056, 004040D1, 0040414C, 004041C7, 00404242, 004042BD, 00404338, 004043B3, 0040442E, 004044A9, 00404524, 0040459F, 0040461A, 00404695, 00404710, 0040478B, 00404806, 00404881, 004048FC, 00404977, 004049F2, 00404A6D, 00404AE8, 00404B63, 00404BDE, 00404C59, 00404CD4, 00404D4F, 00404DCA, 00404E45, 00404EC0, 00404F3B, 00404FB6, 00405031, 004050AC, 00405127, 004051A2, 0040521D, 00405298, 00405313, 0040538E, 00405409, 00405484, 004054FF, 0040557A, 004055F5, 00405670, 004056EB, 00405766, 004057E1, 0040585C, 004058D7, 00405952, 004059CD, 00405A48, 00405AC3, 00405B3E, 00405BB9, 00405C34, 00405CAF, 00405D2A, 00405DA5, 00405E20, 00405E9B, 00405F16, 00405F91, 0040600C, 00406087, 00406102, 0040617D, 004061F8, 00406273, 004062EE, 00406369, 004063E4, 0040645F, 004064DA, 00406555, 004065D0, 0040664B, 004066C6, 00406741, 004067BC, 00406837, 004068B2, 0040692D, 004069A8, 00406A23, 00406A9E, 00406B19, 00406B94, 00406C0F, 00406C8A, 00406D05, 00406D80, 00406DFB, 00406E76, 00406EF1, 00406F6C, 00406FE7, 00407062, 004070DD, 00407158, 004071D3, 0040724E, 004072C9, 00407344, 004073BF, 0040743A, 004074B5, 00407530, 004075AB, 00407626, 004076A1, 0040771C, 00407797, 00407812, 0040788D, 00407908, 00407983, 004079FE, 00407A79, 00407AF4, 00407B6F, 00407BEA, 00407C65, 00407CE0, 00407D5B, 00407DD6, 00407E51, 00407ECC, 00407F47, 00407FC2, 0040803D, 004080B8, 00408133, 004081AE, 00408229, 004082A4, 0040831F, 0040839A, 00408415, 00408490, 0040850B, 00408586, 00408601, 0040867C, 004086F7, 00408772, 004087ED, 00408868, 004088E3, 0040895E, 004089D9, 00408A54, 00408ACF, 00408B4A, 00408BC5, 00408C40, 00408CBB, 00408D36, 00408DB1, 00408E2C, 00408EA7, 00408F22, 00408F9D, 00409018, 00409093, 0040910E, 00409189, 00409204, 0040927F, 004092FA, 00409375, 004093F0, 0040946B, 004094E6, 00409561, 004095DC, 00409657, 004096D2, 0040974D, 004097C8, 00409843, 004098BE, 00409939, 004099B4, 00409A2F, 00409AAA, 00409B25, 00409BA0, 00409C1B, 00409C96, 00409D11, 00409D8C, 00409E07, 00409E82, 00409EFD, 00409F78, 00409FF3, 0040A06E, 0040A0E9, 0040A164, 0040A1DF, 0040A25A, 0040A2D5, 0040A350, 0040A3CB, 0040A446, 0040A4C1, 0040A53C, 0040A5B7, 0040A632, 0040A6AD, 0040A728, 0040A7A3, 0040A81E, 0040A899, 0040A914, 0040A98F, 0040AA0A, 0040AA85, 0040AB00, 0040AB7B, 0040ABF6, 0040AC71, 0040ACEC, 0040AD67, 0040ADE2, 0040AE5D, 0040AED8, 0040AF53, 0040AFCE, 0040B049, 0040B0C4, 0040B13F, 0040B1BA, 0040B235, 0040B2B0, 0040B32B, 0040B3A6, 0040B421, 0040B49C, 0040B517, 0040B592, 0040B60D, 0040B688, 0040B703, 0040B77E, 0040B7F9, 0040B874, 0040B8EF, 0040B96A, 0040B9E5, 0040BA60, 0040BADB, 0040BB56, 0040BBD1, 0040BC4C, 0040BCC7, 0040BD42, 0040BDBD, 0040BE38, 0040BEB3, 0040BF2E, 0040BFA9, 0040C024, 0040C09F, 0040C11A, 0040C195, 0040C210, 0040C28B, 0040C306, 0040C381, 0040C3FC, 0040C477, 0040C4F2, 0040C56D, 0040C5E8, 0040C663, 0040C6DE, 0040C759, 0040C7D4, 0040C84F, 0040C8CA, 0040C945, 0040C9C0, 0040CA3B, 0040CAB6, 0040CB31, 0040CBAC, 0040CC27, 0040CCA2, 0040CD1D, 0040CD98, 0040CE13, 0040CE8E, 0040CF09, 0040CF84, 0040CFFF, 0040D07A, 0040D0F5, 0040D170, 0040D1EB, 0040D266, 0040D2E1, 0040D35C, 0040D3D7, 0040D452, 0040D4CD, 0040D548, 0040D5C3, 0040D63E, 0040D6B9, 0040D734, 0040D7AF, 0040D82A, 0040D8A5, 0040D920, 0040D99B, 0040DA16, 0040DA91, 0040DB0C, 0040DB87, 0040DC02, 0040DC7D, 0040DCF8, 0040DD73, 0040DDEE, 0040DE69, 0040DEE4, 0040DF5F, 0040DFDA, 0040E055, 0040E0D0, 0040E14B, 0040E1C6, 0040E241, 0040E2BC, 0040E337, 0040E3B2, 0040E42D, 0040E4A8, 0040E523, 0040E59E, 0040E619, 0040E694, 0040E70F, 0040E78A, 0040E805, 0040E880, 0040E8FB, 0040E976, 0040E9F1, 0040EA6C, 0040EAE7, 0040EB62, 0040EBDD, 0040EC58, 0040ECD3, 0040ED4E, 0040EDC9, 0040EE44, 0040EEBF, 0040EF3A, 0040EFB5, 0040F030, 0040F0AB, 0040F126, 0040F1A1, 0040F21C, 0040F297, 0040F312, 0040F38D, 0040F408, 0040F483, 0040F4FE, 0040F579, 0040F5F4, 0040F66F, 0040F6EA, 0040F765, 0040F7E0, 0040F85B, 0040F8D6, 0040F951, 0040F9CC, 0040FA47, 0040FAC2, 0040FB3D, 0040FBB8, 0040FC33, 0040FCAE, 0040FD29, 0040FDA4, 0040FE1F, 0040FE9A, 0040FF15, 0040FF90, 0041000B, 00410086, 00410101, 0041017C, 004101F7, 00410272, 004102ED, 00410368, 004103E3, 0041045E, 004104D9, 00410554, 004105CF, 0041064A, 004106C5, 00410740, 004107BB, 00410836, 004108B1, 0041092C, 004109A7, 00410A22, 00410A9D, 00410B18, 00410B93, 00410C0E, 00410C89, 00410D04, 00410D7F, 00410DFA, 00410E75, 00410EF0, 00410F6B, 00410FE6, 00411061, 004110DC, 00411157, 004111D2, 0041124D, 004112C8, 00411343, 004113BE, 00411439, 004114B4, 0041152F, 004115AA, 00411625, 004116A0, 0041171B, 00411796, 00411811, 0041188C, 00411907, 00411982, 004119FD, 00411A78, 00411AF3, 00411B6E, 00411BE9, 00411C64, 00411CDF, 00411D5A, 00411DD5, 00411E50, 00411ECB, 00411F46, 00411FC1, 0041203C
floats: %4.2f %+.0e %E , xrefs: 00401EE3, 00401F5E, 00401FD9, 00402054, 004020CF, 0040214A, 004021C5, 00402240, 004022BB, 00402336, 004023B1, 0040242C, 004024A7, 00402522, 0040259D, 00402618, 00402693, 0040270E, 00402789, 00402804, 0040287F, 004028FA, 00402975, 004029F0, 00402A6B, 00402AE6, 00402B61, 00402BDC, 00402C57, 00402CD2, 00402D4D, 00402DC8, 00402E43, 00402EBE, 00402F39, 00402FB4, 0040302F, 004030AA, 00403125, 004031A0, 0040321B, 00403296, 00403311, 0040338C, 00403407, 00403482, 004034FD, 00403578, 004035F3, 0040366E, 004036E9, 00403764, 004037DF, 0040385A, 004038D5, 00403950, 004039CB, 00403A46, 00403AC1, 00403B3C, 00403BB7, 00403C32, 00403CAD, 00403D28, 00403DA3, 00403E1E, 00403E99, 00403F14, 00403F8F, 0040400A, 00404085, 00404100, 0040417B, 004041F6, 00404271, 004042EC, 00404367, 004043E2, 0040445D, 004044D8, 00404553, 004045CE, 00404649, 004046C4, 0040473F, 004047BA, 00404835, 004048B0, 0040492B, 004049A6, 00404A21, 00404A9C, 00404B17, 00404B92, 00404C0D, 00404C88, 00404D03, 00404D7E, 00404DF9, 00404E74, 00404EEF, 00404F6A, 00404FE5, 00405060, 004050DB, 00405156, 004051D1, 0040524C, 004052C7, 00405342, 004053BD, 00405438, 004054B3, 0040552E, 004055A9, 00405624, 0040569F, 0040571A, 00405795, 00405810, 0040588B, 00405906, 00405981, 004059FC, 00405A77, 00405AF2, 00405B6D, 00405BE8, 00405C63, 00405CDE, 00405D59, 00405DD4, 00405E4F, 00405ECA, 00405F45, 00405FC0, 0040603B, 004060B6, 00406131, 004061AC, 00406227, 004062A2, 0040631D, 00406398, 00406413, 0040648E, 00406509, 00406584, 004065FF, 0040667A, 004066F5, 00406770, 004067EB, 00406866, 004068E1, 0040695C, 004069D7, 00406A52, 00406ACD, 00406B48, 00406BC3, 00406C3E, 00406CB9, 00406D34, 00406DAF, 00406E2A, 00406EA5, 00406F20, 00406F9B, 00407016, 00407091, 0040710C, 00407187, 00407202, 0040727D, 004072F8, 00407373, 004073EE, 00407469, 004074E4, 0040755F, 004075DA, 00407655, 004076D0, 0040774B, 004077C6, 00407841, 004078BC, 00407937, 004079B2, 00407A2D, 00407AA8, 00407B23, 00407B9E, 00407C19, 00407C94, 00407D0F, 00407D8A, 00407E05, 00407E80, 00407EFB, 00407F76, 00407FF1, 0040806C, 004080E7, 00408162, 004081DD, 00408258, 004082D3, 0040834E, 004083C9, 00408444, 004084BF, 0040853A, 004085B5, 00408630, 004086AB, 00408726, 004087A1, 0040881C, 00408897, 00408912, 0040898D, 00408A08, 00408A83, 00408AFE, 00408B79, 00408BF4, 00408C6F, 00408CEA, 00408D65, 00408DE0, 00408E5B, 00408ED6, 00408F51, 00408FCC, 00409047, 004090C2, 0040913D, 004091B8, 00409233, 004092AE, 00409329, 004093A4, 0040941F, 0040949A, 00409515, 00409590, 0040960B, 00409686, 00409701, 0040977C, 004097F7, 00409872, 004098ED, 00409968, 004099E3, 00409A5E, 00409AD9, 00409B54, 00409BCF, 00409C4A, 00409CC5, 00409D40, 00409DBB, 00409E36, 00409EB1, 00409F2C, 00409FA7, 0040A022, 0040A09D, 0040A118, 0040A193, 0040A20E, 0040A289, 0040A304, 0040A37F, 0040A3FA, 0040A475, 0040A4F0, 0040A56B, 0040A5E6, 0040A661, 0040A6DC, 0040A757, 0040A7D2, 0040A84D, 0040A8C8, 0040A943, 0040A9BE, 0040AA39, 0040AAB4, 0040AB2F, 0040ABAA, 0040AC25, 0040ACA0, 0040AD1B, 0040AD96, 0040AE11, 0040AE8C, 0040AF07, 0040AF82, 0040AFFD, 0040B078, 0040B0F3, 0040B16E, 0040B1E9, 0040B264, 0040B2DF, 0040B35A, 0040B3D5, 0040B450, 0040B4CB, 0040B546, 0040B5C1, 0040B63C, 0040B6B7, 0040B732, 0040B7AD, 0040B828, 0040B8A3, 0040B91E, 0040B999, 0040BA14, 0040BA8F, 0040BB0A, 0040BB85, 0040BC00, 0040BC7B, 0040BCF6, 0040BD71, 0040BDEC, 0040BE67, 0040BEE2, 0040BF5D, 0040BFD8, 0040C053, 0040C0CE, 0040C149, 0040C1C4, 0040C23F, 0040C2BA, 0040C335, 0040C3B0, 0040C42B, 0040C4A6, 0040C521, 0040C59C, 0040C617, 0040C692, 0040C70D, 0040C788, 0040C803, 0040C87E, 0040C8F9, 0040C974, 0040C9EF, 0040CA6A, 0040CAE5, 0040CB60, 0040CBDB, 0040CC56, 0040CCD1, 0040CD4C, 0040CDC7, 0040CE42, 0040CEBD, 0040CF38, 0040CFB3, 0040D02E, 0040D0A9, 0040D124, 0040D19F, 0040D21A, 0040D295, 0040D310, 0040D38B, 0040D406, 0040D481, 0040D4FC, 0040D577, 0040D5F2, 0040D66D, 0040D6E8, 0040D763, 0040D7DE, 0040D859, 0040D8D4, 0040D94F, 0040D9CA, 0040DA45, 0040DAC0, 0040DB3B, 0040DBB6, 0040DC31, 0040DCAC, 0040DD27, 0040DDA2, 0040DE1D, 0040DE98, 0040DF13, 0040DF8E, 0040E009, 0040E084, 0040E0FF, 0040E17A, 0040E1F5, 0040E270, 0040E2EB, 0040E366, 0040E3E1, 0040E45C, 0040E4D7, 0040E552, 0040E5CD, 0040E648, 0040E6C3, 0040E73E, 0040E7B9, 0040E834, 0040E8AF, 0040E92A, 0040E9A5, 0040EA20, 0040EA9B, 0040EB16, 0040EB91, 0040EC0C, 0040EC87, 0040ED02, 0040ED7D, 0040EDF8, 0040EE73, 0040EEEE, 0040EF69, 0040EFE4, 0040F05F, 0040F0DA, 0040F155, 0040F1D0, 0040F24B, 0040F2C6, 0040F341, 0040F3BC, 0040F437, 0040F4B2, 0040F52D, 0040F5A8, 0040F623, 0040F69E, 0040F719, 0040F794, 0040F80F, 0040F88A, 0040F905, 0040F980, 0040F9FB, 0040FA76, 0040FAF1, 0040FB6C, 0040FBE7, 0040FC62, 0040FCDD, 0040FD58, 0040FDD3, 0040FE4E, 0040FEC9, 0040FF44, 0040FFBF, 0041003A, 004100B5, 00410130, 004101AB, 00410226, 004102A1, 0041031C, 00410397, 00410412, 0041048D, 00410508, 00410583, 004105FE, 00410679, 004106F4, 0041076F, 004107EA, 00410865, 004108E0, 0041095B, 004109D6, 00410A51, 00410ACC, 00410B47, 00410BC2, 00410C3D, 00410CB8, 00410D33, 00410DAE, 00410E29, 00410EA4, 00410F1F, 00410F9A, 00411015, 00411090, 0041110B, 00411186, 00411201, 0041127C, 004112F7, 00411372, 004113ED, 00411468, 004114E3, 0041155E, 004115D9, 00411654, 004116CF, 0041174A, 004117C5, 00411840, 004118BB, 00411936, 004119B1, 00411A2C, 00411AA7, 00411B22, 00411B9D, 00411C18, 00411C93, 00411D0E, 00411D89, 00411E04, 00411E7F, 00411EFA, 00411F75, 00411FF0, 0041206B
Some different radices: %d %x %o %#x %#o , xrefs: 00401EC2, 00401F3E, 00401FB9, 00402034, 004020AF, 0040212A, 004021A5, 00402220, 0040229B, 00402316, 00402391, 0040240C, 00402487, 00402502, 0040257D, 004025F8, 00402673, 004026EE, 00402769, 004027E4, 0040285F, 004028DA, 00402955, 004029D0, 00402A4B, 00402AC6, 00402B41, 00402BBC, 00402C37, 00402CB2, 00402D2D, 00402DA8, 00402E23, 00402E9E, 00402F19, 00402F94, 0040300F, 0040308A, 00403105, 00403180, 004031FB, 00403276, 004032F1, 0040336C, 004033E7, 00403462, 004034DD, 00403558, 004035D3, 0040364E, 004036C9, 00403744, 004037BF, 0040383A, 004038B5, 00403930, 004039AB, 00403A26, 00403AA1, 00403B1C, 00403B97, 00403C12, 00403C8D, 00403D08, 00403D83, 00403DFE, 00403E79, 00403EF4, 00403F6F, 00403FEA, 00404065, 004040E0, 0040415B, 004041D6, 00404251, 004042CC, 00404347, 004043C2, 0040443D, 004044B8, 00404533, 004045AE, 00404629, 004046A4, 0040471F, 0040479A, 00404815, 00404890, 0040490B, 00404986, 00404A01, 00404A7C, 00404AF7, 00404B72, 00404BED, 00404C68, 00404CE3, 00404D5E, 00404DD9, 00404E54, 00404ECF, 00404F4A, 00404FC5, 00405040, 004050BB, 00405136, 004051B1, 0040522C, 004052A7, 00405322, 0040539D, 00405418, 00405493, 0040550E, 00405589, 00405604, 0040567F, 004056FA, 00405775, 004057F0, 0040586B, 004058E6, 00405961, 004059DC, 00405A57, 00405AD2, 00405B4D, 00405BC8, 00405C43, 00405CBE, 00405D39, 00405DB4, 00405E2F, 00405EAA, 00405F25, 00405FA0, 0040601B, 00406096, 00406111, 0040618C, 00406207, 00406282, 004062FD, 00406378, 004063F3, 0040646E, 004064E9, 00406564, 004065DF, 0040665A, 004066D5, 00406750, 004067CB, 00406846, 004068C1, 0040693C, 004069B7, 00406A32, 00406AAD, 00406B28, 00406BA3, 00406C1E, 00406C99, 00406D14, 00406D8F, 00406E0A, 00406E85, 00406F00, 00406F7B, 00406FF6, 00407071, 004070EC, 00407167, 004071E2, 0040725D, 004072D8, 00407353, 004073CE, 00407449, 004074C4, 0040753F, 004075BA, 00407635, 004076B0, 0040772B, 004077A6, 00407821, 0040789C, 00407917, 00407992, 00407A0D, 00407A88, 00407B03, 00407B7E, 00407BF9, 00407C74, 00407CEF, 00407D6A, 00407DE5, 00407E60, 00407EDB, 00407F56, 00407FD1, 0040804C, 004080C7, 00408142, 004081BD, 00408238, 004082B3, 0040832E, 004083A9, 00408424, 0040849F, 0040851A, 00408595, 00408610, 0040868B, 00408706, 00408781, 004087FC, 00408877, 004088F2, 0040896D, 004089E8, 00408A63, 00408ADE, 00408B59, 00408BD4, 00408C4F, 00408CCA, 00408D45, 00408DC0, 00408E3B, 00408EB6, 00408F31, 00408FAC, 00409027, 004090A2, 0040911D, 00409198, 00409213, 0040928E, 00409309, 00409384, 004093FF, 0040947A, 004094F5, 00409570, 004095EB, 00409666, 004096E1, 0040975C, 004097D7, 00409852, 004098CD, 00409948, 004099C3, 00409A3E, 00409AB9, 00409B34, 00409BAF, 00409C2A, 00409CA5, 00409D20, 00409D9B, 00409E16, 00409E91, 00409F0C, 00409F87, 0040A002, 0040A07D, 0040A0F8, 0040A173, 0040A1EE, 0040A269, 0040A2E4, 0040A35F, 0040A3DA, 0040A455, 0040A4D0, 0040A54B, 0040A5C6, 0040A641, 0040A6BC, 0040A737, 0040A7B2, 0040A82D, 0040A8A8, 0040A923, 0040A99E, 0040AA19, 0040AA94, 0040AB0F, 0040AB8A, 0040AC05, 0040AC80, 0040ACFB, 0040AD76, 0040ADF1, 0040AE6C, 0040AEE7, 0040AF62, 0040AFDD, 0040B058, 0040B0D3, 0040B14E, 0040B1C9, 0040B244, 0040B2BF, 0040B33A, 0040B3B5, 0040B430, 0040B4AB, 0040B526, 0040B5A1, 0040B61C, 0040B697, 0040B712, 0040B78D, 0040B808, 0040B883, 0040B8FE, 0040B979, 0040B9F4, 0040BA6F, 0040BAEA, 0040BB65, 0040BBE0, 0040BC5B, 0040BCD6, 0040BD51, 0040BDCC, 0040BE47, 0040BEC2, 0040BF3D, 0040BFB8, 0040C033, 0040C0AE, 0040C129, 0040C1A4, 0040C21F, 0040C29A, 0040C315, 0040C390, 0040C40B, 0040C486, 0040C501, 0040C57C, 0040C5F7, 0040C672, 0040C6ED, 0040C768, 0040C7E3, 0040C85E, 0040C8D9, 0040C954, 0040C9CF, 0040CA4A, 0040CAC5, 0040CB40, 0040CBBB, 0040CC36, 0040CCB1, 0040CD2C, 0040CDA7, 0040CE22, 0040CE9D, 0040CF18, 0040CF93, 0040D00E, 0040D089, 0040D104, 0040D17F, 0040D1FA, 0040D275, 0040D2F0, 0040D36B, 0040D3E6, 0040D461, 0040D4DC, 0040D557, 0040D5D2, 0040D64D, 0040D6C8, 0040D743, 0040D7BE, 0040D839, 0040D8B4, 0040D92F, 0040D9AA, 0040DA25, 0040DAA0, 0040DB1B, 0040DB96, 0040DC11, 0040DC8C, 0040DD07, 0040DD82, 0040DDFD, 0040DE78, 0040DEF3, 0040DF6E, 0040DFE9, 0040E064, 0040E0DF, 0040E15A, 0040E1D5, 0040E250, 0040E2CB, 0040E346, 0040E3C1, 0040E43C, 0040E4B7, 0040E532, 0040E5AD, 0040E628, 0040E6A3, 0040E71E, 0040E799, 0040E814, 0040E88F, 0040E90A, 0040E985, 0040EA00, 0040EA7B, 0040EAF6, 0040EB71, 0040EBEC, 0040EC67, 0040ECE2, 0040ED5D, 0040EDD8, 0040EE53, 0040EECE, 0040EF49, 0040EFC4, 0040F03F, 0040F0BA, 0040F135, 0040F1B0, 0040F22B, 0040F2A6, 0040F321, 0040F39C, 0040F417, 0040F492, 0040F50D, 0040F588, 0040F603, 0040F67E, 0040F6F9, 0040F774, 0040F7EF, 0040F86A, 0040F8E5, 0040F960, 0040F9DB, 0040FA56, 0040FAD1, 0040FB4C, 0040FBC7, 0040FC42, 0040FCBD, 0040FD38, 0040FDB3, 0040FE2E, 0040FEA9, 0040FF24, 0040FF9F, 0041001A, 00410095, 00410110, 0041018B, 00410206, 00410281, 004102FC, 00410377, 004103F2, 0041046D, 004104E8, 00410563, 004105DE, 00410659, 004106D4, 0041074F, 004107CA, 00410845, 004108C0, 0041093B, 004109B6, 00410A31, 00410AAC, 00410B27, 00410BA2, 00410C1D, 00410C98, 00410D13, 00410D8E, 00410E09, 00410E84, 00410EFF, 00410F7A, 00410FF5, 00411070, 004110EB, 00411166, 004111E1, 0041125C, 004112D7, 00411352, 004113CD, 00411448, 004114C3, 0041153E, 004115B9, 00411634, 004116AF, 0041172A, 004117A5, 00411820, 0041189B, 00411916, 00411991, 00411A0C, 00411A87, 00411B02, 00411B7D, 00411BF8, 00411C73, 00411CEE, 00411D69, 00411DE4, 00411E5F, 00411EDA, 00411F55, 00411FD0, 0041204B
%s , xrefs: 00401F00, 00401F7B, 00401FF6, 00402071, 004020EC, 00402167, 004021E2, 0040225D, 004022D8, 00402353, 004023CE, 00402449, 004024C4, 0040253F, 004025BA, 00402635, 004026B0, 0040272B, 004027A6, 00402821, 0040289C, 00402917, 00402992, 00402A0D, 00402A88, 00402B03, 00402B7E, 00402BF9, 00402C74, 00402CEF, 00402D6A, 00402DE5, 00402E60, 00402EDB, 00402F56, 00402FD1, 0040304C, 004030C7, 00403142, 004031BD, 00403238, 004032B3, 0040332E, 004033A9, 00403424, 0040349F, 0040351A, 00403595, 00403610, 0040368B, 00403706, 00403781, 004037FC, 00403877, 004038F2, 0040396D, 004039E8, 00403A63, 00403ADE, 00403B59, 00403BD4, 00403C4F, 00403CCA, 00403D45, 00403DC0, 00403E3B, 00403EB6, 00403F31, 00403FAC, 00404027, 004040A2, 0040411D, 00404198, 00404213, 0040428E, 00404309, 00404384, 004043FF, 0040447A, 004044F5, 00404570, 004045EB, 00404666, 004046E1, 0040475C, 004047D7, 00404852, 004048CD, 00404948, 004049C3, 00404A3E, 00404AB9, 00404B34, 00404BAF, 00404C2A, 00404CA5, 00404D20, 00404D9B, 00404E16, 00404E91, 00404F0C, 00404F87, 00405002, 0040507D, 004050F8, 00405173, 004051EE, 00405269, 004052E4, 0040535F, 004053DA, 00405455, 004054D0, 0040554B, 004055C6, 00405641, 004056BC, 00405737, 004057B2, 0040582D, 004058A8, 00405923, 0040599E, 00405A19, 00405A94, 00405B0F, 00405B8A, 00405C05, 00405C80, 00405CFB, 00405D76, 00405DF1, 00405E6C, 00405EE7, 00405F62, 00405FDD, 00406058, 004060D3, 0040614E, 004061C9, 00406244, 004062BF, 0040633A, 004063B5, 00406430, 004064AB, 00406526, 004065A1, 0040661C, 00406697, 00406712, 0040678D, 00406808, 00406883, 004068FE, 00406979, 004069F4, 00406A6F, 00406AEA, 00406B65, 00406BE0, 00406C5B, 00406CD6, 00406D51, 00406DCC, 00406E47, 00406EC2, 00406F3D, 00406FB8, 00407033, 004070AE, 00407129, 004071A4, 0040721F, 0040729A, 00407315, 00407390, 0040740B, 00407486, 00407501, 0040757C, 004075F7, 00407672, 004076ED, 00407768, 004077E3, 0040785E, 004078D9, 00407954, 004079CF, 00407A4A, 00407AC5, 00407B40, 00407BBB, 00407C36, 00407CB1, 00407D2C, 00407DA7, 00407E22, 00407E9D, 00407F18, 00407F93, 0040800E, 00408089, 00408104, 0040817F, 004081FA, 00408275, 004082F0, 0040836B, 004083E6, 00408461, 004084DC, 00408557, 004085D2, 0040864D, 004086C8, 00408743, 004087BE, 00408839, 004088B4, 0040892F, 004089AA, 00408A25, 00408AA0, 00408B1B, 00408B96, 00408C11, 00408C8C, 00408D07, 00408D82, 00408DFD, 00408E78, 00408EF3, 00408F6E, 00408FE9, 00409064, 004090DF, 0040915A, 004091D5, 00409250, 004092CB, 00409346, 004093C1, 0040943C, 004094B7, 00409532, 004095AD, 00409628, 004096A3, 0040971E, 00409799, 00409814, 0040988F, 0040990A, 00409985, 00409A00, 00409A7B, 00409AF6, 00409B71, 00409BEC, 00409C67, 00409CE2, 00409D5D, 00409DD8, 00409E53, 00409ECE, 00409F49, 00409FC4, 0040A03F, 0040A0BA, 0040A135, 0040A1B0, 0040A22B, 0040A2A6, 0040A321, 0040A39C, 0040A417, 0040A492, 0040A50D, 0040A588, 0040A603, 0040A67E, 0040A6F9, 0040A774, 0040A7EF, 0040A86A, 0040A8E5, 0040A960, 0040A9DB, 0040AA56, 0040AAD1, 0040AB4C, 0040ABC7, 0040AC42, 0040ACBD, 0040AD38, 0040ADB3, 0040AE2E, 0040AEA9, 0040AF24, 0040AF9F, 0040B01A, 0040B095, 0040B110, 0040B18B, 0040B206, 0040B281, 0040B2FC, 0040B377, 0040B3F2, 0040B46D, 0040B4E8, 0040B563, 0040B5DE, 0040B659, 0040B6D4, 0040B74F, 0040B7CA, 0040B845, 0040B8C0, 0040B93B, 0040B9B6, 0040BA31, 0040BAAC, 0040BB27, 0040BBA2, 0040BC1D, 0040BC98, 0040BD13, 0040BD8E, 0040BE09, 0040BE84, 0040BEFF, 0040BF7A, 0040BFF5, 0040C070, 0040C0EB, 0040C166, 0040C1E1, 0040C25C, 0040C2D7, 0040C352, 0040C3CD, 0040C448, 0040C4C3, 0040C53E, 0040C5B9, 0040C634, 0040C6AF, 0040C72A, 0040C7A5, 0040C820, 0040C89B, 0040C916, 0040C991, 0040CA0C, 0040CA87, 0040CB02, 0040CB7D, 0040CBF8, 0040CC73, 0040CCEE, 0040CD69, 0040CDE4, 0040CE5F, 0040CEDA, 0040CF55, 0040CFD0, 0040D04B, 0040D0C6, 0040D141, 0040D1BC, 0040D237, 0040D2B2, 0040D32D, 0040D3A8, 0040D423, 0040D49E, 0040D519, 0040D594, 0040D60F, 0040D68A, 0040D705, 0040D780, 0040D7FB, 0040D876, 0040D8F1, 0040D96C, 0040D9E7, 0040DA62, 0040DADD, 0040DB58, 0040DBD3, 0040DC4E, 0040DCC9, 0040DD44, 0040DDBF, 0040DE3A, 0040DEB5, 0040DF30, 0040DFAB, 0040E026, 0040E0A1, 0040E11C, 0040E197, 0040E212, 0040E28D, 0040E308, 0040E383, 0040E3FE, 0040E479, 0040E4F4, 0040E56F, 0040E5EA, 0040E665, 0040E6E0, 0040E75B, 0040E7D6, 0040E851, 0040E8CC, 0040E947, 0040E9C2, 0040EA3D, 0040EAB8, 0040EB33, 0040EBAE, 0040EC29, 0040ECA4, 0040ED1F, 0040ED9A, 0040EE15, 0040EE90, 0040EF0B, 0040EF86, 0040F001, 0040F07C, 0040F0F7, 0040F172, 0040F1ED, 0040F268, 0040F2E3, 0040F35E, 0040F3D9, 0040F454, 0040F4CF, 0040F54A, 0040F5C5, 0040F640, 0040F6BB, 0040F736, 0040F7B1, 0040F82C, 0040F8A7, 0040F922, 0040F99D, 0040FA18, 0040FA93, 0040FB0E, 0040FB89, 0040FC04, 0040FC7F, 0040FCFA, 0040FD75, 0040FDF0, 0040FE6B, 0040FEE6, 0040FF61, 0040FFDC, 00410057, 004100D2, 0041014D, 004101C8, 00410243, 004102BE, 00410339, 004103B4, 0041042F, 004104AA, 00410525, 004105A0, 0041061B, 00410696, 00410711, 0041078C, 00410807, 00410882, 004108FD, 00410978, 004109F3, 00410A6E, 00410AE9, 00410B64, 00410BDF, 00410C5A, 00410CD5, 00410D50, 00410DCB, 00410E46, 00410EC1, 00410F3C, 00410FB7, 00411032, 004110AD, 00411128, 004111A3, 0041121E, 00411299, 00411314, 0041138F, 0041140A, 00411485, 00411500, 0041157B, 004115F6, 00411671, 004116EC, 00411767, 004117E2, 0041185D, 004118D8, 00411953, 004119CE, 00411A49, 00411AC4, 00411B3F, 00411BBA, 00411C35, 00411CB0, 00411D2B, 00411DA6, 00411E21, 00411E9C, 00411F17, 00411F92, 0041200D, 00412088
Characters: %c %c , xrefs: 00401E0C, 00401E11, 00401E32, 00401E4F, 00401E64, 00401E81, 00401E96, 00401F0E, 00401F89, 00402004, 0040207F, 004020FA, 00402175, 004021F0, 0040226B, 004022E6, 00402361, 004023DC, 00402457, 004024D2, 0040254D, 004025C8, 00402643, 004026BE, 00402739, 004027B4, 0040282F, 004028AA, 00402925, 004029A0, 00402A1B, 00402A96, 00402B11, 00402B8C, 00402C07, 00402C82, 00402CFD, 00402D78, 00402DF3, 00402E6E, 00402EE9, 00402F64, 00402FDF, 0040305A, 004030D5, 00403150, 004031CB, 00403246, 004032C1, 0040333C, 004033B7, 00403432, 004034AD, 00403528, 004035A3, 0040361E, 00403699, 00403714, 0040378F, 0040380A, 00403885, 00403900, 0040397B, 004039F6, 00403A71, 00403AEC, 00403B67, 00403BE2, 00403C5D, 00403CD8, 00403D53, 00403DCE, 00403E49, 00403EC4, 00403F3F, 00403FBA, 00404035, 004040B0, 0040412B, 004041A6, 00404221, 0040429C, 00404317, 00404392, 0040440D, 00404488, 00404503, 0040457E, 004045F9, 00404674, 004046EF, 0040476A, 004047E5, 00404860, 004048DB, 00404956, 004049D1, 00404A4C, 00404AC7, 00404B42, 00404BBD, 00404C38, 00404CB3, 00404D2E, 00404DA9, 00404E24, 00404E9F, 00404F1A, 00404F95, 00405010, 0040508B, 00405106, 00405181, 004051FC, 00405277, 004052F2, 0040536D, 004053E8, 00405463, 004054DE, 00405559, 004055D4, 0040564F, 004056CA, 00405745, 004057C0, 0040583B, 004058B6, 00405931, 004059AC, 00405A27, 00405AA2, 00405B1D, 00405B98, 00405C13, 00405C8E, 00405D09, 00405D84, 00405DFF, 00405E7A, 00405EF5, 00405F70, 00405FEB, 00406066, 004060E1, 0040615C, 004061D7, 00406252, 004062CD, 00406348, 004063C3, 0040643E, 004064B9, 00406534, 004065AF, 0040662A, 004066A5, 00406720, 0040679B, 00406816, 00406891, 0040690C, 00406987, 00406A02, 00406A7D, 00406AF8, 00406B73, 00406BEE, 00406C69, 00406CE4, 00406D5F, 00406DDA, 00406E55, 00406ED0, 00406F4B, 00406FC6, 00407041, 004070BC, 00407137, 004071B2, 0040722D, 004072A8, 00407323, 0040739E, 00407419, 00407494, 0040750F, 0040758A, 00407605, 00407680, 004076FB, 00407776, 004077F1, 0040786C, 004078E7, 00407962, 004079DD, 00407A58, 00407AD3, 00407B4E, 00407BC9, 00407C44, 00407CBF, 00407D3A, 00407DB5, 00407E30, 00407EAB, 00407F26, 00407FA1, 0040801C, 00408097, 00408112, 0040818D, 00408208, 00408283, 004082FE, 00408379, 004083F4, 0040846F, 004084EA, 00408565, 004085E0, 0040865B, 004086D6, 00408751, 004087CC, 00408847, 004088C2, 0040893D, 004089B8, 00408A33, 00408AAE, 00408B29, 00408BA4, 00408C1F, 00408C9A, 00408D15, 00408D90, 00408E0B, 00408E86, 00408F01, 00408F7C, 00408FF7, 00409072, 004090ED, 00409168, 004091E3, 0040925E, 004092D9, 00409354, 004093CF, 0040944A, 004094C5, 00409540, 004095BB, 00409636, 004096B1, 0040972C, 004097A7, 00409822, 0040989D, 00409918, 00409993, 00409A0E, 00409A89, 00409B04, 00409B7F, 00409BFA, 00409C75, 00409CF0, 00409D6B, 00409DE6, 00409E61, 00409EDC, 00409F57, 00409FD2, 0040A04D, 0040A0C8, 0040A143, 0040A1BE, 0040A239, 0040A2B4, 0040A32F, 0040A3AA, 0040A425, 0040A4A0, 0040A51B, 0040A596, 0040A611, 0040A68C, 0040A707, 0040A782, 0040A7FD, 0040A878, 0040A8F3, 0040A96E, 0040A9E9, 0040AA64, 0040AADF, 0040AB5A, 0040ABD5, 0040AC50, 0040ACCB, 0040AD46, 0040ADC1, 0040AE3C, 0040AEB7, 0040AF32, 0040AFAD, 0040B028, 0040B0A3, 0040B11E, 0040B199, 0040B214, 0040B28F, 0040B30A, 0040B385, 0040B400, 0040B47B, 0040B4F6, 0040B571, 0040B5EC, 0040B667, 0040B6E2, 0040B75D, 0040B7D8, 0040B853, 0040B8CE, 0040B949, 0040B9C4, 0040BA3F, 0040BABA, 0040BB35, 0040BBB0, 0040BC2B, 0040BCA6, 0040BD21, 0040BD9C, 0040BE17, 0040BE92, 0040BF0D, 0040BF88, 0040C003, 0040C07E, 0040C0F9, 0040C174, 0040C1EF, 0040C26A, 0040C2E5, 0040C360, 0040C3DB, 0040C456, 0040C4D1, 0040C54C, 0040C5C7, 0040C642, 0040C6BD, 0040C738, 0040C7B3, 0040C82E, 0040C8A9, 0040C924, 0040C99F, 0040CA1A, 0040CA95, 0040CB10, 0040CB8B, 0040CC06, 0040CC81, 0040CCFC, 0040CD77, 0040CDF2, 0040CE6D, 0040CEE8, 0040CF63, 0040CFDE, 0040D059, 0040D0D4, 0040D14F, 0040D1CA, 0040D245, 0040D2C0, 0040D33B, 0040D3B6, 0040D431, 0040D4AC, 0040D527, 0040D5A2, 0040D61D, 0040D698, 0040D713, 0040D78E, 0040D809, 0040D884, 0040D8FF, 0040D97A, 0040D9F5, 0040DA70, 0040DAEB, 0040DB66, 0040DBE1, 0040DC5C, 0040DCD7, 0040DD52, 0040DDCD, 0040DE48, 0040DEC3, 0040DF3E, 0040DFB9, 0040E034, 0040E0AF, 0040E12A, 0040E1A5, 0040E220, 0040E29B, 0040E316, 0040E391, 0040E40C, 0040E487, 0040E502, 0040E57D, 0040E5F8, 0040E673, 0040E6EE, 0040E769, 0040E7E4, 0040E85F, 0040E8DA, 0040E955, 0040E9D0, 0040EA4B, 0040EAC6, 0040EB41, 0040EBBC, 0040EC37, 0040ECB2, 0040ED2D, 0040EDA8, 0040EE23, 0040EE9E, 0040EF19, 0040EF94, 0040F00F, 0040F08A, 0040F105, 0040F180, 0040F1FB, 0040F276, 0040F2F1, 0040F36C, 0040F3E7, 0040F462, 0040F4DD, 0040F558, 0040F5D3, 0040F64E, 0040F6C9, 0040F744, 0040F7BF, 0040F83A, 0040F8B5, 0040F930, 0040F9AB, 0040FA26, 0040FAA1, 0040FB1C, 0040FB97, 0040FC12, 0040FC8D, 0040FD08, 0040FD83, 0040FDFE, 0040FE79, 0040FEF4, 0040FF6F, 0040FFEA, 00410065, 004100E0, 0041015B, 004101D6, 00410251, 004102CC, 00410347, 004103C2, 0041043D, 004104B8, 00410533, 004105AE, 00410629, 004106A4, 0041071F, 0041079A, 00410815, 00410890, 0041090B, 00410986, 00410A01, 00410A7C, 00410AF7, 00410B72, 00410BED, 00410C68, 00410CE3, 00410D5E, 00410DD9, 00410E54, 00410ECF, 00410F4A, 00410FC5, 00411040, 004110BB, 00411136, 004111B1, 0041122C, 004112A7, 00411322, 0041139D, 00411418, 00411493, 0041150E, 00411589, 00411604, 0041167F, 004116FA, 00411775, 004117F0, 0041186B, 004118E6, 00411961, 004119DC, 00411A57, 00411AD2, 00411B4D, 00411BC8, 00411C43, 00411CBE, 00411D39, 00411DB4, 00411E2F, 00411EAA, 00411F25, 00411FA0, 0041201B, 00412096
Preceding with blanks: %10d , xrefs: 00401E41, 00401E73, 00401EA5, 00401F24, 00401F9F, 0040201A, 00402095, 00402110, 0040218B, 00402206, 00402281, 004022FC, 00402377, 004023F2, 0040246D, 004024E8, 00402563, 004025DE, 00402659, 004026D4, 0040274F, 004027CA, 00402845, 004028C0, 0040293B, 004029B6, 00402A31, 00402AAC, 00402B27, 00402BA2, 00402C1D, 00402C98, 00402D13, 00402D8E, 00402E09, 00402E84, 00402EFF, 00402F7A, 00402FF5, 00403070, 004030EB, 00403166, 004031E1, 0040325C, 004032D7, 00403352, 004033CD, 00403448, 004034C3, 0040353E, 004035B9, 00403634, 004036AF, 0040372A, 004037A5, 00403820, 0040389B, 00403916, 00403991, 00403A0C, 00403A87, 00403B02, 00403B7D, 00403BF8, 00403C73, 00403CEE, 00403D69, 00403DE4, 00403E5F, 00403EDA, 00403F55, 00403FD0, 0040404B, 004040C6, 00404141, 004041BC, 00404237, 004042B2, 0040432D, 004043A8, 00404423, 0040449E, 00404519, 00404594, 0040460F, 0040468A, 00404705, 00404780, 004047FB, 00404876, 004048F1, 0040496C, 004049E7, 00404A62, 00404ADD, 00404B58, 00404BD3, 00404C4E, 00404CC9, 00404D44, 00404DBF, 00404E3A, 00404EB5, 00404F30, 00404FAB, 00405026, 004050A1, 0040511C, 00405197, 00405212, 0040528D, 00405308, 00405383, 004053FE, 00405479, 004054F4, 0040556F, 004055EA, 00405665, 004056E0, 0040575B, 004057D6, 00405851, 004058CC, 00405947, 004059C2, 00405A3D, 00405AB8, 00405B33, 00405BAE, 00405C29, 00405CA4, 00405D1F, 00405D9A, 00405E15, 00405E90, 00405F0B, 00405F86, 00406001, 0040607C, 004060F7, 00406172, 004061ED, 00406268, 004062E3, 0040635E, 004063D9, 00406454, 004064CF, 0040654A, 004065C5, 00406640, 004066BB, 00406736, 004067B1, 0040682C, 004068A7, 00406922, 0040699D, 00406A18, 00406A93, 00406B0E, 00406B89, 00406C04, 00406C7F, 00406CFA, 00406D75, 00406DF0, 00406E6B, 00406EE6, 00406F61, 00406FDC, 00407057, 004070D2, 0040714D, 004071C8, 00407243, 004072BE, 00407339, 004073B4, 0040742F, 004074AA, 00407525, 004075A0, 0040761B, 00407696, 00407711, 0040778C, 00407807, 00407882, 004078FD, 00407978, 004079F3, 00407A6E, 00407AE9, 00407B64, 00407BDF, 00407C5A, 00407CD5, 00407D50, 00407DCB, 00407E46, 00407EC1, 00407F3C, 00407FB7, 00408032, 004080AD, 00408128, 004081A3, 0040821E, 00408299, 00408314, 0040838F, 0040840A, 00408485, 00408500, 0040857B, 004085F6, 00408671, 004086EC, 00408767, 004087E2, 0040885D, 004088D8, 00408953, 004089CE, 00408A49, 00408AC4, 00408B3F, 00408BBA, 00408C35, 00408CB0, 00408D2B, 00408DA6, 00408E21, 00408E9C, 00408F17, 00408F92, 0040900D, 00409088, 00409103, 0040917E, 004091F9, 00409274, 004092EF, 0040936A, 004093E5, 00409460, 004094DB, 00409556, 004095D1, 0040964C, 004096C7, 00409742, 004097BD, 00409838, 004098B3, 0040992E, 004099A9, 00409A24, 00409A9F, 00409B1A, 00409B95, 00409C10, 00409C8B, 00409D06, 00409D81, 00409DFC, 00409E77, 00409EF2, 00409F6D, 00409FE8, 0040A063, 0040A0DE, 0040A159, 0040A1D4, 0040A24F, 0040A2CA, 0040A345, 0040A3C0, 0040A43B, 0040A4B6, 0040A531, 0040A5AC, 0040A627, 0040A6A2, 0040A71D, 0040A798, 0040A813, 0040A88E, 0040A909, 0040A984, 0040A9FF, 0040AA7A, 0040AAF5, 0040AB70, 0040ABEB, 0040AC66, 0040ACE1, 0040AD5C, 0040ADD7, 0040AE52, 0040AECD, 0040AF48, 0040AFC3, 0040B03E, 0040B0B9, 0040B134, 0040B1AF, 0040B22A, 0040B2A5, 0040B320, 0040B39B, 0040B416, 0040B491, 0040B50C, 0040B587, 0040B602, 0040B67D, 0040B6F8, 0040B773, 0040B7EE, 0040B869, 0040B8E4, 0040B95F, 0040B9DA, 0040BA55, 0040BAD0, 0040BB4B, 0040BBC6, 0040BC41, 0040BCBC, 0040BD37, 0040BDB2, 0040BE2D, 0040BEA8, 0040BF23, 0040BF9E, 0040C019, 0040C094, 0040C10F, 0040C18A, 0040C205, 0040C280, 0040C2FB, 0040C376, 0040C3F1, 0040C46C, 0040C4E7, 0040C562, 0040C5DD, 0040C658, 0040C6D3, 0040C74E, 0040C7C9, 0040C844, 0040C8BF, 0040C93A, 0040C9B5, 0040CA30, 0040CAAB, 0040CB26, 0040CBA1, 0040CC1C, 0040CC97, 0040CD12, 0040CD8D, 0040CE08, 0040CE83, 0040CEFE, 0040CF79, 0040CFF4, 0040D06F, 0040D0EA, 0040D165, 0040D1E0, 0040D25B, 0040D2D6, 0040D351, 0040D3CC, 0040D447, 0040D4C2, 0040D53D, 0040D5B8, 0040D633, 0040D6AE, 0040D729, 0040D7A4, 0040D81F, 0040D89A, 0040D915, 0040D990, 0040DA0B, 0040DA86, 0040DB01, 0040DB7C, 0040DBF7, 0040DC72, 0040DCED, 0040DD68, 0040DDE3, 0040DE5E, 0040DED9, 0040DF54, 0040DFCF, 0040E04A, 0040E0C5, 0040E140, 0040E1BB, 0040E236, 0040E2B1, 0040E32C, 0040E3A7, 0040E422, 0040E49D, 0040E518, 0040E593, 0040E60E, 0040E689, 0040E704, 0040E77F, 0040E7FA, 0040E875, 0040E8F0, 0040E96B, 0040E9E6, 0040EA61, 0040EADC, 0040EB57, 0040EBD2, 0040EC4D, 0040ECC8, 0040ED43, 0040EDBE, 0040EE39, 0040EEB4, 0040EF2F, 0040EFAA, 0040F025, 0040F0A0, 0040F11B, 0040F196, 0040F211, 0040F28C, 0040F307, 0040F382, 0040F3FD, 0040F478, 0040F4F3, 0040F56E, 0040F5E9, 0040F664, 0040F6DF, 0040F75A, 0040F7D5, 0040F850, 0040F8CB, 0040F946, 0040F9C1, 0040FA3C, 0040FAB7, 0040FB32, 0040FBAD, 0040FC28, 0040FCA3, 0040FD1E, 0040FD99, 0040FE14, 0040FE8F, 0040FF0A, 0040FF85, 00410000, 0041007B, 004100F6, 00410171, 004101EC, 00410267, 004102E2, 0041035D, 004103D8, 00410453, 004104CE, 00410549, 004105C4, 0041063F, 004106BA, 00410735, 004107B0, 0041082B, 004108A6, 00410921, 0041099C, 00410A17, 00410A92, 00410B0D, 00410B88, 00410C03, 00410C7E, 00410CF9, 00410D74, 00410DEF, 00410E6A, 00410EE5, 00410F60, 00410FDB, 00411056, 004110D1, 0041114C, 004111C7, 00411242, 004112BD, 00411338, 004113B3, 0041142E, 004114A9, 00411524, 0041159F, 0041161A, 00411695, 00411710, 0041178B, 00411806, 00411881, 004118FC, 00411977, 004119F2, 00411A6D, 00411AE8, 00411B63, 00411BDE, 00411C59, 00411CD4, 00411D4F, 00411DCA, 00411E45, 00411EC0, 00411F3B, 00411FB6, 00412031
Decimals: %d %ld, xrefs: 00401E23, 00401E28, 00401E3A, 00401E5A, 00401E6C, 00401E89, 00401E9E, 00401F1A, 00401F95, 00402010, 0040208B, 00402106, 00402181, 004021FC, 00402277, 004022F2, 0040236D, 004023E8, 00402463, 004024DE, 00402559, 004025D4, 0040264F, 004026CA, 00402745, 004027C0, 0040283B, 004028B6, 00402931, 004029AC, 00402A27, 00402AA2, 00402B1D, 00402B98, 00402C13, 00402C8E, 00402D09, 00402D84, 00402DFF, 00402E7A, 00402EF5, 00402F70, 00402FEB, 00403066, 004030E1, 0040315C, 004031D7, 00403252, 004032CD, 00403348, 004033C3, 0040343E, 004034B9, 00403534, 004035AF, 0040362A, 004036A5, 00403720, 0040379B, 00403816, 00403891, 0040390C, 00403987, 00403A02, 00403A7D, 00403AF8, 00403B73, 00403BEE, 00403C69, 00403CE4, 00403D5F, 00403DDA, 00403E55, 00403ED0, 00403F4B, 00403FC6, 00404041, 004040BC, 00404137, 004041B2, 0040422D, 004042A8, 00404323, 0040439E, 00404419, 00404494, 0040450F, 0040458A, 00404605, 00404680, 004046FB, 00404776, 004047F1, 0040486C, 004048E7, 00404962, 004049DD, 00404A58, 00404AD3, 00404B4E, 00404BC9, 00404C44, 00404CBF, 00404D3A, 00404DB5, 00404E30, 00404EAB, 00404F26, 00404FA1, 0040501C, 00405097, 00405112, 0040518D, 00405208, 00405283, 004052FE, 00405379, 004053F4, 0040546F, 004054EA, 00405565, 004055E0, 0040565B, 004056D6, 00405751, 004057CC, 00405847, 004058C2, 0040593D, 004059B8, 00405A33, 00405AAE, 00405B29, 00405BA4, 00405C1F, 00405C9A, 00405D15, 00405D90, 00405E0B, 00405E86, 00405F01, 00405F7C, 00405FF7, 00406072, 004060ED, 00406168, 004061E3, 0040625E, 004062D9, 00406354, 004063CF, 0040644A, 004064C5, 00406540, 004065BB, 00406636, 004066B1, 0040672C, 004067A7, 00406822, 0040689D, 00406918, 00406993, 00406A0E, 00406A89, 00406B04, 00406B7F, 00406BFA, 00406C75, 00406CF0, 00406D6B, 00406DE6, 00406E61, 00406EDC, 00406F57, 00406FD2, 0040704D, 004070C8, 00407143, 004071BE, 00407239, 004072B4, 0040732F, 004073AA, 00407425, 004074A0, 0040751B, 00407596, 00407611, 0040768C, 00407707, 00407782, 004077FD, 00407878, 004078F3, 0040796E, 004079E9, 00407A64, 00407ADF, 00407B5A, 00407BD5, 00407C50, 00407CCB, 00407D46, 00407DC1, 00407E3C, 00407EB7, 00407F32, 00407FAD, 00408028, 004080A3, 0040811E, 00408199, 00408214, 0040828F, 0040830A, 00408385, 00408400, 0040847B, 004084F6, 00408571, 004085EC, 00408667, 004086E2, 0040875D, 004087D8, 00408853, 004088CE, 00408949, 004089C4, 00408A3F, 00408ABA, 00408B35, 00408BB0, 00408C2B, 00408CA6, 00408D21, 00408D9C, 00408E17, 00408E92, 00408F0D, 00408F88, 00409003, 0040907E, 004090F9, 00409174, 004091EF, 0040926A, 004092E5, 00409360, 004093DB, 00409456, 004094D1, 0040954C, 004095C7, 00409642, 004096BD, 00409738, 004097B3, 0040982E, 004098A9, 00409924, 0040999F, 00409A1A, 00409A95, 00409B10, 00409B8B, 00409C06, 00409C81, 00409CFC, 00409D77, 00409DF2, 00409E6D, 00409EE8, 00409F63, 00409FDE, 0040A059, 0040A0D4, 0040A14F, 0040A1CA, 0040A245, 0040A2C0, 0040A33B, 0040A3B6, 0040A431, 0040A4AC, 0040A527, 0040A5A2, 0040A61D, 0040A698, 0040A713, 0040A78E, 0040A809, 0040A884, 0040A8FF, 0040A97A, 0040A9F5, 0040AA70, 0040AAEB, 0040AB66, 0040ABE1, 0040AC5C, 0040ACD7, 0040AD52, 0040ADCD, 0040AE48, 0040AEC3, 0040AF3E, 0040AFB9, 0040B034, 0040B0AF, 0040B12A, 0040B1A5, 0040B220, 0040B29B, 0040B316, 0040B391, 0040B40C, 0040B487, 0040B502, 0040B57D, 0040B5F8, 0040B673, 0040B6EE, 0040B769, 0040B7E4, 0040B85F, 0040B8DA, 0040B955, 0040B9D0, 0040BA4B, 0040BAC6, 0040BB41, 0040BBBC, 0040BC37, 0040BCB2, 0040BD2D, 0040BDA8, 0040BE23, 0040BE9E, 0040BF19, 0040BF94, 0040C00F, 0040C08A, 0040C105, 0040C180, 0040C1FB, 0040C276, 0040C2F1, 0040C36C, 0040C3E7, 0040C462, 0040C4DD, 0040C558, 0040C5D3, 0040C64E, 0040C6C9, 0040C744, 0040C7BF, 0040C83A, 0040C8B5, 0040C930, 0040C9AB, 0040CA26, 0040CAA1, 0040CB1C, 0040CB97, 0040CC12, 0040CC8D, 0040CD08, 0040CD83, 0040CDFE, 0040CE79, 0040CEF4, 0040CF6F, 0040CFEA, 0040D065, 0040D0E0, 0040D15B, 0040D1D6, 0040D251, 0040D2CC, 0040D347, 0040D3C2, 0040D43D, 0040D4B8, 0040D533, 0040D5AE, 0040D629, 0040D6A4, 0040D71F, 0040D79A, 0040D815, 0040D890, 0040D90B, 0040D986, 0040DA01, 0040DA7C, 0040DAF7, 0040DB72, 0040DBED, 0040DC68, 0040DCE3, 0040DD5E, 0040DDD9, 0040DE54, 0040DECF, 0040DF4A, 0040DFC5, 0040E040, 0040E0BB, 0040E136, 0040E1B1, 0040E22C, 0040E2A7, 0040E322, 0040E39D, 0040E418, 0040E493, 0040E50E, 0040E589, 0040E604, 0040E67F, 0040E6FA, 0040E775, 0040E7F0, 0040E86B, 0040E8E6, 0040E961, 0040E9DC, 0040EA57, 0040EAD2, 0040EB4D, 0040EBC8, 0040EC43, 0040ECBE, 0040ED39, 0040EDB4, 0040EE2F, 0040EEAA, 0040EF25, 0040EFA0, 0040F01B, 0040F096, 0040F111, 0040F18C, 0040F207, 0040F282, 0040F2FD, 0040F378, 0040F3F3, 0040F46E, 0040F4E9, 0040F564, 0040F5DF, 0040F65A, 0040F6D5, 0040F750, 0040F7CB, 0040F846, 0040F8C1, 0040F93C, 0040F9B7, 0040FA32, 0040FAAD, 0040FB28, 0040FBA3, 0040FC1E, 0040FC99, 0040FD14, 0040FD8F, 0040FE0A, 0040FE85, 0040FF00, 0040FF7B, 0040FFF6, 00410071, 004100EC, 00410167, 004101E2, 0041025D, 004102D8, 00410353, 004103CE, 00410449, 004104C4, 0041053F, 004105BA, 00410635, 004106B0, 0041072B, 004107A6, 00410821, 0041089C, 00410917, 00410992, 00410A0D, 00410A88, 00410B03, 00410B7E, 00410BF9, 00410C74, 00410CEF, 00410D6A, 00410DE5, 00410E60, 00410EDB, 00410F56, 00410FD1, 0041104C, 004110C7, 00411142, 004111BD, 00411238, 004112B3, 0041132E, 004113A9, 00411424, 0041149F, 0041151A, 00411595, 00411610, 0041168B, 00411706, 00411781, 004117FC, 00411877, 004118F2, 0041196D, 004119E8, 00411A63, 00411ADE, 00411B59, 00411BD4, 00411C4F, 00411CCA, 00411D45, 00411DC0, 00411E3B, 00411EB6, 00411F31, 00411FAC, 00412027
SysWOW64\picturerus.exe, xrefs: 00401E17, 00401E1C, 00401E38, 00401E58, 00401E6A, 00401E87, 00401E9C, 00401F14, 00401F8F, 0040200A, 00402085, 00402100, 0040217B, 004021F6, 00402271, 004022EC, 00402367, 004023E2, 0040245D, 004024D8, 00402553, 004025CE, 00402649, 004026C4, 0040273F, 004027BA, 00402835, 004028B0, 0040292B, 004029A6, 00402A21, 00402A9C, 00402B17, 00402B92, 00402C0D, 00402C88, 00402D03, 00402D7E, 00402DF9, 00402E74, 00402EEF, 00402F6A, 00402FE5, 00403060, 004030DB, 00403156, 004031D1, 0040324C, 004032C7, 00403342, 004033BD, 00403438, 004034B3, 0040352E, 004035A9, 00403624, 0040369F, 0040371A, 00403795, 00403810, 0040388B, 00403906, 00403981, 004039FC, 00403A77, 00403AF2, 00403B6D, 00403BE8, 00403C63, 00403CDE, 00403D59, 00403DD4, 00403E4F, 00403ECA, 00403F45, 00403FC0, 0040403B, 004040B6, 00404131, 004041AC, 00404227, 004042A2, 0040431D, 00404398, 00404413, 0040448E, 00404509, 00404584, 004045FF, 0040467A, 004046F5, 00404770, 004047EB, 00404866, 004048E1, 0040495C, 004049D7, 00404A52, 00404ACD, 00404B48, 00404BC3, 00404C3E, 00404CB9, 00404D34, 00404DAF, 00404E2A, 00404EA5, 00404F20, 00404F9B, 00405016, 00405091, 0040510C, 00405187, 00405202, 0040527D, 004052F8, 00405373, 004053EE, 00405469, 004054E4, 0040555F, 004055DA, 00405655, 004056D0, 0040574B, 004057C6, 00405841, 004058BC, 00405937, 004059B2, 00405A2D, 00405AA8, 00405B23, 00405B9E, 00405C19, 00405C94, 00405D0F, 00405D8A, 00405E05, 00405E80, 00405EFB, 00405F76, 00405FF1, 0040606C, 004060E7, 00406162, 004061DD, 00406258, 004062D3, 0040634E, 004063C9, 00406444, 004064BF, 0040653A, 004065B5, 00406630, 004066AB, 00406726, 004067A1, 0040681C, 00406897, 00406912, 0040698D, 00406A08, 00406A83, 00406AFE, 00406B79, 00406BF4, 00406C6F, 00406CEA, 00406D65, 00406DE0, 00406E5B, 00406ED6, 00406F51, 00406FCC, 00407047, 004070C2, 0040713D, 004071B8, 00407233, 004072AE, 00407329, 004073A4, 0040741F, 0040749A, 00407515, 00407590, 0040760B, 00407686, 00407701, 0040777C, 004077F7, 00407872, 004078ED, 00407968, 004079E3, 00407A5E, 00407AD9, 00407B54, 00407BCF, 00407C4A, 00407CC5, 00407D40, 00407DBB, 00407E36, 00407EB1, 00407F2C, 00407FA7, 00408022, 0040809D, 00408118, 00408193, 0040820E, 00408289, 00408304, 0040837F, 004083FA, 00408475, 004084F0, 0040856B, 004085E6, 00408661, 004086DC, 00408757, 004087D2, 0040884D, 004088C8, 00408943, 004089BE, 00408A39, 00408AB4, 00408B2F, 00408BAA, 00408C25, 00408CA0, 00408D1B, 00408D96, 00408E11, 00408E8C, 00408F07, 00408F82, 00408FFD, 00409078, 004090F3, 0040916E, 004091E9, 00409264, 004092DF, 0040935A, 004093D5, 00409450, 004094CB, 00409546, 004095C1, 0040963C, 004096B7, 00409732, 004097AD, 00409828, 004098A3, 0040991E, 00409999, 00409A14, 00409A8F, 00409B0A, 00409B85, 00409C00, 00409C7B, 00409CF6, 00409D71, 00409DEC, 00409E67, 00409EE2, 00409F5D, 00409FD8, 0040A053, 0040A0CE, 0040A149, 0040A1C4, 0040A23F, 0040A2BA, 0040A335, 0040A3B0, 0040A42B, 0040A4A6, 0040A521, 0040A59C, 0040A617, 0040A692, 0040A70D, 0040A788, 0040A803, 0040A87E, 0040A8F9, 0040A974, 0040A9EF, 0040AA6A, 0040AAE5, 0040AB60, 0040ABDB, 0040AC56, 0040ACD1, 0040AD4C, 0040ADC7, 0040AE42, 0040AEBD, 0040AF38, 0040AFB3, 0040B02E, 0040B0A9, 0040B124, 0040B19F, 0040B21A, 0040B295, 0040B310, 0040B38B, 0040B406, 0040B481, 0040B4FC, 0040B577, 0040B5F2, 0040B66D, 0040B6E8, 0040B763, 0040B7DE, 0040B859, 0040B8D4, 0040B94F, 0040B9CA, 0040BA45, 0040BAC0, 0040BB3B, 0040BBB6, 0040BC31, 0040BCAC, 0040BD27, 0040BDA2, 0040BE1D, 0040BE98, 0040BF13, 0040BF8E, 0040C009, 0040C084, 0040C0FF, 0040C17A, 0040C1F5, 0040C270, 0040C2EB, 0040C366, 0040C3E1, 0040C45C, 0040C4D7, 0040C552, 0040C5CD, 0040C648, 0040C6C3, 0040C73E, 0040C7B9, 0040C834, 0040C8AF, 0040C92A, 0040C9A5, 0040CA20, 0040CA9B, 0040CB16, 0040CB91, 0040CC0C, 0040CC87, 0040CD02, 0040CD7D, 0040CDF8, 0040CE73, 0040CEEE, 0040CF69, 0040CFE4, 0040D05F, 0040D0DA, 0040D155, 0040D1D0, 0040D24B, 0040D2C6, 0040D341, 0040D3BC, 0040D437, 0040D4B2, 0040D52D, 0040D5A8, 0040D623, 0040D69E, 0040D719, 0040D794, 0040D80F, 0040D88A, 0040D905, 0040D980, 0040D9FB, 0040DA76, 0040DAF1, 0040DB6C, 0040DBE7, 0040DC62, 0040DCDD, 0040DD58, 0040DDD3, 0040DE4E, 0040DEC9, 0040DF44, 0040DFBF, 0040E03A, 0040E0B5, 0040E130, 0040E1AB, 0040E226, 0040E2A1, 0040E31C, 0040E397, 0040E412, 0040E48D, 0040E508, 0040E583, 0040E5FE, 0040E679, 0040E6F4, 0040E76F, 0040E7EA, 0040E865, 0040E8E0, 0040E95B, 0040E9D6, 0040EA51, 0040EACC, 0040EB47, 0040EBC2, 0040EC3D, 0040ECB8, 0040ED33, 0040EDAE, 0040EE29, 0040EEA4, 0040EF1F, 0040EF9A, 0040F015, 0040F090, 0040F10B, 0040F186, 0040F201, 0040F27C, 0040F2F7, 0040F372, 0040F3ED, 0040F468, 0040F4E3, 0040F55E, 0040F5D9, 0040F654, 0040F6CF, 0040F74A, 0040F7C5, 0040F840, 0040F8BB, 0040F936, 0040F9B1, 0040FA2C, 0040FAA7, 0040FB22, 0040FB9D, 0040FC18, 0040FC93, 0040FD0E, 0040FD89, 0040FE04, 0040FE7F, 0040FEFA, 0040FF75, 0040FFF0, 0041006B, 004100E6, 00410161, 004101DC, 00410257, 004102D2, 0041034D, 004103C8, 00410443, 004104BE, 00410539, 004105B4, 0041062F, 004106AA, 00410725, 004107A0, 0041081B, 00410896, 00410911, 0041098C, 00410A07, 00410A82, 00410AFD, 00410B78, 00410BF3, 00410C6E, 00410CE9, 00410D64, 00410DDF, 00410E5A, 00410ED5, 00410F50, 00410FCB, 00411046, 004110C1, 0041113C, 004111B7, 00411232, 004112AD, 00411328, 004113A3, 0041141E, 00411499, 00411514, 0041158F, 0041160A, 00411685, 00411700, 0041177B, 004117F6, 00411871, 004118EC, 00411967, 004119E2, 00411A5D, 00411AD8, 00411B53, 00411BCE, 00411C49, 00411CC4, 00411D3F, 00411DBA, 00411E35, 00411EB0, 00411F2B, 00411FA6, 00412021

Memory Dump Source

Source File: 00000001.00000002.241010397.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.241007014.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241044402.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241059751.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.241069773.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241075800.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241080211.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241084393.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CallProcWindow$AllocByteCharLoadMultiStringVirtualWide
String ID: %s $A string$Characters: %c %c $Decimals: %d %ld$Preceding with blanks: %10d $Preceding with zeros: %010d $Some different radices: %d %x %o %#x %#o $SysWOW64\picturerus.exe$Width trick: %*d $floats: %4.2f %+.0e %E
API String ID: 965092674-2533761222
Opcode ID: 4faedc87637a6878093169c4d3d605fe4ab5dc08f946da224ed09edfd01ae1de
Instruction ID: 0aebab6a80ce3fde290079580919b52b1e3247745899e55c1e150ea4edafc8a6
Opcode Fuzzy Hash: 4faedc87637a6878093169c4d3d605fe4ab5dc08f946da224ed09edfd01ae1de
Instruction Fuzzy Hash: EF3422F0794B0170DD217A728D7BFBF1A189F61B8AF20084FF9D4342E3999D5AA4416E

Uniqueness

Uniqueness Score: -1.00%

Function 004315F6, Relevance: 16.6, APIs: 11, Instructions: 120COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004315FB
FindResourceA.KERNEL32(?,00000000,00000005), ref: 00431633
LoadResource.KERNEL32(?,00000000), ref: 0043163B

Part of subcall function 00433622: UnhookWindowsHookEx.USER32(?), ref: 00433647

LockResource.KERNEL32(00000000), ref: 0043164D
GetDesktopWindow.USER32 ref: 0043167A
IsWindowEnabled.USER32(00000000), ref: 00431688
EnableWindow.USER32(00000000,00000000), ref: 00431697
EnableWindow.USER32(00000000,00000001), ref: 00431726
GetActiveWindow.USER32 ref: 00431731
SetActiveWindow.USER32(00000000), ref: 0043173F
FreeResource.KERNEL32(00000000), ref: 0043175B

Memory Dump Source

Source File: 00000001.00000002.241010397.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.241007014.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241044402.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241059751.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.241069773.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241075800.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241080211.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241084393.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Window$Resource$ActiveEnable$DesktopEnabledFindFreeH_prologHookLoadLockUnhookWindows
String ID:
API String ID: 833315621-0
Opcode ID: ce71086b03d54d9c65edfdc0c6feb1ec0fe07aa3cb5f2fb9872758785c552c6d
Instruction ID: c80a947bf2f6b874c5c82c51990a73349f493b2a6f47a5415102d4061b6d75a7
Opcode Fuzzy Hash: ce71086b03d54d9c65edfdc0c6feb1ec0fe07aa3cb5f2fb9872758785c552c6d
Instruction Fuzzy Hash: A8418030900705DFDB21AFA5C95A7BEBBB5AF08716F14102FF102A22A1CB789941CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00434CC5, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00434CCA
GetPropA.USER32 ref: 00434CE2
CallWindowProcA.USER32 ref: 00434D40

Part of subcall function 00433D23: GetWindowRect.USER32 ref: 00433D48
Part of subcall function 00433D23: GetWindow.USER32(?,00000004), ref: 00433D65

SetWindowLongA.USER32 ref: 00434D70
RemovePropA.USER32 ref: 00434D78
GlobalFindAtomA.KERNEL32 ref: 00434D7F
GlobalDeleteAtom.KERNEL32 ref: 00434D86

Part of subcall function 00432754: GetWindowRect.USER32 ref: 00432760

CallWindowProcA.USER32 ref: 00434DDA

Strings

AfxOldWndProc423, xrefs: 00434CDB, 00434CE0, 00434D76, 00434D7E

Memory Dump Source

Source File: 00000001.00000002.241010397.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.241007014.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241044402.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241059751.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.241069773.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241075800.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241080211.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241084393.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
String ID: AfxOldWndProc423
API String ID: 2397448395-1060338832
Opcode ID: ff15bca09e0eb7e406143482a3ef9c335fcd6e55898f3d77f75a080db70639e7
Instruction ID: 12abf3a039a44a727739dfb4959889e1be9217344ea0f0b479962cac14099a61
Opcode Fuzzy Hash: ff15bca09e0eb7e406143482a3ef9c335fcd6e55898f3d77f75a080db70639e7
Instruction Fuzzy Hash: 0C316172800219BBCB119FA5DD49EFF7F78FF49316F00412AF501A2161C739AA119BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0044EAAF, Relevance: 15.1, APIs: 10, Instructions: 99memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0047B6F4,75144DE0,?,?,0047B6D8,0047B6D8,?,0044F06F,75144DE0,00000000,?,0044D598,0044C800,0044D5B4,00437F34,0043B484), ref: 0044EAC0
GlobalAlloc.KERNELBASE(00000002,00000040,?,?,0047B6D8,0047B6D8,?,0044F06F,75144DE0,00000000,?,0044D598,0044C800,0044D5B4,00437F34,0043B484), ref: 0044EB11
GlobalHandle.KERNEL32(004BA078), ref: 0044EB1A
GlobalUnlock.KERNEL32(00000000,?,?,0047B6D8,0047B6D8,?,0044F06F,75144DE0,00000000,?,0044D598,0044C800,0044D5B4,00437F34,0043B484,75144DE0), ref: 0044EB24
GlobalReAlloc.KERNEL32 ref: 0044EB38
GlobalHandle.KERNEL32(004BA078), ref: 0044EB4A
GlobalLock.KERNEL32 ref: 0044EB51
LeaveCriticalSection.KERNEL32(?,?,?,0047B6D8,0047B6D8,?,0044F06F,75144DE0,00000000,?,0044D598,0044C800,0044D5B4,00437F34,0043B484,75144DE0), ref: 0044EB5A
GlobalLock.KERNEL32 ref: 0044EB66
LeaveCriticalSection.KERNEL32(?), ref: 0044EBAE

Memory Dump Source

Source File: 00000001.00000002.241010397.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.241007014.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241044402.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241059751.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.241069773.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241075800.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241080211.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241084393.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: b04793688510a88f67e5c568a89932a2d6769de8e8383a32167a042d3a654f9b
Instruction ID: f7f23203b9efe10dc177ef4e6959b102c6c9f186cb83817a26fe115b791422a3
Opcode Fuzzy Hash: b04793688510a88f67e5c568a89932a2d6769de8e8383a32167a042d3a654f9b
Instruction Fuzzy Hash: B431EE30A00B05AFD720CF6ADC98A6ABBF9FF40345B01496EE956D3621D778F940CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004313E9, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004313EE
GetSystemMetrics.USER32 ref: 004314B2
GlobalLock.KERNEL32 ref: 0043151D
CreateDialogIndirectParamA.USER32(?,?,?,Function_00030DE2,00000000), ref: 0043154C

Strings

MS Shell Dlg, xrefs: 004314BC

Memory Dump Source

Source File: 00000001.00000002.241010397.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.241007014.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241044402.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241059751.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.241069773.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241075800.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241080211.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241084393.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CreateDialogGlobalH_prologIndirectLockMetricsParamSystem
String ID: MS Shell Dlg
API String ID: 2364537584-76309092
Opcode ID: b1838b986e74c8f40b3d4ecf676eea66dee448865fa6d39ddd366ea3ccbe1829
Instruction ID: e0f64d9ec0343e99e2e9ee4d9acaebb91454337ed0347725652701e1449b16bc
Opcode Fuzzy Hash: b1838b986e74c8f40b3d4ecf676eea66dee448865fa6d39ddd366ea3ccbe1829
Instruction Fuzzy Hash: 6751A431900205EFCF119FA4C8859EEBBB5EF48315F24556BF412A72A2DB389E41CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00432655, Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNELBASE(COMCTL32.DLL,00008000,00000000,00000400,0043346D,00000000,00040000,00000000,?), ref: 0043265E
LoadLibraryA.KERNEL32(COMCTL32.DLL,?,?,?,?,?,?,?,?,?,00431431,00000010,00000000), ref: 00432667
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0043267B
#17.COMCTL32(?,?,?,?,?,?,?,?,?,00431431,00000010,00000000), ref: 00432696
#17.COMCTL32(?,?,?,?,?,?,?,?,?,00431431,00000010,00000000), ref: 004326B2
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00431431,00000010,00000000), ref: 004326BF

Strings

InitCommonControlsEx, xrefs: 00432673
COMCTL32.DLL, xrefs: 00432658, 0043265D, 00432664

Memory Dump Source

Source File: 00000001.00000002.241010397.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.241007014.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241044402.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241059751.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.241069773.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241075800.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241080211.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241084393.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: COMCTL32.DLL$InitCommonControlsEx
API String ID: 1437655972-4218389149
Opcode ID: fbc869dff4a4af753050b1c1a6b0d85685cb09798fd04b456239473298ed4885
Instruction ID: 5fa1d96a4472cd52907bff507a2bc74d54206005f978a52e19e2591faae4ea83
Opcode Fuzzy Hash: fbc869dff4a4af753050b1c1a6b0d85685cb09798fd04b456239473298ed4885
Instruction Fuzzy Hash: 23F0A9326007229787115B659D59A2FB6ECBF94753B451436F805F3211CFA8EC0586AD

Uniqueness

Uniqueness Score: -1.00%

Function 00450457, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104,?,?), ref: 00450498
PathFindExtensionA.KERNELBASE(?), ref: 004504B2
lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0045054C
lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 00450579

Strings

.CHM, xrefs: 0045053D
.HLP, xrefs: 00450544
.INI, xrefs: 0045056D

Memory Dump Source

Source File: 00000001.00000002.241010397.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.241007014.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241044402.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241059751.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.241069773.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241075800.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241080211.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241084393.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ExtensionFileFindModuleNamePathlstrcatlstrcpy
String ID: .CHM$.HLP$.INI
API String ID: 2140653559-4017452060
Opcode ID: 77cb3e02a1d5fd2dcdfbfdbf5264098ea0434eb04d60befdb6af3fc4bd62b3ee
Instruction ID: b6df33e5751ea74f5826cc98093051f0f3abe019c6a471caf1ebe553c2435343
Opcode Fuzzy Hash: 77cb3e02a1d5fd2dcdfbfdbf5264098ea0434eb04d60befdb6af3fc4bd62b3ee
Instruction Fuzzy Hash: 70412875500B09AFCB71EFA5D845BDA77E8AB08306F10482FFA89C6242EB38D5448F25

Uniqueness

Uniqueness Score: -1.00%

Function 0043918C, Relevance: 12.0, APIs: 8, Instructions: 38COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL ref: 00439199
GetSystemMetrics.USER32 ref: 004391A0
GetSystemMetrics.USER32 ref: 004391A7
GetSystemMetrics.USER32 ref: 004391B1
GetDC.USER32(00000000), ref: 004391BB
GetDeviceCaps.GDI32(00000000,00000058), ref: 004391CC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004391D4
ReleaseDC.USER32 ref: 004391DC

Memory Dump Source

Source File: 00000001.00000002.241010397.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.241007014.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241044402.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241059751.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.241069773.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241075800.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241080211.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241084393.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aEdlObiYav.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
String ID:
API String ID: 1031845853-0
Opcode ID: 2dbb417450004d57444fbcb471158f4b0ee786ac08df754a132355d1f0c5ae34
Instruction ID: 042a91b24d9d83c6ebad07df20038e5cd2289658d9ba2151f457e89fbd6056d9
Opcode Fuzzy Hash: 2dbb417450004d57444fbcb471158f4b0ee786ac08df754a132355d1f0c5ae34
Instruction Fuzzy Hash: A0F03671A40B04AEE7206F729C59F277BB4EB95B12F11442AE6418B1D1D6B5D8018F54

Uniqueness

Uniqueness Score: -1.00%

Function 0044F45C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044F461
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000000,00000001,00439907,?,?,?,00456DE0), ref: 0044F4DA
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,00000000,00000001,00439907,?,?,?,00456DE0), ref: 0044F50D
RegCloseKey.ADVAPI32(?,?,?,00000000,00000001,00439907,?,?,?,00456DE0), ref: 0044F528
GetPrivateProfileStringA.KERNEL32(?,?,?,?,00001000,?), ref: 0044F57B

Strings

mE, xrefs: 0044F572

Memory Dump Source

Source File: 00000001.00000002.241010397.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.241007014.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241044402.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241059751.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.241069773.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241075800.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241080211.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241084393.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aEdlObiYav.jbxd

Similarity

API ID: QueryValue$CloseH_prologPrivateProfileString
String ID: mE
API String ID: 1022837590-852767849
Opcode ID: 249ea3ed76278fdc5f2ad60c9f866fb1f1cab811b581774d5f974148515f067f
Instruction ID: f1cded26cd753e4b897d3bf62b173a12f1a3ee0e8f92eae1bcd43dace040cb53
Opcode Fuzzy Hash: 249ea3ed76278fdc5f2ad60c9f866fb1f1cab811b581774d5f974148515f067f
Instruction Fuzzy Hash: 0D416770800259FBDF20DF11CC408EEBB79FF48354F0084AAF959A6261D7B89A95EF54

Uniqueness

Uniqueness Score: -1.00%

Function 004505A5, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000000,00000000,0043B4A3,?,?,?,?,75144DE0,00000000,?,00419D19,00000000), ref: 004505AE
SetErrorMode.KERNELBASE(00000000,?,00419D19,00000000), ref: 004505B6
GetModuleHandleA.KERNEL32(user32.dll,00419D19,00000000), ref: 00450601
GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 00450611

Part of subcall function 00450457: GetModuleFileNameA.KERNEL32(?,?,00000104,?,?), ref: 00450498
Part of subcall function 00450457: PathFindExtensionA.KERNELBASE(?), ref: 004504B2
Part of subcall function 00450457: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0045054C
Part of subcall function 00450457: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 00450579

Strings

NotifyWinEvent, xrefs: 0045060B
user32.dll, xrefs: 004505FC

Memory Dump Source

Source File: 00000001.00000002.241010397.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.241007014.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241044402.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241059751.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.241069773.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241075800.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241080211.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241084393.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ErrorModeModule$AddressExtensionFileFindHandleNamePathProclstrcatlstrcpy
String ID: NotifyWinEvent$user32.dll
API String ID: 4004864024-597752486
Opcode ID: b50bf68e2b5de257a348941957a5666d38a24f24bd2454486d7854c91595e3bd
Instruction ID: 74da4d911cd3c67dbcb73de4fb85063a1f61eb744a766c99006dd413cafa1df5
Opcode Fuzzy Hash: b50bf68e2b5de257a348941957a5666d38a24f24bd2454486d7854c91595e3bd
Instruction Fuzzy Hash: 94014BB4A10710AFD710EF619804A1A7B94AF08706F05886FF84997363DF78C844CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 0044DB78, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044DB7D

Part of subcall function 00439945: __EH_prolog.LIBCMT ref: 0043994A

Strings

PreviewPages, xrefs: 0044DBE0
Settings, xrefs: 0044DBE5
Recent File List, xrefs: 0044DBBF
File%d, xrefs: 0044DBBA

Memory Dump Source

Source File: 00000001.00000002.241010397.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.241007014.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241044402.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241059751.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.241069773.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241075800.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241080211.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241084393.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aEdlObiYav.jbxd

Similarity

API ID: H_prolog
String ID: File%d$PreviewPages$Recent File List$Settings
API String ID: 3519838083-526586445
Opcode ID: f06a5cb311d69bc97bd4333ebde88718be601381b48ec27b8e411bc5b28f1ba3
Instruction ID: 6ecb9a6e47c6ed6da365f7f5841e959e2fb76d13caa31787ec29dc486ad6f34b
Opcode Fuzzy Hash: f06a5cb311d69bc97bd4333ebde88718be601381b48ec27b8e411bc5b28f1ba3
Instruction Fuzzy Hash: 5D014971E04340ABDB25DF689C01BAF7AB1FB85B10F20452FF821A7382CBB80900C758

Uniqueness

Uniqueness Score: -1.00%

Function 0041257E, Relevance: 7.6, APIs: 5, Instructions: 70windowencryptionCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412583
CertOpenStore.CRYPT32(00000000,00000000,00000000,00000000,00000000), ref: 00412595
GetSystemMenu.USER32(?,00000000), ref: 004125CB
AppendMenuA.USER32 ref: 00412610
AppendMenuA.USER32 ref: 0041261B

Part of subcall function 00401D3B: LoadStringW.USER32(00000005,0000000A,00000000,00000000), ref: 00401D4F

Memory Dump Source

Source File: 00000001.00000002.241010397.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.241007014.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241044402.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241059751.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.241069773.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241075800.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241080211.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241084393.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Menu$Append$CertH_prologLoadOpenStoreStringSystem
String ID:
API String ID: 2154892219-0
Opcode ID: 11bb417483d622feea004db716fe9203556d7dc3c7520d62cdc46bb90d24d3f2
Instruction ID: acac48fb911abb386090c21b2f7dd5dbfc6e7f2fbe9a5444ef82efc6a18a4669
Opcode Fuzzy Hash: 11bb417483d622feea004db716fe9203556d7dc3c7520d62cdc46bb90d24d3f2
Instruction Fuzzy Hash: 2C110B70900114AFDB107BB6CC55EAFBB35FF44324F00452EF115E72A2CB7898108BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0044D9CA, Relevance: 6.1, APIs: 4, Instructions: 71registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000001,004781F0,00000000,00000001,?), ref: 0044DA0D
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000004), ref: 0044DA2D
RegCloseKey.ADVAPI32(?), ref: 0044DA71
RegCloseKey.ADVAPI32(00000000), ref: 0044DA87

Memory Dump Source

Source File: 00000001.00000002.241010397.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.241007014.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241044402.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241059751.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.241069773.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241075800.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241080211.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241084393.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID:
API String ID: 1607946009-0
Opcode ID: e5fe929cb7eb099dfd86e2b72a41db03c230be63d796b1944a5c0b7d55085c9c
Instruction ID: 7605e3d858354b6adad4e8cc50f48b23ac3a8088f01cb4c1ddeff153822fe4fb
Opcode Fuzzy Hash: e5fe929cb7eb099dfd86e2b72a41db03c230be63d796b1944a5c0b7d55085c9c
Instruction Fuzzy Hash: DD2138B1D04208EFEB14CF96CC45AAEBBB8EF90705F1040ABE505B6261D7745A00CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0044F3F3, Relevance: 4.5, APIs: 3, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?,?,?), ref: 0044F42C
RegCloseKey.ADVAPI32(00000000,?,?), ref: 0044F435
GetPrivateProfileIntA.KERNEL32 ref: 0044F451

Memory Dump Source

Source File: 00000001.00000002.241010397.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.241007014.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241044402.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241059751.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.241069773.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241075800.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241080211.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241084393.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ClosePrivateProfileQueryValue
String ID:
API String ID: 1423431592-0
Opcode ID: a5adae195a35fa4e73bf76f32d84e35c62258e7142751bb22f96dca9acb772e9
Instruction ID: 74f09bcaac624bead4b59f43faef543b983ea7b1c8e5fdb6f0ea1876ef778dd1
Opcode Fuzzy Hash: a5adae195a35fa4e73bf76f32d84e35c62258e7142751bb22f96dca9acb772e9
Instruction Fuzzy Hash: 49014672100218FBDB129F80DC04EEF3BB8EF54755F10803AFA05AA110DB75EA199B98

Uniqueness

Uniqueness Score: -1.00%

Function 0041C139, Relevance: 3.1, APIs: 2, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0041C17D
RtlAllocateHeap.NTDLL(00000008,?,0045C8B8,00000010,0041E3E7,00000001,0000008C,?,0041E870,?,00419950,00000001,00478DA0,0045C788,00000010,00401E17), ref: 0041C1BB

Memory Dump Source

Source File: 00000001.00000002.241010397.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.241007014.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241044402.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241059751.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.241069773.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241075800.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241080211.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241084393.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aEdlObiYav.jbxd

Similarity

API ID: AllocateHeap__lock
String ID:
API String ID: 4078605025-0
Opcode ID: 1c62fde75f761435134d66b5f4cffda9508f87cd5b6bc7cb12e4df8c1025f6b6
Instruction ID: c1d28866222c0dc6414e7fea66e701ef6e43db6b2debc05eda2622e8d1883d5a
Opcode Fuzzy Hash: 1c62fde75f761435134d66b5f4cffda9508f87cd5b6bc7cb12e4df8c1025f6b6
Instruction Fuzzy Hash: 1611E632DC0615A6CB21AB658C816DE7B21AF90724F15421BEC24A73D3CB3C8AC18F9C

Uniqueness

Uniqueness Score: -1.00%

Function 004398A4, Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004398A9
wsprintfA.USER32 ref: 004398E6

Part of subcall function 0044F45C: __EH_prolog.LIBCMT ref: 0044F461

Memory Dump Source

Source File: 00000001.00000002.241010397.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.241007014.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241044402.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241059751.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.241069773.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241075800.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241080211.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241084393.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aEdlObiYav.jbxd

Similarity

API ID: H_prolog$wsprintf
String ID:
API String ID: 172397338-0
Opcode ID: 3de8a07d2760c78c032f7f6cf612e55542b580be98464b1f87c14e7a0f445d2a
Instruction ID: b58df83bfa8cb1f87c15a047e07b73912b99d9eb8ca075b9dcc5624172093b3b
Opcode Fuzzy Hash: 3de8a07d2760c78c032f7f6cf612e55542b580be98464b1f87c14e7a0f445d2a
Instruction Fuzzy Hash: 8511B671900605DFCB14EFA9D8819AEB7F5FF48318F10452EF461E7691CB34A904CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041902C, Relevance: 3.0, APIs: 2, Instructions: 34memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0041904E

Part of subcall function 0041C486: EnterCriticalSection.KERNEL32(00478DA0,00478DA0,?,0041E870,?,00419950,00000001,00478DA0,0045C788,00000010,00401E17,Characters: %c %c ,00000061,00000041), ref: 0041C4AE

RtlAllocateHeap.NTDLL(00000000,?,0045C768,0000000C,004190B7,000000E0,004190E2,?,0041C409,00000018,0045C8C8,00000008,0041C49F,?,00478DA0), ref: 0041908F

Memory Dump Source

Source File: 00000001.00000002.241010397.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.241007014.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241044402.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241059751.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.241069773.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241075800.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241080211.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241084393.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aEdlObiYav.jbxd

Similarity

API ID: AllocateCriticalEnterHeapSection__lock
String ID:
API String ID: 409319249-0
Opcode ID: 915dc4749733b52090c7e78aff1820d60ee7a4f24177a6b31d71a6b438375017
Instruction ID: dc5206d65ac73eaf864f438a6c0f78885cd20580cda411dd0d3dda0f5c44dbbb
Opcode Fuzzy Hash: 915dc4749733b52090c7e78aff1820d60ee7a4f24177a6b31d71a6b438375017
Instruction Fuzzy Hash: 85F0F631C80211D6DB24BB759C567DE7B60AB08324F25422EEC58672E1C73C5DC0CB4D

Uniqueness

Uniqueness Score: -1.00%

Function 00431AAC, Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00431AD3
CallWindowProcA.USER32 ref: 00431AE8

Memory Dump Source

Source File: 00000001.00000002.241010397.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.241007014.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241044402.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241059751.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.241069773.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241075800.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241080211.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241084393.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aEdlObiYav.jbxd

Similarity

API ID: ProcWindow$Call
String ID:
API String ID: 2316559721-0
Opcode ID: a8875d60b43fa694f0911aa7ee2c2c2b59b12663bbda4821a0ac7331270e0a87
Instruction ID: 9a5d0fe453fd5e5d442d397c126565b24aef5118643a609f3f89f8589eb6a085
Opcode Fuzzy Hash: a8875d60b43fa694f0911aa7ee2c2c2b59b12663bbda4821a0ac7331270e0a87
Instruction Fuzzy Hash: 01F01536101609EFCF219F95DC18DAA7BBAFF0C352F048429FA0586630D372E820AB54

Uniqueness

Uniqueness Score: -1.00%

Function 0041C4D1, Relevance: 3.0, APIs: 2, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00419C63,00000001,?,0045C7A8,00000060), ref: 0041C4E2

Part of subcall function 0041C5BC: HeapAlloc.KERNEL32(00000000,00000140,0041C50A,000003F8,?,0045C7A8,00000060), ref: 0041C5C9

HeapDestroy.KERNEL32(?,0045C7A8,00000060), ref: 0041C515

Memory Dump Source

Source File: 00000001.00000002.241010397.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.241007014.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241044402.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241059751.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.241069773.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241075800.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241080211.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241084393.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aEdlObiYav.jbxd

Similarity

API ID: Heap$AllocCreateDestroy
String ID:
API String ID: 2236781399-0
Opcode ID: 87bbc2843d472829b2ef89704e86d8af703d01ada110c1709cc2f7aeb2b71cc2
Instruction ID: 7c3bd9f5b4b46e9794cf6a332750d5066d7fd5e8b96e20f30908588fd1cd5013
Opcode Fuzzy Hash: 87bbc2843d472829b2ef89704e86d8af703d01ada110c1709cc2f7aeb2b71cc2
Instruction Fuzzy Hash: C7E04FB1695310EADB10AF719D8DBAA3AD6DB4478AF00043FF404C51E1EB78D5C0EA1D

Uniqueness

Uniqueness Score: -1.00%

Function 0043503C, Relevance: 3.0, APIs: 2, Instructions: 25threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0044F02F: __EH_prolog.LIBCMT ref: 0044F034

GetCurrentThreadId.KERNEL32 ref: 0043505E
SetWindowsHookExA.USER32 ref: 0043506E

Memory Dump Source

Source File: 00000001.00000002.241010397.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.241007014.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241044402.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241059751.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.241069773.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241075800.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241080211.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241084393.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CurrentH_prologHookThreadWindows
String ID:
API String ID: 2183259885-0
Opcode ID: fa57018b2061f09c2615cee7a7a8ab451c877c7e69fac4a8b5c0bd024d663bfc
Instruction ID: 63aff0302d2982f97e3b76b7288842a291ddd2f00c7bfc238e4339544eb3de98
Opcode Fuzzy Hash: fa57018b2061f09c2615cee7a7a8ab451c877c7e69fac4a8b5c0bd024d663bfc
Instruction Fuzzy Hash: 7CE06531740B109ED2306B92AC15F5776A4DBC8726F51552FE50986141C335A84486BD

Uniqueness

Uniqueness Score: -1.00%

Function 00438522, Relevance: 3.0, APIs: 2, Instructions: 15threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00438535
SetWindowsHookExA.USER32 ref: 00438545

Memory Dump Source

Source File: 00000001.00000002.241010397.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.241007014.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241044402.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241059751.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.241069773.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241075800.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241080211.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241084393.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aEdlObiYav.jbxd

Similarity

API ID: CurrentHookThreadWindows
String ID:
API String ID: 1904029216-0
Opcode ID: 60a374326582e6fd45de703582bfe03cc6b3e523ebf7321959d28aa07a968d44
Instruction ID: ccc9c6806e51c4b76788036dcd35ea03a28c57b756b3c0db120f588d1f581546
Opcode Fuzzy Hash: 60a374326582e6fd45de703582bfe03cc6b3e523ebf7321959d28aa07a968d44
Instruction Fuzzy Hash: F2D0A771C047607FFB102B746C19B293A505B05739F54175EF424961D2CE7CD5404B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00433D9C, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00433DA1

Part of subcall function 0044F02F: __EH_prolog.LIBCMT ref: 0044F034

Memory Dump Source

Source File: 00000001.00000002.241010397.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.241007014.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241044402.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241059751.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.241069773.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241075800.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241080211.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241084393.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aEdlObiYav.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 1f4f402cad16baa03feb8c9b8df4c1ff7379fb18e5b1fbac80ea2e244e1f3584
Instruction ID: 217b5259fde65db3885a56b274e9404f905c368ae3fa042c110acc6f53840b47
Opcode Fuzzy Hash: 1f4f402cad16baa03feb8c9b8df4c1ff7379fb18e5b1fbac80ea2e244e1f3584
Instruction Fuzzy Hash: BF2168B2900219EFCF05DF59C4829EE7BB5FB48354F10402AF801AB241D374AE85CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0044F02F, Relevance: 1.5, APIs: 1, Instructions: 39COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044F034

Part of subcall function 0044ED79: TlsAlloc.KERNEL32(?,0044F05E,75144DE0,00000000,?,0044D598,0044C800,0044D5B4,00437F34,0043B484,75144DE0,00000000,?,00419D19,00000000), ref: 0044ED9B

Memory Dump Source

Source File: 00000001.00000002.241010397.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.241007014.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241044402.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241059751.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.241069773.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241075800.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241080211.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241084393.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aEdlObiYav.jbxd

Similarity

API ID: AllocH_prolog
String ID:
API String ID: 3910492588-0
Opcode ID: 08853716338d5d36f3402c2a6b0b7152c1237e78638d7e359c55b01d012e747f
Instruction ID: b0c5c036e64a4565b7a51127bc03cc4d744149bd569e55b8a23d2c6ab39c094b
Opcode Fuzzy Hash: 08853716338d5d36f3402c2a6b0b7152c1237e78638d7e359c55b01d012e747f
Instruction Fuzzy Hash: 3D0181356006019FEB29EF26D81176DB7B2FBD0365F10417EE58697391DB388D40CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00412675, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041267A

Part of subcall function 0044DB78: __EH_prolog.LIBCMT ref: 0044DB7D

Part of subcall function 00412137: __EH_prolog.LIBCMT ref: 0041213C

Part of subcall function 004315F6: __EH_prolog.LIBCMT ref: 004315FB
Part of subcall function 004315F6: FindResourceA.KERNEL32(?,00000000,00000005), ref: 00431633
Part of subcall function 004315F6: LoadResource.KERNEL32(?,00000000), ref: 0043163B
Part of subcall function 004315F6: LockResource.KERNEL32(00000000), ref: 0043164D

Part of subcall function 00430E44: __EH_prolog.LIBCMT ref: 00430E49

Memory Dump Source

Source File: 00000001.00000002.241010397.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.241007014.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241044402.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.241059751.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.241069773.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241075800.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241080211.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.241084393.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_aEdlObiYav.jbxd

Similarity

API ID: H_prolog$Resource$FindLoadLock
String ID:
API String ID: 807587585-0
Opcode ID: 440cd8fa29eb9ee4f3801710ff5bdcedb7e66363f248bb282ecd869aaa0fc82a
Instruction ID: b45528432e8057bea371eba47b4c80f828b5add35470d5ee7ebcf6187e48438f
Opcode Fuzzy Hash: 440cd8fa29eb9ee4f3801710ff5bdcedb7e66363f248bb282ecd869aaa0fc82a
Instruction Fuzzy Hash: B9F08CB1E002199BCB24EB71CA027D8B770AF04329F0086AE9246A2581DF785F04CB44

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report aEdlObiYav

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Network Port Distribution

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre