Play interactive tour

Edit tour

Analysis Report BnJvVt951o.exe

Overview

General Information

Sample Name:	BnJvVt951o.exe
Analysis ID:	382018
MD5:	ae03a6f8fb74d401b403647d28e21574
SHA1:	6ee320cedc77499f5df9ae9c93ef42c0d91f3ce8
SHA256:	1ad1ff05930f27ef4b349c7a612235d1632ef7ceaa1a17adf7c7b3a97b40ca4d
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected Emotet e-Banking trojan

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Emotet

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after checking mutex)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to launch a process as a different user

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files to the windows directory (C:\Windows)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

BnJvVt951o.exe (PID: 7148 cmdline: 'C:\Users\user\Desktop\BnJvVt951o.exe' MD5: AE03A6F8FB74D401B403647D28E21574)

BnJvVt951o.exe (PID: 6224 cmdline: --132eeff2 MD5: AE03A6F8FB74D401B403647D28E21574)

bushexa.exe (PID: 6064 cmdline: C:\Windows\SysWOW64\bushexa.exe MD5: AE03A6F8FB74D401B403647D28E21574)

bushexa.exe (PID: 5856 cmdline: --22f27ebc MD5: AE03A6F8FB74D401B403647D28E21574)

svchost.exe (PID: 900 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6996 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6060 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4164 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.1033773851.0000000000F51000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000006.00000002.1033773851.0000000000F51000.00000020.00000001.sdmp	Emotet	Emotet Payload	kevoreilly	0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA F5 00 85 C0 0x50d4:$snippet6: 33 C0 21 05 EC 10 F6 00 A3 E8 10 F6 00 39 05 A0 E3 F5 00 74 18 40 A3 E8 10 F6 00 83 3C C5 A0 E3 ...
00000001.00000002.653627913.00000000022F1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000002.653627913.00000000022F1000.00000020.00000001.sdmp	Emotet	Emotet Payload	kevoreilly	0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 2F 02 85 C0 0x50d4:$snippet6: 33 C0 21 05 EC 10 30 02 A3 E8 10 30 02 39 05 A0 E3 2F 02 74 18 40 A3 E8 10 30 02 83 3C C5 A0 E3 ...
00000001.00000002.653606214.00000000022C0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000002.653606214.00000000022C0000.00000040.00000001.sdmp	Emotet	Emotet Payload	kevoreilly	0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 40 00 85 C0 0x5a13:$snippet6: 33 C0 21 05 EC 10 41 00 A3 E8 10 41 00 39 05 A0 E3 40 00 74 18 40 A3 E8 10 41 00 83 3C C5 A0 E3 ...
00000000.00000002.641142570.00000000022D0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.641142570.00000000022D0000.00000040.00000001.sdmp	Emotet	Emotet Payload	kevoreilly	0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 40 00 85 C0 0x5a13:$snippet6: 33 C0 21 05 EC 10 41 00 A3 E8 10 41 00 39 05 A0 E3 40 00 74 18 40 A3 E8 10 41 00 83 3C C5 A0 E3 ...
00000006.00000002.1033749046.0000000000F40000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000006.00000002.1033749046.0000000000F40000.00000040.00000001.sdmp	Emotet	Emotet Payload	kevoreilly	0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 40 00 85 C0 0x5a13:$snippet6: 33 C0 21 05 EC 10 41 00 A3 E8 10 41 00 39 05 A0 E3 40 00 74 18 40 A3 E8 10 41 00 83 3C C5 A0 E3 ...
00000000.00000002.641176442.00000000022E1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.641176442.00000000022E1000.00000020.00000001.sdmp	Emotet	Emotet Payload	kevoreilly	0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 2E 02 85 C0 0x50d4:$snippet6: 33 C0 21 05 EC 10 2F 02 A3 E8 10 2F 02 39 05 A0 E3 2E 02 74 18 40 A3 E8 10 2F 02 83 3C C5 A0 E3 ...
00000005.00000002.652667047.0000000000F61000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.652667047.0000000000F61000.00000020.00000001.sdmp	Emotet	Emotet Payload	kevoreilly	0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA F6 00 85 C0 0x50d4:$snippet6: 33 C0 21 05 EC 10 F7 00 A3 E8 10 F7 00 39 05 A0 E3 F6 00 74 18 40 A3 E8 10 F7 00 83 3C C5 A0 E3 ...
00000005.00000002.652651550.0000000000F40000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.652651550.0000000000F40000.00000040.00000001.sdmp	Emotet	Emotet Payload	kevoreilly	0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 40 00 85 C0 0x5a13:$snippet6: 33 C0 21 05 EC 10 41 00 A3 E8 10 41 00 39 05 A0 E3 40 00 74 18 40 A3 E8 10 41 00 83 3C C5 A0 E3 ...
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.bushexa.exe.f4053f.1.unpack	MAL_Emotet_Jan20_1	Detects Emotet malware	Florian Roth	0x2577:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20 0x255d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
6.2.bushexa.exe.f4053f.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
6.2.bushexa.exe.f4053f.1.unpack	Emotet	Emotet Payload	kevoreilly	0x7ad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 40 00 85 C0 0x48d4:$snippet6: 33 C0 21 05 EC 10 41 00 A3 E8 10 41 00 39 05 A0 E3 40 00 74 18 40 A3 E8 10 41 00 83 3C C5 A0 E3 ...
0.2.BnJvVt951o.exe.22d053f.2.raw.unpack	MAL_Emotet_Jan20_1	Detects Emotet malware	Florian Roth	0x3177:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20 0x315d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
0.2.BnJvVt951o.exe.22d053f.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.BnJvVt951o.exe.22d053f.2.raw.unpack	Emotet	Emotet Payload	kevoreilly	0x13ad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 40 00 85 C0 0x54d4:$snippet6: 33 C0 21 05 EC 10 41 00 A3 E8 10 41 00 39 05 A0 E3 40 00 74 18 40 A3 E8 10 41 00 83 3C C5 A0 E3 ...
0.2.BnJvVt951o.exe.22d053f.2.raw.unpack	Win32_Trojan_Emotet	unknown	ReversingLabs	0xe52:$decrypt_resource_v1: 55 8B EC 83 EC 18 53 8B D9 8B C2 56 57 89 45 F0 8B 3B 33 F8 8B C7 89 7D EC 83 E0 03 75 05 8D 77 ... 0xb23e:$generate_filename_v1: 56 57 33 C0 BF 08 16 41 00 57 50 50 6A 1C 50 FF 15 68 04 41 00 BA 9A DB 40 5A B9 60 EE 40 00 E8 ...
6.2.bushexa.exe.f4053f.1.raw.unpack	MAL_Emotet_Jan20_1	Detects Emotet malware	Florian Roth	0x3177:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20 0x315d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
6.2.bushexa.exe.f4053f.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
6.2.bushexa.exe.f4053f.1.raw.unpack	Emotet	Emotet Payload	kevoreilly	0x13ad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 40 00 85 C0 0x54d4:$snippet6: 33 C0 21 05 EC 10 41 00 A3 E8 10 41 00 39 05 A0 E3 40 00 74 18 40 A3 E8 10 41 00 83 3C C5 A0 E3 ...
6.2.bushexa.exe.f4053f.1.raw.unpack	Win32_Trojan_Emotet	unknown	ReversingLabs	0xe52:$decrypt_resource_v1: 55 8B EC 83 EC 18 53 8B D9 8B C2 56 57 89 45 F0 8B 3B 33 F8 8B C7 89 7D EC 83 E0 03 75 05 8D 77 ... 0xb23e:$generate_filename_v1: 56 57 33 C0 BF 08 16 41 00 57 50 50 6A 1C 50 FF 15 68 04 41 00 BA 9A DB 40 5A B9 60 EE 40 00 E8 ...
1.2.BnJvVt951o.exe.22c053f.1.unpack	MAL_Emotet_Jan20_1	Detects Emotet malware	Florian Roth	0x2577:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20 0x255d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
1.2.BnJvVt951o.exe.22c053f.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.BnJvVt951o.exe.22c053f.1.unpack	Emotet	Emotet Payload	kevoreilly	0x7ad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 40 00 85 C0 0x48d4:$snippet6: 33 C0 21 05 EC 10 41 00 A3 E8 10 41 00 39 05 A0 E3 40 00 74 18 40 A3 E8 10 41 00 83 3C C5 A0 E3 ...
0.2.BnJvVt951o.exe.22d053f.2.unpack	MAL_Emotet_Jan20_1	Detects Emotet malware	Florian Roth	0x2577:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20 0x255d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
0.2.BnJvVt951o.exe.22d053f.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.BnJvVt951o.exe.22d053f.2.unpack	Emotet	Emotet Payload	kevoreilly	0x7ad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 40 00 85 C0 0x48d4:$snippet6: 33 C0 21 05 EC 10 41 00 A3 E8 10 41 00 39 05 A0 E3 40 00 74 18 40 A3 E8 10 41 00 83 3C C5 A0 E3 ...
5.2.bushexa.exe.f4053f.2.unpack	MAL_Emotet_Jan20_1	Detects Emotet malware	Florian Roth	0x2577:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20 0x255d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
5.2.bushexa.exe.f4053f.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.bushexa.exe.f4053f.2.unpack	Emotet	Emotet Payload	kevoreilly	0x7ad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 40 00 85 C0 0x48d4:$snippet6: 33 C0 21 05 EC 10 41 00 A3 E8 10 41 00 39 05 A0 E3 40 00 74 18 40 A3 E8 10 41 00 83 3C C5 A0 E3 ...
5.2.bushexa.exe.f4053f.2.raw.unpack	MAL_Emotet_Jan20_1	Detects Emotet malware	Florian Roth	0x3177:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20 0x315d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
5.2.bushexa.exe.f4053f.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.bushexa.exe.f4053f.2.raw.unpack	Emotet	Emotet Payload	kevoreilly	0x13ad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 40 00 85 C0 0x54d4:$snippet6: 33 C0 21 05 EC 10 41 00 A3 E8 10 41 00 39 05 A0 E3 40 00 74 18 40 A3 E8 10 41 00 83 3C C5 A0 E3 ...
5.2.bushexa.exe.f4053f.2.raw.unpack	Win32_Trojan_Emotet	unknown	ReversingLabs	0xe52:$decrypt_resource_v1: 55 8B EC 83 EC 18 53 8B D9 8B C2 56 57 89 45 F0 8B 3B 33 F8 8B C7 89 7D EC 83 E0 03 75 05 8D 77 ... 0xb23e:$generate_filename_v1: 56 57 33 C0 BF 08 16 41 00 57 50 50 6A 1C 50 FF 15 68 04 41 00 BA 9A DB 40 5A B9 60 EE 40 00 E8 ...
1.2.BnJvVt951o.exe.22c053f.1.raw.unpack	MAL_Emotet_Jan20_1	Detects Emotet malware	Florian Roth	0x3177:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20 0x315d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
1.2.BnJvVt951o.exe.22c053f.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.BnJvVt951o.exe.22c053f.1.raw.unpack	Emotet	Emotet Payload	kevoreilly	0x13ad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 FA 40 00 85 C0 0x54d4:$snippet6: 33 C0 21 05 EC 10 41 00 A3 E8 10 41 00 39 05 A0 E3 40 00 74 18 40 A3 E8 10 41 00 83 3C C5 A0 E3 ...
1.2.BnJvVt951o.exe.22c053f.1.raw.unpack	Win32_Trojan_Emotet	unknown	ReversingLabs	0xe52:$decrypt_resource_v1: 55 8B EC 83 EC 18 53 8B D9 8B C2 56 57 89 45 F0 8B 3B 33 F8 8B C7 89 7D EC 83 E0 03 75 05 8D 77 ... 0xb23e:$generate_filename_v1: 56 57 33 C0 BF 08 16 41 00 57 50 50 6A 1C 50 FF 15 68 04 41 00 BA 9A DB 40 5A B9 60 EE 40 00 E8 ...
Click to see the 23 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: BnJvVt951o.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: BnJvVt951o.exe	Virustotal: Detection: 84%			Perma Link
Source: BnJvVt951o.exe	ReversingLabs: Detection: 96%

Machine Learning detection for sample

Show sources

Source: BnJvVt951o.exe

Joe Sandbox ML: detected

Source: 6.2.bushexa.exe.f4053f.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.BnJvVt951o.exe.22c053f.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.BnJvVt951o.exe.22d053f.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.bushexa.exe.f4053f.2.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 6_2_00F5207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash,	6_2_00F5207B
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 6_2_00F51FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	6_2_00F51FFC
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 6_2_00F51F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext,	6_2_00F51F75
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 6_2_00F51F11 CryptExportKey,	6_2_00F51F11
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 6_2_00F51F56 CryptGetHashParam,	6_2_00F51F56
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 6_2_00F5215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,	6_2_00F5215A

Source: BnJvVt951o.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:

Binary string: c:\Users\User\Desktop\2003\modeless\Release\modeless.pdb source: BnJvVt951o.exe

Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 0_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,	0_2_0043A377
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 0_2_0043AE3F lstrlenA,FindFirstFileA,FindClose,	0_2_0043AE3F
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,	1_2_0043A377
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_0043AE3F lstrlenA,FindFirstFileA,FindClose,	1_2_0043AE3F

Source: global traffic	TCP traffic: 192.168.2.4:49746 -> 209.141.41.136:8080
Source: global traffic	TCP traffic: 192.168.2.4:49762 -> 104.236.246.93:8080
Source: global traffic	TCP traffic: 192.168.2.4:49768 -> 198.199.114.69:8080
Source: global traffic	TCP traffic: 192.168.2.4:49771 -> 152.89.236.214:8080
Source: global traffic	TCP traffic: 192.168.2.4:49772 -> 87.106.136.232:8080
Source: global traffic	TCP traffic: 192.168.2.4:49773 -> 178.210.51.222:8080
Source: global traffic	TCP traffic: 192.168.2.4:49775 -> 201.251.43.69:8080

Source: Joe Sandbox View	IP Address: 198.199.114.69 198.199.114.69
Source: Joe Sandbox View	IP Address: 104.236.246.93 104.236.246.93
Source: Joe Sandbox View	IP Address: 104.236.246.93 104.236.246.93

Source: unknown	TCP traffic detected without corresponding DNS query: 45.33.54.74
Source: unknown	TCP traffic detected without corresponding DNS query: 45.33.54.74
Source: unknown	TCP traffic detected without corresponding DNS query: 45.33.54.74
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.41.136
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.41.136
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.41.136
Source: unknown	TCP traffic detected without corresponding DNS query: 104.236.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.236.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.236.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 198.199.114.69
Source: unknown	TCP traffic detected without corresponding DNS query: 198.199.114.69
Source: unknown	TCP traffic detected without corresponding DNS query: 198.199.114.69
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.236.214
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.236.214
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.236.214
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.136.232
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.136.232
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.136.232
Source: unknown	TCP traffic detected without corresponding DNS query: 115.78.95.230
Source: unknown	TCP traffic detected without corresponding DNS query: 115.78.95.230
Source: unknown	TCP traffic detected without corresponding DNS query: 115.78.95.230
Source: unknown	TCP traffic detected without corresponding DNS query: 201.251.43.69
Source: unknown	TCP traffic detected without corresponding DNS query: 201.251.43.69
Source: unknown	TCP traffic detected without corresponding DNS query: 201.251.43.69

Source: C:\Windows\SysWOW64\bushexa.exe

Code function: 6_2_00F51383 InternetReadFile,

6_2_00F51383

Source: svchost.exe, 0000000F.00000002.749204665.0000022BADD4F000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000F.00000002.749204665.0000022BADD4F000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000F.00000002.749204665.0000022BADD4F000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-01T08:42:55.8407457Z\|\|.\|\|646da06c-a69a-4aff-bcc8-3f5a349348ca\|\|1152921505693336001\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000F.00000002.749204665.0000022BADD4F000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-01T08:42:55.8407457Z\|\|.\|\|646da06c-a69a-4aff-bcc8-3f5a349348ca\|\|1152921505693336001\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000F.00000002.749204665.0000022BADD4F000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI",E equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000F.00000002.749204665.0000022BADD4F000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI",E equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000F.00000003.737786853.0000022BADD64000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI",lh., equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000F.00000003.737786853.0000022BADD64000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI",lh., equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000F.00000003.731906019.0000022BADD7D000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-15T21:09:58.8377117Z\|\|.\|\|1ad32855-590c-405c-8d49-1a557bf58211\|\|1152921505693277189\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-03-15T21:09:05.1816176Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 0000000F.00000003.729578858.0000022BADD5C000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 0000000F.00000003.729578858.0000022BADD5C000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 0000000F.00000003.729578858.0000022BADD5C000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 0000000F.00000003.729578858.0000022BADD5C000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507060394,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6","PackageId":"448e913e-e6bd-69c2-2c7f-25b80795f801-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 0000000F.00000003.729578858.0000022BADD5C000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507060394,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6","PackageId":"448e913e-e6bd-69c2-2c7f-25b80795f801-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 0000000F.00000003.729578858.0000022BADD5C000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507060394,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6","PackageId":"448e913e-e6bd-69c2-2c7f-25b80795f801-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 0000000F.00000003.729528651.0000022BADD8E000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 0000000F.00000003.729528651.0000022BADD8E000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 0000000F.00000003.729528651.0000022BADD8E000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 0000000F.00000003.731935379.0000022BADD64000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-15T21:09:58.8377117Z\|\|.\|\|1ad32855-590c-405c-8d49-1a557bf58211\|\|1152921505693277189\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-03-15T21:09:05.1816176Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 0000000F.00000003.731926795.0000022BADD5C000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","SkuTitle":"Messenger","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9WZDNCRF0083","Properties":{"FulfillmentData":{"ProductId":"9WZDNCRF0083","WuCategoryId":"c6a9fa5c-20a2-4e12-904d-edd408657dc8","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","SkuId":"0010"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x64"],"Capabilities":["runFullTrust","internetClient","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":137845484,"PackageFormat":"Appx","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","MainPackageFamilyNameForDlc":null,"PackageFullName":"FACEBOOK.317180B0BB486_950.7.118.0_x64__8xx8rvfyw5nnt","PackageId":"9f0b5036-3839-33f0-1d64-45190b6cc3d7-X64","PackageRank":30002,"PlatformDependencies":[{"MaxTested":2814750970478592,"MinVersion":2814750438195200,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"FACEBOOK.317180B0BB486_950.7.118.0_x64__8xx8rvfyw5nnt\",\"content.productId\":\"3219d30d-4a23-4f58-a91c-c44b04e6a0c7\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750970478592,\"platform.minVersion\":2814750438195200,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Social\",\"optOut.backu

Source: bushexa.exe, 00000006.00000002.1033372208.0000000000199000.00000004.00000001.sdmp	String found in binary or memory: http://201.251.43.69/usbccid/iplk/pdf/merge/
Source: svchost.exe, 0000000F.00000003.739088462.0000022BADD42000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 0000000F.00000003.739088462.0000022BADD42000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 0000000F.00000003.739088462.0000022BADD42000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 0000000F.00000003.739088462.0000022BADD42000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 0000000F.00000003.729578858.0000022BADD5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 0000000F.00000003.729578858.0000022BADD5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 0000000F.00000003.728341949.0000022BADD5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.hulu.com/privacy
Source: svchost.exe, 0000000F.00000003.728341949.0000022BADD5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.hulu.com/terms
Source: svchost.exe, 0000000F.00000003.736838195.0000022BADD94000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.736817048.0000022BADD60000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000000F.00000003.736838195.0000022BADD94000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.736817048.0000022BADD60000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000000F.00000003.736838195.0000022BADD94000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.736817048.0000022BADD60000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 0000000F.00000003.729578858.0000022BADD5C000.00000004.00000001.sdmp	String found in binary or memory: https://instagram.com/hiddencity_
Source: svchost.exe, 0000000F.00000003.728341949.0000022BADD5C000.00000004.00000001.sdmp	String found in binary or memory: https://www.hulu.com/ca-privacy-rights
Source: svchost.exe, 0000000F.00000003.728341949.0000022BADD5C000.00000004.00000001.sdmp	String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
Source: svchost.exe, 0000000F.00000003.736838195.0000022BADD94000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.736817048.0000022BADD60000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000000F.00000003.736838195.0000022BADD94000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.736817048.0000022BADD60000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443

Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 0_2_0043814C GetKeyState,GetKeyState,GetKeyState,GetKeyState,	0_2_0043814C
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 0_2_0044C334 GetKeyState,GetKeyState,GetKeyState,	0_2_0044C334
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 0_2_004450BA ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,	0_2_004450BA
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 0_2_0042F3FF __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,	0_2_0042F3FF
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_0043814C GetKeyState,GetKeyState,GetKeyState,GetKeyState,	1_2_0043814C
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_0044C334 GetKeyState,GetKeyState,GetKeyState,	1_2_0044C334
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_004450BA ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,	1_2_004450BA
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_0042F3FF __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,	1_2_0042F3FF
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_00449796 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,	1_2_00449796
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_00433B4D GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	1_2_00433B4D

E-Banking Fraud:

Detected Emotet e-Banking trojan

Show sources

Source: C:\Windows\SysWOW64\bushexa.exe

Code function: 6_2_00F5C11B

6_2_00F5C11B

Yara detected Emotet

Show sources

Source: Yara match	File source: 00000006.00000002.1033773851.0000000000F51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.653627913.00000000022F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.653606214.00000000022C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.641142570.00000000022D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1033749046.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.641176442.00000000022E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.652667047.0000000000F61000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.652651550.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 6.2.bushexa.exe.f4053f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BnJvVt951o.exe.22d053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.bushexa.exe.f4053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BnJvVt951o.exe.22c053f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BnJvVt951o.exe.22d053f.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.bushexa.exe.f4053f.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.bushexa.exe.f4053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BnJvVt951o.exe.22c053f.1.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\bushexa.exe

Code function: 6_2_00F51F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext,

6_2_00F51F75

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000006.00000002.1033773851.0000000000F51000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.653627913.00000000022F1000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.653606214.00000000022C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.641142570.00000000022D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Emotet Payload Author: kevoreilly
Source: 00000006.00000002.1033749046.0000000000F40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.641176442.00000000022E1000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Emotet Payload Author: kevoreilly
Source: 00000005.00000002.652667047.0000000000F61000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Emotet Payload Author: kevoreilly
Source: 00000005.00000002.652651550.0000000000F40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Emotet Payload Author: kevoreilly
Source: 6.2.bushexa.exe.f4053f.1.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.BnJvVt951o.exe.22d053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.BnJvVt951o.exe.22d053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 6.2.bushexa.exe.f4053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 6.2.bushexa.exe.f4053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 1.2.BnJvVt951o.exe.22c053f.1.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.BnJvVt951o.exe.22d053f.2.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 5.2.bushexa.exe.f4053f.2.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 5.2.bushexa.exe.f4053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 5.2.bushexa.exe.f4053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 1.2.BnJvVt951o.exe.22c053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.BnJvVt951o.exe.22c053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Trojan_Emotet Author: ReversingLabs

Source: C:\Windows\SysWOW64\bushexa.exe

Code function: 6_2_00F5C2E7 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle,

6_2_00F5C2E7

Source: C:\Windows\SysWOW64\bushexa.exe

Code function: 6_2_00F51D2B CreateProcessAsUserW,CreateProcessW,

6_2_00F51D2B

Source: C:\Windows\SysWOW64\bushexa.exe

File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache

Jump to behavior

Source: C:\Users\user\Desktop\BnJvVt951o.exe

File deleted: C:\Windows\SysWOW64\bushexa.exe:Zone.Identifier

Jump to behavior

Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 0_2_0041CB04	0_2_0041CB04
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 0_2_004351C1	0_2_004351C1
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 0_2_00419288	0_2_00419288
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_0041CB04	1_2_0041CB04
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_004351C1	1_2_004351C1
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_00419288	1_2_00419288
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 5_2_00F430E4	5_2_00F430E4
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 5_2_00F430E8	5_2_00F430E8
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 5_2_00F428C1	5_2_00F428C1
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 5_2_00F637A5	5_2_00F637A5
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 5_2_00F637A9	5_2_00F637A9
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 5_2_00F62F82	5_2_00F62F82
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 6_2_00F430E4	6_2_00F430E4
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 6_2_00F430E8	6_2_00F430E8
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 6_2_00F428C1	6_2_00F428C1
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 6_2_00F537A5	6_2_00F537A5
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 6_2_00F537A9	6_2_00F537A9
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 6_2_00F52F82	6_2_00F52F82

Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: String function: 00401AB4 appears 35 times
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: String function: 0041C3B9 appears 42 times
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: String function: 004334D7 appears 59 times
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: String function: 0044D589 appears 65 times
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: String function: 00419937 appears 8618 times
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: String function: 00419918 appears 400 times
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: String function: 0041923C appears 91 times
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: String function: 0041E3BF appears 51 times
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: String function: 0044D5AF appears 36 times

Source: BnJvVt951o.exe, 00000000.00000002.641090215.0000000002200000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs BnJvVt951o.exe
Source: BnJvVt951o.exe, 00000001.00000002.654977559.0000000002B10000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs BnJvVt951o.exe
Source: BnJvVt951o.exe, 00000001.00000002.654977559.0000000002B10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs BnJvVt951o.exe
Source: BnJvVt951o.exe, 00000001.00000002.654810432.0000000002A10000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs BnJvVt951o.exe

Source: BnJvVt951o.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000006.00000002.1033773851.0000000000F51000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.653627913.00000000022F1000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.653606214.00000000022C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.641142570.00000000022D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000006.00000002.1033749046.0000000000F40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.641176442.00000000022E1000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000005.00000002.652667047.0000000000F61000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000005.00000002.652651550.0000000000F40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 6.2.bushexa.exe.f4053f.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 6.2.bushexa.exe.f4053f.1.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.BnJvVt951o.exe.22d053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 0.2.BnJvVt951o.exe.22d053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.BnJvVt951o.exe.22d053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 6.2.bushexa.exe.f4053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 6.2.bushexa.exe.f4053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 6.2.bushexa.exe.f4053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 1.2.BnJvVt951o.exe.22c053f.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 1.2.BnJvVt951o.exe.22c053f.1.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.BnJvVt951o.exe.22d053f.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 0.2.BnJvVt951o.exe.22d053f.2.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 5.2.bushexa.exe.f4053f.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 5.2.bushexa.exe.f4053f.2.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 5.2.bushexa.exe.f4053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 5.2.bushexa.exe.f4053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 5.2.bushexa.exe.f4053f.2.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 1.2.BnJvVt951o.exe.22c053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 1.2.BnJvVt951o.exe.22c053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.BnJvVt951o.exe.22c053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan

Source: classification engine

Classification label: mal96.bank.troj.evad.winEXE@10/0@0/10

Source: C:\Users\user\Desktop\BnJvVt951o.exe

Code function: 1_2_0043F939 __EH_prolog,GetDiskFreeSpaceA,GetFullPathNameA,GetTempFileNameA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA,

1_2_0043F939

Source: C:\Windows\SysWOW64\bushexa.exe

Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,

6_2_00F5C3B7

Source: C:\Windows\SysWOW64\bushexa.exe

Code function: 5_2_00F61943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

5_2_00F61943

Source: C:\Users\user\Desktop\BnJvVt951o.exe

Code function: 0_2_00416DE7 __EH_prolog,VariantClear,SysAllocStringByteLen,CoCreateInstance,CoCreateInstance,CoCreateInstance,

0_2_00416DE7

Source: C:\Users\user\Desktop\BnJvVt951o.exe

Code function: 0_2_004315F6 __EH_prolog,FindResourceA,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource,

0_2_004315F6

Source: C:\Windows\SysWOW64\bushexa.exe

Code function: 6_2_00F5C3B7 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,

6_2_00F5C3B7

Source: C:\Users\user\Desktop\BnJvVt951o.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: C:\Users\user\Desktop\BnJvVt951o.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\MB16D1E68
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\IB16D1E68
Source: C:\Windows\SysWOW64\bushexa.exe	Mutant created: \BaseNamedObjects\Global\IB16D1E68

Source: BnJvVt951o.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\BnJvVt951o.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\BnJvVt951o.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: BnJvVt951o.exe	Virustotal: Detection: 84%
Source: BnJvVt951o.exe	ReversingLabs: Detection: 96%

Source: C:\Windows\SysWOW64\bushexa.exe

Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess

Source: unknown	Process created: C:\Users\user\Desktop\BnJvVt951o.exe 'C:\Users\user\Desktop\BnJvVt951o.exe'
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Process created: C:\Users\user\Desktop\BnJvVt951o.exe --132eeff2
Source: unknown	Process created: C:\Windows\SysWOW64\bushexa.exe C:\Windows\SysWOW64\bushexa.exe
Source: C:\Windows\SysWOW64\bushexa.exe	Process created: C:\Windows\SysWOW64\bushexa.exe --22f27ebc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Process created: C:\Users\user\Desktop\BnJvVt951o.exe --132eeff2	Jump to behavior
Source: C:\Windows\SysWOW64\bushexa.exe	Process created: C:\Windows\SysWOW64\bushexa.exe --22f27ebc	Jump to behavior

Source: C:\Users\user\Desktop\BnJvVt951o.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: BnJvVt951o.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: c:\Users\User\Desktop\2003\modeless\Release\modeless.pdb source: BnJvVt951o.exe

Source: C:\Users\user\Desktop\BnJvVt951o.exe

Code function: 0_2_00432655 GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary,

0_2_00432655

Source: BnJvVt951o.exe

Static PE information: real checksum: 0x7ffed should be: 0x800e5

Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 0_2_00419277 push ecx; ret	0_2_00419287
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 0_2_004193A0 push eax; ret	0_2_004193B4
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 0_2_004193A0 push eax; ret	0_2_004193DC
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_00419277 push ecx; ret	1_2_00419287
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_004193A0 push eax; ret	1_2_004193B4
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_004193A0 push eax; ret	1_2_004193DC
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_00419918 push eax; ret	1_2_00419936
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 5_2_00F4E190 push BB276B01h; ret	5_2_00F4E1C2
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 6_2_00F4E190 push BB276B01h; ret	6_2_00F4E1C2

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\SysWOW64\bushexa.exe

Executable created and started: C:\Windows\SysWOW64\bushexa.exe

Jump to behavior

Source: C:\Users\user\Desktop\BnJvVt951o.exe

PE file moved: C:\Windows\SysWOW64\bushexa.exe

Jump to behavior

Source: C:\Windows\SysWOW64\bushexa.exe

Code function: 6_2_00F5C3B7 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,

6_2_00F5C3B7

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\BnJvVt951o.exe

File opened: C:\Windows\SysWOW64\bushexa.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 0_2_004121E0 IsIconic,SetFileSecurityW,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	0_2_004121E0
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 0_2_0043ED39 GetParent,GetParent,IsIconic,GetParent,	0_2_0043ED39
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 0_2_00412F6C IsIconic,GetWindowPlacement,GetWindowRect,	0_2_00412F6C
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 0_2_004415C2 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,	0_2_004415C2
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_004121E0 IsIconic,SetFileSecurityW,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	1_2_004121E0
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_0043ED39 GetParent,GetParent,IsIconic,GetParent,	1_2_0043ED39
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_00412F6C IsIconic,GetWindowPlacement,GetWindowRect,	1_2_00412F6C
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_004415C2 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,	1_2_004415C2
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_00449839 IsWindowVisible,IsIconic,	1_2_00449839

Source: C:\Users\user\Desktop\BnJvVt951o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\bushexa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\bushexa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\bushexa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\bushexa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\bushexa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\bushexa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)

Show sources

Source: C:\Windows\SysWOW64\bushexa.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

Source: C:\Users\user\Desktop\BnJvVt951o.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\SysWOW64\bushexa.exe

Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle,

6_2_00F5C11B

Source: C:\Windows\SysWOW64\bushexa.exe

API coverage: 9.5 %

Source: C:\Windows\System32\svchost.exe TID: 4492

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\BnJvVt951o.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 0_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,	0_2_0043A377
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 0_2_0043AE3F lstrlenA,FindFirstFileA,FindClose,	0_2_0043AE3F
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_0043A377 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,	1_2_0043A377
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_0043AE3F lstrlenA,FindFirstFileA,FindClose,	1_2_0043AE3F

Source: C:\Users\user\Desktop\BnJvVt951o.exe

Code function: 0_2_00419156 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,

0_2_00419156

Source: svchost.exe, 00000007.00000002.665296056.0000027608E70000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.709817759.00000218D4260000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.723300627.000001BF11A80000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.749546426.0000022BAE400000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 0000000F.00000002.748940503.0000022BAD4FA000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 0000000F.00000002.748929810.0000022BAD4EB000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000007.00000002.665296056.0000027608E70000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.709817759.00000218D4260000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.723300627.000001BF11A80000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.749546426.0000022BAE400000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000007.00000002.665296056.0000027608E70000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.709817759.00000218D4260000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.723300627.000001BF11A80000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.749546426.0000022BAE400000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 0000000F.00000002.748881279.0000022BAD4A5000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW`
Source: svchost.exe, 00000007.00000002.665296056.0000027608E70000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.709817759.00000218D4260000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.723300627.000001BF11A80000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.749546426.0000022BAE400000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\bushexa.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\bushexa.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\bushexa.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\bushexa.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\BnJvVt951o.exe

Code function: 0_2_00432655 GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary,

0_2_00432655

Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_00401B93 mov eax, dword ptr fs:[00000030h]	1_2_00401B93
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_00401BA2 mov eax, dword ptr fs:[00000030h]	1_2_00401BA2
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 5_2_00F40467 mov eax, dword ptr fs:[00000030h]	5_2_00F40467
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 5_2_00F40C0C mov eax, dword ptr fs:[00000030h]	5_2_00F40C0C
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 5_2_00F41743 mov eax, dword ptr fs:[00000030h]	5_2_00F41743
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 5_2_00F612CD mov eax, dword ptr fs:[00000030h]	5_2_00F612CD
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 5_2_00F61E04 mov eax, dword ptr fs:[00000030h]	5_2_00F61E04
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 6_2_00F40467 mov eax, dword ptr fs:[00000030h]	6_2_00F40467
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 6_2_00F40C0C mov eax, dword ptr fs:[00000030h]	6_2_00F40C0C
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 6_2_00F41743 mov eax, dword ptr fs:[00000030h]	6_2_00F41743
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 6_2_00F512CD mov eax, dword ptr fs:[00000030h]	6_2_00F512CD
Source: C:\Windows\SysWOW64\bushexa.exe	Code function: 6_2_00F51E04 mov eax, dword ptr fs:[00000030h]	6_2_00F51E04

Source: C:\Windows\SysWOW64\bushexa.exe

Code function: 5_2_00F614F2 GetProcessHeap,RtlAllocateHeap,

5_2_00F614F2

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 0_2_00420406 SetUnhandledExceptionFilter,	0_2_00420406
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 0_2_0042041A SetUnhandledExceptionFilter,	0_2_0042041A
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_00420406 SetUnhandledExceptionFilter,	1_2_00420406
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_0042041A SetUnhandledExceptionFilter,	1_2_0042041A

Source: C:\Windows\SysWOW64\bushexa.exe

Code function: 5_2_00F4C477 cpuid

5_2_00F4C477

Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: GetLocaleInfoA,_strncpy,	0_2_00426F2A
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	0_2_00401069
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: _strlen,EnumSystemLocalesA,	0_2_00427449
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: _strlen,_strlen,EnumSystemLocalesA,	0_2_00427480
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat,	0_2_0042755B
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: _strlen,EnumSystemLocalesA,	0_2_00427506
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: GetLocaleInfoA,_strncpy,	1_2_00426F2A
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	1_2_00401069
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: _strlen,EnumSystemLocalesA,	1_2_00427449
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: _strlen,_strlen,EnumSystemLocalesA,	1_2_00427480
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat,	1_2_0042755B
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: _strlen,EnumSystemLocalesA,	1_2_00427506
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: GetLocaleInfoA,	1_2_00427749
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA,	1_2_0044D759
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,	1_2_004299EE
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: GetLocaleInfoA,MultiByteToWideChar,	1_2_00429AAA
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,	1_2_00429B1E
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: GetLocaleInfoW,WideCharToMultiByte,	1_2_00429BD1

Source: C:\Users\user\Desktop\BnJvVt951o.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\bushexa.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\BnJvVt951o.exe

Code function: 0_2_00420151 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00420151

Source: C:\Users\user\Desktop\BnJvVt951o.exe

Code function: 0_2_004231DB __lock,_strlen,_strcat,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy,

0_2_004231DB

Source: C:\Users\user\Desktop\BnJvVt951o.exe

Code function: 0_2_0044A5CB GetVersion,GetVersion,GetVersion,GetVersion,GetVersion,RegisterWindowMessageA,

0_2_0044A5CB

Source: C:\Users\user\Desktop\BnJvVt951o.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 00000006.00000002.1033773851.0000000000F51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.653627913.00000000022F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.653606214.00000000022C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.641142570.00000000022D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1033749046.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.641176442.00000000022E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.652667047.0000000000F61000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.652651550.0000000000F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 6.2.bushexa.exe.f4053f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BnJvVt951o.exe.22d053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.bushexa.exe.f4053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BnJvVt951o.exe.22c053f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BnJvVt951o.exe.22d053f.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.bushexa.exe.f4053f.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.bushexa.exe.f4053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BnJvVt951o.exe.22c053f.1.raw.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 0_2_004514EB CreateBindCtx,lstrlenW,lstrlenA,CoTaskMemFree,	0_2_004514EB
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_004514EB CreateBindCtx,lstrlenW,lstrlenA,CoTaskMemFree,	1_2_004514EB
Source: C:\Users\user\Desktop\BnJvVt951o.exe	Code function: 1_2_00451B05 lstrlenA,lstrlenW,lstrlenW,lstrlenW,CoTaskMemAlloc,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,	1_2_00451B05

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Native API111	Valid Accounts1	Valid Accounts1	Deobfuscate/Decode Files or Information1	Input Capture1	System Time Discovery2	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Command and Scripting Interpreter2	Windows Service12	Access Token Manipulation1	Obfuscated Files or Information2	LSASS Memory	System Service Discovery1	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Encrypted Channel22	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Service Execution12	Logon Script (Windows)	Windows Service12	Software Packing1	Security Account Manager	File and Directory Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Process Injection1	File Deletion1	NTDS	System Information Discovery37	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading121	LSA Secrets	Security Software Discovery21	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Valid Accounts1	Cached Domain Credentials	Virtualization/Sandbox Evasion2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Access Token Manipulation1	DCSync	Process Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion2	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection1	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Hidden Files and Directories1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
BnJvVt951o.exe	84%	Virustotal		Browse
BnJvVt951o.exe	96%	ReversingLabs	Win32.Trojan.Emotet
BnJvVt951o.exe	100%	Avira	HEUR/AGEN.1111753
BnJvVt951o.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
6.0.bushexa.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1111753	Download File
5.0.bushexa.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1111753	Download File
5.2.bushexa.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1111753	Download File
6.2.bushexa.exe.f4053f.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
6.2.bushexa.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1111753	Download File
1.2.BnJvVt951o.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1111753	Download File
1.0.BnJvVt951o.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1111753	Download File
0.0.BnJvVt951o.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1111753	Download File
1.2.BnJvVt951o.exe.22c053f.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.2.BnJvVt951o.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1111753	Download File
0.2.BnJvVt951o.exe.22d053f.2.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
5.2.bushexa.exe.f4053f.2.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://201.251.43.69/usbccid/iplk/pdf/merge/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://201.251.43.69/usbccid/iplk/pdf/merge/	bushexa.exe, 00000006.00000002.1033372208.0000000000199000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hulu.com/privacy	svchost.exe, 0000000F.00000003.728341949.0000022BADD5C000.00000004.00000001.sdmp	false		high
http://www.g5e.com/G5_End_User_License_Supplemental_Terms	svchost.exe, 0000000F.00000003.729578858.0000022BADD5C000.00000004.00000001.sdmp	false		high
https://www.hulu.com/do-not-sell-my-info	svchost.exe, 0000000F.00000003.728341949.0000022BADD5C000.00000004.00000001.sdmp	false		high
http://www.hulu.com/terms	svchost.exe, 0000000F.00000003.728341949.0000022BADD5C000.00000004.00000001.sdmp	false		high
https://corp.roblox.com/contact/	svchost.exe, 0000000F.00000003.736838195.0000022BADD94000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.736817048.0000022BADD60000.00000004.00000001.sdmp	false		high
https://www.roblox.com/develop	svchost.exe, 0000000F.00000003.736838195.0000022BADD94000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.736817048.0000022BADD60000.00000004.00000001.sdmp	false		high
https://instagram.com/hiddencity_	svchost.exe, 0000000F.00000003.729578858.0000022BADD5C000.00000004.00000001.sdmp	false		high
https://www.roblox.com/info/privacy	svchost.exe, 0000000F.00000003.736838195.0000022BADD94000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.736817048.0000022BADD60000.00000004.00000001.sdmp	false		high
http://www.g5e.com/termsofservice	svchost.exe, 0000000F.00000003.729578858.0000022BADD5C000.00000004.00000001.sdmp	false		high
https://en.help.roblox.com/hc/en-us	svchost.exe, 0000000F.00000003.736838195.0000022BADD94000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.736817048.0000022BADD60000.00000004.00000001.sdmp	false		high
https://corp.roblox.com/parents/	svchost.exe, 0000000F.00000003.736838195.0000022BADD94000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.736817048.0000022BADD60000.00000004.00000001.sdmp	false		high
https://www.hulu.com/ca-privacy-rights	svchost.exe, 0000000F.00000003.728341949.0000022BADD5C000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
152.89.236.214	unknown	Germany	31400	ACCELERATED-ITDE	false
198.199.114.69	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
104.236.246.93	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
178.210.51.222	unknown	Russian Federation	43727	KVANT-TELECOMRU	false
115.78.95.230	unknown	Viet Nam	7552	VIETEL-AS-APViettelGroupVN	false
201.251.43.69	unknown	Argentina	27927	CoopPopulardeElecObrasyServiciosPubdeSantaRosa	false
45.33.54.74	unknown	United States	63949	LINODE-APLinodeLLCUS	false
209.141.41.136	unknown	United States	53667	PONYNETUS	false
87.106.136.232	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	382018
Start date:	05.04.2021
Start time:	18:57:04
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	BnJvVt951o.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.bank.troj.evad.winEXE@10/0@0/10
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 0.1% (good quality ratio 0.1%) Quality average: 93.2% Quality standard deviation: 6.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 52 Number of non-executed functions: 170
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.255.188.83, 52.147.198.201, 92.122.145.220, 104.43.139.144, 40.88.32.150, 13.88.21.125, 20.82.209.183, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129, 2.20.142.210, 2.20.142.209, 20.82.210.154 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
152.89.236.214	SMtbg7yHyR.exe	Get hash	malicious	Browse
152.89.236.214	aEdlObiYav.exe	Get hash	malicious	Browse
198.199.114.69	VYHauUUCLr.exe	Get hash	malicious	Browse	198.199.114.69:8080/badge/report/xian/
	http://infraturkey.com/deletecomment/parts_service/daaMnHeDzR/	Get hash	malicious	Browse	198.199.114.69:8080/jit/
	https://newwell.studio/test/DOC/NtnDpOmWbTdPEdBxrLyy/	Get hash	malicious	Browse	198.199.114.69:8080/json/
104.236.246.93	form.doc	Get hash	malicious	Browse	104.236.246.93:8080/hZhNeaDm/dcUDNcyqQW/niVKRU29uscA3Ju/
	UAr7Xz5JWr.exe	Get hash	malicious	Browse	104.236.246.93:8080/ZxZomdMT6G9XK/ghoypfynUN/
	invoice #865119.doc	Get hash	malicious	Browse	104.236.246.93:8080/XzlcYaBSUK0cswU/pzKYcLCk/PbvwO3hXkaN7W/WM9ZNIP/
	XY8707573112TQ.doc	Get hash	malicious	Browse	104.236.246.93:8080/att30xZ/YONUKbuNJ8IOQjL/G34JI8e3LEFl/jaWgrB/
	test-emotet.exe	Get hash	malicious	Browse	104.236.246.93/
178.210.51.222	BnJvVt951o.exe	Get hash	malicious	Browse
	SMtbg7yHyR.exe	Get hash	malicious	Browse
	aEdlObiYav.exe	Get hash	malicious	Browse
115.78.95.230	pM54o4Q47b.exe	Get hash	malicious	Browse
115.78.95.230	minimumthemes.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ACCELERATED-ITDE	BnJvVt951o.exe	Get hash	malicious	Browse	152.89.236.214
	SMtbg7yHyR.exe	Get hash	malicious	Browse	152.89.236.214
	KAsJ2r4XYY.dll	Get hash	malicious	Browse	185.243.114.196
	swlsGbeQwT.dll	Get hash	malicious	Browse	185.243.114.196
	document-1048628209.xls	Get hash	malicious	Browse	185.243.114.196
	document-1771131239.xls	Get hash	malicious	Browse	185.243.114.196
	document-1370071295.xls	Get hash	malicious	Browse	185.243.114.196
	document-69564892.xls	Get hash	malicious	Browse	185.243.114.196
	document-1320073816.xls	Get hash	malicious	Browse	185.243.114.196
	document-184653858.xls	Get hash	malicious	Browse	185.243.114.196
	document-1729033050.xls	Get hash	malicious	Browse	185.243.114.196
	document-540475316.xls	Get hash	malicious	Browse	185.243.114.196
	document-1456634656.xls	Get hash	malicious	Browse	185.243.114.196
	document-1376447212.xls	Get hash	malicious	Browse	185.243.114.196
	document-1813856412.xls	Get hash	malicious	Browse	185.243.114.196
	document-1776123548.xls	Get hash	malicious	Browse	185.243.114.196
	document-684762271.xls	Get hash	malicious	Browse	185.243.114.196
	document-1590815978.xls	Get hash	malicious	Browse	185.243.114.196
	document-66411652.xls	Get hash	malicious	Browse	185.243.114.196
	document-415601328.xls	Get hash	malicious	Browse	185.243.114.196
DIGITALOCEAN-ASNUS	BnJvVt951o.exe	Get hash	malicious	Browse	104.236.246.93
	0M53tHsUDg.dll	Get hash	malicious	Browse	161.35.99.181
	Sample.doc	Get hash	malicious	Browse	159.65.129.33
	Sample.doc	Get hash	malicious	Browse	159.65.129.33
	SMtbg7yHyR.exe	Get hash	malicious	Browse	104.236.246.93
	TW#9898748948-TZE.exe	Get hash	malicious	Browse	162.243.129.169
	xqtEOiEeHh.exe	Get hash	malicious	Browse	159.89.4.33
	5AKljISD4v.exe	Get hash	malicious	Browse	206.189.80.59
	nnrlOwKZlc.exe	Get hash	malicious	Browse	104.248.119.44
	documents-575751901.xlsm	Get hash	malicious	Browse	138.197.197.35
	MIpyc881Ka.dll	Get hash	malicious	Browse	138.197.197.35
	278.xlsm	Get hash	malicious	Browse	138.197.197.35
	1449.xlsm	Get hash	malicious	Browse	138.197.197.35
	documents-1987093434.xlsm	Get hash	malicious	Browse	138.197.197.35
	1737.xlsm	Get hash	malicious	Browse	138.197.197.35
	492.xlsm	Get hash	malicious	Browse	138.197.197.35
	3205.xlsm	Get hash	malicious	Browse	138.197.197.35
	1984.xlsm	Get hash	malicious	Browse	138.197.197.35
	2503.xlsm	Get hash	malicious	Browse	138.197.197.35
	3032.xlsm	Get hash	malicious	Browse	138.197.197.35
DIGITALOCEAN-ASNUS	BnJvVt951o.exe	Get hash	malicious	Browse	104.236.246.93
	0M53tHsUDg.dll	Get hash	malicious	Browse	161.35.99.181
	Sample.doc	Get hash	malicious	Browse	159.65.129.33
	Sample.doc	Get hash	malicious	Browse	159.65.129.33
	SMtbg7yHyR.exe	Get hash	malicious	Browse	104.236.246.93
	TW#9898748948-TZE.exe	Get hash	malicious	Browse	162.243.129.169
	xqtEOiEeHh.exe	Get hash	malicious	Browse	159.89.4.33
	5AKljISD4v.exe	Get hash	malicious	Browse	206.189.80.59
	nnrlOwKZlc.exe	Get hash	malicious	Browse	104.248.119.44
	documents-575751901.xlsm	Get hash	malicious	Browse	138.197.197.35
	MIpyc881Ka.dll	Get hash	malicious	Browse	138.197.197.35
	278.xlsm	Get hash	malicious	Browse	138.197.197.35
	1449.xlsm	Get hash	malicious	Browse	138.197.197.35
	documents-1987093434.xlsm	Get hash	malicious	Browse	138.197.197.35
	1737.xlsm	Get hash	malicious	Browse	138.197.197.35
	492.xlsm	Get hash	malicious	Browse	138.197.197.35
	3205.xlsm	Get hash	malicious	Browse	138.197.197.35
	1984.xlsm	Get hash	malicious	Browse	138.197.197.35
	2503.xlsm	Get hash	malicious	Browse	138.197.197.35
	3032.xlsm	Get hash	malicious	Browse	138.197.197.35

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.625638741868008
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	BnJvVt951o.exe
File size:	516346
MD5:	ae03a6f8fb74d401b403647d28e21574
SHA1:	6ee320cedc77499f5df9ae9c93ef42c0d91f3ce8
SHA256:	1ad1ff05930f27ef4b349c7a612235d1632ef7ceaa1a17adf7c7b3a97b40ca4d
SHA512:	ab2a30d32722419c72808032ae01b9443bfb8ea80ec52426aeb42ac21a84f0a2b04dd6f311c13b06bcaa37b7874b4e311ff8dc0c94ccfa42cbf6dcac0e2facab
SSDEEP:	6144:PebeJq15KNVIjux9tE9dVyAhwoajYPNo4ahRFPhpxOtYS0xefNPf+R6axxVccVPo:W5KNgux9t0VyAShUPCRdUi8cVRPw17i
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........*1..Db..Db..Dbd..b..Db..]b..Db...b..Db..Kb..Db...ba.Db..cb..Dbd..b..Db..Eb..Db..$b..Db...b..Db...b..Db...b..DbRich..Db.......

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x419b95
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5D9A0326 [Sun Oct 6 15:07:18 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	92bdfd5dfdc574760c27f87d6f10fe98

Entrypoint Preview

Instruction
push 00000060h
push 0045C7A8h
call 00007F8C80767BC0h
mov edi, 00000094h
mov eax, edi
call 00007F8C80767D18h
mov dword ptr [ebp-18h], esp
mov esi, esp
mov dword ptr [esi], edi
push esi
call dword ptr [004552A0h]
mov ecx, dword ptr [esi+10h]
mov dword ptr [0047B960h], ecx
mov eax, dword ptr [esi+04h]
mov dword ptr [0047B96Ch], eax
mov edx, dword ptr [esi+08h]
mov dword ptr [0047B970h], edx
mov esi, dword ptr [esi+0Ch]
and esi, 00007FFFh
mov dword ptr [0047B964h], esi
cmp ecx, 02h
je 00007F8C8076852Eh
or esi, 00008000h
mov dword ptr [0047B964h], esi
shl eax, 08h
add eax, edx
mov dword ptr [0047B968h], eax
xor esi, esi
push esi
mov edi, dword ptr [00455320h]
call edi
cmp word ptr [eax], 5A4Dh
jne 00007F8C80768541h
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
cmp dword ptr [ecx], 00004550h
jne 00007F8C80768534h
movzx eax, word ptr [ecx+18h]
cmp eax, 0000010Bh
je 00007F8C80768541h
cmp eax, 0000020Bh
je 00007F8C80768527h
mov dword ptr [ebp-1Ch], esi
jmp 00007F8C80768549h
cmp dword ptr [ecx+00000084h], 0Eh
jbe 00007F8C80768514h
xor eax, eax
cmp dword ptr [ecx+000000F8h], esi
jmp 00007F8C80768530h
cmp dword ptr [ecx+74h], 0Eh
jbe 00007F8C80768504h
xor eax, eax
cmp dword ptr [ecx+000000E8h], esi
setne al
mov dword ptr [ebp-1Ch], eax

Rich Headers

Programming Language:

[ASM] VS2003 (.NET) build 3077
[LNK] VS2003 (.NET) build 3077
[RES] VS2003 (.NET) build 3077
[EXP] VS2003 (.NET) build 3077
[C++] VS2003 (.NET) build 3077
[ C ] VS2003 (.NET) build 3077

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x68cf0	0x53	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x66224	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7e000	0x3ebc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x55880	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x60ed0	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x55000	0x878	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x66174	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x53ee9	0x54000	False	0.505048479353	DOS executable (COM)	6.50788658927	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x55000	0x13d43	0x14000	False	0.315026855469	data	5.20395932053	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x69000	0x14234	0x11000	False	0.795568129596	data	7.54511629913	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x7e000	0x3ebc	0x4000	False	0.259643554688	data	3.45842321085	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x7eb68	0x134	data	English	United States
RT_CURSOR	0x7ec9c	0xb4	data	English	United States
RT_CURSOR	0x7ed50	0x134	AmigaOS bitmap font	English	United States
RT_CURSOR	0x7ee84	0x134	data	English	United States
RT_CURSOR	0x7efb8	0x134	data	English	United States
RT_CURSOR	0x7f0ec	0x134	data	English	United States
RT_CURSOR	0x7f220	0x134	data	English	United States
RT_CURSOR	0x7f354	0x134	data	English	United States
RT_CURSOR	0x7f488	0x134	data	English	United States
RT_CURSOR	0x7f5bc	0x134	data	English	United States
RT_CURSOR	0x7f6f0	0x134	data	English	United States
RT_CURSOR	0x7f824	0x134	data	English	United States
RT_CURSOR	0x7f958	0x134	AmigaOS bitmap font	English	United States
RT_CURSOR	0x7fa8c	0x134	data	English	United States
RT_CURSOR	0x7fbc0	0x134	data	English	United States
RT_CURSOR	0x7fcf4	0x134	data	English	United States
RT_BITMAP	0x7fe28	0xb8	data	English	United States
RT_BITMAP	0x7fee0	0x144	data	English	United States
RT_DIALOG	0x80024	0x184	data	English	United States
RT_DIALOG	0x801a8	0xf4	data	English	United States
RT_DIALOG	0x8029c	0x100	data	English	United States
RT_DIALOG	0x8039c	0xe8	data	English	United States
RT_STRING	0x80484	0x44	data	English	United States
RT_STRING	0x804c8	0x48	data	English	United States
RT_STRING	0x80510	0x2c	data	English	United States
RT_STRING	0x8053c	0x38	data	English	United States
RT_STRING	0x80574	0x48	data	English	United States
RT_STRING	0x805bc	0x64	data	English	United States
RT_STRING	0x80620	0x46	data	English	United States
RT_STRING	0x80668	0x82	data	English	United States
RT_STRING	0x806ec	0x2a	data	English	United States
RT_STRING	0x80718	0x192	data	English	United States
RT_STRING	0x808ac	0x4e2	data	English	United States
RT_STRING	0x80d90	0x31a	data	English	United States
RT_STRING	0x810ac	0x2dc	data	English	United States
RT_STRING	0x81388	0x8a	data	English	United States
RT_STRING	0x81414	0xac	data	English	United States
RT_STRING	0x814c0	0xde	data	English	United States
RT_STRING	0x815a0	0x4c4	data	English	United States
RT_STRING	0x81a64	0x264	data	English	United States
RT_STRING	0x81cc8	0x2c	data	English	United States
RT_STRING	0x81cf4	0x42	data	English	United States
RT_STRING	0x81d38	0x48	data	English	United States
RT_GROUP_CURSOR	0x81d80	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States
RT_GROUP_CURSOR	0x81da4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x81db8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x81dcc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x81de0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x81df4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x81e08	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x81e1c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x81e30	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x81e44	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x81e58	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x81e6c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x81e80	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x81e94	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x81ea8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States

Imports

DLL	Import
CRYPT32.dll	CertOpenStore
KERNEL32.dll	GetStartupInfoA, GetCommandLineA, ExitProcess, HeapReAlloc, TerminateProcess, ExitThread, CreateThread, HeapSize, FatalAppExitA, HeapDestroy, HeapCreate, VirtualFree, IsBadWritePtr, GetStdHandle, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetUnhandledExceptionFilter, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetTimeZoneInformation, IsBadReadPtr, IsBadCodePtr, GetTimeFormatA, GetDateFormatA, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, IsValidCodePage, SetConsoleCtrlHandler, RtlUnwind, GetLocaleInfoW, SetEnvironmentVariableA, InterlockedExchange, GetACP, GetLocaleInfoA, GetThreadLocale, GetVersionExA, MultiByteToWideChar, WideCharToMultiByte, GetLastError, GetVersion, lstrcmpiA, lstrlenW, lstrcmpiW, lstrlenA, CompareStringA, CompareStringW, GetEnvironmentVariableA, GetEnvironmentVariableW, GetStringTypeExA, GetStringTypeExW, SizeofResource, LockResource, LoadResource, FindResourceA, FreeResource, GlobalFree, GlobalUnlock, GlobalLock, LocalFree, lstrcpynA, FormatMessageA, GlobalAlloc, GlobalSize, MulDiv, CopyFileA, SetLastError, GetProcAddress, GetModuleHandleA, lstrcmpW, VirtualQuery, GetSystemInfo, VirtualAlloc, VirtualProtect, HeapFree, HeapAlloc, GetDiskFreeSpaceA, GetTempFileNameA, LocalLock, LocalUnlock, GetFileTime, GetFileAttributesA, SetFileAttributesA, SetFileTime, LocalFileTimeToFileTime, FileTimeToLocalFileTime, SetErrorMode, GetShortPathNameA, CreateFileA, GetFullPathNameA, GetVolumeInformationA, FindFirstFileA, FindClose, GetCurrentProcess, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, DeleteFileA, MoveFileA, GetCurrentDirectoryA, GetPrivateProfileStringA, WritePrivateProfileStringA, GetPrivateProfileIntA, SystemTimeToFileTime, FileTimeToSystemTime, GetOEMCP, GetCPInfo, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, TlsGetValue, EnterCriticalSection, GlobalHandle, GlobalReAlloc, LeaveCriticalSection, LocalAlloc, InterlockedIncrement, GlobalFlags, DeleteCriticalSection, InitializeCriticalSection, RaiseException, CreateEventA, SuspendThread, SetEvent, WaitForSingleObject, ResumeThread, SetThreadPriority, CloseHandle, GetCurrentThread, lstrcmpA, GetModuleFileNameA, lstrcatA, ConvertDefaultLocale, EnumResourceLanguagesA, lstrcpyA, InterlockedDecrement, GetCurrentThreadId, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, LoadLibraryA, FreeLibrary, SetStdHandle
USER32.dll	IsClipboardFormatAvailable, MessageBeep, GetTabbedTextExtentA, GetDCEx, LockWindowUpdate, SetParent, InvalidateRect, InsertMenuItemA, CreatePopupMenu, SetRectEmpty, BringWindowToTop, SetMenu, TranslateAcceleratorA, DestroyIcon, DeleteMenu, wsprintfA, WaitMessage, GetWindowThreadProcessId, ReleaseCapture, WindowFromPoint, SetCapture, LoadCursorA, GetSysColorBrush, GetDialogBaseUnits, GetMessageA, TranslateMessage, GetCursorPos, ValidateRect, ShowOwnedPopups, SetCursor, PostQuitMessage, EndPaint, BeginPaint, GetWindowDC, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, FillRect, DestroyMenu, GetMenuItemInfoA, InflateRect, SetMenuItemBitmaps, ModifyMenuA, EnableMenuItem, CheckMenuItem, GetMenuCheckMarkDimensions, LoadBitmapA, ScrollWindowEx, ShowWindow, MoveWindow, SetWindowTextA, IsDialogMessageA, IsDlgButtonChecked, SetDlgItemInt, GetDlgItemTextA, GetDlgItemInt, CheckRadioButton, CheckDlgButton, RegisterWindowMessageA, WinHelpA, GetCapture, CreateWindowExA, SetWindowsHookExA, CallNextHookEx, KillTimer, GetClassInfoExA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SendDlgItemMessageA, GetFocus, SetFocus, IsChild, GetWindowTextLengthA, GetWindowTextA, GetForegroundWindow, GetLastActivePopup, DispatchMessageA, BeginDeferWindowPos, EndDeferWindowPos, GetTopWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, PeekMessageA, MapWindowPoints, ScrollWindow, MessageBoxA, TrackPopupMenuEx, TrackPopupMenu, GetKeyState, SetScrollRange, SetDlgItemTextA, CharLowerA, CharLowerW, CharUpperA, CharUpperW, SendMessageA, EnableWindow, DrawIcon, AppendMenuA, GetSystemMenu, IsIconic, GetClientRect, SetActiveWindow, LoadIconA, GetScrollRange, SetScrollPos, GetScrollPos, SetForegroundWindow, ShowScrollBar, IsWindowVisible, UpdateWindow, GetMenu, PostMessageA, GetSysColor, AdjustWindowRectEx, ScreenToClient, EqualRect, DeferWindowPos, GetScrollInfo, SetScrollInfo, SetTimer, SetRect, UnionRect, IsRectEmpty, MapVirtualKeyA, GetClassInfoA, RegisterClassA, UnregisterClassA, SetWindowPlacement, GetDlgCtrlID, DefWindowProcA, SetWindowLongA, SetWindowPos, OffsetRect, IntersectRect, SystemParametersInfoA, GetWindowPlacement, GetKeyNameTextA, LoadMenuA, UnpackDDElParam, ReuseDDElParam, GetClassLongA, LoadAcceleratorsA, CallWindowProcA, LoadStringW, GetSystemMetrics, EndDialog, GetNextDlgTabItem, GetParent, IsWindowEnabled, GetDlgItem, GetWindowLongA, IsWindow, DestroyWindow, CreateDialogIndirectParamA, GetActiveWindow, GetDesktopWindow, RemoveMenu, GetSubMenu, GetMenuItemCount, InsertMenuA, GetWindowRect, CopyRect, PtInRect, GetWindow, GetMenuState, GetMenuStringA, GetMenuItemID
GDI32.dll	SetMapperFlags, SetArcDirection, SetColorAdjustment, DeleteObject, SelectClipRgn, GetClipRgn, CreateRectRgn, SelectClipPath, GetViewportExtEx, GetWindowExtEx, GetPixel, StartDocA, PtVisible, RectVisible, TextOutA, Escape, SelectObject, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, OffsetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, GetCurrentPositionEx, ArcTo, PolyDraw, PolylineTo, PolyBezierTo, SetTextCharacterExtra, DeleteDC, CreateDIBPatternBrushPt, CreatePatternBrush, GetStockObject, SelectPalette, PlayMetaFileRecord, GetObjectType, EnumMetaFile, PlayMetaFile, CreatePen, ExtCreatePen, CreateSolidBrush, CreateHatchBrush, GetTextMetricsA, CreateRectRgnIndirect, SetRectRgn, CombineRgn, GetMapMode, PatBlt, DPtoLP, CreateCompatibleBitmap, StretchDIBits, GetCharWidthA, CreateFontA, GetBkColor, StartPage, EndPage, SetAbortProc, AbortDoc, EndDoc, SetTextJustification, SetTextAlign, MoveToEx, LineTo, OffsetClipRgn, IntersectClipRect, ExcludeClipRect, SetMapMode, SetStretchBltMode, SetROP2, SetPolyFillMode, SetBkMode, RestoreDC, SaveDC, GetTextExtentPoint32A, ExtTextOutA, BitBlt, CreateCompatibleDC, CreateFontIndirectA, CreateBitmap, GetObjectA, SetBkColor, SetTextColor, GetClipBox, GetDCOrgEx, CreateDCA, CopyMetaFileA, ExtSelectClipRgn, GetDeviceCaps
comdlg32.dll	PageSetupDlgA, FindTextA, ReplaceTextA, GetOpenFileNameA, CommDlgExtendedError, PrintDlgA, GetFileTitleA, GetSaveFileNameA
WINSPOOL.DRV	OpenPrinterA, DocumentPropertiesA, ClosePrinter, GetJobA
ADVAPI32.dll	GetFileSecurityA, RegCloseKey, RegSetValueA, RegOpenKeyA, RegQueryValueExA, RegOpenKeyExA, RegDeleteKeyA, RegEnumKeyA, RegQueryValueA, RegCreateKeyExA, RegSetValueExA, RegDeleteValueA, RegCreateKeyA, SetFileSecurityW, SetFileSecurityA
SHELL32.dll	SHGetFileInfoA, DragFinish, DragQueryFileA, ExtractIconA
COMCTL32.dll	ImageList_Draw, ImageList_GetImageInfo, ImageList_Read, ImageList_Write, ImageList_Destroy, ImageList_Create, ImageList_LoadImageA, ImageList_Merge
SHLWAPI.dll	PathRemoveExtensionA, PathFindFileNameA, PathStripToRootA, PathFindExtensionA, PathIsUNCA
ole32.dll	WriteClassStg, OleRegGetUserType, SetConvertStg, CoTaskMemFree, ReadFmtUserTypeStg, ReadClassStg, StringFromCLSID, CoTreatAsClass, CreateBindCtx, CoTaskMemAlloc, ReleaseStgMedium, OleDuplicateData, CoDisconnectObject, CoCreateInstance, StringFromGUID2, CLSIDFromString, WriteFmtUserTypeStg
OLEAUT32.dll	VariantClear, VariantChangeType, VariantInit, SysAllocStringLen, SysFreeString, SysStringLen, SysAllocStringByteLen, SysStringByteLen, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayGetElemsize, SafeArrayGetDim, SafeArrayCreate, SafeArrayRedim, VariantCopy, SafeArrayAllocData, SafeArrayAllocDescriptor, SafeArrayCopy, SafeArrayGetElement, SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayLock, SafeArrayUnlock, SafeArrayDestroy, SafeArrayDestroyData, SafeArrayDestroyDescriptor, VariantTimeToSystemTime, SystemTimeToVariantTime, SysAllocString, SysReAllocStringLen, VarDateFromStr, VarBstrFromDec, VarDecFromStr, VarCyFromStr, VarBstrFromCy, VarBstrFromDate

Exports

Name	Ordinal	Address
mcfGvgupamvngNBNmgO	1	0x401e04

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 5, 2021 18:58:16.818489075 CEST	49744	443	192.168.2.4	45.33.54.74
Apr 5, 2021 18:58:17.015979052 CEST	443	49744	45.33.54.74	192.168.2.4
Apr 5, 2021 18:58:17.528825045 CEST	49744	443	192.168.2.4	45.33.54.74
Apr 5, 2021 18:58:17.726278067 CEST	443	49744	45.33.54.74	192.168.2.4
Apr 5, 2021 18:58:18.231250048 CEST	49744	443	192.168.2.4	45.33.54.74
Apr 5, 2021 18:58:18.428585052 CEST	443	49744	45.33.54.74	192.168.2.4
Apr 5, 2021 18:58:23.506542921 CEST	49746	8080	192.168.2.4	209.141.41.136
Apr 5, 2021 18:58:26.513185024 CEST	49746	8080	192.168.2.4	209.141.41.136
Apr 5, 2021 18:58:32.513686895 CEST	49746	8080	192.168.2.4	209.141.41.136
Apr 5, 2021 18:58:48.771401882 CEST	49762	8080	192.168.2.4	104.236.246.93
Apr 5, 2021 18:58:51.780920029 CEST	49762	8080	192.168.2.4	104.236.246.93
Apr 5, 2021 18:58:57.781426907 CEST	49762	8080	192.168.2.4	104.236.246.93
Apr 5, 2021 18:59:15.261616945 CEST	49768	8080	192.168.2.4	198.199.114.69
Apr 5, 2021 18:59:18.267710924 CEST	49768	8080	192.168.2.4	198.199.114.69
Apr 5, 2021 18:59:24.268013954 CEST	49768	8080	192.168.2.4	198.199.114.69
Apr 5, 2021 18:59:41.196846008 CEST	49771	8080	192.168.2.4	152.89.236.214
Apr 5, 2021 18:59:41.235383034 CEST	8080	49771	152.89.236.214	192.168.2.4
Apr 5, 2021 18:59:41.738214970 CEST	49771	8080	192.168.2.4	152.89.236.214
Apr 5, 2021 18:59:41.776612043 CEST	8080	49771	152.89.236.214	192.168.2.4
Apr 5, 2021 18:59:42.285279989 CEST	49771	8080	192.168.2.4	152.89.236.214
Apr 5, 2021 18:59:42.323508978 CEST	8080	49771	152.89.236.214	192.168.2.4
Apr 5, 2021 18:59:47.306583881 CEST	49772	8080	192.168.2.4	87.106.136.232
Apr 5, 2021 18:59:47.349000931 CEST	8080	49772	87.106.136.232	192.168.2.4
Apr 5, 2021 18:59:47.863733053 CEST	49772	8080	192.168.2.4	87.106.136.232
Apr 5, 2021 18:59:47.906204939 CEST	8080	49772	87.106.136.232	192.168.2.4
Apr 5, 2021 18:59:48.410700083 CEST	49772	8080	192.168.2.4	87.106.136.232
Apr 5, 2021 18:59:48.453253984 CEST	8080	49772	87.106.136.232	192.168.2.4
Apr 5, 2021 18:59:53.536737919 CEST	49773	8080	192.168.2.4	178.210.51.222
Apr 5, 2021 18:59:56.536341906 CEST	49773	8080	192.168.2.4	178.210.51.222
Apr 5, 2021 19:00:02.537121058 CEST	49773	8080	192.168.2.4	178.210.51.222
Apr 5, 2021 19:00:18.758183956 CEST	49774	443	192.168.2.4	115.78.95.230
Apr 5, 2021 19:00:21.757378101 CEST	49774	443	192.168.2.4	115.78.95.230
Apr 5, 2021 19:00:27.757694960 CEST	49774	443	192.168.2.4	115.78.95.230
Apr 5, 2021 19:00:45.126122952 CEST	49775	8080	192.168.2.4	201.251.43.69
Apr 5, 2021 19:00:48.134350061 CEST	49775	8080	192.168.2.4	201.251.43.69
Apr 5, 2021 19:00:54.134931087 CEST	49775	8080	192.168.2.4	201.251.43.69

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 5, 2021 18:57:41.224035025 CEST	59123	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:57:41.279380083 CEST	53	59123	8.8.8.8	192.168.2.4
Apr 5, 2021 18:57:41.973491907 CEST	54531	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:57:42.020072937 CEST	53	54531	8.8.8.8	192.168.2.4
Apr 5, 2021 18:57:42.788090944 CEST	49714	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:57:42.834229946 CEST	53	49714	8.8.8.8	192.168.2.4
Apr 5, 2021 18:57:43.351897955 CEST	58028	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:57:43.410505056 CEST	53	58028	8.8.8.8	192.168.2.4
Apr 5, 2021 18:57:43.509006977 CEST	53097	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:57:43.557866096 CEST	53	53097	8.8.8.8	192.168.2.4
Apr 5, 2021 18:57:44.338733912 CEST	49257	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:57:44.397749901 CEST	53	49257	8.8.8.8	192.168.2.4
Apr 5, 2021 18:57:45.304169893 CEST	62389	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:57:45.359034061 CEST	53	62389	8.8.8.8	192.168.2.4
Apr 5, 2021 18:57:46.500598907 CEST	49910	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:57:46.549711943 CEST	53	49910	8.8.8.8	192.168.2.4
Apr 5, 2021 18:57:47.893172979 CEST	55854	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:57:47.941817999 CEST	53	55854	8.8.8.8	192.168.2.4
Apr 5, 2021 18:57:48.903186083 CEST	64549	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:57:48.949871063 CEST	53	64549	8.8.8.8	192.168.2.4
Apr 5, 2021 18:57:49.989537954 CEST	63153	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:57:50.035583019 CEST	53	63153	8.8.8.8	192.168.2.4
Apr 5, 2021 18:57:50.741766930 CEST	52991	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:57:50.790760994 CEST	53	52991	8.8.8.8	192.168.2.4
Apr 5, 2021 18:57:51.580369949 CEST	53700	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:57:51.629301071 CEST	53	53700	8.8.8.8	192.168.2.4
Apr 5, 2021 18:58:06.118351936 CEST	51726	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:58:06.164377928 CEST	53	51726	8.8.8.8	192.168.2.4
Apr 5, 2021 18:58:07.409759998 CEST	56794	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:58:07.456058025 CEST	53	56794	8.8.8.8	192.168.2.4
Apr 5, 2021 18:58:08.859622002 CEST	56534	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:58:08.909094095 CEST	53	56534	8.8.8.8	192.168.2.4
Apr 5, 2021 18:58:10.836987019 CEST	56627	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:58:10.883091927 CEST	53	56627	8.8.8.8	192.168.2.4
Apr 5, 2021 18:58:11.601049900 CEST	56621	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:58:11.650021076 CEST	53	56621	8.8.8.8	192.168.2.4
Apr 5, 2021 18:58:12.360377073 CEST	63116	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:58:12.406294107 CEST	53	63116	8.8.8.8	192.168.2.4
Apr 5, 2021 18:58:13.911045074 CEST	64078	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:58:13.957274914 CEST	53	64078	8.8.8.8	192.168.2.4
Apr 5, 2021 18:58:17.331192017 CEST	64801	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:58:17.387782097 CEST	53	64801	8.8.8.8	192.168.2.4
Apr 5, 2021 18:58:29.081444025 CEST	61721	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:58:29.163309097 CEST	53	61721	8.8.8.8	192.168.2.4
Apr 5, 2021 18:58:29.634037018 CEST	51255	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:58:29.689038038 CEST	53	51255	8.8.8.8	192.168.2.4
Apr 5, 2021 18:58:30.124311924 CEST	61522	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:58:30.178725004 CEST	53	61522	8.8.8.8	192.168.2.4
Apr 5, 2021 18:58:30.345561028 CEST	52337	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:58:30.400163889 CEST	53	52337	8.8.8.8	192.168.2.4
Apr 5, 2021 18:58:30.580789089 CEST	55046	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:58:30.643409014 CEST	53	55046	8.8.8.8	192.168.2.4
Apr 5, 2021 18:58:31.145641088 CEST	49612	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:58:31.261267900 CEST	53	49612	8.8.8.8	192.168.2.4
Apr 5, 2021 18:58:31.770155907 CEST	49285	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:58:31.829598904 CEST	53	49285	8.8.8.8	192.168.2.4
Apr 5, 2021 18:58:32.244858027 CEST	50601	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:58:32.369906902 CEST	53	50601	8.8.8.8	192.168.2.4
Apr 5, 2021 18:58:33.038053036 CEST	60875	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:58:33.092544079 CEST	53	60875	8.8.8.8	192.168.2.4
Apr 5, 2021 18:58:34.060686111 CEST	56448	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:58:34.123255968 CEST	53	56448	8.8.8.8	192.168.2.4
Apr 5, 2021 18:58:34.535834074 CEST	59172	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:58:34.595232010 CEST	53	59172	8.8.8.8	192.168.2.4
Apr 5, 2021 18:58:36.544984102 CEST	62420	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:58:36.605249882 CEST	53	62420	8.8.8.8	192.168.2.4
Apr 5, 2021 18:58:47.978492975 CEST	60579	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:58:48.025485039 CEST	53	60579	8.8.8.8	192.168.2.4
Apr 5, 2021 18:58:48.152729034 CEST	50183	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:58:48.224684954 CEST	53	50183	8.8.8.8	192.168.2.4
Apr 5, 2021 18:58:50.196233034 CEST	61531	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:58:50.254884005 CEST	53	61531	8.8.8.8	192.168.2.4
Apr 5, 2021 18:59:23.702003002 CEST	49228	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:59:23.767357111 CEST	53	49228	8.8.8.8	192.168.2.4
Apr 5, 2021 18:59:25.829446077 CEST	59794	53	192.168.2.4	8.8.8.8
Apr 5, 2021 18:59:25.883848906 CEST	53	59794	8.8.8.8	192.168.2.4

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: BnJvVt951o.exe PID: 7148 Parent PID: 5936

General

Start time:	18:57:48
Start date:	05/04/2021
Path:	C:\Users\user\Desktop\BnJvVt951o.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\BnJvVt951o.exe'
Imagebase:	0x400000
File size:	516346 bytes
MD5 hash:	AE03A6F8FB74D401B403647D28E21574
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.641142570.00000000022D0000.00000040.00000001.sdmp, Author: Joe Security Rule: Emotet, Description: Emotet Payload, Source: 00000000.00000002.641142570.00000000022D0000.00000040.00000001.sdmp, Author: kevoreilly Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.641176442.00000000022E1000.00000020.00000001.sdmp, Author: Joe Security Rule: Emotet, Description: Emotet Payload, Source: 00000000.00000002.641176442.00000000022E1000.00000020.00000001.sdmp, Author: kevoreilly
Reputation:	low

Analysis Process: BnJvVt951o.exe PID: 6224 Parent PID: 7148

General

Start time:	18:57:49
Start date:	05/04/2021
Path:	C:\Users\user\Desktop\BnJvVt951o.exe
Wow64 process (32bit):	true
Commandline:	--132eeff2
Imagebase:	0x400000
File size:	516346 bytes
MD5 hash:	AE03A6F8FB74D401B403647D28E21574
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.653627913.00000000022F1000.00000020.00000001.sdmp, Author: Joe Security Rule: Emotet, Description: Emotet Payload, Source: 00000001.00000002.653627913.00000000022F1000.00000020.00000001.sdmp, Author: kevoreilly Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.653606214.00000000022C0000.00000040.00000001.sdmp, Author: Joe Security Rule: Emotet, Description: Emotet Payload, Source: 00000001.00000002.653606214.00000000022C0000.00000040.00000001.sdmp, Author: kevoreilly
Reputation:	low

Analysis Process: bushexa.exe PID: 6064 Parent PID: 568

General

Start time:	18:57:54
Start date:	05/04/2021
Path:	C:\Windows\SysWOW64\bushexa.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\bushexa.exe
Imagebase:	0x400000
File size:	516346 bytes
MD5 hash:	AE03A6F8FB74D401B403647D28E21574
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000002.652667047.0000000000F61000.00000020.00000001.sdmp, Author: Joe Security Rule: Emotet, Description: Emotet Payload, Source: 00000005.00000002.652667047.0000000000F61000.00000020.00000001.sdmp, Author: kevoreilly Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000002.652651550.0000000000F40000.00000040.00000001.sdmp, Author: Joe Security Rule: Emotet, Description: Emotet Payload, Source: 00000005.00000002.652651550.0000000000F40000.00000040.00000001.sdmp, Author: kevoreilly
Reputation:	low

Analysis Process: bushexa.exe PID: 5856 Parent PID: 6064

General

Start time:	18:57:54
Start date:	05/04/2021
Path:	C:\Windows\SysWOW64\bushexa.exe
Wow64 process (32bit):	true
Commandline:	--22f27ebc
Imagebase:	0x400000
File size:	516346 bytes
MD5 hash:	AE03A6F8FB74D401B403647D28E21574
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000002.1033773851.0000000000F51000.00000020.00000001.sdmp, Author: Joe Security Rule: Emotet, Description: Emotet Payload, Source: 00000006.00000002.1033773851.0000000000F51000.00000020.00000001.sdmp, Author: kevoreilly Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000002.1033749046.0000000000F40000.00000040.00000001.sdmp, Author: Joe Security Rule: Emotet, Description: Emotet Payload, Source: 00000006.00000002.1033749046.0000000000F40000.00000040.00000001.sdmp, Author: kevoreilly
Reputation:	low

Analysis Process: svchost.exe PID: 900 Parent PID: 568

General

Start time:	18:57:55
Start date:	05/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 6996 Parent PID: 568

General

Start time:	18:58:14
Start date:	05/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 6060 Parent PID: 568

General

Start time:	18:58:21
Start date:	05/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 4164 Parent PID: 568

General

Start time:	18:58:28
Start date:	05/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: BnJvVt951o.exe PID: 7148 Parent PID: 5936 BnJvVt951o.exeCOMMON

Executed Functions

Function 004315F6, Relevance: 16.6, APIs: 11, Instructions: 120COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004315FB
FindResourceA.KERNEL32(?,00000000,00000005), ref: 00431633
LoadResource.KERNEL32(?,00000000), ref: 0043163B

Part of subcall function 00433622: UnhookWindowsHookEx.USER32(?), ref: 00433647

LockResource.KERNEL32(00000000), ref: 0043164D
GetDesktopWindow.USER32 ref: 0043167A
IsWindowEnabled.USER32(00000000), ref: 00431688
EnableWindow.USER32(00000000,00000000), ref: 00431697
EnableWindow.USER32(00000000,00000001), ref: 00431726
GetActiveWindow.USER32 ref: 00431731
SetActiveWindow.USER32(00000000), ref: 0043173F
FreeResource.KERNEL32(00000000), ref: 0043175B

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Window$Resource$ActiveEnable$DesktopEnabledFindFreeH_prologHookLoadLockUnhookWindows
String ID:
API String ID: 833315621-0
Opcode ID: ce71086b03d54d9c65edfdc0c6feb1ec0fe07aa3cb5f2fb9872758785c552c6d
Instruction ID: c80a947bf2f6b874c5c82c51990a73349f493b2a6f47a5415102d4061b6d75a7
Opcode Fuzzy Hash: ce71086b03d54d9c65edfdc0c6feb1ec0fe07aa3cb5f2fb9872758785c552c6d
Instruction Fuzzy Hash: A8418030900705DFDB21AFA5C95A7BEBBB5AF08716F14102FF102A22A1CB789941CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00432655, Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNELBASE(COMCTL32.DLL,00008000,00000000,00000400,0043346D,00000000,00040000,00000000,?), ref: 0043265E
LoadLibraryA.KERNEL32(COMCTL32.DLL,?,?,?,?,?,?,?,?,?,00431431,00000010,00000000), ref: 00432667
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0043267B
#17.COMCTL32(?,?,?,?,?,?,?,?,?,00431431,00000010,00000000), ref: 00432696
#17.COMCTL32(?,?,?,?,?,?,?,?,?,00431431,00000010,00000000), ref: 004326B2
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00431431,00000010,00000000), ref: 004326BF

Strings

COMCTL32.DLL, xrefs: 00432658, 0043265D, 00432664
InitCommonControlsEx, xrefs: 00432673

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: COMCTL32.DLL$InitCommonControlsEx
API String ID: 1437655972-4218389149
Opcode ID: fbc869dff4a4af753050b1c1a6b0d85685cb09798fd04b456239473298ed4885
Instruction ID: 5fa1d96a4472cd52907bff507a2bc74d54206005f978a52e19e2591faae4ea83
Opcode Fuzzy Hash: fbc869dff4a4af753050b1c1a6b0d85685cb09798fd04b456239473298ed4885
Instruction Fuzzy Hash: 23F0A9326007229787115B659D59A2FB6ECBF94753B451436F805F3211CFA8EC0586AD

Uniqueness

Uniqueness Score: -1.00%

Function 00420406, Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_000203B8), ref: 0042040B

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: bd62c4e1d80563d32ea440ce6060cb46cd4ae1cee373a393b7e2554c0fa64008
Instruction ID: 1b1c346f4f04dce3418a89abf90b8b8a101ec60d6b84e6121621e05be0691acb
Opcode Fuzzy Hash: bd62c4e1d80563d32ea440ce6060cb46cd4ae1cee373a393b7e2554c0fa64008
Instruction Fuzzy Hash: E2A011B0220320CBA300CF30AC0A2083AE0E380202B0082BAA800C2A22EF308080AA08

Uniqueness

Uniqueness Score: -1.00%

Function 00401E04, Relevance: 35.0, APIs: 1, Strings: 9, Instructions: 19977memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401D3B: LoadStringW.USER32(00000005,0000000A,00000000,00000000), ref: 00401D4F

Part of subcall function 00401D5A: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000064,00000000,Characters: %c %c ,000007B9,?,004120B2,00000000), ref: 00401D82

VirtualAlloc.KERNELBASE(00000000,0000E944,00001000,00000040), ref: 004120E2

Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401C9A
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CA1
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CA8
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CAF
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CB6
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CBD
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CC4
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CCB
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CD2
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CD9
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CE0
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CE7
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CEE
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CF5

Strings

Some different radices: %d %x %o %#x %#o , xrefs: 00401EC2, 00401F3E, 00401FB9, 00402034, 004020AF, 0040212A, 004021A5, 00402220, 0040229B, 00402316, 00402391, 0040240C, 00402487, 00402502, 0040257D, 004025F8, 00402673, 004026EE, 00402769, 004027E4, 0040285F, 004028DA, 00402955, 004029D0, 00402A4B, 00402AC6, 00402B41, 00402BBC, 00402C37, 00402CB2, 00402D2D, 00402DA8, 00402E23, 00402E9E, 00402F19, 00402F94, 0040300F, 0040308A, 00403105, 00403180, 004031FB, 00403276, 004032F1, 0040336C, 004033E7, 00403462, 004034DD, 00403558, 004035D3, 0040364E, 004036C9, 00403744, 004037BF, 0040383A, 004038B5, 00403930, 004039AB, 00403A26, 00403AA1, 00403B1C, 00403B97, 00403C12, 00403C8D, 00403D08, 00403D83, 00403DFE, 00403E79, 00403EF4, 00403F6F, 00403FEA, 00404065, 004040E0, 0040415B, 004041D6, 00404251, 004042CC, 00404347, 004043C2, 0040443D, 004044B8, 00404533, 004045AE, 00404629, 004046A4, 0040471F, 0040479A, 00404815, 00404890, 0040490B, 00404986, 00404A01, 00404A7C, 00404AF7, 00404B72, 00404BED, 00404C68, 00404CE3, 00404D5E, 00404DD9, 00404E54, 00404ECF, 00404F4A, 00404FC5, 00405040, 004050BB, 00405136, 004051B1, 0040522C, 004052A7, 00405322, 0040539D, 00405418, 00405493, 0040550E, 00405589, 00405604, 0040567F, 004056FA, 00405775, 004057F0, 0040586B, 004058E6, 00405961, 004059DC, 00405A57, 00405AD2, 00405B4D, 00405BC8, 00405C43, 00405CBE, 00405D39, 00405DB4, 00405E2F, 00405EAA, 00405F25, 00405FA0, 0040601B, 00406096, 00406111, 0040618C, 00406207, 00406282, 004062FD, 00406378, 004063F3, 0040646E, 004064E9, 00406564, 004065DF, 0040665A, 004066D5, 00406750, 004067CB, 00406846, 004068C1, 0040693C, 004069B7, 00406A32, 00406AAD, 00406B28, 00406BA3, 00406C1E, 00406C99, 00406D14, 00406D8F, 00406E0A, 00406E85, 00406F00, 00406F7B, 00406FF6, 00407071, 004070EC, 00407167, 004071E2, 0040725D, 004072D8, 00407353, 004073CE, 00407449, 004074C4, 0040753F, 004075BA, 00407635, 004076B0, 0040772B, 004077A6, 00407821, 0040789C, 00407917, 00407992, 00407A0D, 00407A88, 00407B03, 00407B7E, 00407BF9, 00407C74, 00407CEF, 00407D6A, 00407DE5, 00407E60, 00407EDB, 00407F56, 00407FD1, 0040804C, 004080C7, 00408142, 004081BD, 00408238, 004082B3, 0040832E, 004083A9, 00408424, 0040849F, 0040851A, 00408595, 00408610, 0040868B, 00408706, 00408781, 004087FC, 00408877, 004088F2, 0040896D, 004089E8, 00408A63, 00408ADE, 00408B59, 00408BD4, 00408C4F, 00408CCA, 00408D45, 00408DC0, 00408E3B, 00408EB6, 00408F31, 00408FAC, 00409027, 004090A2, 0040911D, 00409198, 00409213, 0040928E, 00409309, 00409384, 004093FF, 0040947A, 004094F5, 00409570, 004095EB, 00409666, 004096E1, 0040975C, 004097D7, 00409852, 004098CD, 00409948, 004099C3, 00409A3E, 00409AB9, 00409B34, 00409BAF, 00409C2A, 00409CA5, 00409D20, 00409D9B, 00409E16, 00409E91, 00409F0C, 00409F87, 0040A002, 0040A07D, 0040A0F8, 0040A173, 0040A1EE, 0040A269, 0040A2E4, 0040A35F, 0040A3DA, 0040A455, 0040A4D0, 0040A54B, 0040A5C6, 0040A641, 0040A6BC, 0040A737, 0040A7B2, 0040A82D, 0040A8A8, 0040A923, 0040A99E, 0040AA19, 0040AA94, 0040AB0F, 0040AB8A, 0040AC05, 0040AC80, 0040ACFB, 0040AD76, 0040ADF1, 0040AE6C, 0040AEE7, 0040AF62, 0040AFDD, 0040B058, 0040B0D3, 0040B14E, 0040B1C9, 0040B244, 0040B2BF, 0040B33A, 0040B3B5, 0040B430, 0040B4AB, 0040B526, 0040B5A1, 0040B61C, 0040B697, 0040B712, 0040B78D, 0040B808, 0040B883, 0040B8FE, 0040B979, 0040B9F4, 0040BA6F, 0040BAEA, 0040BB65, 0040BBE0, 0040BC5B, 0040BCD6, 0040BD51, 0040BDCC, 0040BE47, 0040BEC2, 0040BF3D, 0040BFB8, 0040C033, 0040C0AE, 0040C129, 0040C1A4, 0040C21F, 0040C29A, 0040C315, 0040C390, 0040C40B, 0040C486, 0040C501, 0040C57C, 0040C5F7, 0040C672, 0040C6ED, 0040C768, 0040C7E3, 0040C85E, 0040C8D9, 0040C954, 0040C9CF, 0040CA4A, 0040CAC5, 0040CB40, 0040CBBB, 0040CC36, 0040CCB1, 0040CD2C, 0040CDA7, 0040CE22, 0040CE9D, 0040CF18, 0040CF93, 0040D00E, 0040D089, 0040D104, 0040D17F, 0040D1FA, 0040D275, 0040D2F0, 0040D36B, 0040D3E6, 0040D461, 0040D4DC, 0040D557, 0040D5D2, 0040D64D, 0040D6C8, 0040D743, 0040D7BE, 0040D839, 0040D8B4, 0040D92F, 0040D9AA, 0040DA25, 0040DAA0, 0040DB1B, 0040DB96, 0040DC11, 0040DC8C, 0040DD07, 0040DD82, 0040DDFD, 0040DE78, 0040DEF3, 0040DF6E, 0040DFE9, 0040E064, 0040E0DF, 0040E15A, 0040E1D5, 0040E250, 0040E2CB, 0040E346, 0040E3C1, 0040E43C, 0040E4B7, 0040E532, 0040E5AD, 0040E628, 0040E6A3, 0040E71E, 0040E799, 0040E814, 0040E88F, 0040E90A, 0040E985, 0040EA00, 0040EA7B, 0040EAF6, 0040EB71, 0040EBEC, 0040EC67, 0040ECE2, 0040ED5D, 0040EDD8, 0040EE53, 0040EECE, 0040EF49, 0040EFC4, 0040F03F, 0040F0BA, 0040F135, 0040F1B0, 0040F22B, 0040F2A6, 0040F321, 0040F39C, 0040F417, 0040F492, 0040F50D, 0040F588, 0040F603, 0040F67E, 0040F6F9, 0040F774, 0040F7EF, 0040F86A, 0040F8E5, 0040F960, 0040F9DB, 0040FA56, 0040FAD1, 0040FB4C, 0040FBC7, 0040FC42, 0040FCBD, 0040FD38, 0040FDB3, 0040FE2E, 0040FEA9, 0040FF24, 0040FF9F, 0041001A, 00410095, 00410110, 0041018B, 00410206, 00410281, 004102FC, 00410377, 004103F2, 0041046D, 004104E8, 00410563, 004105DE, 00410659, 004106D4, 0041074F, 004107CA, 00410845, 004108C0, 0041093B, 004109B6, 00410A31, 00410AAC, 00410B27, 00410BA2, 00410C1D, 00410C98, 00410D13, 00410D8E, 00410E09, 00410E84, 00410EFF, 00410F7A, 00410FF5, 00411070, 004110EB, 00411166, 004111E1, 0041125C, 004112D7, 00411352, 004113CD, 00411448, 004114C3, 0041153E, 004115B9, 00411634, 004116AF, 0041172A, 004117A5, 00411820, 0041189B, 00411916, 00411991, 00411A0C, 00411A87, 00411B02, 00411B7D, 00411BF8, 00411C73, 00411CEE, 00411D69, 00411DE4, 00411E5F, 00411EDA, 00411F55, 00411FD0, 0041204B
Decimals: %d %ld, xrefs: 00401E23, 00401E28, 00401E3A, 00401E5A, 00401E6C, 00401E89, 00401E9E, 00401F1A, 00401F95, 00402010, 0040208B, 00402106, 00402181, 004021FC, 00402277, 004022F2, 0040236D, 004023E8, 00402463, 004024DE, 00402559, 004025D4, 0040264F, 004026CA, 00402745, 004027C0, 0040283B, 004028B6, 00402931, 004029AC, 00402A27, 00402AA2, 00402B1D, 00402B98, 00402C13, 00402C8E, 00402D09, 00402D84, 00402DFF, 00402E7A, 00402EF5, 00402F70, 00402FEB, 00403066, 004030E1, 0040315C, 004031D7, 00403252, 004032CD, 00403348, 004033C3, 0040343E, 004034B9, 00403534, 004035AF, 0040362A, 004036A5, 00403720, 0040379B, 00403816, 00403891, 0040390C, 00403987, 00403A02, 00403A7D, 00403AF8, 00403B73, 00403BEE, 00403C69, 00403CE4, 00403D5F, 00403DDA, 00403E55, 00403ED0, 00403F4B, 00403FC6, 00404041, 004040BC, 00404137, 004041B2, 0040422D, 004042A8, 00404323, 0040439E, 00404419, 00404494, 0040450F, 0040458A, 00404605, 00404680, 004046FB, 00404776, 004047F1, 0040486C, 004048E7, 00404962, 004049DD, 00404A58, 00404AD3, 00404B4E, 00404BC9, 00404C44, 00404CBF, 00404D3A, 00404DB5, 00404E30, 00404EAB, 00404F26, 00404FA1, 0040501C, 00405097, 00405112, 0040518D, 00405208, 00405283, 004052FE, 00405379, 004053F4, 0040546F, 004054EA, 00405565, 004055E0, 0040565B, 004056D6, 00405751, 004057CC, 00405847, 004058C2, 0040593D, 004059B8, 00405A33, 00405AAE, 00405B29, 00405BA4, 00405C1F, 00405C9A, 00405D15, 00405D90, 00405E0B, 00405E86, 00405F01, 00405F7C, 00405FF7, 00406072, 004060ED, 00406168, 004061E3, 0040625E, 004062D9, 00406354, 004063CF, 0040644A, 004064C5, 00406540, 004065BB, 00406636, 004066B1, 0040672C, 004067A7, 00406822, 0040689D, 00406918, 00406993, 00406A0E, 00406A89, 00406B04, 00406B7F, 00406BFA, 00406C75, 00406CF0, 00406D6B, 00406DE6, 00406E61, 00406EDC, 00406F57, 00406FD2, 0040704D, 004070C8, 00407143, 004071BE, 00407239, 004072B4, 0040732F, 004073AA, 00407425, 004074A0, 0040751B, 00407596, 00407611, 0040768C, 00407707, 00407782, 004077FD, 00407878, 004078F3, 0040796E, 004079E9, 00407A64, 00407ADF, 00407B5A, 00407BD5, 00407C50, 00407CCB, 00407D46, 00407DC1, 00407E3C, 00407EB7, 00407F32, 00407FAD, 00408028, 004080A3, 0040811E, 00408199, 00408214, 0040828F, 0040830A, 00408385, 00408400, 0040847B, 004084F6, 00408571, 004085EC, 00408667, 004086E2, 0040875D, 004087D8, 00408853, 004088CE, 00408949, 004089C4, 00408A3F, 00408ABA, 00408B35, 00408BB0, 00408C2B, 00408CA6, 00408D21, 00408D9C, 00408E17, 00408E92, 00408F0D, 00408F88, 00409003, 0040907E, 004090F9, 00409174, 004091EF, 0040926A, 004092E5, 00409360, 004093DB, 00409456, 004094D1, 0040954C, 004095C7, 00409642, 004096BD, 00409738, 004097B3, 0040982E, 004098A9, 00409924, 0040999F, 00409A1A, 00409A95, 00409B10, 00409B8B, 00409C06, 00409C81, 00409CFC, 00409D77, 00409DF2, 00409E6D, 00409EE8, 00409F63, 00409FDE, 0040A059, 0040A0D4, 0040A14F, 0040A1CA, 0040A245, 0040A2C0, 0040A33B, 0040A3B6, 0040A431, 0040A4AC, 0040A527, 0040A5A2, 0040A61D, 0040A698, 0040A713, 0040A78E, 0040A809, 0040A884, 0040A8FF, 0040A97A, 0040A9F5, 0040AA70, 0040AAEB, 0040AB66, 0040ABE1, 0040AC5C, 0040ACD7, 0040AD52, 0040ADCD, 0040AE48, 0040AEC3, 0040AF3E, 0040AFB9, 0040B034, 0040B0AF, 0040B12A, 0040B1A5, 0040B220, 0040B29B, 0040B316, 0040B391, 0040B40C, 0040B487, 0040B502, 0040B57D, 0040B5F8, 0040B673, 0040B6EE, 0040B769, 0040B7E4, 0040B85F, 0040B8DA, 0040B955, 0040B9D0, 0040BA4B, 0040BAC6, 0040BB41, 0040BBBC, 0040BC37, 0040BCB2, 0040BD2D, 0040BDA8, 0040BE23, 0040BE9E, 0040BF19, 0040BF94, 0040C00F, 0040C08A, 0040C105, 0040C180, 0040C1FB, 0040C276, 0040C2F1, 0040C36C, 0040C3E7, 0040C462, 0040C4DD, 0040C558, 0040C5D3, 0040C64E, 0040C6C9, 0040C744, 0040C7BF, 0040C83A, 0040C8B5, 0040C930, 0040C9AB, 0040CA26, 0040CAA1, 0040CB1C, 0040CB97, 0040CC12, 0040CC8D, 0040CD08, 0040CD83, 0040CDFE, 0040CE79, 0040CEF4, 0040CF6F, 0040CFEA, 0040D065, 0040D0E0, 0040D15B, 0040D1D6, 0040D251, 0040D2CC, 0040D347, 0040D3C2, 0040D43D, 0040D4B8, 0040D533, 0040D5AE, 0040D629, 0040D6A4, 0040D71F, 0040D79A, 0040D815, 0040D890, 0040D90B, 0040D986, 0040DA01, 0040DA7C, 0040DAF7, 0040DB72, 0040DBED, 0040DC68, 0040DCE3, 0040DD5E, 0040DDD9, 0040DE54, 0040DECF, 0040DF4A, 0040DFC5, 0040E040, 0040E0BB, 0040E136, 0040E1B1, 0040E22C, 0040E2A7, 0040E322, 0040E39D, 0040E418, 0040E493, 0040E50E, 0040E589, 0040E604, 0040E67F, 0040E6FA, 0040E775, 0040E7F0, 0040E86B, 0040E8E6, 0040E961, 0040E9DC, 0040EA57, 0040EAD2, 0040EB4D, 0040EBC8, 0040EC43, 0040ECBE, 0040ED39, 0040EDB4, 0040EE2F, 0040EEAA, 0040EF25, 0040EFA0, 0040F01B, 0040F096, 0040F111, 0040F18C, 0040F207, 0040F282, 0040F2FD, 0040F378, 0040F3F3, 0040F46E, 0040F4E9, 0040F564, 0040F5DF, 0040F65A, 0040F6D5, 0040F750, 0040F7CB, 0040F846, 0040F8C1, 0040F93C, 0040F9B7, 0040FA32, 0040FAAD, 0040FB28, 0040FBA3, 0040FC1E, 0040FC99, 0040FD14, 0040FD8F, 0040FE0A, 0040FE85, 0040FF00, 0040FF7B, 0040FFF6, 00410071, 004100EC, 00410167, 004101E2, 0041025D, 004102D8, 00410353, 004103CE, 00410449, 004104C4, 0041053F, 004105BA, 00410635, 004106B0, 0041072B, 004107A6, 00410821, 0041089C, 00410917, 00410992, 00410A0D, 00410A88, 00410B03, 00410B7E, 00410BF9, 00410C74, 00410CEF, 00410D6A, 00410DE5, 00410E60, 00410EDB, 00410F56, 00410FD1, 0041104C, 004110C7, 00411142, 004111BD, 00411238, 004112B3, 0041132E, 004113A9, 00411424, 0041149F, 0041151A, 00411595, 00411610, 0041168B, 00411706, 00411781, 004117FC, 00411877, 004118F2, 0041196D, 004119E8, 00411A63, 00411ADE, 00411B59, 00411BD4, 00411C4F, 00411CCA, 00411D45, 00411DC0, 00411E3B, 00411EB6, 00411F31, 00411FAC, 00412027
%s , xrefs: 00401F00, 00401F7B, 00401FF6, 00402071, 004020EC, 00402167, 004021E2, 0040225D, 004022D8, 00402353, 004023CE, 00402449, 004024C4, 0040253F, 004025BA, 00402635, 004026B0, 0040272B, 004027A6, 00402821, 0040289C, 00402917, 00402992, 00402A0D, 00402A88, 00402B03, 00402B7E, 00402BF9, 00402C74, 00402CEF, 00402D6A, 00402DE5, 00402E60, 00402EDB, 00402F56, 00402FD1, 0040304C, 004030C7, 00403142, 004031BD, 00403238, 004032B3, 0040332E, 004033A9, 00403424, 0040349F, 0040351A, 00403595, 00403610, 0040368B, 00403706, 00403781, 004037FC, 00403877, 004038F2, 0040396D, 004039E8, 00403A63, 00403ADE, 00403B59, 00403BD4, 00403C4F, 00403CCA, 00403D45, 00403DC0, 00403E3B, 00403EB6, 00403F31, 00403FAC, 00404027, 004040A2, 0040411D, 00404198, 00404213, 0040428E, 00404309, 00404384, 004043FF, 0040447A, 004044F5, 00404570, 004045EB, 00404666, 004046E1, 0040475C, 004047D7, 00404852, 004048CD, 00404948, 004049C3, 00404A3E, 00404AB9, 00404B34, 00404BAF, 00404C2A, 00404CA5, 00404D20, 00404D9B, 00404E16, 00404E91, 00404F0C, 00404F87, 00405002, 0040507D, 004050F8, 00405173, 004051EE, 00405269, 004052E4, 0040535F, 004053DA, 00405455, 004054D0, 0040554B, 004055C6, 00405641, 004056BC, 00405737, 004057B2, 0040582D, 004058A8, 00405923, 0040599E, 00405A19, 00405A94, 00405B0F, 00405B8A, 00405C05, 00405C80, 00405CFB, 00405D76, 00405DF1, 00405E6C, 00405EE7, 00405F62, 00405FDD, 00406058, 004060D3, 0040614E, 004061C9, 00406244, 004062BF, 0040633A, 004063B5, 00406430, 004064AB, 00406526, 004065A1, 0040661C, 00406697, 00406712, 0040678D, 00406808, 00406883, 004068FE, 00406979, 004069F4, 00406A6F, 00406AEA, 00406B65, 00406BE0, 00406C5B, 00406CD6, 00406D51, 00406DCC, 00406E47, 00406EC2, 00406F3D, 00406FB8, 00407033, 004070AE, 00407129, 004071A4, 0040721F, 0040729A, 00407315, 00407390, 0040740B, 00407486, 00407501, 0040757C, 004075F7, 00407672, 004076ED, 00407768, 004077E3, 0040785E, 004078D9, 00407954, 004079CF, 00407A4A, 00407AC5, 00407B40, 00407BBB, 00407C36, 00407CB1, 00407D2C, 00407DA7, 00407E22, 00407E9D, 00407F18, 00407F93, 0040800E, 00408089, 00408104, 0040817F, 004081FA, 00408275, 004082F0, 0040836B, 004083E6, 00408461, 004084DC, 00408557, 004085D2, 0040864D, 004086C8, 00408743, 004087BE, 00408839, 004088B4, 0040892F, 004089AA, 00408A25, 00408AA0, 00408B1B, 00408B96, 00408C11, 00408C8C, 00408D07, 00408D82, 00408DFD, 00408E78, 00408EF3, 00408F6E, 00408FE9, 00409064, 004090DF, 0040915A, 004091D5, 00409250, 004092CB, 00409346, 004093C1, 0040943C, 004094B7, 00409532, 004095AD, 00409628, 004096A3, 0040971E, 00409799, 00409814, 0040988F, 0040990A, 00409985, 00409A00, 00409A7B, 00409AF6, 00409B71, 00409BEC, 00409C67, 00409CE2, 00409D5D, 00409DD8, 00409E53, 00409ECE, 00409F49, 00409FC4, 0040A03F, 0040A0BA, 0040A135, 0040A1B0, 0040A22B, 0040A2A6, 0040A321, 0040A39C, 0040A417, 0040A492, 0040A50D, 0040A588, 0040A603, 0040A67E, 0040A6F9, 0040A774, 0040A7EF, 0040A86A, 0040A8E5, 0040A960, 0040A9DB, 0040AA56, 0040AAD1, 0040AB4C, 0040ABC7, 0040AC42, 0040ACBD, 0040AD38, 0040ADB3, 0040AE2E, 0040AEA9, 0040AF24, 0040AF9F, 0040B01A, 0040B095, 0040B110, 0040B18B, 0040B206, 0040B281, 0040B2FC, 0040B377, 0040B3F2, 0040B46D, 0040B4E8, 0040B563, 0040B5DE, 0040B659, 0040B6D4, 0040B74F, 0040B7CA, 0040B845, 0040B8C0, 0040B93B, 0040B9B6, 0040BA31, 0040BAAC, 0040BB27, 0040BBA2, 0040BC1D, 0040BC98, 0040BD13, 0040BD8E, 0040BE09, 0040BE84, 0040BEFF, 0040BF7A, 0040BFF5, 0040C070, 0040C0EB, 0040C166, 0040C1E1, 0040C25C, 0040C2D7, 0040C352, 0040C3CD, 0040C448, 0040C4C3, 0040C53E, 0040C5B9, 0040C634, 0040C6AF, 0040C72A, 0040C7A5, 0040C820, 0040C89B, 0040C916, 0040C991, 0040CA0C, 0040CA87, 0040CB02, 0040CB7D, 0040CBF8, 0040CC73, 0040CCEE, 0040CD69, 0040CDE4, 0040CE5F, 0040CEDA, 0040CF55, 0040CFD0, 0040D04B, 0040D0C6, 0040D141, 0040D1BC, 0040D237, 0040D2B2, 0040D32D, 0040D3A8, 0040D423, 0040D49E, 0040D519, 0040D594, 0040D60F, 0040D68A, 0040D705, 0040D780, 0040D7FB, 0040D876, 0040D8F1, 0040D96C, 0040D9E7, 0040DA62, 0040DADD, 0040DB58, 0040DBD3, 0040DC4E, 0040DCC9, 0040DD44, 0040DDBF, 0040DE3A, 0040DEB5, 0040DF30, 0040DFAB, 0040E026, 0040E0A1, 0040E11C, 0040E197, 0040E212, 0040E28D, 0040E308, 0040E383, 0040E3FE, 0040E479, 0040E4F4, 0040E56F, 0040E5EA, 0040E665, 0040E6E0, 0040E75B, 0040E7D6, 0040E851, 0040E8CC, 0040E947, 0040E9C2, 0040EA3D, 0040EAB8, 0040EB33, 0040EBAE, 0040EC29, 0040ECA4, 0040ED1F, 0040ED9A, 0040EE15, 0040EE90, 0040EF0B, 0040EF86, 0040F001, 0040F07C, 0040F0F7, 0040F172, 0040F1ED, 0040F268, 0040F2E3, 0040F35E, 0040F3D9, 0040F454, 0040F4CF, 0040F54A, 0040F5C5, 0040F640, 0040F6BB, 0040F736, 0040F7B1, 0040F82C, 0040F8A7, 0040F922, 0040F99D, 0040FA18, 0040FA93, 0040FB0E, 0040FB89, 0040FC04, 0040FC7F, 0040FCFA, 0040FD75, 0040FDF0, 0040FE6B, 0040FEE6, 0040FF61, 0040FFDC, 00410057, 004100D2, 0041014D, 004101C8, 00410243, 004102BE, 00410339, 004103B4, 0041042F, 004104AA, 00410525, 004105A0, 0041061B, 00410696, 00410711, 0041078C, 00410807, 00410882, 004108FD, 00410978, 004109F3, 00410A6E, 00410AE9, 00410B64, 00410BDF, 00410C5A, 00410CD5, 00410D50, 00410DCB, 00410E46, 00410EC1, 00410F3C, 00410FB7, 00411032, 004110AD, 00411128, 004111A3, 0041121E, 00411299, 00411314, 0041138F, 0041140A, 00411485, 00411500, 0041157B, 004115F6, 00411671, 004116EC, 00411767, 004117E2, 0041185D, 004118D8, 00411953, 004119CE, 00411A49, 00411AC4, 00411B3F, 00411BBA, 00411C35, 00411CB0, 00411D2B, 00411DA6, 00411E21, 00411E9C, 00411F17, 00411F92, 0041200D, 00412088
Width trick: %*d , xrefs: 00401EF1, 00401F6C, 00401FE7, 00402062, 004020DD, 00402158, 004021D3, 0040224E, 004022C9, 00402344, 004023BF, 0040243A, 004024B5, 00402530, 004025AB, 00402626, 004026A1, 0040271C, 00402797, 00402812, 0040288D, 00402908, 00402983, 004029FE, 00402A79, 00402AF4, 00402B6F, 00402BEA, 00402C65, 00402CE0, 00402D5B, 00402DD6, 00402E51, 00402ECC, 00402F47, 00402FC2, 0040303D, 004030B8, 00403133, 004031AE, 00403229, 004032A4, 0040331F, 0040339A, 00403415, 00403490, 0040350B, 00403586, 00403601, 0040367C, 004036F7, 00403772, 004037ED, 00403868, 004038E3, 0040395E, 004039D9, 00403A54, 00403ACF, 00403B4A, 00403BC5, 00403C40, 00403CBB, 00403D36, 00403DB1, 00403E2C, 00403EA7, 00403F22, 00403F9D, 00404018, 00404093, 0040410E, 00404189, 00404204, 0040427F, 004042FA, 00404375, 004043F0, 0040446B, 004044E6, 00404561, 004045DC, 00404657, 004046D2, 0040474D, 004047C8, 00404843, 004048BE, 00404939, 004049B4, 00404A2F, 00404AAA, 00404B25, 00404BA0, 00404C1B, 00404C96, 00404D11, 00404D8C, 00404E07, 00404E82, 00404EFD, 00404F78, 00404FF3, 0040506E, 004050E9, 00405164, 004051DF, 0040525A, 004052D5, 00405350, 004053CB, 00405446, 004054C1, 0040553C, 004055B7, 00405632, 004056AD, 00405728, 004057A3, 0040581E, 00405899, 00405914, 0040598F, 00405A0A, 00405A85, 00405B00, 00405B7B, 00405BF6, 00405C71, 00405CEC, 00405D67, 00405DE2, 00405E5D, 00405ED8, 00405F53, 00405FCE, 00406049, 004060C4, 0040613F, 004061BA, 00406235, 004062B0, 0040632B, 004063A6, 00406421, 0040649C, 00406517, 00406592, 0040660D, 00406688, 00406703, 0040677E, 004067F9, 00406874, 004068EF, 0040696A, 004069E5, 00406A60, 00406ADB, 00406B56, 00406BD1, 00406C4C, 00406CC7, 00406D42, 00406DBD, 00406E38, 00406EB3, 00406F2E, 00406FA9, 00407024, 0040709F, 0040711A, 00407195, 00407210, 0040728B, 00407306, 00407381, 004073FC, 00407477, 004074F2, 0040756D, 004075E8, 00407663, 004076DE, 00407759, 004077D4, 0040784F, 004078CA, 00407945, 004079C0, 00407A3B, 00407AB6, 00407B31, 00407BAC, 00407C27, 00407CA2, 00407D1D, 00407D98, 00407E13, 00407E8E, 00407F09, 00407F84, 00407FFF, 0040807A, 004080F5, 00408170, 004081EB, 00408266, 004082E1, 0040835C, 004083D7, 00408452, 004084CD, 00408548, 004085C3, 0040863E, 004086B9, 00408734, 004087AF, 0040882A, 004088A5, 00408920, 0040899B, 00408A16, 00408A91, 00408B0C, 00408B87, 00408C02, 00408C7D, 00408CF8, 00408D73, 00408DEE, 00408E69, 00408EE4, 00408F5F, 00408FDA, 00409055, 004090D0, 0040914B, 004091C6, 00409241, 004092BC, 00409337, 004093B2, 0040942D, 004094A8, 00409523, 0040959E, 00409619, 00409694, 0040970F, 0040978A, 00409805, 00409880, 004098FB, 00409976, 004099F1, 00409A6C, 00409AE7, 00409B62, 00409BDD, 00409C58, 00409CD3, 00409D4E, 00409DC9, 00409E44, 00409EBF, 00409F3A, 00409FB5, 0040A030, 0040A0AB, 0040A126, 0040A1A1, 0040A21C, 0040A297, 0040A312, 0040A38D, 0040A408, 0040A483, 0040A4FE, 0040A579, 0040A5F4, 0040A66F, 0040A6EA, 0040A765, 0040A7E0, 0040A85B, 0040A8D6, 0040A951, 0040A9CC, 0040AA47, 0040AAC2, 0040AB3D, 0040ABB8, 0040AC33, 0040ACAE, 0040AD29, 0040ADA4, 0040AE1F, 0040AE9A, 0040AF15, 0040AF90, 0040B00B, 0040B086, 0040B101, 0040B17C, 0040B1F7, 0040B272, 0040B2ED, 0040B368, 0040B3E3, 0040B45E, 0040B4D9, 0040B554, 0040B5CF, 0040B64A, 0040B6C5, 0040B740, 0040B7BB, 0040B836, 0040B8B1, 0040B92C, 0040B9A7, 0040BA22, 0040BA9D, 0040BB18, 0040BB93, 0040BC0E, 0040BC89, 0040BD04, 0040BD7F, 0040BDFA, 0040BE75, 0040BEF0, 0040BF6B, 0040BFE6, 0040C061, 0040C0DC, 0040C157, 0040C1D2, 0040C24D, 0040C2C8, 0040C343, 0040C3BE, 0040C439, 0040C4B4, 0040C52F, 0040C5AA, 0040C625, 0040C6A0, 0040C71B, 0040C796, 0040C811, 0040C88C, 0040C907, 0040C982, 0040C9FD, 0040CA78, 0040CAF3, 0040CB6E, 0040CBE9, 0040CC64, 0040CCDF, 0040CD5A, 0040CDD5, 0040CE50, 0040CECB, 0040CF46, 0040CFC1, 0040D03C, 0040D0B7, 0040D132, 0040D1AD, 0040D228, 0040D2A3, 0040D31E, 0040D399, 0040D414, 0040D48F, 0040D50A, 0040D585, 0040D600, 0040D67B, 0040D6F6, 0040D771, 0040D7EC, 0040D867, 0040D8E2, 0040D95D, 0040D9D8, 0040DA53, 0040DACE, 0040DB49, 0040DBC4, 0040DC3F, 0040DCBA, 0040DD35, 0040DDB0, 0040DE2B, 0040DEA6, 0040DF21, 0040DF9C, 0040E017, 0040E092, 0040E10D, 0040E188, 0040E203, 0040E27E, 0040E2F9, 0040E374, 0040E3EF, 0040E46A, 0040E4E5, 0040E560, 0040E5DB, 0040E656, 0040E6D1, 0040E74C, 0040E7C7, 0040E842, 0040E8BD, 0040E938, 0040E9B3, 0040EA2E, 0040EAA9, 0040EB24, 0040EB9F, 0040EC1A, 0040EC95, 0040ED10, 0040ED8B, 0040EE06, 0040EE81, 0040EEFC, 0040EF77, 0040EFF2, 0040F06D, 0040F0E8, 0040F163, 0040F1DE, 0040F259, 0040F2D4, 0040F34F, 0040F3CA, 0040F445, 0040F4C0, 0040F53B, 0040F5B6, 0040F631, 0040F6AC, 0040F727, 0040F7A2, 0040F81D, 0040F898, 0040F913, 0040F98E, 0040FA09, 0040FA84, 0040FAFF, 0040FB7A, 0040FBF5, 0040FC70, 0040FCEB, 0040FD66, 0040FDE1, 0040FE5C, 0040FED7, 0040FF52, 0040FFCD, 00410048, 004100C3, 0041013E, 004101B9, 00410234, 004102AF, 0041032A, 004103A5, 00410420, 0041049B, 00410516, 00410591, 0041060C, 00410687, 00410702, 0041077D, 004107F8, 00410873, 004108EE, 00410969, 004109E4, 00410A5F, 00410ADA, 00410B55, 00410BD0, 00410C4B, 00410CC6, 00410D41, 00410DBC, 00410E37, 00410EB2, 00410F2D, 00410FA8, 00411023, 0041109E, 00411119, 00411194, 0041120F, 0041128A, 00411305, 00411380, 004113FB, 00411476, 004114F1, 0041156C, 004115E7, 00411662, 004116DD, 00411758, 004117D3, 0041184E, 004118C9, 00411944, 004119BF, 00411A3A, 00411AB5, 00411B30, 00411BAB, 00411C26, 00411CA1, 00411D1C, 00411D97, 00411E12, 00411E8D, 00411F08, 00411F83, 00411FFE, 00412079
Preceding with blanks: %10d , xrefs: 00401E41, 00401E73, 00401EA5, 00401F24, 00401F9F, 0040201A, 00402095, 00402110, 0040218B, 00402206, 00402281, 004022FC, 00402377, 004023F2, 0040246D, 004024E8, 00402563, 004025DE, 00402659, 004026D4, 0040274F, 004027CA, 00402845, 004028C0, 0040293B, 004029B6, 00402A31, 00402AAC, 00402B27, 00402BA2, 00402C1D, 00402C98, 00402D13, 00402D8E, 00402E09, 00402E84, 00402EFF, 00402F7A, 00402FF5, 00403070, 004030EB, 00403166, 004031E1, 0040325C, 004032D7, 00403352, 004033CD, 00403448, 004034C3, 0040353E, 004035B9, 00403634, 004036AF, 0040372A, 004037A5, 00403820, 0040389B, 00403916, 00403991, 00403A0C, 00403A87, 00403B02, 00403B7D, 00403BF8, 00403C73, 00403CEE, 00403D69, 00403DE4, 00403E5F, 00403EDA, 00403F55, 00403FD0, 0040404B, 004040C6, 00404141, 004041BC, 00404237, 004042B2, 0040432D, 004043A8, 00404423, 0040449E, 00404519, 00404594, 0040460F, 0040468A, 00404705, 00404780, 004047FB, 00404876, 004048F1, 0040496C, 004049E7, 00404A62, 00404ADD, 00404B58, 00404BD3, 00404C4E, 00404CC9, 00404D44, 00404DBF, 00404E3A, 00404EB5, 00404F30, 00404FAB, 00405026, 004050A1, 0040511C, 00405197, 00405212, 0040528D, 00405308, 00405383, 004053FE, 00405479, 004054F4, 0040556F, 004055EA, 00405665, 004056E0, 0040575B, 004057D6, 00405851, 004058CC, 00405947, 004059C2, 00405A3D, 00405AB8, 00405B33, 00405BAE, 00405C29, 00405CA4, 00405D1F, 00405D9A, 00405E15, 00405E90, 00405F0B, 00405F86, 00406001, 0040607C, 004060F7, 00406172, 004061ED, 00406268, 004062E3, 0040635E, 004063D9, 00406454, 004064CF, 0040654A, 004065C5, 00406640, 004066BB, 00406736, 004067B1, 0040682C, 004068A7, 00406922, 0040699D, 00406A18, 00406A93, 00406B0E, 00406B89, 00406C04, 00406C7F, 00406CFA, 00406D75, 00406DF0, 00406E6B, 00406EE6, 00406F61, 00406FDC, 00407057, 004070D2, 0040714D, 004071C8, 00407243, 004072BE, 00407339, 004073B4, 0040742F, 004074AA, 00407525, 004075A0, 0040761B, 00407696, 00407711, 0040778C, 00407807, 00407882, 004078FD, 00407978, 004079F3, 00407A6E, 00407AE9, 00407B64, 00407BDF, 00407C5A, 00407CD5, 00407D50, 00407DCB, 00407E46, 00407EC1, 00407F3C, 00407FB7, 00408032, 004080AD, 00408128, 004081A3, 0040821E, 00408299, 00408314, 0040838F, 0040840A, 00408485, 00408500, 0040857B, 004085F6, 00408671, 004086EC, 00408767, 004087E2, 0040885D, 004088D8, 00408953, 004089CE, 00408A49, 00408AC4, 00408B3F, 00408BBA, 00408C35, 00408CB0, 00408D2B, 00408DA6, 00408E21, 00408E9C, 00408F17, 00408F92, 0040900D, 00409088, 00409103, 0040917E, 004091F9, 00409274, 004092EF, 0040936A, 004093E5, 00409460, 004094DB, 00409556, 004095D1, 0040964C, 004096C7, 00409742, 004097BD, 00409838, 004098B3, 0040992E, 004099A9, 00409A24, 00409A9F, 00409B1A, 00409B95, 00409C10, 00409C8B, 00409D06, 00409D81, 00409DFC, 00409E77, 00409EF2, 00409F6D, 00409FE8, 0040A063, 0040A0DE, 0040A159, 0040A1D4, 0040A24F, 0040A2CA, 0040A345, 0040A3C0, 0040A43B, 0040A4B6, 0040A531, 0040A5AC, 0040A627, 0040A6A2, 0040A71D, 0040A798, 0040A813, 0040A88E, 0040A909, 0040A984, 0040A9FF, 0040AA7A, 0040AAF5, 0040AB70, 0040ABEB, 0040AC66, 0040ACE1, 0040AD5C, 0040ADD7, 0040AE52, 0040AECD, 0040AF48, 0040AFC3, 0040B03E, 0040B0B9, 0040B134, 0040B1AF, 0040B22A, 0040B2A5, 0040B320, 0040B39B, 0040B416, 0040B491, 0040B50C, 0040B587, 0040B602, 0040B67D, 0040B6F8, 0040B773, 0040B7EE, 0040B869, 0040B8E4, 0040B95F, 0040B9DA, 0040BA55, 0040BAD0, 0040BB4B, 0040BBC6, 0040BC41, 0040BCBC, 0040BD37, 0040BDB2, 0040BE2D, 0040BEA8, 0040BF23, 0040BF9E, 0040C019, 0040C094, 0040C10F, 0040C18A, 0040C205, 0040C280, 0040C2FB, 0040C376, 0040C3F1, 0040C46C, 0040C4E7, 0040C562, 0040C5DD, 0040C658, 0040C6D3, 0040C74E, 0040C7C9, 0040C844, 0040C8BF, 0040C93A, 0040C9B5, 0040CA30, 0040CAAB, 0040CB26, 0040CBA1, 0040CC1C, 0040CC97, 0040CD12, 0040CD8D, 0040CE08, 0040CE83, 0040CEFE, 0040CF79, 0040CFF4, 0040D06F, 0040D0EA, 0040D165, 0040D1E0, 0040D25B, 0040D2D6, 0040D351, 0040D3CC, 0040D447, 0040D4C2, 0040D53D, 0040D5B8, 0040D633, 0040D6AE, 0040D729, 0040D7A4, 0040D81F, 0040D89A, 0040D915, 0040D990, 0040DA0B, 0040DA86, 0040DB01, 0040DB7C, 0040DBF7, 0040DC72, 0040DCED, 0040DD68, 0040DDE3, 0040DE5E, 0040DED9, 0040DF54, 0040DFCF, 0040E04A, 0040E0C5, 0040E140, 0040E1BB, 0040E236, 0040E2B1, 0040E32C, 0040E3A7, 0040E422, 0040E49D, 0040E518, 0040E593, 0040E60E, 0040E689, 0040E704, 0040E77F, 0040E7FA, 0040E875, 0040E8F0, 0040E96B, 0040E9E6, 0040EA61, 0040EADC, 0040EB57, 0040EBD2, 0040EC4D, 0040ECC8, 0040ED43, 0040EDBE, 0040EE39, 0040EEB4, 0040EF2F, 0040EFAA, 0040F025, 0040F0A0, 0040F11B, 0040F196, 0040F211, 0040F28C, 0040F307, 0040F382, 0040F3FD, 0040F478, 0040F4F3, 0040F56E, 0040F5E9, 0040F664, 0040F6DF, 0040F75A, 0040F7D5, 0040F850, 0040F8CB, 0040F946, 0040F9C1, 0040FA3C, 0040FAB7, 0040FB32, 0040FBAD, 0040FC28, 0040FCA3, 0040FD1E, 0040FD99, 0040FE14, 0040FE8F, 0040FF0A, 0040FF85, 00410000, 0041007B, 004100F6, 00410171, 004101EC, 00410267, 004102E2, 0041035D, 004103D8, 00410453, 004104CE, 00410549, 004105C4, 0041063F, 004106BA, 00410735, 004107B0, 0041082B, 004108A6, 00410921, 0041099C, 00410A17, 00410A92, 00410B0D, 00410B88, 00410C03, 00410C7E, 00410CF9, 00410D74, 00410DEF, 00410E6A, 00410EE5, 00410F60, 00410FDB, 00411056, 004110D1, 0041114C, 004111C7, 00411242, 004112BD, 00411338, 004113B3, 0041142E, 004114A9, 00411524, 0041159F, 0041161A, 00411695, 00411710, 0041178B, 00411806, 00411881, 004118FC, 00411977, 004119F2, 00411A6D, 00411AE8, 00411B63, 00411BDE, 00411C59, 00411CD4, 00411D4F, 00411DCA, 00411E45, 00411EC0, 00411F3B, 00411FB6, 00412031
A string, xrefs: 00401EFB, 00401F76, 00401FF1, 0040206C, 004020E7, 00402162, 004021DD, 00402258, 004022D3, 0040234E, 004023C9, 00402444, 004024BF, 0040253A, 004025B5, 00402630, 004026AB, 00402726, 004027A1, 0040281C, 00402897, 00402912, 0040298D, 00402A08, 00402A83, 00402AFE, 00402B79, 00402BF4, 00402C6F, 00402CEA, 00402D65, 00402DE0, 00402E5B, 00402ED6, 00402F51, 00402FCC, 00403047, 004030C2, 0040313D, 004031B8, 00403233, 004032AE, 00403329, 004033A4, 0040341F, 0040349A, 00403515, 00403590, 0040360B, 00403686, 00403701, 0040377C, 004037F7, 00403872, 004038ED, 00403968, 004039E3, 00403A5E, 00403AD9, 00403B54, 00403BCF, 00403C4A, 00403CC5, 00403D40, 00403DBB, 00403E36, 00403EB1, 00403F2C, 00403FA7, 00404022, 0040409D, 00404118, 00404193, 0040420E, 00404289, 00404304, 0040437F, 004043FA, 00404475, 004044F0, 0040456B, 004045E6, 00404661, 004046DC, 00404757, 004047D2, 0040484D, 004048C8, 00404943, 004049BE, 00404A39, 00404AB4, 00404B2F, 00404BAA, 00404C25, 00404CA0, 00404D1B, 00404D96, 00404E11, 00404E8C, 00404F07, 00404F82, 00404FFD, 00405078, 004050F3, 0040516E, 004051E9, 00405264, 004052DF, 0040535A, 004053D5, 00405450, 004054CB, 00405546, 004055C1, 0040563C, 004056B7, 00405732, 004057AD, 00405828, 004058A3, 0040591E, 00405999, 00405A14, 00405A8F, 00405B0A, 00405B85, 00405C00, 00405C7B, 00405CF6, 00405D71, 00405DEC, 00405E67, 00405EE2, 00405F5D, 00405FD8, 00406053, 004060CE, 00406149, 004061C4, 0040623F, 004062BA, 00406335, 004063B0, 0040642B, 004064A6, 00406521, 0040659C, 00406617, 00406692, 0040670D, 00406788, 00406803, 0040687E, 004068F9, 00406974, 004069EF, 00406A6A, 00406AE5, 00406B60, 00406BDB, 00406C56, 00406CD1, 00406D4C, 00406DC7, 00406E42, 00406EBD, 00406F38, 00406FB3, 0040702E, 004070A9, 00407124, 0040719F, 0040721A, 00407295, 00407310, 0040738B, 00407406, 00407481, 004074FC, 00407577, 004075F2, 0040766D, 004076E8, 00407763, 004077DE, 00407859, 004078D4, 0040794F, 004079CA, 00407A45, 00407AC0, 00407B3B, 00407BB6, 00407C31, 00407CAC, 00407D27, 00407DA2, 00407E1D, 00407E98, 00407F13, 00407F8E, 00408009, 00408084, 004080FF, 0040817A, 004081F5, 00408270, 004082EB, 00408366, 004083E1, 0040845C, 004084D7, 00408552, 004085CD, 00408648, 004086C3, 0040873E, 004087B9, 00408834, 004088AF, 0040892A, 004089A5, 00408A20, 00408A9B, 00408B16, 00408B91, 00408C0C, 00408C87, 00408D02, 00408D7D, 00408DF8, 00408E73, 00408EEE, 00408F69, 00408FE4, 0040905F, 004090DA, 00409155, 004091D0, 0040924B, 004092C6, 00409341, 004093BC, 00409437, 004094B2, 0040952D, 004095A8, 00409623, 0040969E, 00409719, 00409794, 0040980F, 0040988A, 00409905, 00409980, 004099FB, 00409A76, 00409AF1, 00409B6C, 00409BE7, 00409C62, 00409CDD, 00409D58, 00409DD3, 00409E4E, 00409EC9, 00409F44, 00409FBF, 0040A03A, 0040A0B5, 0040A130, 0040A1AB, 0040A226, 0040A2A1, 0040A31C, 0040A397, 0040A412, 0040A48D, 0040A508, 0040A583, 0040A5FE, 0040A679, 0040A6F4, 0040A76F, 0040A7EA, 0040A865, 0040A8E0, 0040A95B, 0040A9D6, 0040AA51, 0040AACC, 0040AB47, 0040ABC2, 0040AC3D, 0040ACB8, 0040AD33, 0040ADAE, 0040AE29, 0040AEA4, 0040AF1F, 0040AF9A, 0040B015, 0040B090, 0040B10B, 0040B186, 0040B201, 0040B27C, 0040B2F7, 0040B372, 0040B3ED, 0040B468, 0040B4E3, 0040B55E, 0040B5D9, 0040B654, 0040B6CF, 0040B74A, 0040B7C5, 0040B840, 0040B8BB, 0040B936, 0040B9B1, 0040BA2C, 0040BAA7, 0040BB22, 0040BB9D, 0040BC18, 0040BC93, 0040BD0E, 0040BD89, 0040BE04, 0040BE7F, 0040BEFA, 0040BF75, 0040BFF0, 0040C06B, 0040C0E6, 0040C161, 0040C1DC, 0040C257, 0040C2D2, 0040C34D, 0040C3C8, 0040C443, 0040C4BE, 0040C539, 0040C5B4, 0040C62F, 0040C6AA, 0040C725, 0040C7A0, 0040C81B, 0040C896, 0040C911, 0040C98C, 0040CA07, 0040CA82, 0040CAFD, 0040CB78, 0040CBF3, 0040CC6E, 0040CCE9, 0040CD64, 0040CDDF, 0040CE5A, 0040CED5, 0040CF50, 0040CFCB, 0040D046, 0040D0C1, 0040D13C, 0040D1B7, 0040D232, 0040D2AD, 0040D328, 0040D3A3, 0040D41E, 0040D499, 0040D514, 0040D58F, 0040D60A, 0040D685, 0040D700, 0040D77B, 0040D7F6, 0040D871, 0040D8EC, 0040D967, 0040D9E2, 0040DA5D, 0040DAD8, 0040DB53, 0040DBCE, 0040DC49, 0040DCC4, 0040DD3F, 0040DDBA, 0040DE35, 0040DEB0, 0040DF2B, 0040DFA6, 0040E021, 0040E09C, 0040E117, 0040E192, 0040E20D, 0040E288, 0040E303, 0040E37E, 0040E3F9, 0040E474, 0040E4EF, 0040E56A, 0040E5E5, 0040E660, 0040E6DB, 0040E756, 0040E7D1, 0040E84C, 0040E8C7, 0040E942, 0040E9BD, 0040EA38, 0040EAB3, 0040EB2E, 0040EBA9, 0040EC24, 0040EC9F, 0040ED1A, 0040ED95, 0040EE10, 0040EE8B, 0040EF06, 0040EF81, 0040EFFC, 0040F077, 0040F0F2, 0040F16D, 0040F1E8, 0040F263, 0040F2DE, 0040F359, 0040F3D4, 0040F44F, 0040F4CA, 0040F545, 0040F5C0, 0040F63B, 0040F6B6, 0040F731, 0040F7AC, 0040F827, 0040F8A2, 0040F91D, 0040F998, 0040FA13, 0040FA8E, 0040FB09, 0040FB84, 0040FBFF, 0040FC7A, 0040FCF5, 0040FD70, 0040FDEB, 0040FE66, 0040FEE1, 0040FF5C, 0040FFD7, 00410052, 004100CD, 00410148, 004101C3, 0041023E, 004102B9, 00410334, 004103AF, 0041042A, 004104A5, 00410520, 0041059B, 00410616, 00410691, 0041070C, 00410787, 00410802, 0041087D, 004108F8, 00410973, 004109EE, 00410A69, 00410AE4, 00410B5F, 00410BDA, 00410C55, 00410CD0, 00410D4B, 00410DC6, 00410E41, 00410EBC, 00410F37, 00410FB2, 0041102D, 004110A8, 00411123, 0041119E, 00411219, 00411294, 0041130F, 0041138A, 00411405, 00411480, 004114FB, 00411576, 004115F1, 0041166C, 004116E7, 00411762, 004117DD, 00411858, 004118D3, 0041194E, 004119C9, 00411A44, 00411ABF, 00411B3A, 00411BB5, 00411C30, 00411CAB, 00411D26, 00411DA1, 00411E1C, 00411E97, 00411F12, 00411F8D, 00412008, 00412083
Preceding with zeros: %010d , xrefs: 00401EB0, 00401F2F, 00401FAA, 00402025, 004020A0, 0040211B, 00402196, 00402211, 0040228C, 00402307, 00402382, 004023FD, 00402478, 004024F3, 0040256E, 004025E9, 00402664, 004026DF, 0040275A, 004027D5, 00402850, 004028CB, 00402946, 004029C1, 00402A3C, 00402AB7, 00402B32, 00402BAD, 00402C28, 00402CA3, 00402D1E, 00402D99, 00402E14, 00402E8F, 00402F0A, 00402F85, 00403000, 0040307B, 004030F6, 00403171, 004031EC, 00403267, 004032E2, 0040335D, 004033D8, 00403453, 004034CE, 00403549, 004035C4, 0040363F, 004036BA, 00403735, 004037B0, 0040382B, 004038A6, 00403921, 0040399C, 00403A17, 00403A92, 00403B0D, 00403B88, 00403C03, 00403C7E, 00403CF9, 00403D74, 00403DEF, 00403E6A, 00403EE5, 00403F60, 00403FDB, 00404056, 004040D1, 0040414C, 004041C7, 00404242, 004042BD, 00404338, 004043B3, 0040442E, 004044A9, 00404524, 0040459F, 0040461A, 00404695, 00404710, 0040478B, 00404806, 00404881, 004048FC, 00404977, 004049F2, 00404A6D, 00404AE8, 00404B63, 00404BDE, 00404C59, 00404CD4, 00404D4F, 00404DCA, 00404E45, 00404EC0, 00404F3B, 00404FB6, 00405031, 004050AC, 00405127, 004051A2, 0040521D, 00405298, 00405313, 0040538E, 00405409, 00405484, 004054FF, 0040557A, 004055F5, 00405670, 004056EB, 00405766, 004057E1, 0040585C, 004058D7, 00405952, 004059CD, 00405A48, 00405AC3, 00405B3E, 00405BB9, 00405C34, 00405CAF, 00405D2A, 00405DA5, 00405E20, 00405E9B, 00405F16, 00405F91, 0040600C, 00406087, 00406102, 0040617D, 004061F8, 00406273, 004062EE, 00406369, 004063E4, 0040645F, 004064DA, 00406555, 004065D0, 0040664B, 004066C6, 00406741, 004067BC, 00406837, 004068B2, 0040692D, 004069A8, 00406A23, 00406A9E, 00406B19, 00406B94, 00406C0F, 00406C8A, 00406D05, 00406D80, 00406DFB, 00406E76, 00406EF1, 00406F6C, 00406FE7, 00407062, 004070DD, 00407158, 004071D3, 0040724E, 004072C9, 00407344, 004073BF, 0040743A, 004074B5, 00407530, 004075AB, 00407626, 004076A1, 0040771C, 00407797, 00407812, 0040788D, 00407908, 00407983, 004079FE, 00407A79, 00407AF4, 00407B6F, 00407BEA, 00407C65, 00407CE0, 00407D5B, 00407DD6, 00407E51, 00407ECC, 00407F47, 00407FC2, 0040803D, 004080B8, 00408133, 004081AE, 00408229, 004082A4, 0040831F, 0040839A, 00408415, 00408490, 0040850B, 00408586, 00408601, 0040867C, 004086F7, 00408772, 004087ED, 00408868, 004088E3, 0040895E, 004089D9, 00408A54, 00408ACF, 00408B4A, 00408BC5, 00408C40, 00408CBB, 00408D36, 00408DB1, 00408E2C, 00408EA7, 00408F22, 00408F9D, 00409018, 00409093, 0040910E, 00409189, 00409204, 0040927F, 004092FA, 00409375, 004093F0, 0040946B, 004094E6, 00409561, 004095DC, 00409657, 004096D2, 0040974D, 004097C8, 00409843, 004098BE, 00409939, 004099B4, 00409A2F, 00409AAA, 00409B25, 00409BA0, 00409C1B, 00409C96, 00409D11, 00409D8C, 00409E07, 00409E82, 00409EFD, 00409F78, 00409FF3, 0040A06E, 0040A0E9, 0040A164, 0040A1DF, 0040A25A, 0040A2D5, 0040A350, 0040A3CB, 0040A446, 0040A4C1, 0040A53C, 0040A5B7, 0040A632, 0040A6AD, 0040A728, 0040A7A3, 0040A81E, 0040A899, 0040A914, 0040A98F, 0040AA0A, 0040AA85, 0040AB00, 0040AB7B, 0040ABF6, 0040AC71, 0040ACEC, 0040AD67, 0040ADE2, 0040AE5D, 0040AED8, 0040AF53, 0040AFCE, 0040B049, 0040B0C4, 0040B13F, 0040B1BA, 0040B235, 0040B2B0, 0040B32B, 0040B3A6, 0040B421, 0040B49C, 0040B517, 0040B592, 0040B60D, 0040B688, 0040B703, 0040B77E, 0040B7F9, 0040B874, 0040B8EF, 0040B96A, 0040B9E5, 0040BA60, 0040BADB, 0040BB56, 0040BBD1, 0040BC4C, 0040BCC7, 0040BD42, 0040BDBD, 0040BE38, 0040BEB3, 0040BF2E, 0040BFA9, 0040C024, 0040C09F, 0040C11A, 0040C195, 0040C210, 0040C28B, 0040C306, 0040C381, 0040C3FC, 0040C477, 0040C4F2, 0040C56D, 0040C5E8, 0040C663, 0040C6DE, 0040C759, 0040C7D4, 0040C84F, 0040C8CA, 0040C945, 0040C9C0, 0040CA3B, 0040CAB6, 0040CB31, 0040CBAC, 0040CC27, 0040CCA2, 0040CD1D, 0040CD98, 0040CE13, 0040CE8E, 0040CF09, 0040CF84, 0040CFFF, 0040D07A, 0040D0F5, 0040D170, 0040D1EB, 0040D266, 0040D2E1, 0040D35C, 0040D3D7, 0040D452, 0040D4CD, 0040D548, 0040D5C3, 0040D63E, 0040D6B9, 0040D734, 0040D7AF, 0040D82A, 0040D8A5, 0040D920, 0040D99B, 0040DA16, 0040DA91, 0040DB0C, 0040DB87, 0040DC02, 0040DC7D, 0040DCF8, 0040DD73, 0040DDEE, 0040DE69, 0040DEE4, 0040DF5F, 0040DFDA, 0040E055, 0040E0D0, 0040E14B, 0040E1C6, 0040E241, 0040E2BC, 0040E337, 0040E3B2, 0040E42D, 0040E4A8, 0040E523, 0040E59E, 0040E619, 0040E694, 0040E70F, 0040E78A, 0040E805, 0040E880, 0040E8FB, 0040E976, 0040E9F1, 0040EA6C, 0040EAE7, 0040EB62, 0040EBDD, 0040EC58, 0040ECD3, 0040ED4E, 0040EDC9, 0040EE44, 0040EEBF, 0040EF3A, 0040EFB5, 0040F030, 0040F0AB, 0040F126, 0040F1A1, 0040F21C, 0040F297, 0040F312, 0040F38D, 0040F408, 0040F483, 0040F4FE, 0040F579, 0040F5F4, 0040F66F, 0040F6EA, 0040F765, 0040F7E0, 0040F85B, 0040F8D6, 0040F951, 0040F9CC, 0040FA47, 0040FAC2, 0040FB3D, 0040FBB8, 0040FC33, 0040FCAE, 0040FD29, 0040FDA4, 0040FE1F, 0040FE9A, 0040FF15, 0040FF90, 0041000B, 00410086, 00410101, 0041017C, 004101F7, 00410272, 004102ED, 00410368, 004103E3, 0041045E, 004104D9, 00410554, 004105CF, 0041064A, 004106C5, 00410740, 004107BB, 00410836, 004108B1, 0041092C, 004109A7, 00410A22, 00410A9D, 00410B18, 00410B93, 00410C0E, 00410C89, 00410D04, 00410D7F, 00410DFA, 00410E75, 00410EF0, 00410F6B, 00410FE6, 00411061, 004110DC, 00411157, 004111D2, 0041124D, 004112C8, 00411343, 004113BE, 00411439, 004114B4, 0041152F, 004115AA, 00411625, 004116A0, 0041171B, 00411796, 00411811, 0041188C, 00411907, 00411982, 004119FD, 00411A78, 00411AF3, 00411B6E, 00411BE9, 00411C64, 00411CDF, 00411D5A, 00411DD5, 00411E50, 00411ECB, 00411F46, 00411FC1, 0041203C
Characters: %c %c , xrefs: 00401E0C, 00401E11, 00401E32, 00401E4F, 00401E64, 00401E81, 00401E96, 00401F0E, 00401F89, 00402004, 0040207F, 004020FA, 00402175, 004021F0, 0040226B, 004022E6, 00402361, 004023DC, 00402457, 004024D2, 0040254D, 004025C8, 00402643, 004026BE, 00402739, 004027B4, 0040282F, 004028AA, 00402925, 004029A0, 00402A1B, 00402A96, 00402B11, 00402B8C, 00402C07, 00402C82, 00402CFD, 00402D78, 00402DF3, 00402E6E, 00402EE9, 00402F64, 00402FDF, 0040305A, 004030D5, 00403150, 004031CB, 00403246, 004032C1, 0040333C, 004033B7, 00403432, 004034AD, 00403528, 004035A3, 0040361E, 00403699, 00403714, 0040378F, 0040380A, 00403885, 00403900, 0040397B, 004039F6, 00403A71, 00403AEC, 00403B67, 00403BE2, 00403C5D, 00403CD8, 00403D53, 00403DCE, 00403E49, 00403EC4, 00403F3F, 00403FBA, 00404035, 004040B0, 0040412B, 004041A6, 00404221, 0040429C, 00404317, 00404392, 0040440D, 00404488, 00404503, 0040457E, 004045F9, 00404674, 004046EF, 0040476A, 004047E5, 00404860, 004048DB, 00404956, 004049D1, 00404A4C, 00404AC7, 00404B42, 00404BBD, 00404C38, 00404CB3, 00404D2E, 00404DA9, 00404E24, 00404E9F, 00404F1A, 00404F95, 00405010, 0040508B, 00405106, 00405181, 004051FC, 00405277, 004052F2, 0040536D, 004053E8, 00405463, 004054DE, 00405559, 004055D4, 0040564F, 004056CA, 00405745, 004057C0, 0040583B, 004058B6, 00405931, 004059AC, 00405A27, 00405AA2, 00405B1D, 00405B98, 00405C13, 00405C8E, 00405D09, 00405D84, 00405DFF, 00405E7A, 00405EF5, 00405F70, 00405FEB, 00406066, 004060E1, 0040615C, 004061D7, 00406252, 004062CD, 00406348, 004063C3, 0040643E, 004064B9, 00406534, 004065AF, 0040662A, 004066A5, 00406720, 0040679B, 00406816, 00406891, 0040690C, 00406987, 00406A02, 00406A7D, 00406AF8, 00406B73, 00406BEE, 00406C69, 00406CE4, 00406D5F, 00406DDA, 00406E55, 00406ED0, 00406F4B, 00406FC6, 00407041, 004070BC, 00407137, 004071B2, 0040722D, 004072A8, 00407323, 0040739E, 00407419, 00407494, 0040750F, 0040758A, 00407605, 00407680, 004076FB, 00407776, 004077F1, 0040786C, 004078E7, 00407962, 004079DD, 00407A58, 00407AD3, 00407B4E, 00407BC9, 00407C44, 00407CBF, 00407D3A, 00407DB5, 00407E30, 00407EAB, 00407F26, 00407FA1, 0040801C, 00408097, 00408112, 0040818D, 00408208, 00408283, 004082FE, 00408379, 004083F4, 0040846F, 004084EA, 00408565, 004085E0, 0040865B, 004086D6, 00408751, 004087CC, 00408847, 004088C2, 0040893D, 004089B8, 00408A33, 00408AAE, 00408B29, 00408BA4, 00408C1F, 00408C9A, 00408D15, 00408D90, 00408E0B, 00408E86, 00408F01, 00408F7C, 00408FF7, 00409072, 004090ED, 00409168, 004091E3, 0040925E, 004092D9, 00409354, 004093CF, 0040944A, 004094C5, 00409540, 004095BB, 00409636, 004096B1, 0040972C, 004097A7, 00409822, 0040989D, 00409918, 00409993, 00409A0E, 00409A89, 00409B04, 00409B7F, 00409BFA, 00409C75, 00409CF0, 00409D6B, 00409DE6, 00409E61, 00409EDC, 00409F57, 00409FD2, 0040A04D, 0040A0C8, 0040A143, 0040A1BE, 0040A239, 0040A2B4, 0040A32F, 0040A3AA, 0040A425, 0040A4A0, 0040A51B, 0040A596, 0040A611, 0040A68C, 0040A707, 0040A782, 0040A7FD, 0040A878, 0040A8F3, 0040A96E, 0040A9E9, 0040AA64, 0040AADF, 0040AB5A, 0040ABD5, 0040AC50, 0040ACCB, 0040AD46, 0040ADC1, 0040AE3C, 0040AEB7, 0040AF32, 0040AFAD, 0040B028, 0040B0A3, 0040B11E, 0040B199, 0040B214, 0040B28F, 0040B30A, 0040B385, 0040B400, 0040B47B, 0040B4F6, 0040B571, 0040B5EC, 0040B667, 0040B6E2, 0040B75D, 0040B7D8, 0040B853, 0040B8CE, 0040B949, 0040B9C4, 0040BA3F, 0040BABA, 0040BB35, 0040BBB0, 0040BC2B, 0040BCA6, 0040BD21, 0040BD9C, 0040BE17, 0040BE92, 0040BF0D, 0040BF88, 0040C003, 0040C07E, 0040C0F9, 0040C174, 0040C1EF, 0040C26A, 0040C2E5, 0040C360, 0040C3DB, 0040C456, 0040C4D1, 0040C54C, 0040C5C7, 0040C642, 0040C6BD, 0040C738, 0040C7B3, 0040C82E, 0040C8A9, 0040C924, 0040C99F, 0040CA1A, 0040CA95, 0040CB10, 0040CB8B, 0040CC06, 0040CC81, 0040CCFC, 0040CD77, 0040CDF2, 0040CE6D, 0040CEE8, 0040CF63, 0040CFDE, 0040D059, 0040D0D4, 0040D14F, 0040D1CA, 0040D245, 0040D2C0, 0040D33B, 0040D3B6, 0040D431, 0040D4AC, 0040D527, 0040D5A2, 0040D61D, 0040D698, 0040D713, 0040D78E, 0040D809, 0040D884, 0040D8FF, 0040D97A, 0040D9F5, 0040DA70, 0040DAEB, 0040DB66, 0040DBE1, 0040DC5C, 0040DCD7, 0040DD52, 0040DDCD, 0040DE48, 0040DEC3, 0040DF3E, 0040DFB9, 0040E034, 0040E0AF, 0040E12A, 0040E1A5, 0040E220, 0040E29B, 0040E316, 0040E391, 0040E40C, 0040E487, 0040E502, 0040E57D, 0040E5F8, 0040E673, 0040E6EE, 0040E769, 0040E7E4, 0040E85F, 0040E8DA, 0040E955, 0040E9D0, 0040EA4B, 0040EAC6, 0040EB41, 0040EBBC, 0040EC37, 0040ECB2, 0040ED2D, 0040EDA8, 0040EE23, 0040EE9E, 0040EF19, 0040EF94, 0040F00F, 0040F08A, 0040F105, 0040F180, 0040F1FB, 0040F276, 0040F2F1, 0040F36C, 0040F3E7, 0040F462, 0040F4DD, 0040F558, 0040F5D3, 0040F64E, 0040F6C9, 0040F744, 0040F7BF, 0040F83A, 0040F8B5, 0040F930, 0040F9AB, 0040FA26, 0040FAA1, 0040FB1C, 0040FB97, 0040FC12, 0040FC8D, 0040FD08, 0040FD83, 0040FDFE, 0040FE79, 0040FEF4, 0040FF6F, 0040FFEA, 00410065, 004100E0, 0041015B, 004101D6, 00410251, 004102CC, 00410347, 004103C2, 0041043D, 004104B8, 00410533, 004105AE, 00410629, 004106A4, 0041071F, 0041079A, 00410815, 00410890, 0041090B, 00410986, 00410A01, 00410A7C, 00410AF7, 00410B72, 00410BED, 00410C68, 00410CE3, 00410D5E, 00410DD9, 00410E54, 00410ECF, 00410F4A, 00410FC5, 00411040, 004110BB, 00411136, 004111B1, 0041122C, 004112A7, 00411322, 0041139D, 00411418, 00411493, 0041150E, 00411589, 00411604, 0041167F, 004116FA, 00411775, 004117F0, 0041186B, 004118E6, 00411961, 004119DC, 00411A57, 00411AD2, 00411B4D, 00411BC8, 00411C43, 00411CBE, 00411D39, 00411DB4, 00411E2F, 00411EAA, 00411F25, 00411FA0, 0041201B, 00412096
floats: %4.2f %+.0e %E , xrefs: 00401EE3, 00401F5E, 00401FD9, 00402054, 004020CF, 0040214A, 004021C5, 00402240, 004022BB, 00402336, 004023B1, 0040242C, 004024A7, 00402522, 0040259D, 00402618, 00402693, 0040270E, 00402789, 00402804, 0040287F, 004028FA, 00402975, 004029F0, 00402A6B, 00402AE6, 00402B61, 00402BDC, 00402C57, 00402CD2, 00402D4D, 00402DC8, 00402E43, 00402EBE, 00402F39, 00402FB4, 0040302F, 004030AA, 00403125, 004031A0, 0040321B, 00403296, 00403311, 0040338C, 00403407, 00403482, 004034FD, 00403578, 004035F3, 0040366E, 004036E9, 00403764, 004037DF, 0040385A, 004038D5, 00403950, 004039CB, 00403A46, 00403AC1, 00403B3C, 00403BB7, 00403C32, 00403CAD, 00403D28, 00403DA3, 00403E1E, 00403E99, 00403F14, 00403F8F, 0040400A, 00404085, 00404100, 0040417B, 004041F6, 00404271, 004042EC, 00404367, 004043E2, 0040445D, 004044D8, 00404553, 004045CE, 00404649, 004046C4, 0040473F, 004047BA, 00404835, 004048B0, 0040492B, 004049A6, 00404A21, 00404A9C, 00404B17, 00404B92, 00404C0D, 00404C88, 00404D03, 00404D7E, 00404DF9, 00404E74, 00404EEF, 00404F6A, 00404FE5, 00405060, 004050DB, 00405156, 004051D1, 0040524C, 004052C7, 00405342, 004053BD, 00405438, 004054B3, 0040552E, 004055A9, 00405624, 0040569F, 0040571A, 00405795, 00405810, 0040588B, 00405906, 00405981, 004059FC, 00405A77, 00405AF2, 00405B6D, 00405BE8, 00405C63, 00405CDE, 00405D59, 00405DD4, 00405E4F, 00405ECA, 00405F45, 00405FC0, 0040603B, 004060B6, 00406131, 004061AC, 00406227, 004062A2, 0040631D, 00406398, 00406413, 0040648E, 00406509, 00406584, 004065FF, 0040667A, 004066F5, 00406770, 004067EB, 00406866, 004068E1, 0040695C, 004069D7, 00406A52, 00406ACD, 00406B48, 00406BC3, 00406C3E, 00406CB9, 00406D34, 00406DAF, 00406E2A, 00406EA5, 00406F20, 00406F9B, 00407016, 00407091, 0040710C, 00407187, 00407202, 0040727D, 004072F8, 00407373, 004073EE, 00407469, 004074E4, 0040755F, 004075DA, 00407655, 004076D0, 0040774B, 004077C6, 00407841, 004078BC, 00407937, 004079B2, 00407A2D, 00407AA8, 00407B23, 00407B9E, 00407C19, 00407C94, 00407D0F, 00407D8A, 00407E05, 00407E80, 00407EFB, 00407F76, 00407FF1, 0040806C, 004080E7, 00408162, 004081DD, 00408258, 004082D3, 0040834E, 004083C9, 00408444, 004084BF, 0040853A, 004085B5, 00408630, 004086AB, 00408726, 004087A1, 0040881C, 00408897, 00408912, 0040898D, 00408A08, 00408A83, 00408AFE, 00408B79, 00408BF4, 00408C6F, 00408CEA, 00408D65, 00408DE0, 00408E5B, 00408ED6, 00408F51, 00408FCC, 00409047, 004090C2, 0040913D, 004091B8, 00409233, 004092AE, 00409329, 004093A4, 0040941F, 0040949A, 00409515, 00409590, 0040960B, 00409686, 00409701, 0040977C, 004097F7, 00409872, 004098ED, 00409968, 004099E3, 00409A5E, 00409AD9, 00409B54, 00409BCF, 00409C4A, 00409CC5, 00409D40, 00409DBB, 00409E36, 00409EB1, 00409F2C, 00409FA7, 0040A022, 0040A09D, 0040A118, 0040A193, 0040A20E, 0040A289, 0040A304, 0040A37F, 0040A3FA, 0040A475, 0040A4F0, 0040A56B, 0040A5E6, 0040A661, 0040A6DC, 0040A757, 0040A7D2, 0040A84D, 0040A8C8, 0040A943, 0040A9BE, 0040AA39, 0040AAB4, 0040AB2F, 0040ABAA, 0040AC25, 0040ACA0, 0040AD1B, 0040AD96, 0040AE11, 0040AE8C, 0040AF07, 0040AF82, 0040AFFD, 0040B078, 0040B0F3, 0040B16E, 0040B1E9, 0040B264, 0040B2DF, 0040B35A, 0040B3D5, 0040B450, 0040B4CB, 0040B546, 0040B5C1, 0040B63C, 0040B6B7, 0040B732, 0040B7AD, 0040B828, 0040B8A3, 0040B91E, 0040B999, 0040BA14, 0040BA8F, 0040BB0A, 0040BB85, 0040BC00, 0040BC7B, 0040BCF6, 0040BD71, 0040BDEC, 0040BE67, 0040BEE2, 0040BF5D, 0040BFD8, 0040C053, 0040C0CE, 0040C149, 0040C1C4, 0040C23F, 0040C2BA, 0040C335, 0040C3B0, 0040C42B, 0040C4A6, 0040C521, 0040C59C, 0040C617, 0040C692, 0040C70D, 0040C788, 0040C803, 0040C87E, 0040C8F9, 0040C974, 0040C9EF, 0040CA6A, 0040CAE5, 0040CB60, 0040CBDB, 0040CC56, 0040CCD1, 0040CD4C, 0040CDC7, 0040CE42, 0040CEBD, 0040CF38, 0040CFB3, 0040D02E, 0040D0A9, 0040D124, 0040D19F, 0040D21A, 0040D295, 0040D310, 0040D38B, 0040D406, 0040D481, 0040D4FC, 0040D577, 0040D5F2, 0040D66D, 0040D6E8, 0040D763, 0040D7DE, 0040D859, 0040D8D4, 0040D94F, 0040D9CA, 0040DA45, 0040DAC0, 0040DB3B, 0040DBB6, 0040DC31, 0040DCAC, 0040DD27, 0040DDA2, 0040DE1D, 0040DE98, 0040DF13, 0040DF8E, 0040E009, 0040E084, 0040E0FF, 0040E17A, 0040E1F5, 0040E270, 0040E2EB, 0040E366, 0040E3E1, 0040E45C, 0040E4D7, 0040E552, 0040E5CD, 0040E648, 0040E6C3, 0040E73E, 0040E7B9, 0040E834, 0040E8AF, 0040E92A, 0040E9A5, 0040EA20, 0040EA9B, 0040EB16, 0040EB91, 0040EC0C, 0040EC87, 0040ED02, 0040ED7D, 0040EDF8, 0040EE73, 0040EEEE, 0040EF69, 0040EFE4, 0040F05F, 0040F0DA, 0040F155, 0040F1D0, 0040F24B, 0040F2C6, 0040F341, 0040F3BC, 0040F437, 0040F4B2, 0040F52D, 0040F5A8, 0040F623, 0040F69E, 0040F719, 0040F794, 0040F80F, 0040F88A, 0040F905, 0040F980, 0040F9FB, 0040FA76, 0040FAF1, 0040FB6C, 0040FBE7, 0040FC62, 0040FCDD, 0040FD58, 0040FDD3, 0040FE4E, 0040FEC9, 0040FF44, 0040FFBF, 0041003A, 004100B5, 00410130, 004101AB, 00410226, 004102A1, 0041031C, 00410397, 00410412, 0041048D, 00410508, 00410583, 004105FE, 00410679, 004106F4, 0041076F, 004107EA, 00410865, 004108E0, 0041095B, 004109D6, 00410A51, 00410ACC, 00410B47, 00410BC2, 00410C3D, 00410CB8, 00410D33, 00410DAE, 00410E29, 00410EA4, 00410F1F, 00410F9A, 00411015, 00411090, 0041110B, 00411186, 00411201, 0041127C, 004112F7, 00411372, 004113ED, 00411468, 004114E3, 0041155E, 004115D9, 00411654, 004116CF, 0041174A, 004117C5, 00411840, 004118BB, 00411936, 004119B1, 00411A2C, 00411AA7, 00411B22, 00411B9D, 00411C18, 00411C93, 00411D0E, 00411D89, 00411E04, 00411E7F, 00411EFA, 00411F75, 00411FF0, 0041206B

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: CallProcWindow$AllocByteCharLoadMultiStringVirtualWide
String ID: %s $A string$Characters: %c %c $Decimals: %d %ld$Preceding with blanks: %10d $Preceding with zeros: %010d $Some different radices: %d %x %o %#x %#o $Width trick: %*d $floats: %4.2f %+.0e %E
API String ID: 965092674-1380062066
Opcode ID: 4faedc87637a6878093169c4d3d605fe4ab5dc08f946da224ed09edfd01ae1de
Instruction ID: 0aebab6a80ce3fde290079580919b52b1e3247745899e55c1e150ea4edafc8a6
Opcode Fuzzy Hash: 4faedc87637a6878093169c4d3d605fe4ab5dc08f946da224ed09edfd01ae1de
Instruction Fuzzy Hash: EF3422F0794B0170DD217A728D7BFBF1A189F61B8AF20084FF9D4342E3999D5AA4416E

Uniqueness

Uniqueness Score: -1.00%

Function 00434CC5, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00434CCA
GetPropA.USER32 ref: 00434CE2
CallWindowProcA.USER32 ref: 00434D40

Part of subcall function 00433D23: GetWindowRect.USER32 ref: 00433D48
Part of subcall function 00433D23: GetWindow.USER32(?,00000004), ref: 00433D65

SetWindowLongA.USER32 ref: 00434D70
RemovePropA.USER32 ref: 00434D78
GlobalFindAtomA.KERNEL32 ref: 00434D7F
GlobalDeleteAtom.KERNEL32 ref: 00434D86

Part of subcall function 00432754: GetWindowRect.USER32 ref: 00432760

CallWindowProcA.USER32 ref: 00434DDA

Strings

AfxOldWndProc423, xrefs: 00434CDB, 00434CE0, 00434D76, 00434D7E

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
String ID: AfxOldWndProc423
API String ID: 2397448395-1060338832
Opcode ID: ff15bca09e0eb7e406143482a3ef9c335fcd6e55898f3d77f75a080db70639e7
Instruction ID: 12abf3a039a44a727739dfb4959889e1be9217344ea0f0b479962cac14099a61
Opcode Fuzzy Hash: ff15bca09e0eb7e406143482a3ef9c335fcd6e55898f3d77f75a080db70639e7
Instruction Fuzzy Hash: 0C316172800219BBCB119FA5DD49EFF7F78FF49316F00412AF501A2161C739AA119BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0044EAAF, Relevance: 15.1, APIs: 10, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0047B6F4,73B74DE0,?,?,0047B6D8,0047B6D8,?,0044F06F,73B74DE0,00000000,?,0044D598,0044C800,0044D5B4,00437F34,0043B484), ref: 0044EAC0
GlobalAlloc.KERNELBASE(00000002,00000040,?,?,0047B6D8,0047B6D8,?,0044F06F,73B74DE0,00000000,?,0044D598,0044C800,0044D5B4,00437F34,0043B484), ref: 0044EB11
GlobalHandle.KERNEL32 ref: 0044EB1A
GlobalUnlock.KERNEL32(00000000,?,?,0047B6D8,0047B6D8,?,0044F06F,73B74DE0,00000000,?,0044D598,0044C800,0044D5B4,00437F34,0043B484,73B74DE0), ref: 0044EB24
GlobalReAlloc.KERNEL32(?,00000040,00002002), ref: 0044EB38
GlobalHandle.KERNEL32 ref: 0044EB4A
GlobalLock.KERNEL32 ref: 0044EB51
LeaveCriticalSection.KERNEL32(?,?,?,0047B6D8,0047B6D8,?,0044F06F,73B74DE0,00000000,?,0044D598,0044C800,0044D5B4,00437F34,0043B484,73B74DE0), ref: 0044EB5A
GlobalLock.KERNEL32 ref: 0044EB66
LeaveCriticalSection.KERNEL32(?), ref: 0044EBAE

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: b04793688510a88f67e5c568a89932a2d6769de8e8383a32167a042d3a654f9b
Instruction ID: f7f23203b9efe10dc177ef4e6959b102c6c9f186cb83817a26fe115b791422a3
Opcode Fuzzy Hash: b04793688510a88f67e5c568a89932a2d6769de8e8383a32167a042d3a654f9b
Instruction Fuzzy Hash: B431EE30A00B05AFD720CF6ADC98A6ABBF9FF40345B01496EE956D3621D778F940CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004313E9, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004313EE
GetSystemMetrics.USER32 ref: 004314B2
GlobalLock.KERNEL32 ref: 0043151D
CreateDialogIndirectParamA.USER32(?,?,?,Function_00030DE2,00000000), ref: 0043154C

Strings

MS Shell Dlg, xrefs: 004314BC

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: CreateDialogGlobalH_prologIndirectLockMetricsParamSystem
String ID: MS Shell Dlg
API String ID: 2364537584-76309092
Opcode ID: b1838b986e74c8f40b3d4ecf676eea66dee448865fa6d39ddd366ea3ccbe1829
Instruction ID: e0f64d9ec0343e99e2e9ee4d9acaebb91454337ed0347725652701e1449b16bc
Opcode Fuzzy Hash: b1838b986e74c8f40b3d4ecf676eea66dee448865fa6d39ddd366ea3ccbe1829
Instruction Fuzzy Hash: 6751A431900205EFCF119FA4C8859EEBBB5EF48315F24556BF412A72A2DB389E41CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00450457, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104,?,?), ref: 00450498
PathFindExtensionA.KERNELBASE(?), ref: 004504B2
lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0045054C
lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 00450579

Strings

.CHM, xrefs: 0045053D
.INI, xrefs: 0045056D
.HLP, xrefs: 00450544

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ExtensionFileFindModuleNamePathlstrcatlstrcpy
String ID: .CHM$.HLP$.INI
API String ID: 2140653559-4017452060
Opcode ID: 77cb3e02a1d5fd2dcdfbfdbf5264098ea0434eb04d60befdb6af3fc4bd62b3ee
Instruction ID: b6df33e5751ea74f5826cc98093051f0f3abe019c6a471caf1ebe553c2435343
Opcode Fuzzy Hash: 77cb3e02a1d5fd2dcdfbfdbf5264098ea0434eb04d60befdb6af3fc4bd62b3ee
Instruction Fuzzy Hash: 70412875500B09AFCB71EFA5D845BDA77E8AB08306F10482FFA89C6242EB38D5448F25

Uniqueness

Uniqueness Score: -1.00%

Function 0043918C, Relevance: 12.0, APIs: 8, Instructions: 38COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL ref: 00439199
GetSystemMetrics.USER32 ref: 004391A0
GetSystemMetrics.USER32 ref: 004391A7
GetSystemMetrics.USER32 ref: 004391B1
GetDC.USER32(00000000), ref: 004391BB
GetDeviceCaps.GDI32(00000000,00000058), ref: 004391CC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004391D4
ReleaseDC.USER32 ref: 004391DC

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
String ID:
API String ID: 1031845853-0
Opcode ID: 2dbb417450004d57444fbcb471158f4b0ee786ac08df754a132355d1f0c5ae34
Instruction ID: 042a91b24d9d83c6ebad07df20038e5cd2289658d9ba2151f457e89fbd6056d9
Opcode Fuzzy Hash: 2dbb417450004d57444fbcb471158f4b0ee786ac08df754a132355d1f0c5ae34
Instruction Fuzzy Hash: A0F03671A40B04AEE7206F729C59F277BB4EB95B12F11442AE6418B1D1D6B5D8018F54

Uniqueness

Uniqueness Score: -1.00%

Function 0044F45C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044F461
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000000,00000001,00439907,?,?,?,00456DE0), ref: 0044F4DA
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,00000000,00000001,00439907,?,?,?,00456DE0), ref: 0044F50D
RegCloseKey.ADVAPI32(?,?,?,00000000,00000001,00439907,?,?,?,00456DE0), ref: 0044F528
GetPrivateProfileStringA.KERNEL32(?,?,?,?,00001000,?), ref: 0044F57B

Strings

mE, xrefs: 0044F572

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: QueryValue$CloseH_prologPrivateProfileString
String ID: mE
API String ID: 1022837590-852767849
Opcode ID: 249ea3ed76278fdc5f2ad60c9f866fb1f1cab811b581774d5f974148515f067f
Instruction ID: f1cded26cd753e4b897d3bf62b173a12f1a3ee0e8f92eae1bcd43dace040cb53
Opcode Fuzzy Hash: 249ea3ed76278fdc5f2ad60c9f866fb1f1cab811b581774d5f974148515f067f
Instruction Fuzzy Hash: 0D416770800259FBDF20DF11CC408EEBB79FF48354F0084AAF959A6261D7B89A95EF54

Uniqueness

Uniqueness Score: -1.00%

Function 004505A5, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000000,00000000,0043B4A3,?,?,?,?,73B74DE0,00000000,?,00419D19,00000000), ref: 004505AE
SetErrorMode.KERNELBASE(00000000,?,00419D19,00000000), ref: 004505B6
GetModuleHandleA.KERNEL32(user32.dll,00419D19,00000000), ref: 00450601
GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 00450611

Part of subcall function 00450457: GetModuleFileNameA.KERNEL32(?,?,00000104,?,?), ref: 00450498
Part of subcall function 00450457: PathFindExtensionA.KERNELBASE(?), ref: 004504B2
Part of subcall function 00450457: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0045054C
Part of subcall function 00450457: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 00450579

Strings

NotifyWinEvent, xrefs: 0045060B
user32.dll, xrefs: 004505FC

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ErrorModeModule$AddressExtensionFileFindHandleNamePathProclstrcatlstrcpy
String ID: NotifyWinEvent$user32.dll
API String ID: 4004864024-597752486
Opcode ID: b50bf68e2b5de257a348941957a5666d38a24f24bd2454486d7854c91595e3bd
Instruction ID: 74da4d911cd3c67dbcb73de4fb85063a1f61eb744a766c99006dd413cafa1df5
Opcode Fuzzy Hash: b50bf68e2b5de257a348941957a5666d38a24f24bd2454486d7854c91595e3bd
Instruction Fuzzy Hash: 94014BB4A10710AFD710EF619804A1A7B94AF08706F05886FF84997363DF78C844CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 0044DB78, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044DB7D

Part of subcall function 00439945: __EH_prolog.LIBCMT ref: 0043994A

Strings

File%d, xrefs: 0044DBBA
PreviewPages, xrefs: 0044DBE0
Recent File List, xrefs: 0044DBBF
Settings, xrefs: 0044DBE5

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: H_prolog
String ID: File%d$PreviewPages$Recent File List$Settings
API String ID: 3519838083-526586445
Opcode ID: f06a5cb311d69bc97bd4333ebde88718be601381b48ec27b8e411bc5b28f1ba3
Instruction ID: 6ecb9a6e47c6ed6da365f7f5841e959e2fb76d13caa31787ec29dc486ad6f34b
Opcode Fuzzy Hash: f06a5cb311d69bc97bd4333ebde88718be601381b48ec27b8e411bc5b28f1ba3
Instruction Fuzzy Hash: 5D014971E04340ABDB25DF689C01BAF7AB1FB85B10F20452FF821A7382CBB80900C758

Uniqueness

Uniqueness Score: -1.00%

Function 0041257E, Relevance: 7.6, APIs: 5, Instructions: 70windowencryptionCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412583
CertOpenStore.CRYPT32(00000000,00000000,00000000,00000000,00000000), ref: 00412595
GetSystemMenu.USER32(?,00000000), ref: 004125CB
AppendMenuA.USER32 ref: 00412610
AppendMenuA.USER32 ref: 0041261B

Part of subcall function 00401D3B: LoadStringW.USER32(00000005,0000000A,00000000,00000000), ref: 00401D4F

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Menu$Append$CertH_prologLoadOpenStoreStringSystem
String ID:
API String ID: 2154892219-0
Opcode ID: 11bb417483d622feea004db716fe9203556d7dc3c7520d62cdc46bb90d24d3f2
Instruction ID: acac48fb911abb386090c21b2f7dd5dbfc6e7f2fbe9a5444ef82efc6a18a4669
Opcode Fuzzy Hash: 11bb417483d622feea004db716fe9203556d7dc3c7520d62cdc46bb90d24d3f2
Instruction Fuzzy Hash: 2C110B70900114AFDB107BB6CC55EAFBB35FF44324F00452EF115E72A2CB7898108BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0044D9CA, Relevance: 6.1, APIs: 4, Instructions: 71registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000001,004781F0,00000000,00000001,?), ref: 0044DA0D
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000004), ref: 0044DA2D
RegCloseKey.ADVAPI32(?), ref: 0044DA71
RegCloseKey.ADVAPI32(00000000), ref: 0044DA87

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID:
API String ID: 1607946009-0
Opcode ID: e5fe929cb7eb099dfd86e2b72a41db03c230be63d796b1944a5c0b7d55085c9c
Instruction ID: 7605e3d858354b6adad4e8cc50f48b23ac3a8088f01cb4c1ddeff153822fe4fb
Opcode Fuzzy Hash: e5fe929cb7eb099dfd86e2b72a41db03c230be63d796b1944a5c0b7d55085c9c
Instruction Fuzzy Hash: DD2138B1D04208EFEB14CF96CC45AAEBBB8EF90705F1040ABE505B6261D7745A00CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0044F3F3, Relevance: 4.5, APIs: 3, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?,?,?), ref: 0044F42C
RegCloseKey.ADVAPI32(00000000,?,?), ref: 0044F435
GetPrivateProfileIntA.KERNEL32 ref: 0044F451

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ClosePrivateProfileQueryValue
String ID:
API String ID: 1423431592-0
Opcode ID: a5adae195a35fa4e73bf76f32d84e35c62258e7142751bb22f96dca9acb772e9
Instruction ID: 74f09bcaac624bead4b59f43faef543b983ea7b1c8e5fdb6f0ea1876ef778dd1
Opcode Fuzzy Hash: a5adae195a35fa4e73bf76f32d84e35c62258e7142751bb22f96dca9acb772e9
Instruction Fuzzy Hash: 49014672100218FBDB129F80DC04EEF3BB8EF54755F10803AFA05AA110DB75EA199B98

Uniqueness

Uniqueness Score: -1.00%

Function 0041C139, Relevance: 3.1, APIs: 2, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0041C17D
RtlAllocateHeap.NTDLL(00000008,?,0045C8B8,00000010,0041E3E7,00000001,0000008C,?,0041E870,?,00419950,00000001,00478DA0,0045C788,00000010,00401E17), ref: 0041C1BB

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: AllocateHeap__lock
String ID:
API String ID: 4078605025-0
Opcode ID: 1c62fde75f761435134d66b5f4cffda9508f87cd5b6bc7cb12e4df8c1025f6b6
Instruction ID: c1d28866222c0dc6414e7fea66e701ef6e43db6b2debc05eda2622e8d1883d5a
Opcode Fuzzy Hash: 1c62fde75f761435134d66b5f4cffda9508f87cd5b6bc7cb12e4df8c1025f6b6
Instruction Fuzzy Hash: 1611E632DC0615A6CB21AB658C816DE7B21AF90724F15421BEC24A73D3CB3C8AC18F9C

Uniqueness

Uniqueness Score: -1.00%

Function 004398A4, Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004398A9
wsprintfA.USER32 ref: 004398E6

Part of subcall function 0044F45C: __EH_prolog.LIBCMT ref: 0044F461

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: H_prolog$wsprintf
String ID:
API String ID: 172397338-0
Opcode ID: 3de8a07d2760c78c032f7f6cf612e55542b580be98464b1f87c14e7a0f445d2a
Instruction ID: b58df83bfa8cb1f87c15a047e07b73912b99d9eb8ca075b9dcc5624172093b3b
Opcode Fuzzy Hash: 3de8a07d2760c78c032f7f6cf612e55542b580be98464b1f87c14e7a0f445d2a
Instruction Fuzzy Hash: 8511B671900605DFCB14EFA9D8819AEB7F5FF48318F10452EF461E7691CB34A904CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041902C, Relevance: 3.0, APIs: 2, Instructions: 34memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0041904E

Part of subcall function 0041C486: EnterCriticalSection.KERNEL32(00478DA0,00478DA0,?,0041E870,?,00419950,00000001,00478DA0,0045C788,00000010,00401E17,Characters: %c %c ,00000061,00000041), ref: 0041C4AE

RtlAllocateHeap.NTDLL(00000000,?,0045C768,0000000C,004190B7,000000E0,004190E2,?,0041C409,00000018,0045C8C8,00000008,0041C49F,?,00478DA0), ref: 0041908F

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: AllocateCriticalEnterHeapSection__lock
String ID:
API String ID: 409319249-0
Opcode ID: 915dc4749733b52090c7e78aff1820d60ee7a4f24177a6b31d71a6b438375017
Instruction ID: dc5206d65ac73eaf864f438a6c0f78885cd20580cda411dd0d3dda0f5c44dbbb
Opcode Fuzzy Hash: 915dc4749733b52090c7e78aff1820d60ee7a4f24177a6b31d71a6b438375017
Instruction Fuzzy Hash: 85F0F631C80211D6DB24BB759C567DE7B60AB08324F25422EEC58672E1C73C5DC0CB4D

Uniqueness

Uniqueness Score: -1.00%

Function 00431AAC, Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00431AD3
CallWindowProcA.USER32 ref: 00431AE8

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ProcWindow$Call
String ID:
API String ID: 2316559721-0
Opcode ID: a8875d60b43fa694f0911aa7ee2c2c2b59b12663bbda4821a0ac7331270e0a87
Instruction ID: 9a5d0fe453fd5e5d442d397c126565b24aef5118643a609f3f89f8589eb6a085
Opcode Fuzzy Hash: a8875d60b43fa694f0911aa7ee2c2c2b59b12663bbda4821a0ac7331270e0a87
Instruction Fuzzy Hash: 01F01536101609EFCF219F95DC18DAA7BBAFF0C352F048429FA0586630D372E820AB54

Uniqueness

Uniqueness Score: -1.00%

Function 0041C4D1, Relevance: 3.0, APIs: 2, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00419C63,00000001,?,0045C7A8,00000060), ref: 0041C4E2

Part of subcall function 0041C5BC: HeapAlloc.KERNEL32(00000000,00000140,0041C50A,000003F8,?,0045C7A8,00000060), ref: 0041C5C9

HeapDestroy.KERNEL32(?,0045C7A8,00000060), ref: 0041C515

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Heap$AllocCreateDestroy
String ID:
API String ID: 2236781399-0
Opcode ID: 87bbc2843d472829b2ef89704e86d8af703d01ada110c1709cc2f7aeb2b71cc2
Instruction ID: 7c3bd9f5b4b46e9794cf6a332750d5066d7fd5e8b96e20f30908588fd1cd5013
Opcode Fuzzy Hash: 87bbc2843d472829b2ef89704e86d8af703d01ada110c1709cc2f7aeb2b71cc2
Instruction Fuzzy Hash: C7E04FB1695310EADB10AF719D8DBAA3AD6DB4478AF00043FF404C51E1EB78D5C0EA1D

Uniqueness

Uniqueness Score: -1.00%

Function 0043503C, Relevance: 3.0, APIs: 2, Instructions: 25threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0044F02F: __EH_prolog.LIBCMT ref: 0044F034

GetCurrentThreadId.KERNEL32 ref: 0043505E
SetWindowsHookExA.USER32 ref: 0043506E

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: CurrentH_prologHookThreadWindows
String ID:
API String ID: 2183259885-0
Opcode ID: fa57018b2061f09c2615cee7a7a8ab451c877c7e69fac4a8b5c0bd024d663bfc
Instruction ID: 63aff0302d2982f97e3b76b7288842a291ddd2f00c7bfc238e4339544eb3de98
Opcode Fuzzy Hash: fa57018b2061f09c2615cee7a7a8ab451c877c7e69fac4a8b5c0bd024d663bfc
Instruction Fuzzy Hash: 7CE06531740B109ED2306B92AC15F5776A4DBC8726F51552FE50986141C335A84486BD

Uniqueness

Uniqueness Score: -1.00%

Function 00438522, Relevance: 3.0, APIs: 2, Instructions: 15threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00438535
SetWindowsHookExA.USER32 ref: 00438545

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: CurrentHookThreadWindows
String ID:
API String ID: 1904029216-0
Opcode ID: 60a374326582e6fd45de703582bfe03cc6b3e523ebf7321959d28aa07a968d44
Instruction ID: ccc9c6806e51c4b76788036dcd35ea03a28c57b756b3c0db120f588d1f581546
Opcode Fuzzy Hash: 60a374326582e6fd45de703582bfe03cc6b3e523ebf7321959d28aa07a968d44
Instruction Fuzzy Hash: F2D0A771C047607FFB102B746C19B293A505B05739F54175EF424961D2CE7CD5404B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00433D9C, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00433DA1

Part of subcall function 0044F02F: __EH_prolog.LIBCMT ref: 0044F034

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 1f4f402cad16baa03feb8c9b8df4c1ff7379fb18e5b1fbac80ea2e244e1f3584
Instruction ID: 217b5259fde65db3885a56b274e9404f905c368ae3fa042c110acc6f53840b47
Opcode Fuzzy Hash: 1f4f402cad16baa03feb8c9b8df4c1ff7379fb18e5b1fbac80ea2e244e1f3584
Instruction Fuzzy Hash: BF2168B2900219EFCF05DF59C4829EE7BB5FB48354F10402AF801AB241D374AE85CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0044F02F, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044F034

Part of subcall function 0044ED79: TlsAlloc.KERNEL32(?,0044F05E,73B74DE0,00000000,?,0044D598,0044C800,0044D5B4,00437F34,0043B484,73B74DE0,00000000,?,00419D19,00000000), ref: 0044ED9B

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: AllocH_prolog
String ID:
API String ID: 3910492588-0
Opcode ID: 08853716338d5d36f3402c2a6b0b7152c1237e78638d7e359c55b01d012e747f
Instruction ID: b0c5c036e64a4565b7a51127bc03cc4d744149bd569e55b8a23d2c6ab39c094b
Opcode Fuzzy Hash: 08853716338d5d36f3402c2a6b0b7152c1237e78638d7e359c55b01d012e747f
Instruction Fuzzy Hash: 3D0181356006019FEB29EF26D81176DB7B2FBD0365F10417EE58697391DB388D40CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00433E89, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d4ba2c1095bed3d4b5280d8abe911dbadc0f125a87d9c0df28e24cff0d19e04
Instruction ID: ce3cd2652dd46680a49740dd8ad986874befb26150446ae74fbe0de2da8d8814
Opcode Fuzzy Hash: 3d4ba2c1095bed3d4b5280d8abe911dbadc0f125a87d9c0df28e24cff0d19e04
Instruction Fuzzy Hash: 67F0153240121DFBCF125E919C069EF3B69AF0D366F049426FA1591121C739DB22ABAA

Uniqueness

Uniqueness Score: -1.00%

Function 00412675, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041267A

Part of subcall function 0044DB78: __EH_prolog.LIBCMT ref: 0044DB7D

Part of subcall function 00412137: __EH_prolog.LIBCMT ref: 0041213C

Part of subcall function 004315F6: __EH_prolog.LIBCMT ref: 004315FB
Part of subcall function 004315F6: FindResourceA.KERNEL32(?,00000000,00000005), ref: 00431633
Part of subcall function 004315F6: LoadResource.KERNEL32(?,00000000), ref: 0043163B
Part of subcall function 004315F6: LockResource.KERNEL32(00000000), ref: 0043164D

Part of subcall function 00430E44: __EH_prolog.LIBCMT ref: 00430E49

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: H_prolog$Resource$FindLoadLock
String ID:
API String ID: 807587585-0
Opcode ID: 440cd8fa29eb9ee4f3801710ff5bdcedb7e66363f248bb282ecd869aaa0fc82a
Instruction ID: b45528432e8057bea371eba47b4c80f828b5add35470d5ee7ebcf6187e48438f
Opcode Fuzzy Hash: 440cd8fa29eb9ee4f3801710ff5bdcedb7e66363f248bb282ecd869aaa0fc82a
Instruction Fuzzy Hash: B9F08CB1E002199BCB24EB71CA027D8B770AF04329F0086AE9246A2581DF785F04CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0044EA87, Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000040,?,0044EE76,00000010,?,?,0047B6D8,?,0044F097,?,00000000,?,73B74DE0,00000000,?,0044D598), ref: 0044EA8D

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: d2e79616b60776e2bc31ad6d9bb95daf1f1a21edb826a79946fb987e643edbbd
Instruction ID: 13ce1ef4d37947a88db7a44f601ec1a38e18faf4ed9f4b99ce46d884010a754e
Opcode Fuzzy Hash: d2e79616b60776e2bc31ad6d9bb95daf1f1a21edb826a79946fb987e643edbbd
Instruction Fuzzy Hash: 21B092BA20070256E6143FA25C56F1EAA58BF60B86F41842AE74890051D67A8450A62E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0042F3FF, Relevance: 35.3, APIs: 16, Strings: 4, Instructions: 315
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0042F3FF(signed int __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t108;
				void* _t111;
				signed int _t112;
				signed int _t113;
				signed int _t115;
				intOrPtr _t119;
				void* _t132;
				signed int _t136;
				signed int _t140;
				void* _t148;
				intOrPtr* _t155;
				signed int _t157;
				signed int _t169;
				signed int _t170;
				signed int _t173;
				signed int _t183;
				void* _t185;
				signed short _t192;
				void* _t195;
				void* _t198;
				void* _t200;
				void* _t201;
				void* _t204;

				_t108 = L00419918(E00454A1C, _t198);
				_t201 = _t200 - 0x7c;
				_t155 =  *((intOrPtr*)(_t198 + 8));
				_t192 =  *(_t155 + 4);
				_t183 = __ecx;
				 *(_t198 - 0x10) = __ecx;
				 *(_t198 - 0x1c) = _t192;
				if(_t192 == 0x200 || _t192 == 0xa0 || _t192 == 0x202 || _t192 == 0x205 || _t192 == 0x208) {
					_t108 = GetKeyState(1);
					if(_t108 < 0) {
						L46:
						_t192 =  *(_t198 - 0x1c);
						goto L47;
					}
					_t108 = GetKeyState(2);
					if(_t108 < 0) {
						goto L46;
					}
					_t108 = GetKeyState(4);
					if(_t108 < 0) {
						goto L46;
					} else {
						_t111 = L0044D5AF();
						_push( *_t155);
						_t195 = _t111;
						 *(_t198 - 0x18) = _t195;
						while(1) {
							_t108 = E0043357A(_t198);
							if(_t108 == 0) {
								break;
							}
							__eflags =  *(_t108 + 0x38) & 0x00000401;
							if(( *(_t108 + 0x38) & 0x00000401) != 0) {
								break;
							} else {
								_push(GetParent( *(_t108 + 0x1c)));
								continue;
							}
						}
						if(_t108 == _t183) {
							_t157 =  *(_t195 + 0x3c);
							_t112 = L0043389A(_t183);
							__eflags = _t157;
							 *(_t198 - 0x14) = _t112;
							if(_t157 == 0) {
								L19:
								_t113 = E004373BE(0x6c);
								 *(_t198 - 0x1c) = _t113;
								_t157 = 0;
								__eflags = _t113;
								 *(_t198 - 4) = 0;
								if(__eflags != 0) {
									_t157 = E0042EEE1(_t113, __eflags);
								}
								 *(_t198 - 4) =  *(_t198 - 4) | 0xffffffff;
								_t115 =  *((intOrPtr*)( *_t157 + 0x130))( *(_t198 - 0x14), 1);
								__eflags = _t115;
								if(_t115 != 0) {
									SendMessageA( *(_t157 + 0x1c), 0x401, 0, 0);
									_t183 =  *(_t198 - 0x10);
									 *(_t195 + 0x3c) = _t157;
									L24:
									L00419E80(_t198 - 0x88, 0, 0x30);
									_t119 =  *((intOrPtr*)(_t198 + 8));
									 *((intOrPtr*)(_t198 - 0x24)) =  *((intOrPtr*)(_t119 + 0x18));
									 *(_t198 - 0x28) =  *(_t119 + 0x14);
									ScreenToClient( *(_t183 + 0x1c), _t198 - 0x28);
									L00419E80(_t198 - 0x58, 0, 0x30);
									_t204 = _t201 + 0x18;
									 *(_t198 - 0x58) = 0x28;
									_t108 =  *((intOrPtr*)( *_t183 + 0x6c))( *(_t198 - 0x28),  *((intOrPtr*)(_t198 - 0x24)), _t198 - 0x58);
									asm("sbb ecx, ecx");
									_t169 =  ~(_t108 + 1) & _t183;
									__eflags =  *(_t195 + 0x44) - _t108;
									 *(_t198 - 0x1c) = _t108;
									 *(_t198 - 0x14) = _t169;
									if( *(_t195 + 0x44) != _t108) {
										L30:
										__eflags = _t108 - 0xffffffff;
										if(_t108 == 0xffffffff) {
											SendMessageA( *(_t157 + 0x1c), 0x401, 0, 0);
											L39:
											E0042F1F9(_t157,  *((intOrPtr*)(_t198 + 8)));
											_t83 = _t195 + 0x48; // 0x48
											_t185 = _t83;
											__eflags =  *_t185 - 0x28;
											if( *_t185 >= 0x28) {
												SendMessageA( *(_t157 + 0x1c), 0x405, 0, _t185);
											}
											 *(_t195 + 0x40) =  *(_t198 - 0x14);
											 *(_t195 + 0x44) =  *(_t198 - 0x1c);
											_t170 = 0xc;
											_t195 = _t198 - 0x58;
											_t108 = memcpy(_t185, _t195, _t170 << 2);
											_t183 = _t195 + _t170 + _t170;
											L42:
											__eflags =  *((intOrPtr*)(_t198 - 0x34)) - 0xffffffff;
											if( *((intOrPtr*)(_t198 - 0x34)) != 0xffffffff) {
												__eflags =  *(_t198 - 0x38);
												if(__eflags == 0) {
													_push( *((intOrPtr*)(_t198 - 0x34)));
													_t108 = E004190E5(_t157, _t183, _t195, __eflags);
												}
											}
											goto L75;
										}
										_t173 = 0xc;
										_t132 = memcpy(_t198 - 0x88, _t198 - 0x58, _t173 << 2);
										_t204 = _t204 + 0xc;
										 *(_t198 - 0x81) =  *(_t198 - 0x81) & 0x0000003f;
										__eflags =  *(_t132 + 0x38) & 0x00000400;
										if(( *(_t132 + 0x38) & 0x00000400) != 0) {
											_t65 = _t198 - 0x84;
											 *_t65 =  *(_t198 - 0x84) | 0x00000020;
											__eflags =  *_t65;
										}
										SendMessageA( *(_t157 + 0x1c), 0x404, 0, _t198 - 0x88);
										__eflags =  *(_t198 - 0x51) & 0x00000040;
										if(( *(_t198 - 0x51) & 0x00000040) != 0) {
											L35:
											SendMessageA( *(_t157 + 0x1c), 0x401, 1, 0);
											_t136 =  *(_t198 - 0x10);
											__eflags =  *(_t136 + 0x38) & 0x00000400;
											if(( *(_t136 + 0x38) & 0x00000400) != 0) {
												SendMessageA( *(_t157 + 0x1c), 0x411, 1, _t198 - 0x88);
											}
											SetWindowPos( *(_t157 + 0x1c), 0, 0, 0, 0, 0, 0x213);
											goto L38;
										} else {
											_t140 = E0043480D();
											__eflags = _t140;
											if(_t140 == 0) {
												L38:
												_t195 =  *(_t198 - 0x18);
												goto L39;
											}
											goto L35;
										}
									}
									__eflags =  *(_t195 + 0x40) - _t169;
									if( *(_t195 + 0x40) != _t169) {
										goto L30;
									}
									__eflags =  *(_t183 + 0x39) & 0x00000004;
									if(( *(_t183 + 0x39) & 0x00000004) == 0) {
										__eflags = _t108 - 0xffffffff;
										if(_t108 != 0xffffffff) {
											_t108 = E0042F1F9(_t157,  *((intOrPtr*)(_t198 + 8)));
										}
									} else {
										GetCursorPos(_t198 - 0x20);
										_t108 = SendMessageA( *(_t157 + 0x1c), 0x412, 0, ( *(_t198 - 0x1c) & 0x0000ffff) << 0x00000010 |  *(_t198 - 0x20) & 0x0000ffff);
									}
									goto L42;
								} else {
									_t108 =  *((intOrPtr*)( *_t157 + 4))(1);
									goto L75;
								}
							}
							_t148 = L00413B0C(_t157);
							__eflags = _t148 -  *(_t198 - 0x14);
							if(_t148 !=  *(_t198 - 0x14)) {
								 *((intOrPtr*)( *_t157 + 0x60))();
								 *((intOrPtr*)( *_t157 + 4))(1);
								_t157 = 0;
								__eflags = 0;
								 *(_t195 + 0x3c) = 0;
							}
							__eflags = _t157;
							if(_t157 != 0) {
								goto L24;
							} else {
								goto L19;
							}
						}
						if(_t108 == 0) {
							 *(_t195 + 0x40) =  *(_t195 + 0x40) & _t108;
							 *(_t195 + 0x44) =  *(_t195 + 0x44) | 0xffffffff;
						}
						goto L75;
					}
				} else {
					L47:
					__eflags =  *(_t183 + 0x38) & 0x00000401;
					if(( *(_t183 + 0x38) & 0x00000401) == 0) {
						L75:
						 *[fs:0x0] =  *((intOrPtr*)(_t198 - 0xc));
						return _t108;
					}
					_push( *_t155);
					while(1) {
						_t108 = E0043357A(_t198);
						__eflags = _t108;
						if(_t108 == 0) {
							break;
						}
						__eflags = _t108 - _t183;
						if(_t108 == _t183) {
							L54:
							__eflags = _t192 - 0x100;
							if(_t192 < 0x100) {
								L56:
								__eflags = _t192 - 0x104;
								if(_t192 < 0x104) {
									L59:
									_t108 = 0;
									__eflags = 0;
									L60:
									__eflags =  *(_t183 + 0x39) & 0x00000004;
									if(( *(_t183 + 0x39) & 0x00000004) != 0) {
										goto L75;
									}
									__eflags = _t108;
									if(_t108 != 0) {
										L74:
										_t108 = E0043280E(_t108);
										goto L75;
									}
									__eflags = _t192 - 0x201;
									if(_t192 == 0x201) {
										goto L74;
									}
									__eflags = _t192 - 0x203;
									if(_t192 == 0x203) {
										goto L74;
									}
									__eflags = _t192 - 0x204;
									if(_t192 == 0x204) {
										goto L74;
									}
									__eflags = _t192 - 0x206;
									if(_t192 == 0x206) {
										goto L74;
									}
									__eflags = _t192 - 0x207;
									if(_t192 == 0x207) {
										goto L74;
									}
									__eflags = _t192 - 0x209;
									if(_t192 == 0x209) {
										goto L74;
									}
									__eflags = _t192 - 0xa1;
									if(_t192 == 0xa1) {
										goto L74;
									}
									__eflags = _t192 - 0xa3;
									if(_t192 == 0xa3) {
										goto L74;
									}
									__eflags = _t192 - 0xa4;
									if(_t192 == 0xa4) {
										goto L74;
									}
									__eflags = _t192 - 0xa6;
									if(_t192 == 0xa6) {
										goto L74;
									}
									__eflags = _t192 - 0xa7;
									if(_t192 == 0xa7) {
										goto L74;
									}
									__eflags = _t192 - 0xa9;
									if(_t192 != 0xa9) {
										goto L75;
									}
									goto L74;
								}
								__eflags = _t192 - 0x107;
								if(_t192 > 0x107) {
									goto L59;
								}
								L58:
								_t108 = 1;
								goto L60;
							}
							__eflags = _t192 - 0x109;
							if(_t192 <= 0x109) {
								goto L58;
							}
							goto L56;
						}
						__eflags =  *(_t108 + 0x38) & 0x00000401;
						if(( *(_t108 + 0x38) & 0x00000401) != 0) {
							break;
						}
						_push(GetParent( *(_t108 + 0x1c)));
					}
					__eflags = _t108 - _t183;
					if(_t108 != _t183) {
						goto L75;
					}
					goto L54;
				}
			}

0x0042f404
0x0042f409
0x0042f40d
0x0042f411
0x0042f41b
0x0042f41d
0x0042f420
0x0042f423
0x0042f451
0x0042f456
0x0042f70f
0x0042f70f
0x00000000
0x0042f70f
0x0042f45e
0x0042f463
0x00000000
0x00000000
0x0042f46b
0x0042f470
0x00000000
0x0042f476
0x0042f476
0x0042f47b
0x0042f47d
0x0042f47f
0x0042f496
0x0042f496
0x0042f49d
0x00000000
0x00000000
0x0042f484
0x0042f48a
0x00000000
0x0042f48c
0x0042f495
0x00000000
0x0042f495
0x0042f48a
0x0042f4a1
0x0042f4b7
0x0042f4bc
0x0042f4c1
0x0042f4c3
0x0042f4c6
0x0042f4ed
0x0042f4ef
0x0042f4f5
0x0042f4f8
0x0042f4fa
0x0042f4fc
0x0042f4ff
0x0042f508
0x0042f508
0x0042f50c
0x0042f517
0x0042f51d
0x0042f51f
0x0042f53b
0x0042f541
0x0042f544
0x0042f547
0x0042f552
0x0042f557
0x0042f563
0x0042f56d
0x0042f570
0x0042f57e
0x0042f585
0x0042f594
0x0042f59b
0x0042f5a3
0x0042f5a5
0x0042f5a7
0x0042f5aa
0x0042f5ad
0x0042f5b0
0x0042f601
0x0042f601
0x0042f604
0x0042f707
0x0042f6a3
0x0042f6a7
0x0042f6ac
0x0042f6ac
0x0042f6af
0x0042f6b2
0x0042f6bf
0x0042f6bf
0x0042f6c8
0x0042f6ce
0x0042f6d3
0x0042f6d4
0x0042f6d7
0x0042f6d7
0x0042f6d9
0x0042f6d9
0x0042f6dd
0x0042f6e3
0x0042f6e7
0x0042f6ed
0x0042f6f0
0x0042f6f5
0x0042f6e7
0x00000000
0x0042f6dd
0x0042f60f
0x0042f619
0x0042f619
0x0042f61b
0x0042f627
0x0042f62a
0x0042f62c
0x0042f62c
0x0042f62c
0x0042f62c
0x0042f645
0x0042f64b
0x0042f64f
0x0042f65d
0x0042f668
0x0042f66e
0x0042f671
0x0042f674
0x0042f687
0x0042f687
0x0042f69a
0x00000000
0x0042f651
0x0042f654
0x0042f659
0x0042f65b
0x0042f6a0
0x0042f6a0
0x00000000
0x0042f6a0
0x00000000
0x0042f65b
0x0042f64f
0x0042f5b2
0x0042f5b5
0x00000000
0x00000000
0x0042f5b7
0x0042f5bb
0x0042f5ea
0x0042f5ed
0x0042f5f7
0x0042f5f7
0x0042f5bd
0x0042f5c1
0x0042f5df
0x0042f5df
0x00000000
0x0042f521
0x0042f527
0x00000000
0x0042f527
0x0042f51f
0x0042f4ca
0x0042f4cf
0x0042f4d2
0x0042f4d8
0x0042f4e1
0x0042f4e4
0x0042f4e4
0x0042f4e6
0x0042f4e6
0x0042f4e9
0x0042f4eb
0x00000000
0x00000000
0x00000000
0x00000000
0x0042f4eb
0x0042f4a5
0x0042f4ab
0x0042f4ae
0x0042f4ae
0x00000000
0x0042f4a5
0x0042f712
0x0042f712
0x0042f712
0x0042f718
0x0042f7e0
0x0042f7e6
0x0042f7ee
0x0042f7ee
0x0042f71e
0x0042f738
0x0042f738
0x0042f73d
0x0042f73f
0x00000000
0x00000000
0x0042f722
0x0042f724
0x0042f749
0x0042f749
0x0042f74f
0x0042f759
0x0042f759
0x0042f75f
0x0042f76e
0x0042f76e
0x0042f76e
0x0042f770
0x0042f770
0x0042f774
0x00000000
0x00000000
0x0042f776
0x0042f778
0x0042f7da
0x0042f7db
0x00000000
0x0042f7db
0x0042f77a
0x0042f780
0x00000000
0x00000000
0x0042f782
0x0042f788
0x00000000
0x00000000
0x0042f78a
0x0042f790
0x00000000
0x00000000
0x0042f792
0x0042f798
0x00000000
0x00000000
0x0042f79a
0x0042f7a0
0x00000000
0x00000000
0x0042f7a2
0x0042f7a8
0x00000000
0x00000000
0x0042f7aa
0x0042f7b0
0x00000000
0x00000000
0x0042f7b2
0x0042f7b8
0x00000000
0x00000000
0x0042f7ba
0x0042f7c0
0x00000000
0x00000000
0x0042f7c2
0x0042f7c8
0x00000000
0x00000000
0x0042f7ca
0x0042f7d0
0x00000000
0x00000000
0x0042f7d2
0x0042f7d8
0x00000000
0x00000000
0x00000000
0x0042f7d8
0x0042f761
0x0042f767
0x00000000
0x00000000
0x0042f769
0x0042f76b
0x00000000
0x0042f76b
0x0042f751
0x0042f757
0x00000000
0x00000000
0x00000000
0x0042f757
0x0042f726
0x0042f72c
0x00000000
0x00000000
0x0042f737
0x0042f737
0x0042f741
0x0042f743
0x00000000
0x00000000
0x00000000
0x0042f743

APIs

__EH_prolog.LIBCMT ref: 0042F404
GetKeyState.USER32(00000001), ref: 0042F451
GetKeyState.USER32(00000002), ref: 0042F45E
GetKeyState.USER32(00000004), ref: 0042F46B
GetParent.USER32(?), ref: 0042F48F
SendMessageA.USER32(?,00000401,00000000,00000000), ref: 0042F53B
ScreenToClient.USER32 ref: 0042F570
GetCursorPos.USER32(?), ref: 0042F5C1
SendMessageA.USER32(?,00000412,00000000,?), ref: 0042F5DF
SendMessageA.USER32(?,00000404,00000000,?), ref: 0042F645
SendMessageA.USER32(?,00000401,00000001,00000000), ref: 0042F668
SendMessageA.USER32(?,00000411,00000001,?), ref: 0042F687
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 0042F69A
SendMessageA.USER32(?,00000405,00000000,00000048), ref: 0042F6BF
SendMessageA.USER32(?,00000401,00000000,00000000), ref: 0042F707
GetParent.USER32(?), ref: 0042F731

Strings

, xrefs: 0042F62C
?, xrefs: 0042F61B
(, xrefs: 0042F594
@, xrefs: 0042F64B

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: MessageSend$State$Parent$ClientCursorH_prologScreenWindow
String ID: $($?$@
API String ID: 986702660-3087990773
Opcode ID: fa45840331a6837140e9f3663fdfe2cf2cf915c048df345d933a95ca7f139334
Instruction ID: 645ea65694465927c16707bc8c9557f9d65393d4b53347270150bd7d072ef258
Opcode Fuzzy Hash: fa45840331a6837140e9f3663fdfe2cf2cf915c048df345d933a95ca7f139334
Instruction Fuzzy Hash: 79B1D231F003259BDF249F64E894BAEBB71BF44310FD0403BE915A62A2D7B89C49CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004415C2, Relevance: 16.2, APIs: 5, Strings: 4, Instructions: 475windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004415C7

Part of subcall function 00412B67: __EH_prolog.LIBCMT ref: 00412B6C

IsIconic.USER32 ref: 004417E9

Part of subcall function 00435F86: ShowWindow.USER32(?,?,00438612,?,?,00000363,00000001,00000000,00000001,00000001,?,?,00000363,00000001,00000000), ref: 00435F93

SetForegroundWindow.USER32(?,-00000005), ref: 0044180B
SendMessageA.USER32(?,00000111,0000E108,00000000), ref: 00441B13
PostMessageA.USER32 ref: 00441B55

Strings

[open(", xrefs: 00441606
[printto(", xrefs: 004416A1
",", xrefs: 0044185E, 00441863, 00441935, 00441A04
[print(", xrefs: 00441655

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: H_prologMessageWindow$ForegroundIconicPostSendShow
String ID: ","$[open("$[print("$[printto("
API String ID: 2480954500-3790869113
Opcode ID: 40ea25502fe8bc902dd47906edb569e27eccf96a855221a8527ff40bd0404a27
Instruction ID: e4b983113aa8f667d0804ef484494dddcb033bac977f96556f38b6c415734fcc
Opcode Fuzzy Hash: 40ea25502fe8bc902dd47906edb569e27eccf96a855221a8527ff40bd0404a27
Instruction Fuzzy Hash: C402D931900144AFDB04EBB9C885EDE7BB4AF15328F14426EF5556B2E3DF389A48C798

Uniqueness

Uniqueness Score: -1.00%

Function 0043A377, Relevance: 15.1, APIs: 10, Instructions: 102stringfileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043A37C
GetFullPathNameA.KERNEL32(?,00000104,?,?,00000104,?,?), ref: 0043A3A6
lstrcpynA.KERNEL32(?,?,00000104,?,?), ref: 0043A3B7

Part of subcall function 0043A335: lstrcpynA.KERNEL32(00000000,?,00000104,?,?,?), ref: 0043A35A
Part of subcall function 0043A335: PathStripToRootA.SHLWAPI(00000000,?,?), ref: 0043A361

PathIsUNCA.SHLWAPI(?,?,?,?,?), ref: 0043A3EC
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0043A410
CharUpperA.USER32(?,?,?), ref: 0043A428
FindFirstFileA.KERNEL32(?,?,?,?), ref: 0043A441
FindClose.KERNEL32(00000000,?,?), ref: 0043A44D
lstrlenA.KERNEL32(?,?,?), ref: 0043A46A
lstrcpyA.KERNEL32(?,?,?,?), ref: 0043A489

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Path$Findlstrcpyn$CharCloseFileFirstFullH_prologInformationNameRootStripUpperVolumelstrcpylstrlen
String ID:
API String ID: 4080879615-0
Opcode ID: 9fdb73c9f1dba1122f5efb8da8d55b859529b77c08e8a971a5295cd1962b9ea6
Instruction ID: 1d4a934237853f749489da2ceee5b8d8318a5f46f87b742eeab7e1df982f92f0
Opcode Fuzzy Hash: 9fdb73c9f1dba1122f5efb8da8d55b859529b77c08e8a971a5295cd1962b9ea6
Instruction Fuzzy Hash: CE31DF31900618EFCB119F60CC8CAFE7BB8EF58359F0041AAF959D6261D7788E908B59

Uniqueness

Uniqueness Score: -1.00%

Function 0042755B, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 134COMMON

Download Yara Rule

APIs

_TranslateName.LIBCMT ref: 004275B6
_TranslateName.LIBCMT ref: 004275FF
IsValidCodePage.KERNEL32(00000000,00000082,?,004791F8,004222F7,?,0047BC84,?), ref: 00427663
IsValidLocale.KERNEL32(00000001), ref: 00427679
_strcat.LIBCMT ref: 004276BC

Part of subcall function 00427449: _strlen.LIBCMT ref: 0042744F
Part of subcall function 00427449: EnumSystemLocalesA.KERNEL32(0042705F,00000001,?,004791F8,004222F7,?,0047BC84,?), ref: 00427469

Strings

XE, xrefs: 004275FA
Norwegian-Nynorsk, xrefs: 004276B6
<E, xrefs: 004275B1

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: NameTranslateValid$CodeEnumLocaleLocalesPageSystem_strcat_strlen
String ID: <E$Norwegian-Nynorsk$XE
API String ID: 4291917928-1725171474
Opcode ID: 1f61790615aa3eb59a1923533b9a541d7558c9e93240893c09cd30b8e043bae2
Instruction ID: a45bc2cc55280f0d1b121632ea3b8d7c861e95774fdeb6208efc4cf1831572eb
Opcode Fuzzy Hash: 1f61790615aa3eb59a1923533b9a541d7558c9e93240893c09cd30b8e043bae2
Instruction Fuzzy Hash: 1541E171708271ABCB319B76BC81B2676A0FB40715F89403FE145972A1E72D9884DBAE

Uniqueness

Uniqueness Score: -1.00%

Function 004450BA, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 164keyboardtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00413B0C: GetParent.USER32(?), ref: 00413B16

ScreenToClient.USER32 ref: 00445144
GetKeyState.USER32(00000001), ref: 004451A1
GetKeyState.USER32(00000001), ref: 004451E9
GetKeyState.USER32(00000001), ref: 00445223
KillTimer.USER32(?,0000E001), ref: 00445248
IsWindow.USER32(?), ref: 00445294

Strings

(, xrefs: 00445168

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: State$ClientKillParentScreenTimerWindow
String ID: (
API String ID: 1540673551-3887548279
Opcode ID: fff6a820c60129b48477db4f983be7f42c84b448f9f1583d61c5e07c3bc108e2
Instruction ID: cd667e9f1567b0cb063222fda460d541725427692b9275c9cedc4368ed56ad0c
Opcode Fuzzy Hash: fff6a820c60129b48477db4f983be7f42c84b448f9f1583d61c5e07c3bc108e2
Instruction Fuzzy Hash: 7B518131A01A049FEF209F94C949BAE7BB1BF44315F1400ABE915A72D2D7B99981CF49

Uniqueness

Uniqueness Score: -1.00%

Function 004231DB, Relevance: 12.2, APIs: 8, Instructions: 212timeCOMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 004231EE

Part of subcall function 0041C486: EnterCriticalSection.KERNEL32(00478DA0,00478DA0,?,0041E870,?,00419950,00000001,00478DA0,0045C788,00000010,00401E17,Characters: %c %c ,00000061,00000041), ref: 0041C4AE

_strlen.LIBCMT ref: 00423260
_strcat.LIBCMT ref: 0042327D
_strncpy.LIBCMT ref: 00423296

Part of subcall function 004190E5: __lock.LIBCMT ref: 00419103
Part of subcall function 004190E5: HeapFree.KERNEL32(00000000,?,0045C778,0000000C,0041C46A,00000000,0045C8C8,00000008,0041C49F,?,00478DA0,?,0041E870,?,00419950,00000001), ref: 0041914A

GetTimeZoneInformation.KERNEL32(0047BCE0,0045D2C8,00000018,004237F0,0045D2D8,00000008,0041BEAB,?,?,0000003C,00000000,?,?,0000003C,00000000,?), ref: 004232FF
WideCharToMultiByte.KERNEL32(00000000,00000000,0047BCE4,000000FF,0000003F,00000000,?,?,0000003C,00000000,?,?,0000003C,00000000,?,00000001), ref: 0042338D
WideCharToMultiByte.KERNEL32(00000000,00000000,0047BD38,000000FF,0000003F,00000000,?,?,0000003C,00000000,?,?,0000003C,00000000,?,00000001), ref: 004233C1

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ByteCharMultiWide__lock$CriticalEnterFreeHeapInformationSectionTimeZone_strcat_strlen_strncpy
String ID:
API String ID: 3757401926-0
Opcode ID: 356a6bdc5e0bf33f91bd0b415802b226bb262df18769a7cbcbf1a2700ca9d2c0
Instruction ID: 3d09c1e6fdf1ff37a9327f1b3f502f45996753ad7f6b55a4f5102a7ca2792313
Opcode Fuzzy Hash: 356a6bdc5e0bf33f91bd0b415802b226bb262df18769a7cbcbf1a2700ca9d2c0
Instruction Fuzzy Hash: AC71F430A042609ED7219F29BC45B567BB9FB49311FA4016FE858C72E1DB3C4E82CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 004121E0, Relevance: 10.6, APIs: 7, Instructions: 64windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32 ref: 004121EC
SetFileSecurityW.ADVAPI32(00000000,00000000,00000000), ref: 004121FD

Part of subcall function 0043C35E: __EH_prolog.LIBCMT ref: 0043C363
Part of subcall function 0043C35E: BeginPaint.USER32(?,?,?,?,00430EA3), ref: 0043C391

SendMessageA.USER32(?,00000027,?,00000000), ref: 00412215
GetSystemMetrics.USER32 ref: 00412223
GetSystemMetrics.USER32 ref: 00412229
GetClientRect.USER32 ref: 00412234
DrawIcon.USER32 ref: 0041225E

Part of subcall function 0043C3B9: __EH_prolog.LIBCMT ref: 0043C3BE
Part of subcall function 0043C3B9: EndPaint.USER32(?,?,?,?,00430EC9,?), ref: 0043C3DB

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: H_prologMetricsPaintSystem$BeginClientDrawFileIconIconicMessageRectSecuritySend
String ID:
API String ID: 2442360429-0
Opcode ID: 58735c31f9651c539da59f0306160509228691e277dee4335b7c50f1e30cb25f
Instruction ID: 6dfefef6daff10c6dbd3fd16b738f4a2c95a3f090111ed2935b50b8baa9065f9
Opcode Fuzzy Hash: 58735c31f9651c539da59f0306160509228691e277dee4335b7c50f1e30cb25f
Instruction Fuzzy Hash: 8D11A032600709AFCB10AFB9ED4DDBF7BBAEB84701F040129F606E61A0CA70E905CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0044A5CB, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 24registrywindowCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0044A5D3
GetVersion.KERNEL32 ref: 0044A5DE
GetVersion.KERNEL32 ref: 0044A5E6
GetVersion.KERNEL32 ref: 0044A5EC
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG), ref: 0044A5F9

Strings

MSWHEEL_ROLLMSG, xrefs: 0044A5F4

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Version$MessageRegisterWindow
String ID: MSWHEEL_ROLLMSG
API String ID: 303823969-2485103130
Opcode ID: 57befa0d0cf744bb6faeabde4dfa4ea4a605172469921c4fc54b585aff7258b8
Instruction ID: fb2bac4d7ef4cd12301920e04219e4347d430778caee8721f1ee1f1a4bee6878
Opcode Fuzzy Hash: 57befa0d0cf744bb6faeabde4dfa4ea4a605172469921c4fc54b585aff7258b8
Instruction Fuzzy Hash: 5AE026BA84521696F7116724AC003762AA09B443B1F9B803BDA0053350CA7C48D38FFF

Uniqueness

Uniqueness Score: -1.00%

Function 00416DE7, Relevance: 7.7, APIs: 5, Instructions: 231COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00416E4A
VariantClear.OLEAUT32(?), ref: 00416E6B

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ClearH_prologVariant
String ID:
API String ID: 1166855276-0
Opcode ID: 59497bb2afd48fedbad3a333b64659be0640053596244d95b67473db09c2eaee
Instruction ID: 7ec257f1a53ff0c6b26f37716c15e5223fd542edcc4439dd4d62890bdfa07dc7
Opcode Fuzzy Hash: 59497bb2afd48fedbad3a333b64659be0640053596244d95b67473db09c2eaee
Instruction Fuzzy Hash: 4B61E931A002049FDB04EB65DCA59FE7BA9AF85314B15445FF849D7242DB2CD883CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00419156, Relevance: 7.6, APIs: 5, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 00419170
GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 00419181
VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 004191C7
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,0000001C), ref: 00419205
VirtualProtect.KERNEL32(?,?,00000002,?,?,?,0000001C), ref: 0041922B

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Virtual$Query$AllocInfoProtectSystem
String ID:
API String ID: 4136887677-0
Opcode ID: 8d9e22ba586fd86cec1a3d9698b176ad49e0d5a874822963dd54f3e104bf4844
Instruction ID: 1b373f2e56b1145c03012bcf7937971b7b0af76e9a71cf3849547e7b3f96fcaa
Opcode Fuzzy Hash: 8d9e22ba586fd86cec1a3d9698b176ad49e0d5a874822963dd54f3e104bf4844
Instruction Fuzzy Hash: FE31A272E0021EFBDF108FA4DD98AEDBBB8EB09355F140066E905E7190D7749E80DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00420151, Relevance: 7.5, APIs: 5, Instructions: 32timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 0042016C
GetCurrentProcessId.KERNEL32 ref: 00420178
GetCurrentThreadId.KERNEL32 ref: 00420180
GetTickCount.KERNEL32 ref: 00420188
QueryPerformanceCounter.KERNEL32(?), ref: 00420194

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 68475cf7401b115077d5566bc53c8b292e2b0df1156c70f62a2222efa04ac823
Instruction ID: ba3e7e43f68762bebc45f382722b151c5f15542101549dcd5918e164c92bf49a
Opcode Fuzzy Hash: 68475cf7401b115077d5566bc53c8b292e2b0df1156c70f62a2222efa04ac823
Instruction Fuzzy Hash: 7CF0FFB1D412249BCB109BB4EC0C5AEBBF8FF08355B864565E801EB211EB34E9408F89

Uniqueness

Uniqueness Score: -1.00%

Function 004514EB, Relevance: 6.1, APIs: 4, Instructions: 85stringCOMMON

Download Yara Rule

APIs

CreateBindCtx.OLE32(00000000,?), ref: 00451541
lstrlenA.KERNEL32(00000000,?,?,00000002,?), ref: 0045159C
CoTaskMemFree.OLE32(?,?,?,00000002,?), ref: 004515A8

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: BindCreateFreeTasklstrlen
String ID:
API String ID: 856384521-0
Opcode ID: c3c3c4101a74bb0d563ddd451ee4f8f445066b674a8cc9ebbf8a30e2462f72a7
Instruction ID: cda77011c6f3f2de2cea81693f83856f7985ad91c2fd34cbb995a1afa06f9582
Opcode Fuzzy Hash: c3c3c4101a74bb0d563ddd451ee4f8f445066b674a8cc9ebbf8a30e2462f72a7
Instruction Fuzzy Hash: 4521327590020DFFCF10AFA5CC849AF7BB8EF45346B50446AF906D6212E738DA49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0043AE3F, Relevance: 4.6, APIs: 3, Instructions: 95filestringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 0043AE64
FindFirstFileA.KERNEL32(?,?,?,?), ref: 0043AE97
FindClose.KERNEL32(00000000), ref: 0043AEAC

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Find$CloseFileFirstlstrlen
String ID:
API String ID: 2767606509-0
Opcode ID: c5e5c7643f6205a3f13e5afdef13d63ebce952af23c969e6ecede4ae524dcf50
Instruction ID: 27ef264583626511914cceeb7bee4e024af603411ce3de5cb553320a473431fb
Opcode Fuzzy Hash: c5e5c7643f6205a3f13e5afdef13d63ebce952af23c969e6ecede4ae524dcf50
Instruction Fuzzy Hash: 1D3139B55407048FD724DF68D8819AABBF8FF58300F10892EE49AD7351EB34E944CB25

Uniqueness

Uniqueness Score: -1.00%

Function 00412F6C, Relevance: 4.5, APIs: 3, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d3bce6573e5327f4a2d716e155a67d3a9d0e73a7f121b37453505c264540ef4
Instruction ID: a49f8bf21c1a0727bba3429f9eb219b0de270bc92a742b604217b045e4d34089
Opcode Fuzzy Hash: 0d3bce6573e5327f4a2d716e155a67d3a9d0e73a7f121b37453505c264540ef4
Instruction Fuzzy Hash: CBF0193110410DABCF019FA1DE04AEF7BB9EB04345F448426F905D5121DBB9CAE2AB59

Uniqueness

Uniqueness Score: -1.00%

Function 00427480, Relevance: 4.5, APIs: 3, Instructions: 36COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00427486
_strlen.LIBCMT ref: 0042749E
EnumSystemLocalesA.KERNEL32(00427164,00000001), ref: 004274E5

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: _strlen$EnumLocalesSystem
String ID:
API String ID: 2581538701-0
Opcode ID: 42d16374027909394213e677e5bcfd64f0f00fc87c7d6439cd2ad262711315da
Instruction ID: d59d3481069b895e28f9b8e132aa08482eaa47e9f7bdf504140f0bf0bd478903
Opcode Fuzzy Hash: 42d16374027909394213e677e5bcfd64f0f00fc87c7d6439cd2ad262711315da
Instruction Fuzzy Hash: 60F04F306582258EDB21AF34FC0D7613AA1FB45715FA0027BE449822A4D77D48C58B8D

Uniqueness

Uniqueness Score: -1.00%

Function 0043ED39, Relevance: 4.5, APIs: 3, Instructions: 36windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0043ED49
IsIconic.USER32 ref: 0043ED75
GetParent.USER32(?), ref: 0043ED82

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Parent$Iconic
String ID:
API String ID: 344791563-0
Opcode ID: 58a3f935cf36623e1332bcfd1206750641107c0b5411d0383e34c7c268d06e93
Instruction ID: bae9f98652729457bcdc4815848d1a75ff85c461e139815cabe892a22f4bfe69
Opcode Fuzzy Hash: 58a3f935cf36623e1332bcfd1206750641107c0b5411d0383e34c7c268d06e93
Instruction Fuzzy Hash: D5F0BE31202702ABDB216F72AC14A2BAA69EF98392F10543BB400C62A1DB28DC15869D

Uniqueness

Uniqueness Score: -1.00%

Function 00401069, Relevance: 4.5, APIs: 3, Instructions: 34threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32 ref: 00401071
GetLocaleInfoA.KERNEL32(00000000,00001004,?,00000007), ref: 00401083
GetACP.KERNEL32 ref: 004010AC

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Locale$InfoThread
String ID:
API String ID: 4232894706-0
Opcode ID: ef13a87e8da90230abdff8e6c4aa2c036571bf621e08d58aff36463bb3a0f3f8
Instruction ID: 2ee87717f845540d368ddee7b455f44f1bb09434cdd50e568d7a7d63add3033e
Opcode Fuzzy Hash: ef13a87e8da90230abdff8e6c4aa2c036571bf621e08d58aff36463bb3a0f3f8
Instruction Fuzzy Hash: 80F0E9329107746BE7114B50D865AFB3BA89B01B81F0401A9EAC2E7651E674A98487D8

Uniqueness

Uniqueness Score: -1.00%

Function 0043814C, Relevance: 4.5, APIs: 3, Instructions: 27keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 0043816E
GetKeyState.USER32(00000011), ref: 00438177
GetKeyState.USER32(00000012), ref: 00438180

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 5ce6cda0adb12fd27b59ad971044f2bbe0222b1532eefd7804ecf7a38413f2b9
Instruction ID: b2432ceb55a8bcd10794c181b7d64abfc744c423bb8754facd4205c8d79a9191
Opcode Fuzzy Hash: 5ce6cda0adb12fd27b59ad971044f2bbe0222b1532eefd7804ecf7a38413f2b9
Instruction Fuzzy Hash: 57E0923451139DB9DF90A3508D02BA6E9D05F1A794F0CA46FB984A7096CFA8884396AD

Uniqueness

Uniqueness Score: -1.00%

Function 00426F2A, Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,?), ref: 00426F68
_strncpy.LIBCMT ref: 00426FF8

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: InfoLocale_strncpy
String ID:
API String ID: 4025304676-0
Opcode ID: f8bb38ff0c0d62aef9ede1b60afdf272c33a0bc1e30ea10ace14e9813badd8c1
Instruction ID: d3b9b2289e1d08e23ea3353d2b9d61e7cffa44219714d46435fea35dba020491
Opcode Fuzzy Hash: f8bb38ff0c0d62aef9ede1b60afdf272c33a0bc1e30ea10ace14e9813badd8c1
Instruction Fuzzy Hash: AC210B3270802297DF284938FF855777A59DB54301B874077D805CB6A1E629EE55C38D

Uniqueness

Uniqueness Score: -1.00%

Function 0044C334, Relevance: 3.0, APIs: 2, Instructions: 40keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00435E61: GetWindowLongA.USER32 ref: 00435E6C

GetKeyState.USER32(00000073), ref: 0044C35E
GetKeyState.USER32(00000012), ref: 0044C367

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: State$LongWindow
String ID:
API String ID: 3716621309-0
Opcode ID: 397b47a6b3098b174837028ca5273697430aa25f15713eefcb8345dc68bb0608
Instruction ID: 449af439f9e3c682b98d3943b00fa89e2967c9510b9041f694b25c3adca048a9
Opcode Fuzzy Hash: 397b47a6b3098b174837028ca5273697430aa25f15713eefcb8345dc68bb0608
Instruction Fuzzy Hash: 1EF02B3620160926FF113E66CC91BBE3A55CF507E8F08C03BFD045A651CA79CD1192A8

Uniqueness

Uniqueness Score: -1.00%

Function 00427506, Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0042750C
EnumSystemLocalesA.KERNEL32(0042737E,00000001,?,004791F8,004222F7,?,0047BC84,?), ref: 00427544

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: EnumLocalesSystem_strlen
String ID:
API String ID: 216762292-0
Opcode ID: c3498768bc7c7ce3007366be8544f74c947c9db044cc43ff3b9eaa97fdab2f53
Instruction ID: 22303a000b31451e145bd79138486843a8f293b1420a8acae8eac2092729c4f6
Opcode Fuzzy Hash: c3498768bc7c7ce3007366be8544f74c947c9db044cc43ff3b9eaa97fdab2f53
Instruction Fuzzy Hash: 73E01AB17983119ADB219F31FC097617BA1FB40705FD0017BE588851A1C77A48C5CF8C

Uniqueness

Uniqueness Score: -1.00%

Function 00427449, Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0042744F
EnumSystemLocalesA.KERNEL32(0042705F,00000001,?,004791F8,004222F7,?,0047BC84,?), ref: 00427469

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: EnumLocalesSystem_strlen
String ID:
API String ID: 216762292-0
Opcode ID: 20b9a74ebc507af4f055ee249a5635c439ef28494afc777d7bbc1637771c6048
Instruction ID: c7a7253a78cd63768734b03cced16f1f27e7f5927e0e7e4f128dfd1aad362f67
Opcode Fuzzy Hash: 20b9a74ebc507af4f055ee249a5635c439ef28494afc777d7bbc1637771c6048
Instruction Fuzzy Hash: 3ED05E706283054AEB209F31AC087703A61F712B15F84426BD948840E1C3BD44848F8C

Uniqueness

Uniqueness Score: -1.00%

Function 004351C1, Relevance: 1.9, APIs: 1, Instructions: 440COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004351C6

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7b6b0fc25a619e8ffa761b182e959269960955f28e5955b6301a44609188f890
Instruction ID: dfc8b4442d3cc53466dc1065af5a8aa30e92b72730c47a418db72a96a54edf46
Opcode Fuzzy Hash: 7b6b0fc25a619e8ffa761b182e959269960955f28e5955b6301a44609188f890
Instruction Fuzzy Hash: 6BE19B70600609EFDF14DF59C881ABE7BA9EF0C315F10911AF81ADB251C779EA01EB69

Uniqueness

Uniqueness Score: -1.00%

Function 0042041A, Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0042041F

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 2c4fbdc62b8baea12eb78e9123705ccc1766836269fb6bb3ed2f109398d8077e
Instruction ID: 24497ee9b1b3a07a1162324fb9a9e74d7b7788caf2941abb3185c305368c9b96
Opcode Fuzzy Hash: 2c4fbdc62b8baea12eb78e9123705ccc1766836269fb6bb3ed2f109398d8077e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00419288, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca158314e5fdf86d87acb8034818eb9930b794b9cab69a97c95613ed4a669a4
Instruction ID: a61786a819a219ec4bf0303514e7d66edc8e6bd7f43a4f93b4cbc92c4d050e25
Opcode Fuzzy Hash: 8ca158314e5fdf86d87acb8034818eb9930b794b9cab69a97c95613ed4a669a4
Instruction Fuzzy Hash: FD21B572900208DBCB14EF69C8908EBB7A5BF49350B09856AEC158B285D734FD55C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 004255D4, Relevance: 39.2, APIs: 26, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004255D4() {
				signed int _v8;
				void* _v12;
				intOrPtr* _v16;
				char _v20;
				void* _t104;
				void* _t108;
				void* _t110;
				void* _t111;
				void* _t113;
				void* _t114;
				void* _t128;
				intOrPtr* _t130;
				void* _t136;
				void* _t150;
				intOrPtr _t151;
				char _t157;
				signed int _t160;
				intOrPtr _t164;
				intOrPtr _t165;
				void* _t166;
				intOrPtr _t167;
				intOrPtr _t168;
				intOrPtr _t169;
				intOrPtr _t170;
				void* _t171;
				void* _t172;
				void* _t173;

				_t170 =  *0x4794d0; // 0x4794d8
				_t160 = 0;
				_v8 = 0;
				do {
					_v20 = E0041A2C0( *((intOrPtr*)((_v8 << 2) + _t170 + 0x1c)));
					_t104 = E0041A2C0( *((intOrPtr*)((_v8 << 2) + _t170)));
					_v8 = _v8 + 1;
					_t12 = _v20 + 2; // 0x2
					_t160 = _t104 + _t160 + _t12;
				} while (_v8 < 7);
				_t13 = _t170 + 0x38; // 0x479510
				_v16 = _t13;
				_v12 = 0xc;
				do {
					_v20 = E0041A2C0( *((intOrPtr*)(_v16 + 0x30)));
					_t108 = E0041A2C0( *_v16);
					_v16 = _v16 + 4;
					_t157 = _v20;
					_t22 =  &_v12;
					 *_t22 = _v12 - 1;
					_t25 = _t157 + 2; // 0x2
					_t160 = _t108 + _t160 + _t25;
				} while ( *_t22 != 0);
				_t26 = _t170 + 0x98; // 0x45d94c
				_t110 = E0041A2C0( *_t26);
				_t27 = _t170 + 0x9c; // 0x45d948
				_t150 = _t110;
				_t111 = E0041A2C0( *_t27);
				_t28 = _t170 + 0xa0; // 0x45d93c
				_t30 = _t150 + 2; // 0x2
				_t113 = E0041A2C0( *_t28);
				_t31 = _t170 + 0xa4; // 0x45d928
				_t114 = E0041A2C0( *_t31);
				_t34 = _t170 + 0xa8; // 0x45d91c
				_t151 = E004190D3(_t111 + _t160 + _t30 + _t113 + 1 + _t114 + 1 + E0041A2C0( *_t34) + 1 + 0xb8);
				_t172 = _t171 + 0x18;
				if(_t151 != 0) {
					_t39 = _t151 + 0xb8; // 0xb8
					_t164 = _t39;
					L00419F80(_t151,  *0x4794d0, 0xb8);
					_v8 = _v8 & 0x00000000;
					_t42 = _t170 + 0x1c; // 0x4794f4
					_v16 = _t151;
					_t173 = _t172 + 0xc;
					_v16 = _v16 - _t170;
					_v12 = _t42;
					do {
						 *((intOrPtr*)(_t151 + _v8 * 4)) = _t164;
						_t165 = _t164 + E0041A2C0(L00421CC0(_t164,  *((intOrPtr*)(_v12 - 0x1c)))) + 1;
						 *((intOrPtr*)(_v16 + _v12)) = _t165;
						_t128 = E0041A2C0(L00421CC0(_t165,  *_v12));
						_v12 = _v12 + 4;
						_t173 = _t173 + 0x18;
						_v8 = _v8 + 1;
						_t164 = _t165 + _t128 + 1;
					} while (_v8 < 7);
					_t64 = _t151 + 0x68; // 0x68
					_v8 = _t64;
					_t66 = _t170 + 0x38; // 0x479510
					_t130 = _t66;
					_v12 = _t130;
					_v20 = 0xc;
					while(1) {
						 *((intOrPtr*)(_t130 + _v16)) = _t164;
						_t166 = _t164 + E0041A2C0(L00421CC0(_t164,  *_t130)) + 1;
						 *_v8 = _t166;
						_t136 = E0041A2C0(L00421CC0(_t166,  *((intOrPtr*)(_v12 + 0x30))));
						_v12 = _v12 + 4;
						_v8 = _v8 + 4;
						_t173 = _t173 + 0x18;
						_t81 =  &_v20;
						 *_t81 = _v20 - 1;
						_t164 = _t166 + _t136 + 1;
						if( *_t81 == 0) {
							break;
						}
						_t130 = _v12;
					}
					 *((intOrPtr*)(_t151 + 0x98)) = _t164;
					_t86 = _t170 + 0x98; // 0x45d94c
					_t167 = _t164 + E0041A2C0(L00421CC0(_t164,  *_t86)) + 1;
					 *((intOrPtr*)(_t151 + 0x9c)) = _t167;
					_t90 = _t170 + 0x9c; // 0x45d948
					_t168 = _t167 + E0041A2C0(L00421CC0(_t167,  *_t90)) + 1;
					 *((intOrPtr*)(_t151 + 0xa0)) = _t168;
					_t94 = _t170 + 0xa0; // 0x45d93c
					_t169 = _t168 + E0041A2C0(L00421CC0(_t168,  *_t94)) + 1;
					 *((intOrPtr*)(_t151 + 0xa4)) = _t169;
					_t98 = _t170 + 0xa4; // 0x45d928
					 *((intOrPtr*)(_t151 + 0xa8)) = _t169 + E0041A2C0(L00421CC0(_t169,  *_t98)) + 1;
					_t102 = _t170 + 0xa8; // 0x45d91c
					L00421CC0(_t169 + E0041A2C0(L00421CC0(_t169,  *_t98)) + 1,  *_t102);
				}
				return _t151;
			}

0x004255dc
0x004255e3
0x004255e5
0x004255e8
0x004255fa
0x004255fd
0x00425604
0x00425610
0x00425610
0x00425610
0x00425616
0x00425619
0x0042561c
0x00425623
0x00425630
0x00425633
0x00425638
0x0042563e
0x00425643
0x00425643
0x00425646
0x00425646
0x00425646
0x0042564c
0x00425652
0x00425657
0x0042565d
0x0042565f
0x00425664
0x0042566c
0x00425670
0x00425675
0x0042567f
0x00425684
0x004256a2
0x004256a4
0x004256a9
0x004256ba
0x004256ba
0x004256c1
0x004256c6
0x004256ca
0x004256cd
0x004256d0
0x004256d3
0x004256d6
0x004256d9
0x004256dc
0x004256f4
0x004256fb
0x00425707
0x0042570c
0x00425710
0x00425713
0x0042571a
0x0042571a
0x00425720
0x00425723
0x00425726
0x00425726
0x00425729
0x0042572c
0x00425738
0x0042573b
0x0042574c
0x00425753
0x00425762
0x00425767
0x0042576b
0x0042576f
0x00425772
0x00425772
0x00425775
0x00425779
0x00000000
0x00000000
0x00425735
0x00425735
0x0042577b
0x00425781
0x00425793
0x00425797
0x0042579d
0x004257af
0x004257b3
0x004257b9
0x004257cb
0x004257cf
0x004257d5
0x004257eb
0x004257f1
0x004257f8
0x004257fd
0x00425806

APIs

_strlen.LIBCMT ref: 004255F2
_strlen.LIBCMT ref: 004255FD
_strlen.LIBCMT ref: 00425629
_strlen.LIBCMT ref: 00425633
_strlen.LIBCMT ref: 00425652
_strlen.LIBCMT ref: 0042565F
_strlen.LIBCMT ref: 00425670
_strlen.LIBCMT ref: 0042567F
_strlen.LIBCMT ref: 0042568E
_strcat.LIBCMT ref: 004256E6
_strlen.LIBCMT ref: 004256EC
_strcat.LIBCMT ref: 00425701
_strlen.LIBCMT ref: 00425707
_strcat.LIBCMT ref: 00425741
_strlen.LIBCMT ref: 00425747
_strcat.LIBCMT ref: 0042575C
_strlen.LIBCMT ref: 00425762
_strcat.LIBCMT ref: 00425788
_strlen.LIBCMT ref: 0042578E
_strcat.LIBCMT ref: 004257A4
_strlen.LIBCMT ref: 004257AA
_strcat.LIBCMT ref: 004257C0
_strlen.LIBCMT ref: 004257C6
_strcat.LIBCMT ref: 004257DC
_strlen.LIBCMT ref: 004257E2
_strcat.LIBCMT ref: 004257F8

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: _strlen$_strcat
String ID:
API String ID: 1497175149-0
Opcode ID: 78eac6da2b45a6b404cf464f687b79bb8168e5f9446ea683aebb997eef74dfce
Instruction ID: cb75d5def161fe6c383dfbf8beea332d41ef0a8b038c2de46e16753c7809acee
Opcode Fuzzy Hash: 78eac6da2b45a6b404cf464f687b79bb8168e5f9446ea683aebb997eef74dfce
Instruction Fuzzy Hash: 3E61D079900304FFCB11EFA5C845ADEB7B9FF45328F40449AE80467216CB3ABA65CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00434E1D, Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 167stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0044F02F: __EH_prolog.LIBCMT ref: 0044F034

CallNextHookEx.USER32 ref: 00434E52
GetClassLongA.USER32 ref: 00434E97
GlobalGetAtomNameA.KERNEL32 ref: 00434EC3
lstrcmpiA.KERNEL32(?,ime,?,?,Function_0004C800), ref: 00434ED2
SetWindowLongA.USER32 ref: 00434F0C
CallNextHookEx.USER32 ref: 00435010
UnhookWindowsHookEx.USER32(?), ref: 00435021

Strings

AfxOldWndProc423, xrefs: 00434FC7, 00434FCC, 00434FD9, 00434FE3, 00434FEE
ime, xrefs: 00434ECC
#32768, xrefs: 00434F4D, 00434F52, 00434F9E

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Hook$CallLongNext$AtomClassGlobalH_prologNameUnhookWindowWindowslstrcmpi
String ID: #32768$AfxOldWndProc423$ime
API String ID: 3204395069-4034971020
Opcode ID: 5cdde7d71113afa8dad29cd9178dfbb437c68f33628eb6adc5adda42ee59bf0f
Instruction ID: 04c338b00dbe23e70856017f5550d94cab5149a2a54fc5ed05cc8cf8f952ab21
Opcode Fuzzy Hash: 5cdde7d71113afa8dad29cd9178dfbb437c68f33628eb6adc5adda42ee59bf0f
Instruction Fuzzy Hash: 4451C271900614ABCF10AF50DC48BEA3BB5EF08366F159166F918972A1D739DE40CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00438A29, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 99stringCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00438A3F
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00438A5C
MulDiv.KERNEL32(?,00000000), ref: 00438A68
lstrcpynA.KERNEL32(?,?,00000020), ref: 00438A87
CreateFontIndirectA.GDI32(?), ref: 00438A91
SelectObject.GDI32(00000000,00000000), ref: 00438AA6
GetTextMetricsA.GDI32(00000000,?), ref: 00438AB3
GetTextExtentPoint32A.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,?), ref: 00438AD1
SelectObject.GDI32(00000000,?), ref: 00438AEA
DeleteObject.GDI32(?), ref: 00438AEF
GetDialogBaseUnits.USER32 ref: 00438B00
GetDialogBaseUnits.USER32 ref: 00438B05
ReleaseDC.USER32 ref: 00438B0F
MulDiv.KERNEL32(?,?,00000004), ref: 00438B1B
MulDiv.KERNEL32(?,00000000,00000008), ref: 00438B2C

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00438ACB

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Object$BaseDialogSelectTextUnits$CapsCreateDeleteDeviceExtentFontIndirectMetricsPoint32Releaselstrcpyn
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 3852259643-222967699
Opcode ID: 7a6c97618d9ca0b9e586f1911e35b0138ee0c2eaf06f1180d3b7c5f65dc8c5cd
Instruction ID: abdb32216791cd6410cd44fdbbba9d954b5523de830bfe6ea2fdfafa5f4ad5bb
Opcode Fuzzy Hash: 7a6c97618d9ca0b9e586f1911e35b0138ee0c2eaf06f1180d3b7c5f65dc8c5cd
Instruction Fuzzy Hash: 15313EB1900718AFDB109FA4DC59FAE7BB9FF48716F004425FA05E7192DA74E900CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00412D88, Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(USER32,?,?,?,00412ED2), ref: 00412DB1
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 00412DCD
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00412DDE
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00412DEF
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 00412E00
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 00412E11
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00412E22
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 00412E33

Strings

USER32, xrefs: 00412DA7
MonitorFromWindow, xrefs: 00412DD8
GetSystemMetrics, xrefs: 00412DC7
MonitorFromRect, xrefs: 00412DE9
MonitorFromPoint, xrefs: 00412DFA
GetMonitorInfoA, xrefs: 00412E1C
EnumDisplayMonitors, xrefs: 00412E0B
EnumDisplayDevicesA, xrefs: 00412E2D

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-68207542
Opcode ID: 5d95698d711f4ce314934613e368d75e1a952b9166006762c9e0b215dffd3a85
Instruction ID: c662cc1401f9ea76623b90970a22a169da1b198d03bcc97975755aeb2bcca249
Opcode Fuzzy Hash: 5d95698d711f4ce314934613e368d75e1a952b9166006762c9e0b215dffd3a85
Instruction Fuzzy Hash: 43216D71A407949A87119F75ADC067ABAE0F74C7467A4443FE80CE2270D7B844C5CF9C

Uniqueness

Uniqueness Score: -1.00%

Function 0043CFA7, Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 252windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043CFAC
CreateCompatibleDC.GDI32(00000000), ref: 0043D004
CreateCompatibleDC.GDI32(00000000), ref: 0043D018
CreateCompatibleDC.GDI32(00000000), ref: 0043D02C
GetObjectA.GDI32(00000004,00000018,?), ref: 0043D04B

Part of subcall function 004142C8: CreateBitmap.GDI32(?,?,?,?,?), ref: 004142DD

CreateBitmap.GDI32(00000008,00000008,00000001,00000001,0045742C), ref: 0043D096

Part of subcall function 004142A7: CreatePatternBrush.GDI32(?), ref: 004142B6

Part of subcall function 0043C4E1: DeleteObject.GDI32(00000000), ref: 0043C4F0

CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0043D0BE

Part of subcall function 0043C545: SelectObject.GDI32(?,?), ref: 0043C54D

GetPixel.GDI32(?,00000000,00000000), ref: 0043D0FE

Part of subcall function 0043B57D: SetBkColor.GDI32(?,72E7A410), ref: 0043B597
Part of subcall function 0043B57D: SetBkColor.GDI32(?,72E7A410), ref: 0043B5A5

BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0043D12A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00EE0086), ref: 0043D14E
FillRect.USER32 ref: 0043D1B2
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0043D1E2
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,008800C6), ref: 0043D1F9
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0043D20C

Strings

hoE, xrefs: 0043D239

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Create$BitmapCompatibleObject$Color$BrushDeleteFillH_prologPatternPixelRectSelect
String ID: hoE
API String ID: 389627645-1565950461
Opcode ID: 0455afdb3a4af36fbea09df85f64318f41e169593f4745fb02d73314cc687523
Instruction ID: d12b53beaae28db31b44cd612a9cc323c89a1feea20d10ac01c6b69663cfadc8
Opcode Fuzzy Hash: 0455afdb3a4af36fbea09df85f64318f41e169593f4745fb02d73314cc687523
Instruction Fuzzy Hash: 4AA1E2B1D00218AEDF11AFA6DC85DEEBBB9FF08348F10802AF515A2162DB359D15DF64

Uniqueness

Uniqueness Score: -1.00%

Function 00432E69, Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 174windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00435E61: GetWindowLongA.USER32 ref: 00435E6C

GetParent.USER32(?), ref: 00432E94
SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 00432EB7
GetWindowRect.USER32 ref: 00432ED0
GetWindowLongA.USER32 ref: 00432EE3
CopyRect.USER32 ref: 00432F30
CopyRect.USER32 ref: 00432F3A
GetWindowRect.USER32 ref: 00432F43
CopyRect.USER32 ref: 00432F5F

Strings

(, xrefs: 00432EFB
@, xrefs: 00432ED2

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: ($@
API String ID: 808654186-1311469180
Opcode ID: b82890d851b8e2da6a6fbaaebbc6452024d8fc3d2a56ed72e8a46de3ae787ebf
Instruction ID: 156d11904469ca472d1bff8b67a00e482418959c8120b2b7afc05ebe5806b83b
Opcode Fuzzy Hash: b82890d851b8e2da6a6fbaaebbc6452024d8fc3d2a56ed72e8a46de3ae787ebf
Instruction Fuzzy Hash: CF519272900619AFCB10DBA8CD85EEFBBB9AF4C314F155116F501F3281DB74E9059B68

Uniqueness

Uniqueness Score: -1.00%

Function 004408D9, Relevance: 24.2, APIs: 16, Instructions: 181windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000201,00000201,00000001), ref: 00440966
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 00440986
ReleaseCapture.USER32 ref: 004409C1
GetMessageA.USER32 ref: 004409D0
PeekMessageA.USER32(?,00000000,?,?,00000001), ref: 004409E4
DispatchMessageA.USER32 ref: 00440A17

Part of subcall function 004405DA: ScreenToClient.USER32 ref: 004405E7
Part of subcall function 004405DA: SendMessageA.USER32(?,00000366,00000000,?), ref: 00440603
Part of subcall function 004405DA: ClientToScreen.USER32(?,?), ref: 00440610
Part of subcall function 004405DA: GetWindowLongA.USER32 ref: 00440619
Part of subcall function 004405DA: GetParent.USER32(?), ref: 00440627

PeekMessageA.USER32(?,00000000,?,?,00000001), ref: 00440A08
GetCapture.USER32 ref: 00440A22
ReleaseCapture.USER32 ref: 00440A34
PeekMessageA.USER32(?,00000000,00000200,00000209,00000003), ref: 00440A4B
PeekMessageA.USER32(?,00000000,?,?,00000000), ref: 00440A59
GetMessageA.USER32 ref: 00440A66
TranslateMessage.USER32(?), ref: 00440A7D
DispatchMessageA.USER32 ref: 00440A9C
GetCursorPos.USER32(?), ref: 00440AA6
PeekMessageA.USER32(?,00000000,?,?,00000001), ref: 00440ACA

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Message$Peek$Capture$ClientDispatchReleaseScreenSend$CursorLongParentTranslateWindow
String ID:
API String ID: 1710791347-0
Opcode ID: 795e70119724999315d44a23b4c37cb6843bed09b74b9cfe5e4ba5c530c80004
Instruction ID: d441850eea8e3e2f6b7d74ab23434fa270696b8da893454e3a25ce14a6477f91
Opcode Fuzzy Hash: 795e70119724999315d44a23b4c37cb6843bed09b74b9cfe5e4ba5c530c80004
Instruction Fuzzy Hash: 27518170200B04BFFB209B55CC98EBF77BDEB45701F10482AF646E6292D678DD518B69

Uniqueness

Uniqueness Score: -1.00%

Function 0044936E, Relevance: 24.2, APIs: 16, Instructions: 178windowCOMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32 ref: 004493C4
GetDlgItem.USER32 ref: 0044945A
ShowWindow.USER32(00000000,00000000), ref: 00449462
GetMenu.USER32(?), ref: 0044946B
InvalidateRect.USER32(?,00000000,00000001), ref: 0044947E
SetMenu.USER32(?,00000000), ref: 00449488
GetDlgItem.USER32 ref: 004494B7
SetWindowLongA.USER32 ref: 004494CF
GetDlgItem.USER32 ref: 004494EE
GetDlgItem.USER32 ref: 00449501
SetWindowLongA.USER32 ref: 0044950F
SetWindowLongA.USER32 ref: 0044951C
InvalidateRect.USER32(?,00000000,00000001), ref: 0044952F
SetMenu.USER32(?,00000000), ref: 0044953B
GetDlgItem.USER32 ref: 0044956B
ShowWindow.USER32(?,00000005), ref: 00449577

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ItemWindow$LongMenu$InvalidateRectShow$Ctrl
String ID:
API String ID: 461998371-0
Opcode ID: 2c7696c0541f3139354534915a2e95358a36cc92d6046c8600301a565d7ad734
Instruction ID: 482171b699f72708907a630518d38d0c9c5b93df0630ad1482439d3971dcf4bc
Opcode Fuzzy Hash: 2c7696c0541f3139354534915a2e95358a36cc92d6046c8600301a565d7ad734
Instruction Fuzzy Hash: B9616870204701EFEB209F64DC88A2BBBE5FF48305F144A2EF556962A1DB38EC55DB19

Uniqueness

Uniqueness Score: -1.00%

Function 0043CAE3, Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043CAE8
GetSysColor.USER32(00000014), ref: 0043CB2A

Part of subcall function 0043C9FF: __EH_prolog.LIBCMT ref: 0043CA04
Part of subcall function 0043C9FF: CreateSolidBrush.GDI32(?), ref: 0043CA21

GetSysColor.USER32(00000010), ref: 0043CB3B
CreateCompatibleDC.GDI32(00000000), ref: 0043CB51
CreateCompatibleDC.GDI32(00000000), ref: 0043CB65
GetObjectA.GDI32(00000004,00000018,?), ref: 0043CB84

Part of subcall function 004142C8: CreateBitmap.GDI32(?,?,?,?,?), ref: 004142DD

CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0043CBBE

Part of subcall function 0043C545: SelectObject.GDI32(?,?), ref: 0043C54D

GetPixel.GDI32(?,00000000,00000000), ref: 0043CC08

Part of subcall function 0043B57D: SetBkColor.GDI32(?,72E7A410), ref: 0043B597
Part of subcall function 0043B57D: SetBkColor.GDI32(?,72E7A410), ref: 0043B5A5

BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0043CC35
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,001100A6), ref: 0043CC5A
BitBlt.GDI32(?,00000001,00000001,?,?,?,00000000,00000000,00E20746), ref: 0043CCBA
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00E20746), ref: 0043CCD9

Strings

hoE, xrefs: 0043CD0E

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Create$Color$BitmapCompatibleH_prologObject$BrushPixelSelectSolid
String ID: hoE
API String ID: 3961675159-1565950461
Opcode ID: a8d97d001e0b882ede4cc4e0ff13c5240deee4c963582f00f6ed0ef793795675
Instruction ID: ca165975993b74f7b237811596ec307cc7e2fbd42ad6d907f5acbfdf13ffaa01
Opcode Fuzzy Hash: a8d97d001e0b882ede4cc4e0ff13c5240deee4c963582f00f6ed0ef793795675
Instruction Fuzzy Hash: 0E8104B1C0021CBEDF11AFE5DC919EEBB79EF08348F14802AF515B61A1CB359A45DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0042C31B, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 123registrywindowCOMMON

Download Yara Rule

APIs

RegisterWindowMessageA.USER32(commdlg_LBSelChangedNotify,?,Function_0004C800), ref: 0042C376
RegisterWindowMessageA.USER32(commdlg_ShareViolation,?,Function_0004C800), ref: 0042C382
RegisterWindowMessageA.USER32(commdlg_FileNameOK,?,Function_0004C800), ref: 0042C38E
RegisterWindowMessageA.USER32(commdlg_ColorOK,?,Function_0004C800), ref: 0042C39A
RegisterWindowMessageA.USER32(commdlg_help,?,Function_0004C800), ref: 0042C3A6
RegisterWindowMessageA.USER32(commdlg_SetRGBColor,?,Function_0004C800), ref: 0042C3B2

Strings

commdlg_LBSelChangedNotify, xrefs: 0042C371
commdlg_FileNameOK, xrefs: 0042C384
commdlg_ColorOK, xrefs: 0042C390
commdlg_ShareViolation, xrefs: 0042C378
commdlg_SetRGBColor, xrefs: 0042C3A8
commdlg_help, xrefs: 0042C39C

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: MessageRegisterWindow
String ID: commdlg_ColorOK$commdlg_FileNameOK$commdlg_LBSelChangedNotify$commdlg_SetRGBColor$commdlg_ShareViolation$commdlg_help
API String ID: 1814269913-3888057576
Opcode ID: 592434c9e07c4225fc59059171f471fe7423def0eeb28905d8a3c879c8097484
Instruction ID: aa6bb77140da68abb181f66e944e8e8398f4c27f6b1d6886d7dde89fd002265d
Opcode Fuzzy Hash: 592434c9e07c4225fc59059171f471fe7423def0eeb28905d8a3c879c8097484
Instruction Fuzzy Hash: 9B41A4B1700224AFDB21AF25EC94B7F3BA1FB48351B50482BFA0557251D7399851CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 004201B7, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 101COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,0045D038,00000118,00419D83,00000001,00000000,0045C7B8,00000008,0041F812,00000000,00000000,00000000), ref: 00420238
_strcat.LIBCMT ref: 0042024E
_strlen.LIBCMT ref: 0042025E
_strlen.LIBCMT ref: 0042026F
_strncpy.LIBCMT ref: 00420289
_strlen.LIBCMT ref: 00420292
_strcat.LIBCMT ref: 004202AE

Strings

Microsoft Visual C++ Runtime Library, xrefs: 004202E9
<program name unknown>, xrefs: 00420242
..., xrefs: 00420283
Unknown security failure detected!, xrefs: 004201FE
Buffer overrun detected!, xrefs: 00420214, 004202AC
Program: , xrefs: 004202BF

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: _strlen$_strcat$FileModuleName_strncpy
String ID: ...$<program name unknown>$Buffer overrun detected!$Microsoft Visual C++ Runtime Library$Program: $Unknown security failure detected!
API String ID: 3058806289-1673886896
Opcode ID: 0177c881da9ae6d55a5c325bfeb579e2decad6df57dbe786d19a9a84fe88f374
Instruction ID: 509323ec3595f1feca5a828ad170a626c0d4052a041754f985ff224a12890268
Opcode Fuzzy Hash: 0177c881da9ae6d55a5c325bfeb579e2decad6df57dbe786d19a9a84fe88f374
Instruction Fuzzy Hash: FF31F631A41224AFC710AB66AC46FDE37A89F05724F50405FF814A7293CB7CDE648B9D

Uniqueness

Uniqueness Score: -1.00%

Function 0041E5B2, Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 71libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,73B74DE0,00000000,00419C75,?,0045C7A8,00000060), ref: 0041E5CA
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0041E5E2
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0041E5EF
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0041E5FC
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0041E609
FlsAlloc.KERNEL32(0041E430,?,0045C7A8,00000060), ref: 0041E646
FlsSetValue.KERNEL32(00000000,?,0045C7A8,00000060), ref: 0041E673
GetCurrentThreadId.KERNEL32 ref: 0041E687

Part of subcall function 0041E38F: FlsFree.KERNEL32(00000006,0041E69C,?,0045C7A8,00000060), ref: 0041E39A

Strings

FlsSetValue, xrefs: 0041E5F1
FlsFree, xrefs: 0041E5FE
FlsGetValue, xrefs: 0041E5E4
FlsAlloc, xrefs: 0041E5DC
kernel32.dll, xrefs: 0041E5C5

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: AddressProc$AllocCurrentFreeHandleModuleThreadValue
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$kernel32.dll
API String ID: 2355849793-282957996
Opcode ID: b0fc7db47b1ed1aa3e6ab7518098af21e142eb5520a994f0bcd2061fc11b20e4
Instruction ID: 18653ac72d73170730b48cb4d738fcd4fae9ece10a62ae51c04a8065f066ec95
Opcode Fuzzy Hash: b0fc7db47b1ed1aa3e6ab7518098af21e142eb5520a994f0bcd2061fc11b20e4
Instruction Fuzzy Hash: 88217F746407449EC3205F36AC48B667FE4EB50755360413BEC08D76A5EB78A4C5CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00446A94, Relevance: 21.4, APIs: 14, Instructions: 397COMMON

Download Yara Rule

APIs

IsRectEmpty.USER32 ref: 00446AB8
GetClientRect.USER32 ref: 00446AF6
BeginDeferWindowPos.USER32 ref: 00446B23
GetWindowRect.USER32 ref: 00446BD9
OffsetRect.USER32(?,?,00000000), ref: 00446C0C
OffsetRect.USER32(?,?,00000000), ref: 00446C41
OffsetRect.USER32(?,00000002,00000000), ref: 00446C61
EqualRect.USER32 ref: 00446C9B
OffsetRect.USER32(?,00000000,?), ref: 00446D17
OffsetRect.USER32(?,00000000,?), ref: 00446D4C
OffsetRect.USER32(?,00000000,?), ref: 00446D70
EqualRect.USER32 ref: 00446D7E
EndDeferWindowPos.USER32(?), ref: 00446ECB
SetRectEmpty.USER32(?), ref: 00446ED5

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Rect$Offset$Window$DeferEmptyEqual$BeginClient
String ID:
API String ID: 3160784657-0
Opcode ID: 4fc6c7ce028b81e223960b5415d59cbcae61e89ede4da77da175392c96d09566
Instruction ID: ec35842a05b671a41ca4f092263317eddd2c1415014e09843f5530c1a106a44f
Opcode Fuzzy Hash: 4fc6c7ce028b81e223960b5415d59cbcae61e89ede4da77da175392c96d09566
Instruction Fuzzy Hash: 29F11071E00619DFDF15CFA8C884AEEBBB5FF49301F25412AE905E7211E738A941CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00442AB5, Relevance: 21.1, APIs: 14, Instructions: 136windowCOMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(?,?), ref: 00442AC1
LockResource.KERNEL32(00000000), ref: 00442AD4
GetSysColor.USER32(00000000), ref: 00442B53
GetSysColor.USER32(00000000), ref: 00442B61
GetSysColor.USER32(00000000), ref: 00442B76
GetDC.USER32(00000000), ref: 00442BA8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00442BB4
CreateCompatibleDC.GDI32(00000000), ref: 00442BC4
SelectObject.GDI32(00000000,?), ref: 00442BD6
StretchDIBits.GDI32(00000000,00000000,00000000,?,00000010,00000000,00000000,?,00000010,00000000,00000000,00000000,00CC0020), ref: 00442C05
SelectObject.GDI32(00000000,00000010), ref: 00442C0F
DeleteDC.GDI32(00000000), ref: 00442C12
ReleaseDC.USER32 ref: 00442C1D
FreeResource.KERNEL32(00000000), ref: 00442C2D

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ColorResource$CompatibleCreateObjectSelect$BitmapBitsDeleteFreeLoadLockReleaseStretch
String ID:
API String ID: 2552574679-0
Opcode ID: b6cd25d081ebcbbcdc3eb6bbb8a846c915e03783bfb04099abe3044299ce3b7a
Instruction ID: e668aa8e6fefe6ccbbc5973c51a600fd6a2f7cfa73832fc3c5997a9df98bb69e
Opcode Fuzzy Hash: b6cd25d081ebcbbcdc3eb6bbb8a846c915e03783bfb04099abe3044299ce3b7a
Instruction Fuzzy Hash: FD419C71500608FFEB119F64CC98ABE7BB9FF49352B40842AFA0586261DB75E910DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00424A0E, Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 90libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,0045CE38,?,?), ref: 00424A26
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00424A42
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00424A53
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00424A60
GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 00424A76
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 00424A87

Strings

GetLastActivePopup, xrefs: 00424A55
GetProcessWindowStation, xrefs: 00424A81
user32.dll, xrefs: 00424A21
MessageBoxA, xrefs: 00424A3C
GetActiveWindow, xrefs: 00424A4D
GetUserObjectInformationA, xrefs: 00424A70

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$user32.dll
API String ID: 2238633743-1612076079
Opcode ID: 07883a8530852e86b6cfd7917d0937b589c557e04ffda26da383b73b86869424
Instruction ID: ea4dac2c55dd507aa576aa07ab65aca5b26ba79e5af85967ffc6543cd80e143e
Opcode Fuzzy Hash: 07883a8530852e86b6cfd7917d0937b589c557e04ffda26da383b73b86869424
Instruction Fuzzy Hash: 9621B931740325AED7709FB5AC45B273AA8EFC4754B44003BE905D5251E7B9CC44CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 00414DAF, Relevance: 19.7, APIs: 13, Instructions: 187COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414DB4
SafeArrayGetDim.OLEAUT32(?), ref: 00414DDE
SafeArrayGetDim.OLEAUT32(00000000), ref: 00414DE8
SafeArrayGetElemsize.OLEAUT32(?), ref: 00414E09
SafeArrayGetElemsize.OLEAUT32(00000000), ref: 00414E11
SafeArrayGetLBound.OLEAUT32(?,?,?), ref: 00414E86
SafeArrayGetLBound.OLEAUT32(00000000,?,?), ref: 00414E9F
SafeArrayGetUBound.OLEAUT32(?,?,?), ref: 00414EB8
SafeArrayGetUBound.OLEAUT32(00000000,?,?), ref: 00414ECE

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ArraySafe$Bound$Elemsize$H_prolog
String ID:
API String ID: 779546493-0
Opcode ID: 708f1f9609431b435d77d8d62470854a913c61a55ce75a000f21eff0f1adeb98
Instruction ID: 7f3136ff9381ac1d983a0d7e1d634f472201e5da1b5bb1324ced171fea0add02
Opcode Fuzzy Hash: 708f1f9609431b435d77d8d62470854a913c61a55ce75a000f21eff0f1adeb98
Instruction Fuzzy Hash: 6F516D72D00219AFCF10AFB5DC469EE7FB5EF48355F10842AF815E7211DA388980DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0044AE39, Relevance: 19.6, APIs: 13, Instructions: 86stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00418BC5: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00418BCE

GetObjectA.GDI32(?,0000003C,?), ref: 0044AE84
GetStockObject.GDI32(0000000D), ref: 0044AE8E
GetObjectA.GDI32(00000000,?,?), ref: 0044AE95
lstrcmpiA.KERNEL32(?,?,?,?,00000000), ref: 0044AE9F
GetDC.USER32(00000000), ref: 0044AEAA
GetDeviceCaps.GDI32(?,0000005A), ref: 0044AEC1
GetDeviceCaps.GDI32(?,0000005A), ref: 0044AECA
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044AED7
GetDeviceCaps.GDI32(?,00000058), ref: 0044AEE4
GetDeviceCaps.GDI32(?,00000058), ref: 0044AEEE
MulDiv.KERNEL32(?,?,00000000), ref: 0044AEF7
ReleaseDC.USER32 ref: 0044AF01
CreateFontIndirectA.GDI32(?), ref: 0044AF0B

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: CapsDevice$Object$CreateFontIndirectMessageReleaseSendStocklstrcmpi
String ID:
API String ID: 1481441486-0
Opcode ID: 9678cde88a6559030b11c2b2b3ed4fdb7880391946f3822137df3de0dfcacd3a
Instruction ID: e8756f1a9448432b0a326bebeb9a4b639dfdf7c736c494c77775caaa8bc3770c
Opcode Fuzzy Hash: 9678cde88a6559030b11c2b2b3ed4fdb7880391946f3822137df3de0dfcacd3a
Instruction Fuzzy Hash: 46312971900618AFDB11AFA5DC88EAE7FB9FF58312F04402AF905A72A2DB749904CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00440AD9, Relevance: 18.1, APIs: 12, Instructions: 148windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00440777: LoadCursorA.USER32 ref: 00440793
Part of subcall function 00440777: LoadCursorA.USER32 ref: 004407AC

PeekMessageA.USER32(?,?,00000367,00000367,00000003), ref: 00440B0C
PostMessageA.USER32 ref: 00440B5D
SendMessageA.USER32(?,00000362,0000E002,00000000), ref: 00440B7C
GetCursorPos.USER32(?), ref: 00440B97
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00440BC3
ReleaseCapture.USER32 ref: 00440C0A
SetCapture.USER32(?), ref: 00440C0F
ReleaseCapture.USER32(00000000), ref: 00440C1B
SendMessageA.USER32(?,00000362,?,00000000), ref: 00440C2F
SendMessageA.USER32(?,00000111,0000E147,00000000), ref: 00440C57
PostMessageA.USER32 ref: 00440C75

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Message$CaptureCursorSend$LoadPeekPostRelease
String ID:
API String ID: 291007519-0
Opcode ID: 91894a4790515d5501cedf5eb0fcac709e36fed5d6ce8b1a45a3dca4635d0297
Instruction ID: b83cadd06f3c8146ebf596e871fa0c02ccdfbc4b289a84d902721088b97faccc
Opcode Fuzzy Hash: 91894a4790515d5501cedf5eb0fcac709e36fed5d6ce8b1a45a3dca4635d0297
Instruction Fuzzy Hash: 93513C70600B09EFEB21AFA0CCC596BBBB9FF04305F10456AE242A62A1D774ED51CB18

Uniqueness

Uniqueness Score: -1.00%

Function 0043B004, Relevance: 18.1, APIs: 12, Instructions: 121filetimeCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?), ref: 0043B018
GetLastError.KERNEL32(?), ref: 0043B02F
SetFileAttributesA.KERNEL32(?,?), ref: 0043B04D
GetLastError.KERNEL32(?), ref: 0043B05A
CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000), ref: 0043B0C4
GetLastError.KERNEL32(?), ref: 0043B0D4
SetFileTime.KERNEL32(00000000,?,?,?), ref: 0043B0E7
GetLastError.KERNEL32(?), ref: 0043B0F4
CloseHandle.KERNEL32(00000000), ref: 0043B0FD
GetLastError.KERNEL32(?), ref: 0043B10A
SetFileAttributesA.KERNEL32(?,?), ref: 0043B125
GetLastError.KERNEL32(?), ref: 0043B132

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ErrorLast$File$Attributes$CloseCreateHandleTime
String ID:
API String ID: 3867745407-0
Opcode ID: 6f1d07302c18f1d2ad3a8125a50d2cbb08cf6f311a8417fda7e85f54f3d5fed2
Instruction ID: 73132a415d90a435f771cdb688ba3fa4b5f9f4544d593402c2a6585c2cc81fc6
Opcode Fuzzy Hash: 6f1d07302c18f1d2ad3a8125a50d2cbb08cf6f311a8417fda7e85f54f3d5fed2
Instruction Fuzzy Hash: 44419D71900208BBDF20EF61CC85EAF7FB9EF08354F10905AF955A61A1D738EA40CA54

Uniqueness

Uniqueness Score: -1.00%

Function 00422978, Relevance: 16.8, APIs: 11, Instructions: 299COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,0045D24C,00000001,00000000,00000000,0045D250,00000038,0041B580,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 0042299F
GetLastError.KERNEL32 ref: 004229B1
MultiByteToWideChar.KERNEL32(?,00000000,0041B82D,?,00000000,00000000,0045D250,00000038,0041B580,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 00422A38
MultiByteToWideChar.KERNEL32(?,00000001,0041B82D,?,?,00000000), ref: 00422AB9
LCMapStringW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00422AD3
LCMapStringW.KERNEL32(00000000,00000000,?,00000000,?,?), ref: 00422B0E

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: String$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1775797328-0
Opcode ID: 3179b567ccfc5ca14bad512f28ba5826864f7eb4d2a39d1be44cd2e33936c28c
Instruction ID: f54c2d8475ee0af1f4e1ca74572c8f4fa2e15d9ad433e95aac6cf8e76986935d
Opcode Fuzzy Hash: 3179b567ccfc5ca14bad512f28ba5826864f7eb4d2a39d1be44cd2e33936c28c
Instruction Fuzzy Hash: 14B18C7290022ABFCF219FA4ED849EE7F75FF08314F50412AF915A6260C7798991DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00438787, Relevance: 16.6, APIs: 11, Instructions: 88synchronizationthreadinjectionCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004387B9
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004387C3
ResumeThread.KERNEL32(00000000), ref: 00438805
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00438810
CloseHandle.KERNEL32(?), ref: 00438819
SuspendThread.KERNEL32(?), ref: 00438824
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00438834
CloseHandle.KERNEL32(?), ref: 0043883D
SetEvent.KERNEL32(00000004), ref: 00438847
CloseHandle.KERNEL32(?), ref: 00438855
CloseHandle.KERNEL32(?), ref: 0043885F

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: CloseHandle$Event$CreateObjectSingleThreadWait$ResumeSuspend
String ID:
API String ID: 3826824246-0
Opcode ID: 456450cc531a0582b2dcfafbb6c853774876ee58cf6b25959946ee626575ef5e
Instruction ID: d8ccb2f0d0974a06ccb63f2d0638bb3e92d0aa62c15449ef3d625595b2a532c0
Opcode Fuzzy Hash: 456450cc531a0582b2dcfafbb6c853774876ee58cf6b25959946ee626575ef5e
Instruction Fuzzy Hash: BA315E72C00308BFDF11BFA5DC849AEBBB9EB08326F50853EF115A1161DA359A81CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0044AC49, Relevance: 16.6, APIs: 11, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000002,?), ref: 0044AC5A
LocalLock.KERNEL32(00000000), ref: 0044AC67
LocalUnlock.KERNEL32(00000000,00000000,?), ref: 0044AC7F
LocalFree.KERNEL32(00000000), ref: 0044AC86

Part of subcall function 0043E2A0: __EH_prolog.LIBCMT ref: 0043E2A5
Part of subcall function 0043E2A0: lstrcpynA.KERNEL32(?,?,00000104,?,?), ref: 0043E32C
Part of subcall function 0043E2A0: lstrcpyA.KERNEL32(?,?,00000000,?,?,00000104,?,?,?,?), ref: 0043E38A

SetWindowTextA.USER32(?,?), ref: 0044ACA9
LocalUnlock.KERNEL32(00000000), ref: 0044ACB3
LocalFree.KERNEL32(00000000), ref: 0044ACBA
GetWindowTextLengthA.USER32(?), ref: 0044ACCA
LocalUnlock.KERNEL32(00000000), ref: 0044ACEB
LocalFree.KERNEL32(00000000), ref: 0044ACF9
InvalidateRect.USER32(?,00000000,00000001,00000000), ref: 0044AD0E

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Local$FreeUnlock$TextWindow$AllocH_prologInvalidateLengthLockRectlstrcpylstrcpyn
String ID:
API String ID: 2902883896-0
Opcode ID: 5509c39f0e67925bf53a2be8ad1d2a0fdbb110d79da5d8585d972dd4da7335b1
Instruction ID: 0947a974706040fddc3d8749a596057ed878d2cf9dc90dcc60b0ba33ce5e063f
Opcode Fuzzy Hash: 5509c39f0e67925bf53a2be8ad1d2a0fdbb110d79da5d8585d972dd4da7335b1
Instruction Fuzzy Hash: 9D217F71100704AFD7216F65EC99B6EBBB9BF88712F10802EF90A86261DB78D401CB29

Uniqueness

Uniqueness Score: -1.00%

Function 0044E196, Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 233registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044FB5C

Part of subcall function 0043A64B: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0043A66D
Part of subcall function 0043A64B: GetShortPathNameA.KERNEL32(?,00000000,00000104), ref: 0043A685

RegQueryValueA.ADVAPI32(80000000,?,00000000,00000208), ref: 0044FD70

Strings

%s\DefaultIcon, xrefs: 0044FC5A
command, xrefs: 0044FBC0, 0044FCE9, 0044FD06, 0044FD23
%s\shell\printto\%s, xrefs: 0044FBBB, 0044FCD7, 0044FD2A
%s\shell\print\%s, xrefs: 0044FCB6, 0044FD0D
ddeexec, xrefs: 0044FC8A, 0044FCAB, 0044FCCC
%s\ShellNew, xrefs: 0044FDA7
%s\shell\open\%s, xrefs: 0044FC95, 0044FCF0

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Name$FileH_prologModulePathQueryShortValue
String ID: %s\DefaultIcon$%s\ShellNew$%s\shell\open\%s$%s\shell\print\%s$%s\shell\printto\%s$command$ddeexec
API String ID: 365916388-556638191
Opcode ID: dd1f939e0eaad5d4c64701df3c2b59bc61daf8bcd96d28cd91a1bc5fb47a980c
Instruction ID: db1a637a5095635c9331f209b3570edfdb7fcc833a558f1f9e8dd43a48226729
Opcode Fuzzy Hash: dd1f939e0eaad5d4c64701df3c2b59bc61daf8bcd96d28cd91a1bc5fb47a980c
Instruction Fuzzy Hash: 8E819E71D0020AAFDF04EBA5CC56AAFB7B5EF04319F14456EF511B7292DB38A908CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042858F, Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 228COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 00428667
_strcat.LIBCMT ref: 00428684
___shr_12.LIBCMT ref: 0042874D

Strings

GB, xrefs: 004287EA
1#INF, xrefs: 0042865E
?, xrefs: 004285E4
1#QNAN, xrefs: 0042867B
1#SNAN, xrefs: 00428633
1#IND, xrefs: 0042864D

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: _strcat$___shr_12
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$?$GB
API String ID: 1152255961-1528962588
Opcode ID: 75816fbd6709745af420aadf5755ed4d756680c6e09ac812335c773944bd6a0f
Instruction ID: 83a505903eb4dc0acc4a06e87b226786863f2b4345c34ed71ad3617d14a4c8b2
Opcode Fuzzy Hash: 75816fbd6709745af420aadf5755ed4d756680c6e09ac812335c773944bd6a0f
Instruction Fuzzy Hash: B6811731A052AACECF11CB68D8447AFBBB4AF61314F94459FD850DB282DB7C8605C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0043D294, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 210windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043D299

Part of subcall function 00413EC5: CreateCompatibleDC.GDI32(?), ref: 00413ED4

GetObjectA.GDI32(00000003,00000018,?), ref: 0043D30F
CreateBitmap.GDI32(00000008,00000008,00000001,00000001,0045743C), ref: 0043D330

Part of subcall function 004142A7: CreatePatternBrush.GDI32(?), ref: 004142B6

CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0043D35A

Part of subcall function 0043C545: SelectObject.GDI32(?,?), ref: 0043C54D

GetPixel.GDI32(?,00000000,00000000), ref: 0043D39A

Part of subcall function 0043B57D: SetBkColor.GDI32(?,72E7A410), ref: 0043B597
Part of subcall function 0043B57D: SetBkColor.GDI32(?,72E7A410), ref: 0043B5A5

BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0043D3C7
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00EE0086), ref: 0043D3EB
FillRect.USER32 ref: 0043D438

Part of subcall function 00413EFD: BitBlt.GDI32(?,?,?,?,?,?,?,?,?), ref: 00413F23

Strings

hoE, xrefs: 0043D4C2

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Create$BitmapColorObject$BrushCompatibleFillH_prologPatternPixelRectSelect
String ID: hoE
API String ID: 1648284681-1565950461
Opcode ID: 20b2d6d1de208eef09397783c7214cbce6fabd1978e68b5c59d12a1ca7cf4146
Instruction ID: afbdf219a7e566c47c71acd82c161841e6cd698d46cf8b307deafd8d0c4a900d
Opcode Fuzzy Hash: 20b2d6d1de208eef09397783c7214cbce6fabd1978e68b5c59d12a1ca7cf4146
Instruction Fuzzy Hash: 4781F371900218AFCF11EFA5DC95DEEBBBAFF18304F10802AF515A72A1CB759A14DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0043CD67, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043CD6C
GetSysColor.USER32(00000014), ref: 0043CDAF

Part of subcall function 0043C9FF: __EH_prolog.LIBCMT ref: 0043CA04
Part of subcall function 0043C9FF: CreateSolidBrush.GDI32(?), ref: 0043CA21

GetSysColor.USER32(00000010), ref: 0043CDC0

Part of subcall function 00413EC5: CreateCompatibleDC.GDI32(?), ref: 00413ED4

GetObjectA.GDI32(00000004,00000018,?), ref: 0043CE00
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0043CE19

Part of subcall function 0043C545: SelectObject.GDI32(?,?), ref: 0043C54D

GetPixel.GDI32(?,00000000,00000000), ref: 0043CE60

Part of subcall function 0043B57D: SetBkColor.GDI32(?,72E7A410), ref: 0043B597
Part of subcall function 0043B57D: SetBkColor.GDI32(?,72E7A410), ref: 0043B5A5

BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0043CE8D
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,001100A6), ref: 0043CEB1

Part of subcall function 00447B7A: SetBkColor.GDI32(?,?), ref: 00447B89
Part of subcall function 00447B7A: ExtTextOutA.GDI32(?,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 00447BBB

Part of subcall function 0043C5DE: SelectObject.GDI32(?,00000000), ref: 0043C600
Part of subcall function 0043C5DE: SelectObject.GDI32(?,00000004), ref: 0043C616

Part of subcall function 00413EFD: BitBlt.GDI32(?,?,?,?,?,?,?,?,?), ref: 00413F23

Strings

hoE, xrefs: 0043CF4D

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Color$Object$CreateSelect$H_prolog$BitmapBrushCompatiblePixelSolidText
String ID: hoE
API String ID: 1654650548-1565950461
Opcode ID: 112319b5739f18a687645c4649c27427777c8c5ebdfc4fe5b7f08d3534b3fd62
Instruction ID: 8b8cb7e7b3736dfd8fb0ee5cb5ce5dac2b2d508f212eadebdbdde6b9921fc74f
Opcode Fuzzy Hash: 112319b5739f18a687645c4649c27427777c8c5ebdfc4fe5b7f08d3534b3fd62
Instruction Fuzzy Hash: F5711771900258AFDF01EFE5CC91AEEBFBAEF08354F14402AF505B22A1CB359A55DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0043A285, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 68registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000000,CLSID,?), ref: 0043A2BD
RegOpenKeyA.ADVAPI32(?,?,00000001), ref: 0043A2D1
RegOpenKeyA.ADVAPI32(00000001,InProcServer32,?), ref: 0043A2EC
RegQueryValueExA.ADVAPI32(?,00456DE0,00000000,?,?,?), ref: 0043A306
RegCloseKey.ADVAPI32(?), ref: 0043A316
RegCloseKey.ADVAPI32(00000001), ref: 0043A31B
RegCloseKey.ADVAPI32(?), ref: 0043A320

Strings

CLSID, xrefs: 0043A2A7
InProcServer32, xrefs: 0043A2E1

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: CloseOpen$QueryValue
String ID: CLSID$InProcServer32
API String ID: 3523390698-323508013
Opcode ID: 5a7a506247fa7e00fd7b64c3e8444606b4c94e783b7e91c6e316d7fbc07d2de5
Instruction ID: 984fed07da336b98bc6cf402eb151cb2433222e2e92e65c565225a5bb75c8c43
Opcode Fuzzy Hash: 5a7a506247fa7e00fd7b64c3e8444606b4c94e783b7e91c6e316d7fbc07d2de5
Instruction Fuzzy Hash: 6E11597290021CBBCF01AF95CC40DEEBBB8EF047A4F104166F914A6260D7749B51CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004507A6, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004507B8
GetSystemMetrics.USER32 ref: 004507DC
CreateFontA.GDI32(00000000,?,?,?,?,?,00450D37,00001000,?,?,?,?,?,?), ref: 004507E3
SelectObject.GDI32(00000000,00000000), ref: 004507F7
GetCharWidthA.GDI32(00000000,00000036,00000036,0047867C), ref: 00450807
SelectObject.GDI32(00000000,?), ref: 00450816
DeleteObject.GDI32(00000000), ref: 00450819
ReleaseDC.USER32 ref: 00450821

Strings

Marlett, xrefs: 004507BE

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Object$Select$CharCreateDeleteFontMetricsReleaseSystemWidth
String ID: Marlett
API String ID: 1397664628-3688754224
Opcode ID: 27ad61f5fc4afac548a7cf8b0a45ec88b21fe2e9004e1efcc27439bc8ae7119b
Instruction ID: e990b6c00733b2c1b84947776a299cf6471bd77b4640a7217df8343d24277fe5
Opcode Fuzzy Hash: 27ad61f5fc4afac548a7cf8b0a45ec88b21fe2e9004e1efcc27439bc8ae7119b
Instruction Fuzzy Hash: 520192712427247BC2315B269C5DEAF7E6CEF4ABB2F100525F60992192CB259800CAFC

Uniqueness

Uniqueness Score: -1.00%

Function 004513F8, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 49registrystringCOMMON

Download Yara Rule

APIs

CoTreatAsClass.OLE32(?,?), ref: 0045140B
RegOpenKeyA.ADVAPI32(80000000,CLSID,00000000), ref: 00451427
StringFromCLSID.OLE32(?,00000000), ref: 00451438

Part of subcall function 0044EA25: CoTaskMemFree.OLE32(00000000,76661760,00451446,00000000), ref: 0044EA36

lstrlenA.KERNEL32(00000000,00000000), ref: 0045144B
RegSetValueA.ADVAPI32(00000000,00000000,00000001,00000000,00000000), ref: 0045145B
CoTaskMemFree.OLE32(00000000), ref: 00451462
CoTreatAsClass.OLE32(?,?), ref: 0045146E
RegCloseKey.ADVAPI32(00000000), ref: 00451475

Strings

CLSID, xrefs: 0045141D

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ClassFreeTaskTreat$CloseFromOpenStringValuelstrlen
String ID: CLSID
API String ID: 2259541326-910414637
Opcode ID: 4fcb1667894efca83af69ef1937f43604743cfcaf1144a8d868397f52fb1ad2c
Instruction ID: 13bddbe97897fe715664a3a42cf2b4dabff06fe79c654c4ba0aa2f19e6f8e4a2
Opcode Fuzzy Hash: 4fcb1667894efca83af69ef1937f43604743cfcaf1144a8d868397f52fb1ad2c
Instruction Fuzzy Hash: 21011736400208FBDF01AF90DC08EAE7FBAFB88716F544125FA0492172DB75DA64DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00452096, Relevance: 15.2, APIs: 10, Instructions: 153windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0045209B
GetMenuItemCount.USER32 ref: 004520C0
GetSubMenu.USER32 ref: 00452107
GetMenuState.USER32 ref: 00452119
GetSubMenu.USER32 ref: 0045217D
GetMenuStringA.USER32(?,?,?,00000100,00000400), ref: 0045219F
AppendMenuA.USER32 ref: 0045220B
GetMenuItemCount.USER32 ref: 00452244
GetMenuItemID.USER32(?,?), ref: 00452275
InsertMenuA.USER32(?,?,00000000,00000000), ref: 00452288

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Menu$Item$Count$AppendH_prologInsertStateString
String ID:
API String ID: 2474435406-0
Opcode ID: 372dc654f15e9b2f8ac0be70bace5d96c795dd82f727226a8d71bf9d6cad6b70
Instruction ID: a3c65f0e911ed5a887e71280702ae2ff3894231feb2ed3ed90b26f7783ef1852
Opcode Fuzzy Hash: 372dc654f15e9b2f8ac0be70bace5d96c795dd82f727226a8d71bf9d6cad6b70
Instruction Fuzzy Hash: A4612A70900229DFCB25CF10DD85AEEBBB5FB09315F1040EAEA09A6252D7749E95CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0041712F, Relevance: 15.1, APIs: 10, Instructions: 105threadstringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00417134

Part of subcall function 00435D1B: GetDlgItem.USER32 ref: 00435D28

GetWindowTextLengthA.USER32(?), ref: 00417170
GetWindowTextA.USER32 ref: 0041719E

Part of subcall function 00413996: _strlen.LIBCMT ref: 004139A9

GetThreadLocale.KERNEL32(00000000,?,000000FF), ref: 004171BC
VarDecFromStr.OLEAUT32(00000000,00000000), ref: 004171C4
SysFreeString.OLEAUT32(00000000), ref: 004171CE

Part of subcall function 0044042F: __EH_prolog.LIBCMT ref: 00440434

Part of subcall function 00441BFB: SetFocus.USER32(00000000,?,?), ref: 00441C24
Part of subcall function 00441BFB: SendMessageA.USER32(00000000,000000B1,00000000,000000FF), ref: 00441C3C

GetThreadLocale.KERNEL32(00000000,?,?,?,?), ref: 004171FF
VarBstrFromDec.OLEAUT32(?,00000000), ref: 00417209
lstrlenW.KERNEL32(?), ref: 0041721B
SysFreeString.OLEAUT32(?), ref: 00417244

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: FreeFromH_prologLocaleStringTextThreadWindow$BstrFocusItemLengthMessageSend_strlenlstrlen
String ID:
API String ID: 683855824-0
Opcode ID: 21115dd91643fdbddafeee7538ae3136ca7be2087e56efbd40c0d6095c00dd24
Instruction ID: 0df45603b56d8d39115b9752e8b36fb6660d35c0ba95fd6aec973dfb3cbb0927
Opcode Fuzzy Hash: 21115dd91643fdbddafeee7538ae3136ca7be2087e56efbd40c0d6095c00dd24
Instruction Fuzzy Hash: 85319171500605AFDF00AFA1DC599FE7779FF44325B00822AF926962A2DB38DA40CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0044494C, Relevance: 15.1, APIs: 10, Instructions: 96COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,00000000,?), ref: 00444961
GetWindowRect.USER32 ref: 00444979
SetRect.USER32 ref: 004449B3
InvalidateRect.USER32(?,?,00000001), ref: 004449C2
SetRect.USER32 ref: 004449D9
InvalidateRect.USER32(?,?,00000001), ref: 004449E8
SetRect.USER32 ref: 00444A13
InvalidateRect.USER32(?,?,00000001), ref: 00444A1E
SetRect.USER32 ref: 00444A35
InvalidateRect.USER32(?,?,00000001), ref: 00444A40

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Rect$Invalidate$Window$Proc
String ID:
API String ID: 570070710-0
Opcode ID: cca6739d5958046b3cae817321433fce64366c241de196c15b274b91701adbe6
Instruction ID: eb290115575f2aa36b2ac2a6ae4feb55bf2803e6a6752251ac244afeed595781
Opcode Fuzzy Hash: cca6739d5958046b3cae817321433fce64366c241de196c15b274b91701adbe6
Instruction Fuzzy Hash: 8031F872900209BFDB00DFA4DD89FAE7BB9FB08301F144125FA01A75A1D770AA44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0045132B, Relevance: 15.1, APIs: 10, Instructions: 79comCOMMON

Download Yara Rule

APIs

ReadClassStg.OLE32(?,?), ref: 00451343
ReadFmtUserTypeStg.OLE32(?,?,?), ref: 0045135F
OleRegGetUserType.OLE32(?,00000001,?), ref: 00451374
WriteClassStg.OLE32(?,?), ref: 0045138F
WriteFmtUserTypeStg.OLE32(?,?,?), ref: 004513A5
SetConvertStg.OLE32(?,00000001), ref: 004513B1
WriteClassStg.OLE32(?,?), ref: 004513C3
WriteFmtUserTypeStg.OLE32(?,?,?), ref: 004513CC
CoTaskMemFree.OLE32(?), ref: 004513E0
CoTaskMemFree.OLE32(?), ref: 004513E5

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: TypeUserWrite$Class$FreeReadTask$Convert
String ID:
API String ID: 2659014025-0
Opcode ID: a34d53b140bbba6b413f7122dd9f3fb881ac3816825872594c7da36be4d669bc
Instruction ID: 0fe9ca0442ba30225d73466667c4682b3aed5f569858f3abbcbbde4ec1b808b2
Opcode Fuzzy Hash: a34d53b140bbba6b413f7122dd9f3fb881ac3816825872594c7da36be4d669bc
Instruction Fuzzy Hash: AB21F97190061DAFDF01EF95DC909FEBBB9EF48355B108026FD04A6221D7389A55CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042201A, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 89COMMON

Download Yara Rule

APIs

_strncpy.LIBCMT ref: 00422051
_strncpy.LIBCMT ref: 004220C2
_strcspn.LIBCMT ref: 004220DF

Strings

_.,, xrefs: 004220D9
., xrefs: 0042207E
,, xrefs: 004220B2
_, xrefs: 00422095
,, xrefs: 004220CA

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: _strncpy$_strcspn
String ID: ,$,$.$_$_.,
API String ID: 209312476-1893563293
Opcode ID: 6fc35b0e0376efad0445b6cc118e48abc4a1d54569f41b8d96b3e20eaf0bbdb0
Instruction ID: d9546b861bfaa6606657a772b24a8f806a5c2564f1d67e86ba1ec477af54f37f
Opcode Fuzzy Hash: 6fc35b0e0376efad0445b6cc118e48abc4a1d54569f41b8d96b3e20eaf0bbdb0
Instruction Fuzzy Hash: B3210731740125BEEF704A15BE01BF63759AF25324F988417FA4996282C2FCA985C79E

Uniqueness

Uniqueness Score: -1.00%

Function 00434876, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 004348C6
SetActiveWindow.USER32(?), ref: 004348D8
SendMessageA.USER32(?,00000112,?,?), ref: 004348EE
IsWindow.USER32(?), ref: 004348FB
SetActiveWindow.USER32(?), ref: 00434902
IsWindow.USER32(?), ref: 00434907
SetFocus.USER32(?), ref: 00434911

Strings

u, xrefs: 0043491C

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Window$ActiveFocus$MessageSend
String ID: u
API String ID: 1556911595-4067256894
Opcode ID: 2e038301550099cdbf95b41fd42d17ea790e5b2d912dc148cb4129947452d21b
Instruction ID: c9cc414b2db8118b7e61bef0cd12ff310efcf5ea25e9cb6b0c247af0848cbf2c
Opcode Fuzzy Hash: 2e038301550099cdbf95b41fd42d17ea790e5b2d912dc148cb4129947452d21b
Instruction Fuzzy Hash: 7F11D0B2500209ABDF246F75DD08BBF7B68EF8D311F445037E942962A6D63CEE00DA58

Uniqueness

Uniqueness Score: -1.00%

Function 00438E5A, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 00438E7E
GetStockObject.GDI32(0000000D), ref: 00438E86
GetObjectA.GDI32(00000000,0000003C,?), ref: 00438E93
GetDC.USER32(00000000), ref: 00438EA2
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00438EB6
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 00438EC2
ReleaseDC.USER32 ref: 00438ECD

Strings

System, xrefs: 00438E79, 00438EE3

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: b1b7f18e2e6c33df39302ae84abbb4e29a33501770e64295b2049fac0e8f1893
Instruction ID: 50509be1ad3fe7d4fbf8d969076776d2ccdc3688f8ac3e13cbfc11f6af4df904
Opcode Fuzzy Hash: b1b7f18e2e6c33df39302ae84abbb4e29a33501770e64295b2049fac0e8f1893
Instruction Fuzzy Hash: 3E118271A00718EBDB109BA0DC56BAF7BB8AB48745F00402DF605E61D1DB749D05CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00448E5E, Relevance: 13.6, APIs: 9, Instructions: 137windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0043D63E: GetFocus.USER32(?,00448E72,?), ref: 0043D63F
Part of subcall function 0043D63E: GetParent.USER32(00000000), ref: 0043D668
Part of subcall function 0043D63E: GetWindowLongA.USER32 ref: 0043D683
Part of subcall function 0043D63E: GetParent.USER32(00448E72), ref: 0043D691
Part of subcall function 0043D63E: GetDesktopWindow.USER32 ref: 0043D695
Part of subcall function 0043D63E: SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 0043D6A9

GetMenu.USER32(?), ref: 00448EC2
GetMenu.USER32(?), ref: 00448ED6
GetMenuItemCount.USER32 ref: 00448EDF
GetSubMenu.USER32 ref: 00448EF0
GetMenuItemCount.USER32 ref: 00448F12
GetMenuItemID.USER32(?,00000000), ref: 00448F33
GetMenuItemID.USER32(?,00000000), ref: 00448F5B
GetMenuItemCount.USER32 ref: 00448F92
GetMenuItemID.USER32(?,00000000), ref: 00448FAD

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Menu$Item$Count$ParentWindow$DesktopFocusLongMessageSend
String ID:
API String ID: 4186786570-0
Opcode ID: 4b8e995cbe303c707adac10594b88d378759b3f5cbc2d5f318f88ef50f99b059
Instruction ID: 1186a40309dbe65c30ebfcea576b18409112a957daea0ae91ad0f12664eb9b55
Opcode Fuzzy Hash: 4b8e995cbe303c707adac10594b88d378759b3f5cbc2d5f318f88ef50f99b059
Instruction Fuzzy Hash: EB416331900605EFEF11AFA4C980AAEB7F6FF48311F20456EE511E2251DB39ED45DB28

Uniqueness

Uniqueness Score: -1.00%

Function 004447A1, Relevance: 13.6, APIs: 9, Instructions: 127timekeyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000001), ref: 004447AC
GetCursorPos.USER32(?), ref: 004447CB
ScreenToClient.USER32 ref: 004447D8
GetCapture.USER32 ref: 00444825

Part of subcall function 00435FA7: IsWindowEnabled.USER32(?), ref: 00435FB0

ClientToScreen.USER32(?,?), ref: 0044486C
WindowFromPoint.USER32(?,?), ref: 00444878
IsChild.USER32(?,00000000), ref: 0044488D
KillTimer.USER32(?,0000E001), ref: 004448CA
KillTimer.USER32(?,0000E000), ref: 004448E6

Part of subcall function 0043480D: GetLastActivePopup.USER32(?), ref: 00434816
Part of subcall function 0043480D: GetForegroundWindow.USER32(00000000,?,00444804), ref: 00434824

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Window$ClientKillScreenTimer$ActiveCaptureChildCursorEnabledForegroundFromLastPointPopupState
String ID:
API String ID: 1383385731-0
Opcode ID: 2d0581b59e6152926ea8c38ef2e1866b8e1c34534853f3d2e96e5dbe9b70a7e4
Instruction ID: 6965d146c38e4620de229449cf063ea3f8ea19e5a9af1fe4010416ca4d351169
Opcode Fuzzy Hash: 2d0581b59e6152926ea8c38ef2e1866b8e1c34534853f3d2e96e5dbe9b70a7e4
Instruction Fuzzy Hash: F8414134A00745EFEB20AF65CC44B6E7BB5BF84325F20466AE421D72E1DB34D9418B58

Uniqueness

Uniqueness Score: -1.00%

Function 004407D1, Relevance: 13.6, APIs: 9, Instructions: 92threadCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 004407EA
GetActiveWindow.USER32 ref: 00440813
GetCurrentThreadId.KERNEL32 ref: 0044082C
GetWindowThreadProcessId.USER32(?,00000000), ref: 0044083B
GetDesktopWindow.USER32 ref: 00440849

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Window$Thread$ActiveCaptureCurrentDesktopProcess
String ID:
API String ID: 886339953-0
Opcode ID: b7866de01b63e34e6c970548139f8289d3006cc25d858ad3108556eb056168bb
Instruction ID: 3cc15904af073210b79dccec0842aa9cf3bf2c91b1676e83d6829647f8157671
Opcode Fuzzy Hash: b7866de01b63e34e6c970548139f8289d3006cc25d858ad3108556eb056168bb
Instruction Fuzzy Hash: EC316031900214EFDF11BFA5D9485AEB7B1EF44342B208476E901D7261E738CD61CF99

Uniqueness

Uniqueness Score: -1.00%

Function 004394D7, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 83stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 004394E2

Part of subcall function 00450428: PathFindFileNameA.SHLWAPI(?,004504DE,?,?,00000104), ref: 0045042C
Part of subcall function 00450428: lstrlenA.KERNEL32(00000000), ref: 0045043A

lstrcpyA.KERNEL32(?,?,?,00000000,00000000), ref: 00439563
lstrlenA.KERNEL32(?,?,00000000,00000000), ref: 0043957A
lstrcatA.KERNEL32(?,\...), ref: 00439599
lstrcatA.KERNEL32(?,00000000), ref: 0043959D

Strings

\..., xrefs: 00439589
mE, xrefs: 00439516

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: lstrlen$lstrcat$FileFindNamePathlstrcpy
String ID: \...$mE
API String ID: 1604900594-287629680
Opcode ID: d6077757688e26ed8305fa125a7c83f940fdd495b79f35def1dec05b2ea30191
Instruction ID: 09aba274806faf3487fa2ef03754c5be15a086bf3c4b0ba3b08622cbd8cb28a9
Opcode Fuzzy Hash: d6077757688e26ed8305fa125a7c83f940fdd495b79f35def1dec05b2ea30191
Instruction Fuzzy Hash: 12210772900705BFDF229B248C80B6F7BA89B19356F10542FF80597142D3BCADC08B59

Uniqueness

Uniqueness Score: -1.00%

Function 004474C0, Relevance: 12.1, APIs: 8, Instructions: 110windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004474C5
GetSystemMenu.USER32(?,00000000), ref: 0044753A
DeleteMenu.USER32(?,0000F000,00000000,00000000), ref: 00447558
DeleteMenu.USER32(?,0000F020,00000000), ref: 00447564
DeleteMenu.USER32(?,0000F030,00000000), ref: 00447570
DeleteMenu.USER32(?,0000F120,00000000), ref: 0044757C
DeleteMenu.USER32(?,0000F060,00000000,0000F011), ref: 004475AF
AppendMenuA.USER32 ref: 004475BE

Part of subcall function 00418FE6: SetParent.USER32(?,00000000,004471D0,00000000,00000000), ref: 00418FF5

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Menu$Delete$AppendH_prologParentSystem
String ID:
API String ID: 3391233131-0
Opcode ID: cb268a6b9311794fd0b52d85bfe050a53e12b8c1e8a3aae1882f48264c6cd560
Instruction ID: 1996e082704178db56b20f710397829d4b095804981de7dfd09d41bdd4da9c08
Opcode Fuzzy Hash: cb268a6b9311794fd0b52d85bfe050a53e12b8c1e8a3aae1882f48264c6cd560
Instruction Fuzzy Hash: AB311631740215BBEB205F21CC56FAEBB65FF44714F158129FA08AF2D2C7B8A811DB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041306C, Relevance: 12.1, APIs: 8, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1bd416ac915eb7d92c7af6f7d990aa70e41ac88983979b11f2ce045b8114dd7
Instruction ID: 44817ab0cff2d5d7262e9f23271493fd3986ca7f44045db8597fe87f08be5891
Opcode Fuzzy Hash: a1bd416ac915eb7d92c7af6f7d990aa70e41ac88983979b11f2ce045b8114dd7
Instruction Fuzzy Hash: 2C31097190020EBF9F019FA5DD449FFBBBCEB08356F148426F905E2210E739DA819B68

Uniqueness

Uniqueness Score: -1.00%

Function 004511E4, Relevance: 12.1, APIs: 8, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 004511F2
GetMenuItemCount.USER32 ref: 004511FC
GetSubMenu.USER32 ref: 00451214
GetMenuItemCount.USER32 ref: 00451225
GetSubMenu.USER32 ref: 00451235
RemoveMenu.USER32(00000000,00000000,00000400), ref: 0045124D
GetSubMenu.USER32 ref: 00451265
RemoveMenu.USER32(?,00000000,00000400), ref: 0045127E

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Menu$CountItem$Remove
String ID:
API String ID: 3494307843-0
Opcode ID: 398588c90de5b74bcf7154966dbc1d9013e1d2bcb43c63eca92f241cd113f64c
Instruction ID: 746b2f664515372a0ad781a10bf9a9983c1bc3f1e70f7136d6a50455f0798202
Opcode Fuzzy Hash: 398588c90de5b74bcf7154966dbc1d9013e1d2bcb43c63eca92f241cd113f64c
Instruction Fuzzy Hash: 5F11D031108700BBC6119B158C45F2FBBE8FBC4B0BF1006ABF944F2122D638AD498A6E

Uniqueness

Uniqueness Score: -1.00%

Function 0043C68C, Relevance: 10.7, APIs: 7, Instructions: 199COMMON

Download Yara Rule

APIs

GetObjectType.GDI32 ref: 0043C711
GetStockObject.GDI32(0000000D), ref: 0043C71D
SelectObject.GDI32(?,00000000), ref: 0043C733
SelectObject.GDI32(?,?), ref: 0043C73E
PlayMetaFileRecord.GDI32(?,?,?,?), ref: 0043C812

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Object$Select$FileMetaPlayRecordStockType
String ID:
API String ID: 4008327421-0
Opcode ID: ff844772d8feca82522a0d794dde81d5bc5c0601914da326bd39f5ff6cf9565c
Instruction ID: 13c5e960a5dfd4f0f5ec388ab69daed2e38bc03bccbd5585ebd55d7f1b39093c
Opcode Fuzzy Hash: ff844772d8feca82522a0d794dde81d5bc5c0601914da326bd39f5ff6cf9565c
Instruction Fuzzy Hash: 9E716F75500615DBCB18EFA4C8C48BBBBB5FF8C702B10D41EF95266660D738E940DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0044724B, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00447276
EqualRect.USER32 ref: 0044729B
GetDlgCtrlID.USER32 ref: 00447322
CopyRect.USER32 ref: 0044735A
GetParent.USER32(?), ref: 00447414

Strings

@, xrefs: 004472BB

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Rect$CopyCtrlEqualParentWindow
String ID: @
API String ID: 2544134605-2766056989
Opcode ID: ce25f9cad4003159e50acac0045503ce27eaf7a81df5c2f6ed88c1c224e7353a
Instruction ID: 3f2e18c560a0e6de16d949a5dbdf98d88c58a62188854486105d1e99f89ce2a8
Opcode Fuzzy Hash: ce25f9cad4003159e50acac0045503ce27eaf7a81df5c2f6ed88c1c224e7353a
Instruction Fuzzy Hash: 5D518F716006059FEF25DF68CC85BBE77AAFF48304F14452EF9199B292CB38A806CB15

Uniqueness

Uniqueness Score: -1.00%

Function 004441A5, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32 ref: 00444216
SetRectEmpty.USER32(?), ref: 00444250
UnionRect.USER32 ref: 00444293
IsRectEmpty.USER32 ref: 004442A1
SetRectEmpty.USER32(?), ref: 004442AF

Strings

P, xrefs: 004441C5

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Rect$Empty$LongUnionWindow
String ID: P
API String ID: 1811082079-3110715001
Opcode ID: 49e24d0d7558a79cab25b101c2103ebf144890795ab70709db9ecec09b9c5f98
Instruction ID: 72f0b4e5eaf80483aa8d82ad998524f260634638f742aec56d863f194f8569c4
Opcode Fuzzy Hash: 49e24d0d7558a79cab25b101c2103ebf144890795ab70709db9ecec09b9c5f98
Instruction Fuzzy Hash: A6414971A002199FEB14CF94C849EFEB7B8FF88705F14456EF511AB280DBB89901CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0043301E, Relevance: 10.6, APIs: 7, Instructions: 115windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0043304C
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00433073
UpdateWindow.USER32(?), ref: 0043308D
SendMessageA.USER32(?,00000121,00000000,?), ref: 004330B1
SendMessageA.USER32(?,0000036A,00000000,00000004), ref: 004330CB
UpdateWindow.USER32(?), ref: 00433111
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00433145

Part of subcall function 00435E61: GetWindowLongA.USER32 ref: 00435E6C

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: f05eaf972e1e8e22f92118e16d07a1387f3238ed22c66bd5ecfd30a7672949b2
Instruction ID: 6388c1f0776f2a6c3e95a2978629202c0a1e4d84d2f71559620c623a3996fb0f
Opcode Fuzzy Hash: f05eaf972e1e8e22f92118e16d07a1387f3238ed22c66bd5ecfd30a7672949b2
Instruction Fuzzy Hash: 8B41B4302047409BDB319F268C44A2BBAF4FFC8B56F14592EF491912A1D73ADA05CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00440055, Relevance: 10.6, APIs: 7, Instructions: 111windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0044066B
SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 00440684
GetFocus.USER32(?,?,?,?,00000000), ref: 00440696
SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 004406A2
GetLastActivePopup.USER32(?), ref: 004406C9
SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 004406D4
SendMessageA.USER32(?,00000111,0000E147,00000000), ref: 004406F8

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: MessageSend$ActiveCaptureFocusLastPopup
String ID:
API String ID: 3219385341-0
Opcode ID: fb674626c453f9c38f97a0d3c94d23ff4fc27fcaab8961a43ce8e921fd551bfa
Instruction ID: 6c3208c50c0dad0549d0e1f65c99075a098f6c397707bc05cd8c5ec6542013c1
Opcode Fuzzy Hash: fb674626c453f9c38f97a0d3c94d23ff4fc27fcaab8961a43ce8e921fd551bfa
Instruction Fuzzy Hash: 3F31E771300205ABEA106B25DC84E7F769DABC5795F12083BF203C7341DB7DEC2146A9

Uniqueness

Uniqueness Score: -1.00%

Function 00417267, Relevance: 10.6, APIs: 7, Instructions: 108stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041726C

Part of subcall function 00435D1B: GetDlgItem.USER32 ref: 00435D28

GetWindowTextLengthA.USER32(?), ref: 004172BC
GetWindowTextA.USER32 ref: 004172EE

Part of subcall function 00413996: _strlen.LIBCMT ref: 004139A9

lstrlenA.KERNEL32(?,000000FF), ref: 0041730A
CLSIDFromString.OLE32(00000000,?), ref: 00417335
StringFromGUID2.OLE32(?,?,00000040,?,?,?), ref: 0041736A
lstrlenW.KERNEL32(?), ref: 00417377

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: FromStringTextWindowlstrlen$H_prologItemLength_strlen
String ID:
API String ID: 1405133281-0
Opcode ID: 3ad56218be434b1bfd164963c49eb312643e7cb2ac916042b354963481bfa48d
Instruction ID: 2c0ffebfdae8514149fcedfb22c54ca54f7705be2de4bbfa77872122a1f2e0c5
Opcode Fuzzy Hash: 3ad56218be434b1bfd164963c49eb312643e7cb2ac916042b354963481bfa48d
Instruction Fuzzy Hash: 1341D171500119ABDF10AF71DC49FEEB779FF04325F00456AF929972A2DB389A90CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0044E4E2, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 105registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044E4E7
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0044E5C7
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0044E5E4
RegCloseKey.ADVAPI32(?,?,?,?,Software\), ref: 0044E604
RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 0044E620

Strings

Software\, xrefs: 0044E545

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: CloseEnumH_prologOpenQueryValue
String ID: Software\
API String ID: 2161548231-964853688
Opcode ID: 5743724e13406c2e7e9bcb00e3e52899bac800b6c5a1d6c8244880fea5765235
Instruction ID: 7a2801851b4db7ea290316ac2235575d8356fa22de5b450ebb6719c5dfc1a47a
Opcode Fuzzy Hash: 5743724e13406c2e7e9bcb00e3e52899bac800b6c5a1d6c8244880fea5765235
Instruction Fuzzy Hash: 8B41A231800118ABDB25EB65DC45EEEB7B9FF49314F0041AAF145A3291DB389E95CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0044EE1E, Relevance: 10.6, APIs: 7, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0047B6F4,00000000,?,?,0047B6D8,?,0044F097,?,00000000,?,73B74DE0,00000000,?,0044D598,0044C800,0044D5B4), ref: 0044EE2E
TlsGetValue.KERNEL32(0047B6D8,?,?,0047B6D8,?,0044F097,?,00000000,?,73B74DE0,00000000,?,0044D598,0044C800,0044D5B4,00437F34), ref: 0044EE4C
LocalAlloc.KERNEL32(00000000,00000003,00000010,?,?,0047B6D8,?,0044F097,?,00000000,?,73B74DE0,00000000,?,0044D598,0044C800), ref: 0044EEA8
LocalReAlloc.KERNEL32(?,00000003,00000002,00000010,?,?,0047B6D8,?,0044F097,?,00000000,?,73B74DE0,00000000,?,0044D598), ref: 0044EEBA
LeaveCriticalSection.KERNEL32(?,?,?,0047B6D8,?,0044F097,?,00000000,?,73B74DE0,00000000,?,0044D598,0044C800,0044D5B4,00437F34), ref: 0044EEC7
TlsSetValue.KERNEL32(0047B6D8,00000000), ref: 0044EEF7
LeaveCriticalSection.KERNEL32(0047B6F4,?,?,0047B6D8,?,0044F097,?,00000000,?,73B74DE0,00000000,?,0044D598,0044C800,0044D5B4,00437F34), ref: 0044EF18

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: CriticalSection$AllocLeaveLocalValue$Enter
String ID:
API String ID: 784703316-0
Opcode ID: ad5dc3029b19cc7618f8c05a7a0fd529d7f8ee4157206f5fe6c2cfbd1026253f
Instruction ID: 74750fb9b15b1461e346a8a8fe795b4931961edb61551a30855e0a732363e377
Opcode Fuzzy Hash: ad5dc3029b19cc7618f8c05a7a0fd529d7f8ee4157206f5fe6c2cfbd1026253f
Instruction Fuzzy Hash: 00318C71500A05AFEB24EF56C894C6AB7B9FF04351720892EE91AC7611C778EC54CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0044F31C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,00000000,00000000), ref: 0044F34A
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 0044F36D
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,00000000,?), ref: 0044F389
RegCloseKey.ADVAPI32(?), ref: 0044F399
RegCloseKey.ADVAPI32(?), ref: 0044F3A3

Strings

software, xrefs: 0044F332

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 787cb9b01a43aaaa8bc82eeae31e2915af47890535ead89b6c02e08f84c07808
Instruction ID: 0563383205b108b6c4597869af9685a504800ebacfae56a00508705b160bb232
Opcode Fuzzy Hash: 787cb9b01a43aaaa8bc82eeae31e2915af47890535ead89b6c02e08f84c07808
Instruction Fuzzy Hash: 7711CB72D00219FB9B21DF96DD84CEFBFBCEF89740B5000AAA504A2121D2759A04DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00412FD7, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00413015
GetSystemMetrics.USER32 ref: 0041302D
GetSystemMetrics.USER32 ref: 00413034
lstrcpynA.KERNEL32(?,DISPLAY,00000020), ref: 0041305A

Strings

B, xrefs: 00412FF4
DISPLAY, xrefs: 00413051

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: System$Metrics$InfoParameterslstrcpyn
String ID: B$DISPLAY
API String ID: 2307409384-3316187204
Opcode ID: 6103ad4da9d4c7917f2b862bd0c980db9c44a83071e0530babe8334b8a5a75df
Instruction ID: 79cd31ecc504d2211d2319fef5c90b76ab43431d142017b7e85e8c76ecd66a12
Opcode Fuzzy Hash: 6103ad4da9d4c7917f2b862bd0c980db9c44a83071e0530babe8334b8a5a75df
Instruction Fuzzy Hash: 2611A7B1500324DBCF119F689C8469BBFA9EF09752F014066FD05BA109D6B4D981CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0044E432, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044E437

Part of subcall function 0043A64B: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0043A66D
Part of subcall function 0043A64B: GetShortPathNameA.KERNEL32(?,00000000,00000104), ref: 0043A685

PathFindFileNameA.SHLWAPI(?), ref: 0044E46D

Part of subcall function 00412B67: __EH_prolog.LIBCMT ref: 00412B6C

PathRemoveExtensionA.SHLWAPI(00000000,00000000), ref: 0044E489

Part of subcall function 00413996: _strlen.LIBCMT ref: 004139A9

GlobalAddAtomA.KERNEL32 ref: 0044E4A2
GlobalAddAtomA.KERNEL32 ref: 0044E4B0

Strings

system, xrefs: 0044E4A4

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: NamePath$AtomFileGlobalH_prolog$ExtensionFindModuleRemoveShort_strlen
String ID: system
API String ID: 1296742602-3377271179
Opcode ID: 522e79b6044faba4197005ea33135ef2f3bf123cb845d31341fd95b7234d0424
Instruction ID: 392e198d2436ba2a14f062ef8f48f1d321ebba5b2b48e2b46caf25f44177814e
Opcode Fuzzy Hash: 522e79b6044faba4197005ea33135ef2f3bf123cb845d31341fd95b7234d0424
Instruction Fuzzy Hash: A7119471900205ABCB04EBA5DC15AEEB775FF04329F10462EF021A72E2DB789904CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004512BF, Relevance: 10.5, APIs: 7, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GlobalSize.KERNEL32(?), ref: 004512CE
GlobalAlloc.KERNEL32(00002002,00000000,?,00451A04,?,?,?,?), ref: 004512DF
GlobalLock.KERNEL32 ref: 004512F4
GlobalLock.KERNEL32 ref: 004512FA
GlobalUnlock.KERNEL32(?,?,?), ref: 00451310
GlobalUnlock.KERNEL32(?,?,?), ref: 00451315
GlobalSize.KERNEL32(?), ref: 00451321

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Global$LockSizeUnlock$Alloc
String ID:
API String ID: 902569171-0
Opcode ID: 07c3e86cdede4d1902a5c9d2c84a8f5a8a8e4ba16550db1bab10859558306bf4
Instruction ID: 14654601327fc2b8be870c699a9864f6aa8f065c11582639c8b39ab7878f6147
Opcode Fuzzy Hash: 07c3e86cdede4d1902a5c9d2c84a8f5a8a8e4ba16550db1bab10859558306bf4
Instruction Fuzzy Hash: B7F0F43290021C7BCB002B65AC8486FBFACEF846A2B044027FC18D3232D671DC058BE4

Uniqueness

Uniqueness Score: -1.00%

Function 00439148, Relevance: 10.5, APIs: 7, Instructions: 29COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 00439154
GetSysColor.USER32(00000010), ref: 0043915B
GetSysColor.USER32(00000014), ref: 00439162
GetSysColor.USER32(00000012), ref: 00439169
GetSysColor.USER32(00000006), ref: 00439170
GetSysColorBrush.USER32(0000000F), ref: 0043917D
GetSysColorBrush.USER32(00000006), ref: 00439184

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 606130d50619fbdcda6609ebbbbfcfa12f01b671345df36709d1d2960f2b43db
Instruction ID: adf6ce61bc4598b9865de68172d8fa58073e23c0972c58f8f0d65ff3a69ea806
Opcode Fuzzy Hash: 606130d50619fbdcda6609ebbbbfcfa12f01b671345df36709d1d2960f2b43db
Instruction Fuzzy Hash: EEF0F8719407489BD730BB729D49B47BAE1FFC4B10F02092EE2858BA91E6B6E041DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00422D34, Relevance: 9.1, APIs: 6, Instructions: 145COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,0045D24C,00000001,?,0045D278,0000001C,0041B55C,00000001,00000020,00000100,?,00000000), ref: 00422D58
GetLastError.KERNEL32 ref: 00422D6A
MultiByteToWideChar.KERNEL32(?,00000000,00000000,0041B82D,00000000,00000000,0045D278,0000001C,0041B55C,00000001,00000020,00000100,?,00000000), ref: 00422DCC
MultiByteToWideChar.KERNEL32(?,00000001,00000000,0041B82D,?,00000000), ref: 00422E4A
GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 00422E5C

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ByteCharMultiStringTypeWide$ErrorLast
String ID:
API String ID: 3581945363-0
Opcode ID: 93b443806a43967cc9a0a8da09271ea53bec334052f19f8fd5b461f97db20d2f
Instruction ID: a437ac7a1e3d036dd6f538cd7c2cc4f804d9cfcbdaf0fdde08833e9c25febb26
Opcode Fuzzy Hash: 93b443806a43967cc9a0a8da09271ea53bec334052f19f8fd5b461f97db20d2f
Instruction Fuzzy Hash: B941B031A00225BFCF229F54ED45AEF3B65EF48760F51411AF8149A250CBB9CD90DBD8

Uniqueness

Uniqueness Score: -1.00%

Function 00442F46, Relevance: 9.1, APIs: 6, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00435E61: GetWindowLongA.USER32 ref: 00435E6C

SendMessageA.USER32(?,0000043D,00000000,00000000), ref: 00442FD6
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00442FE2
SendMessageA.USER32(?,0000043C,?,00000000), ref: 00442FF2
SendMessageA.USER32(?,0000043C,?,00000000), ref: 00443000
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0044300A
InvalidateRect.USER32(?,00000000,00000001), ref: 00443074

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: MessageSend$InvalidateLongRectWindow
String ID:
API String ID: 74886174-0
Opcode ID: 4000b4efff6aba69efcb7e71a416906e70954016709950a7f5eb50d6c8fd473d
Instruction ID: 5c64a453df50b1a7caf3e2cbcda202e90c6ddb59795d957dbbbc6e6a7266dfdf
Opcode Fuzzy Hash: 4000b4efff6aba69efcb7e71a416906e70954016709950a7f5eb50d6c8fd473d
Instruction Fuzzy Hash: BA418EB0600208BFEB21AF64CC96EFFBBB9EF08744F04441AF651AB291C6749D40CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00442E92, Relevance: 9.1, APIs: 6, Instructions: 78windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00444ACC

Part of subcall function 0043C2C1: __EH_prolog.LIBCMT ref: 0043C2C6
Part of subcall function 0043C2C1: GetWindowDC.USER32(00000000,?,?,00437B65,00000000,000000FF), ref: 0043C2F4

GetClientRect.USER32 ref: 00444AEC
GetWindowRect.USER32 ref: 00444AF9

Part of subcall function 0043BE44: ScreenToClient.USER32 ref: 0043BE58
Part of subcall function 0043BE44: ScreenToClient.USER32 ref: 0043BE61

OffsetRect.USER32(?,?,?), ref: 00444B20

Part of subcall function 0043B713: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0043B738
Part of subcall function 0043B713: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0043B74D

OffsetRect.USER32(?,?,?), ref: 00444B3E

Part of subcall function 0043B797: IntersectClipRect.GDI32(?,?,?,?,?), ref: 0043B7BC
Part of subcall function 0043B797: IntersectClipRect.GDI32(?,?,?,?,?), ref: 0043B7D1

SendMessageA.USER32(?,00000014,?,00000000), ref: 00444B68

Part of subcall function 0043C31C: __EH_prolog.LIBCMT ref: 0043C321
Part of subcall function 0043C31C: ReleaseDC.USER32 ref: 0043C340

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Rect$Clip$ClientH_prolog$ExcludeIntersectOffsetScreenWindow$MessageReleaseSend
String ID:
API String ID: 2727942566-0
Opcode ID: 784f83c97365ee9afceea5387ca49f83fa30f63f3ff8735ed809c188e5b33f49
Instruction ID: acb625c800499a9227c83e6b7996873a2e94e6dce9ab7db83418e81859d653e3
Opcode Fuzzy Hash: 784f83c97365ee9afceea5387ca49f83fa30f63f3ff8735ed809c188e5b33f49
Instruction Fuzzy Hash: 9721DB72D10109EFCB15EB94DC55EFEB7B8EF48315F10412EE522A31A1DB74AA0ACB64

Uniqueness

Uniqueness Score: -1.00%

Function 0044023C, Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32 ref: 0044026E
GetParent.USER32(?), ref: 0044027C
GetParent.USER32(?), ref: 0044028F
GetLastActivePopup.USER32(?), ref: 0044029E
IsWindowEnabled.USER32(?), ref: 004402B3
EnableWindow.USER32(?,00000000), ref: 004402C6

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 0d31a740e8bf9da11f87dfe3bb841f06addd3f0bef1286b111a43f32aefdc856
Instruction ID: 7d998507b6e9d1c37daed2e58111c77e7e9158b2913e65cc6971e40818471029
Opcode Fuzzy Hash: 0d31a740e8bf9da11f87dfe3bb841f06addd3f0bef1286b111a43f32aefdc856
Instruction Fuzzy Hash: 7611E332605B2057A6725A698C4CB3BB29CBF55B61F1502A7EE00E73C0DBF8CC20829D

Uniqueness

Uniqueness Score: -1.00%

Function 0042553F, Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0042555E
_strlen.LIBCMT ref: 00425567
_strcat.LIBCMT ref: 0042559F
_strlen.LIBCMT ref: 004255A5
_strcat.LIBCMT ref: 004255B3
_strlen.LIBCMT ref: 004255B9

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: _strlen$_strcat
String ID:
API String ID: 1497175149-0
Opcode ID: 6d8e9a97864912384b394dee8b0a166538910757550b170f8976a70e9cfad3b8
Instruction ID: 11a6cad9a9c860b1f238bfe5ede414f9acfa9136387677aa793d2bd73018cf33
Opcode Fuzzy Hash: 6d8e9a97864912384b394dee8b0a166538910757550b170f8976a70e9cfad3b8
Instruction Fuzzy Hash: 35110676D01125BBDB216B65DC01BCEBFE8EF113BCF64009AE444A3302E73E9A50C698

Uniqueness

Uniqueness Score: -1.00%

Function 0041501B, Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

SafeArrayGetDim.OLEAUT32(?), ref: 0041502F
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00415043
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00415058
SafeArrayRedim.OLEAUT32(?,?), ref: 00415084
VariantClear.OLEAUT32(?), ref: 00415096
SafeArrayCreate.OLEAUT32(00000011,00000001,?), ref: 004150B3

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ArraySafe$Bound$ClearCreateRedimVariant
String ID:
API String ID: 3151960920-0
Opcode ID: 423fd0d341eb92b8321c7708c72735d6a29e2c875f3cd92a98c4b5b1cac1f8bb
Instruction ID: 7d4c17ebae19c7622efc9f4619fa4766bb613293cdbd1f94e91858a5a421178e
Opcode Fuzzy Hash: 423fd0d341eb92b8321c7708c72735d6a29e2c875f3cd92a98c4b5b1cac1f8bb
Instruction Fuzzy Hash: D9112971900B09ABCB10EFA5DC89BEEBBB9AF44302F10842AF659D6151D775DAC08B94

Uniqueness

Uniqueness Score: -1.00%

Function 00440D02, Relevance: 9.1, APIs: 6, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyA.ADVAPI32(00000000,?), ref: 00440D26
RegDeleteValueA.ADVAPI32(00000000,00000000,?,00000000), ref: 00440D46
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0043965F,?), ref: 00440D71

Part of subcall function 0044F31C: RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,00000000,00000000), ref: 0044F34A
Part of subcall function 0044F31C: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 0044F36D
Part of subcall function 0044F31C: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,00000000,?), ref: 0044F389
Part of subcall function 0044F31C: RegCloseKey.ADVAPI32(?), ref: 0044F399
Part of subcall function 0044F31C: RegCloseKey.ADVAPI32(?), ref: 0044F3A3

WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00440D8C

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Close$CreateDelete$OpenPrivateProfileStringValueWrite
String ID:
API String ID: 1886894508-0
Opcode ID: 1584f9c9f667589d5d124923fd595d428c49ee6bf6f48faaff81f67984497072
Instruction ID: be05b2fc9ad5d7b6a1a6ab17eb2dce709ff9d5d88d781b80486be102b95aed3b
Opcode Fuzzy Hash: 1584f9c9f667589d5d124923fd595d428c49ee6bf6f48faaff81f67984497072
Instruction Fuzzy Hash: A011C232800719FBEF221FA0DC04BBE3B65EF04B52F008426FE0499161CB39D8759B99

Uniqueness

Uniqueness Score: -1.00%

Function 00448C9C, Relevance: 9.1, APIs: 6, Instructions: 56stringwindowCOMMON

Download Yara Rule

APIs

UnpackDDElParam.USER32(000003E8,?,?,?), ref: 00448CC8
GlobalLock.KERNEL32 ref: 00448CD3
lstrlenA.KERNEL32(00000000), ref: 00448CDA
GlobalUnlock.KERNEL32(?), ref: 00448CEE
ReuseDDElParam.USER32(?,000003E8,000003E4,00008000,?), ref: 00448D09
PostMessageA.USER32 ref: 00448D16

Part of subcall function 00435FA7: IsWindowEnabled.USER32(?), ref: 00435FB0

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: GlobalParam$EnabledLockMessagePostReuseUnlockUnpackWindowlstrlen
String ID:
API String ID: 462239228-0
Opcode ID: ce3b70960625ce19abcedc1c68bf8aa3a2137f09930ec422f8944f04288b3e9d
Instruction ID: 843f36b2d976dcb65b499918346e33768c8fa267ff354ce29602813c402bb45f
Opcode Fuzzy Hash: ce3b70960625ce19abcedc1c68bf8aa3a2137f09930ec422f8944f04288b3e9d
Instruction Fuzzy Hash: 92114F71900218ABDB11AB61DC89EDEBB79FF58315F0045AAF80A961A2CA34DD50CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004254C0, Relevance: 9.1, APIs: 6, Instructions: 55COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004254D2
_strlen.LIBCMT ref: 004254DC
_strcat.LIBCMT ref: 00425509
_strlen.LIBCMT ref: 0042550F
_strcat.LIBCMT ref: 0042551F
_strlen.LIBCMT ref: 00425525

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: _strlen$_strcat
String ID:
API String ID: 1497175149-0
Opcode ID: bac27629e6831043937a660c74ecf41746d9df29e4b177afbeb76c8733d92f15
Instruction ID: 5a9cdce11d134a8d60e3e736b53a6c8a9b1ec1f00342cf81ae35700cce269ff2
Opcode Fuzzy Hash: bac27629e6831043937a660c74ecf41746d9df29e4b177afbeb76c8733d92f15
Instruction Fuzzy Hash: 0A016D7A9051243AC7222E7A6C41696BB88DF1336CB54015EF84453212DA2F5861C1DD

Uniqueness

Uniqueness Score: -1.00%

Function 0041E0E0, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 233COMMON

Download Yara Rule

APIs

Part of subcall function 0041DFBB: _UnwindNestedFrames.LIBCMT ref: 0041DFDE

__lock.LIBCMT ref: 00423D86
DeleteCriticalSection.KERNEL32(02491C30,0045D340,00000010,00000003), ref: 00423DD4

Strings

csm, xrefs: 0041E179
csm, xrefs: 0041E109
csm, xrefs: 0041E1AD

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: CriticalDeleteFramesNestedSectionUnwind__lock
String ID: csm$csm$csm
API String ID: 3118959615-393685449
Opcode ID: eeaf266864a56599e02b96fec17dceafa2841cd87502a846da7742c509402950
Instruction ID: 45f4e78f24e6799535b230a836560dca70766a821e3815cde5dc7873b858194d
Opcode Fuzzy Hash: eeaf266864a56599e02b96fec17dceafa2841cd87502a846da7742c509402950
Instruction Fuzzy Hash: D8918D35A00208AFCF24DF96D881AEE77B5BF04314F54409AEC15AB292C779DDD1CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0042223E, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

mE, xrefs: 00422334

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID:
String ID: mE
API String ID: 0-852767849
Opcode ID: 3fb972b9e255b2ddeb56af8ca57a817e51bfa3a88d179c708d6e8ac248572a28
Instruction ID: 82f871c86f75e6b8a179efe89459e3be698569a2d7d82ffaa44ba97abef56c84
Opcode Fuzzy Hash: 3fb972b9e255b2ddeb56af8ca57a817e51bfa3a88d179c708d6e8ac248572a28
Instruction Fuzzy Hash: 3D310A71704220BAEB24DB71BE01BDB3794DF45314F94846FF908D6292EABD8D40C26E

Uniqueness

Uniqueness Score: -1.00%

Function 00438D22, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 00438D46
lstrlenA.KERNEL32(00000000), ref: 00438D8A

Strings

System, xrefs: 00438D43

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: GlobalLocklstrlen
String ID: System
API String ID: 1144527523-3470857405
Opcode ID: 7a5195ea006483a3ba774903d77828ef6269f516ca54ee2f708ef976ec9e096b
Instruction ID: d6a83972c4075e3664bc916c19ab451520e06dc9bf3166b1cd7839a767c994db
Opcode Fuzzy Hash: 7a5195ea006483a3ba774903d77828ef6269f516ca54ee2f708ef976ec9e096b
Instruction Fuzzy Hash: 6441AF3280020AEFCB14DFA4C88589EFBB9FF08314F14812EF415D7281DB389995CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0044A478, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044A47D

Part of subcall function 00435E61: GetWindowLongA.USER32 ref: 00435E6C

wsprintfA.USER32 ref: 0044A4D5

Part of subcall function 0044C79F: _strlen.LIBCMT ref: 0044C7B0

wsprintfA.USER32 ref: 0044A545

Strings

- , xrefs: 0044A4EA, 0044A51C
:%d, xrefs: 0044A4CF, 0044A53F

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: wsprintf$H_prologLongWindow_strlen
String ID: - $:%d
API String ID: 2235926753-2359489159
Opcode ID: a6eff60b0e5d01525219bebda3cf8b98d34a5492476112d4545c3f99a4dcad77
Instruction ID: 54f1d16b849051e413a7579d92a27a041ac2cfd59f806004b6f503fdd5eaacc3
Opcode Fuzzy Hash: a6eff60b0e5d01525219bebda3cf8b98d34a5492476112d4545c3f99a4dcad77
Instruction Fuzzy Hash: 7A316F71901108ABDB04EBA5ED96DEEB776EF44305F54452FF102A7191DF38AA08CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0044D0FD, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 0044D113
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 0044D1B5
LoadBitmapA.USER32 ref: 0044D1CD

Strings

$nE, xrefs: 0044D17D
, xrefs: 0044D11F

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
String ID: $$nE
API String ID: 2596413745-3930062202
Opcode ID: c17a942b27ee72dca52793b24d71d82dd3dd08e09a4796e96d1be6d8782bbc98
Instruction ID: 8eeb58af6bc36a6aa5eaa7dde0ede022c5e189e02d282ca3f9d1bdb7b0f53ea0
Opcode Fuzzy Hash: c17a942b27ee72dca52793b24d71d82dd3dd08e09a4796e96d1be6d8782bbc98
Instruction Fuzzy Hash: 0721E771E403159FEB10CFA8DC89ABEBBB5EB84701F040527E905EB291E7749944CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00448FD8, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000362,0000E002,00000000), ref: 0044903E
UpdateWindow.USER32(?), ref: 00449055
GetParent.USER32(?), ref: 004490C0
PostMessageA.USER32 ref: 004490DC

Strings

@, xrefs: 004490AB

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Message$ParentPostSendUpdateWindow
String ID: @
API String ID: 4141989945-2766056989
Opcode ID: aa6acc6ba5b6687fb2a384c7c194ca08e9f41ff811f930c7a7eea882742177c8
Instruction ID: 1ff7c1ed7a98ecd61734d89e463a723a5d04d88656f804b82a0c16df81f54f97
Opcode Fuzzy Hash: aa6acc6ba5b6687fb2a384c7c194ca08e9f41ff811f930c7a7eea882742177c8
Instruction Fuzzy Hash: 4731A535200B00EFFB304F24D948B6B77E5BF55311F20842EE6565A2A1C7BAEC40EB49

Uniqueness

Uniqueness Score: -1.00%

Function 00430FFD, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32 ref: 0043103E
GetDlgItem.USER32 ref: 0043105D
IsWindowEnabled.USER32(00000000), ref: 00431068
SendMessageA.USER32(?,00000111,00000002,00000000), ref: 0043107E

Strings

Edit, xrefs: 00431048

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Window$EnabledItemLongMessageSend
String ID: Edit
API String ID: 3499652902-554135844
Opcode ID: 093b15d037e77bcd741ee9ad2f907678fff231c758b462916c28cadcaac5a29a
Instruction ID: da8f9e1f847f9462668e1eb773fa3783db63c140cfcd26e699f80d522220ae4a
Opcode Fuzzy Hash: 093b15d037e77bcd741ee9ad2f907678fff231c758b462916c28cadcaac5a29a
Instruction Fuzzy Hash: AF01C830304341AAEA382B25DC15B6BB6B89F8C755F14652BF141E15B1CB68DC81C55C

Uniqueness

Uniqueness Score: -1.00%

Function 0043F4CC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043F4D1

Part of subcall function 0043A10E: CloseHandle.KERNEL32(?), ref: 0043A11D
Part of subcall function 0043A10E: GetLastError.KERNEL32 ref: 0043A142

GetModuleHandleA.KERNEL32(KERNEL32,?), ref: 0043F504
GetProcAddress.KERNEL32(00000000,ReplaceFileA), ref: 0043F510

Strings

ReplaceFileA, xrefs: 0043F50A
KERNEL32, xrefs: 0043F4FF

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Handle$AddressCloseErrorH_prologLastModuleProc
String ID: KERNEL32$ReplaceFileA
API String ID: 2454685956-852406001
Opcode ID: 4e0c647cbd05ddb4b4ecca2066393c7cf00872802e03386855bf6b47a335b241
Instruction ID: 53eb8aaddabdb9520d169f757aee0b91884b2ad0c80d9ad8177d7ccce8be2223
Opcode Fuzzy Hash: 4e0c647cbd05ddb4b4ecca2066393c7cf00872802e03386855bf6b47a335b241
Instruction Fuzzy Hash: DE015271640604ABC725AB66DC95DAFB3BDFFD4706B40456FF41292152CB789D048624

Uniqueness

Uniqueness Score: -1.00%

Function 00450738, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL,?,?,?,0044434E,00008000), ref: 0045074F
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 0045075B

Strings

COMCTL32.DLL, xrefs: 0045074A
NCD, xrefs: 0045078D
DllGetVersion, xrefs: 00450755

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: COMCTL32.DLL$DllGetVersion$NCD
API String ID: 1646373207-1701423194
Opcode ID: 0c66b6129527f80c7d16f7460cdeeabfb78536e8b981e02ffb431dbeeadef5a3
Instruction ID: bca01ba98a8a2a2421139e9e7471672394311d298d8601ca3452ff83ae43df70
Opcode Fuzzy Hash: 0c66b6129527f80c7d16f7460cdeeabfb78536e8b981e02ffb431dbeeadef5a3
Instruction Fuzzy Hash: 6AF0C871E0032967D7109BFD9C45BAA76AC9B04756F500536FD04E31D1D6B4DC4887F9

Uniqueness

Uniqueness Score: -1.00%

Function 00434627, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044F1DD: EnterCriticalSection.KERNEL32(0047B754,?,00000000,?,?,0044EC7C,00000010,73B74DE0,00000000,?,?,?,0044D5AE,0044D53B,0044C800,0044D5B4), ref: 0044F20B
Part of subcall function 0044F1DD: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,0044EC7C,00000010,73B74DE0,00000000,?,?,?,0044D5AE,0044D53B,0044C800,0044D5B4), ref: 0044F21D
Part of subcall function 0044F1DD: LeaveCriticalSection.KERNEL32(0047B754,?,00000000,?,?,0044EC7C,00000010,73B74DE0,00000000,?,?,?,0044D5AE,0044D53B,0044C800,0044D5B4), ref: 0044F226
Part of subcall function 0044F1DD: EnterCriticalSection.KERNEL32(00000000,00000000,?,?,0044EC7C,00000010,73B74DE0,00000000,?,?,?,0044D5AE,0044D53B,0044C800,0044D5B4,00437F34), ref: 0044F238

Part of subcall function 0044EC5B: __EH_prolog.LIBCMT ref: 0044EC60

LoadLibraryA.KERNEL32(hhctrl.ocx,0044CF69,0000000C), ref: 0043464B
GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 0043465E
FreeLibrary.KERNEL32(?), ref: 0043466E

Strings

hhctrl.ocx, xrefs: 00434646
HtmlHelpA, xrefs: 00434658

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: CriticalSection$EnterLibrary$AddressFreeH_prologInitializeLeaveLoadProc
String ID: HtmlHelpA$hhctrl.ocx
API String ID: 813623328-63838506
Opcode ID: a76a58b66f2fa6d2d5c49b31760f79744e7f9ec3dc106ff10da9545379341535
Instruction ID: f7560a7c9ec6646cd3218d1f6398e703dc06d03c8042333b0dd717768757833b
Opcode Fuzzy Hash: a76a58b66f2fa6d2d5c49b31760f79744e7f9ec3dc106ff10da9545379341535
Instruction Fuzzy Hash: D6F04430200701DBD710AF71DD0AB577EE0AF49B42F00882EF54A915A2D77CE8488B1D

Uniqueness

Uniqueness Score: -1.00%

Function 0041ABAC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(mscoree.dll,0041AD38,?,0045C828,00000008,0041AD6F,?,00000001,00000000,004202FE,00000003), ref: 0041ABB1
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0041ABC1
ExitProcess.KERNEL32 ref: 0041ABD5

Strings

mscoree.dll, xrefs: 0041ABAC
CorExitProcess, xrefs: 0041ABBB

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: AddressExitHandleModuleProcProcess
String ID: CorExitProcess$mscoree.dll
API String ID: 75539706-1276376045
Opcode ID: 133d776a81d15c47b29590f47230e52b208ecf61127093de5c31547b2b78f831
Instruction ID: ccd9feb4c5181765ae07dfacc2c9bac8b5ef29af74bd5ac725210336e5f0eabc
Opcode Fuzzy Hash: 133d776a81d15c47b29590f47230e52b208ecf61127093de5c31547b2b78f831
Instruction Fuzzy Hash: 06D0C930204B00AFDE003F71AC5AE2F7EA9AE40B87B108835B805D0172CB78D814AA2A

Uniqueness

Uniqueness Score: -1.00%

Function 00422FB6, Relevance: 7.7, APIs: 5, Instructions: 216COMMON

Download Yara Rule

APIs

Part of subcall function 0041E3BF: GetLastError.KERNEL32(?,00000000,0041BC41,0041C448,00000000,0045C8C8,00000008,0041C49F,?,00478DA0,?,0041E870,?,00419950,00000001,00478DA0), ref: 0041E3C1
Part of subcall function 0041E3BF: FlsGetValue.KERNEL32(?,0041E870,?,00419950,00000001,00478DA0,0045C788,00000010,00401E17,Characters: %c %c ,00000061,00000041), ref: 0041E3CF
Part of subcall function 0041E3BF: FlsSetValue.KERNEL32(00000000,?,0041E870,?,00419950,00000001,00478DA0,0045C788,00000010,00401E17,Characters: %c %c ,00000061,00000041), ref: 0041E3F6
Part of subcall function 0041E3BF: GetCurrentThreadId.KERNEL32 ref: 0041E40E
Part of subcall function 0041E3BF: SetLastError.KERNEL32(00000000,?,0041E870,?,00419950,00000001,00478DA0,0045C788,00000010,00401E17,Characters: %c %c ,00000061,00000041), ref: 0041E425

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423028
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423125
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042317E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042319B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004231BE

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$ErrorLastValue$CurrentThread
String ID:
API String ID: 223281555-0
Opcode ID: 9695677f3be746f3c3269b4f773a90983936c10807f0c3828925298f7a3e3b85
Instruction ID: 1d619bc14e2f9ed3f9d1c0703bd3e01fbac7dbc366a132f6e4aa3b4db7166954
Opcode Fuzzy Hash: 9695677f3be746f3c3269b4f773a90983936c10807f0c3828925298f7a3e3b85
Instruction Fuzzy Hash: 4261F476B00319AFDB149F99DC41BAFB7B6EB84314F24816EF50097281DB7DAE408B58

Uniqueness

Uniqueness Score: -1.00%

Function 00446FDF, Relevance: 7.7, APIs: 5, Instructions: 204windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 0044700A
EqualRect.USER32 ref: 00447030
IsWindowVisible.USER32(?), ref: 004470BE
CopyRect.USER32 ref: 004470FA
GetParent.USER32(?), ref: 004471B8

Part of subcall function 00418FE6: SetParent.USER32(?,00000000,004471D0,00000000,00000000), ref: 00418FF5

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Rect$ParentWindow$CopyEqualVisible
String ID:
API String ID: 545338366-0
Opcode ID: fce6ec38e5d29166fe0af2471629ac67a4cece6c21d7f99fa14d103d6e44b6f7
Instruction ID: b154d10cbb416971668674b4ffb39726ab97605e305236bb6e81b3dd2bd63be6
Opcode Fuzzy Hash: fce6ec38e5d29166fe0af2471629ac67a4cece6c21d7f99fa14d103d6e44b6f7
Instruction Fuzzy Hash: 08619F71600705DFEF21DFB9CC41BAEB7BAAF48304F10452EE9199B296CB389846CB15

Uniqueness

Uniqueness Score: -1.00%

Function 0041D569, Relevance: 7.7, APIs: 5, Instructions: 184COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C,?,?,?,?,?,004192C9,?), ref: 0041D61C
InterlockedExchange.KERNEL32(0047BB48,00000001), ref: 0041D69A
InterlockedExchange.KERNEL32(0047BB48,00000000), ref: 0041D6FF
InterlockedExchange.KERNEL32(0047BB48,00000001), ref: 0041D723
InterlockedExchange.KERNEL32(0047BB48,00000000), ref: 0041D783

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ExchangeInterlocked$QueryVirtual
String ID:
API String ID: 2947987494-0
Opcode ID: 3bef946cde86772381c7ade2703218cb5d58f068fcd97a92456abdfcaaf57326
Instruction ID: f2abfbe5d141307501c52c7c7846b977ca9cae80eb25a51dfe44d68325f93dcd
Opcode Fuzzy Hash: 3bef946cde86772381c7ade2703218cb5d58f068fcd97a92456abdfcaaf57326
Instruction Fuzzy Hash: C35195B0E006159FDB24DF28D8947EA73A1EB45718F24856BD82A872D5D378ECC1C78D

Uniqueness

Uniqueness Score: -1.00%

Function 00416E45, Relevance: 7.7, APIs: 5, Instructions: 184COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00416E4A
VariantClear.OLEAUT32(?), ref: 00416E6B

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ClearH_prologVariant
String ID:
API String ID: 1166855276-0
Opcode ID: d63b1bd9e7ce214a3da40469daddbcecd6a15598aeafbcf9094e61a031583407
Instruction ID: 0d6a19fed4c9b0342e9decbe4a7131d05c89e341c5b7d5d7635bcba1a21a32f7
Opcode Fuzzy Hash: d63b1bd9e7ce214a3da40469daddbcecd6a15598aeafbcf9094e61a031583407
Instruction Fuzzy Hash: BC518071A01208ABCB00EF59DC959FE77A9AF88305F15441FF909E7241DB3CE982976A

Uniqueness

Uniqueness Score: -1.00%

Function 0045323A, Relevance: 7.7, APIs: 5, Instructions: 161stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0045323F
lstrcmpA.KERNEL32(00000000,00000000), ref: 004532EC
lstrcmpA.KERNEL32(?,00000000), ref: 00453318
lstrcmpA.KERNEL32(?,00000000), ref: 0045333D

Part of subcall function 0043D6B5: GlobalFlags.KERNEL32(?), ref: 0043D6BF
Part of subcall function 0043D6B5: GlobalUnlock.KERNEL32(?,00000000,?,00437E60,?,00000000,?,?,00000000,00000000,00000002), ref: 0043D6D0
Part of subcall function 0043D6B5: GlobalFree.KERNEL32 ref: 0043D6DB

GlobalLock.KERNEL32 ref: 00453269

Part of subcall function 0042C886: __EH_prolog.LIBCMT ref: 0042C88B

Part of subcall function 0042C77F: PrintDlgA.COMDLG32(?), ref: 0042C789

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Global$lstrcmp$H_prolog$FlagsFreeLockPrintUnlock
String ID:
API String ID: 2564375162-0
Opcode ID: 4a4ce266744587c1f11dfb9a8b4b216112a95a46a11b823550104a08510c7419
Instruction ID: e432ba3015f44ba8da336f1a0d52bdd18cd8c428339e51e1ddec0ed8dfadd29b
Opcode Fuzzy Hash: 4a4ce266744587c1f11dfb9a8b4b216112a95a46a11b823550104a08510c7419
Instruction Fuzzy Hash: 7E51D471A002089BCB11EF65C885BAEB7F4BF04359F14429AEC25A73A3DB78DA44CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0041A8D8, Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa8c7c0f10cf69ae4a01ab01952b64038eba01c11bb30bae17d03a4454578afb
Instruction ID: 104ace5cb48f0d02621d7baf080ba196f3e34b86f1bfc47d159e33050807ef24
Opcode Fuzzy Hash: aa8c7c0f10cf69ae4a01ab01952b64038eba01c11bb30bae17d03a4454578afb
Instruction Fuzzy Hash: 0541E9B1D02125AACF20BFB68D848EF7A64DF15364711462FF815A6251D33C4DE0CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 004402DA, Relevance: 7.6, APIs: 5, Instructions: 102windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0044023C: GetParent.USER32(?), ref: 0044028F
Part of subcall function 0044023C: GetLastActivePopup.USER32(?), ref: 0044029E
Part of subcall function 0044023C: IsWindowEnabled.USER32(?), ref: 004402B3
Part of subcall function 0044023C: EnableWindow.USER32(?,00000000), ref: 004402C6

EnableWindow.USER32(?,00000001), ref: 0044031A
SendMessageA.USER32(?,00000376,00000000,00000000), ref: 0044032E
GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 004403A4
MessageBoxA.USER32 ref: 004403C8
EnableWindow.USER32(?,00000001), ref: 004403E4

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Window$Enable$Message$ActiveEnabledFileLastModuleNameParentPopupSend
String ID:
API String ID: 489645344-0
Opcode ID: 006ab811bf245947a0d5d48dfe2171e54d09eb638471a6e76f9233a147eb262e
Instruction ID: e9828913b853a2fa7b79a579e81144f4f35444586e11306f5e80e0a485d182c9
Opcode Fuzzy Hash: 006ab811bf245947a0d5d48dfe2171e54d09eb638471a6e76f9233a147eb262e
Instruction Fuzzy Hash: 24318031A007489FFB319F65CC85BAE7BA4AF45704F24042EEB05EB282D7B89D50CB19

Uniqueness

Uniqueness Score: -1.00%

Function 0044C4AB, Relevance: 7.6, APIs: 5, Instructions: 99keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00435E61: GetWindowLongA.USER32 ref: 00435E6C

GetWindowRect.USER32 ref: 0044C4C5
GetSystemMetrics.USER32 ref: 0044C4D3
GetSystemMetrics.USER32 ref: 0044C4D9
GetKeyState.USER32(00000002), ref: 0044C4F6
InflateRect.USER32(?,00000000,00000000), ref: 0044C529

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: MetricsRectSystemWindow$InflateLongState
String ID:
API String ID: 2406722796-0
Opcode ID: 5c5fbbad6f36d260592d60f88fc408ac2ac18a4659965ef2b37c92f77a5565a2
Instruction ID: 4afe002b0c9c30cdd5949f680f8418ad17fbd6157a0efb66b9ec37a7e82a0534
Opcode Fuzzy Hash: 5c5fbbad6f36d260592d60f88fc408ac2ac18a4659965ef2b37c92f77a5565a2
Instruction Fuzzy Hash: 6831C332B02139BBEB509BBCC8CDBBE77A5EB49394F4C4417D402DB181DA38E940C658

Uniqueness

Uniqueness Score: -1.00%

Function 00434381, Relevance: 7.6, APIs: 5, Instructions: 91windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00434386
GetTopWindow.USER32(?), ref: 004343B0
GetDlgCtrlID.USER32 ref: 004343C5
SendMessageA.USER32(?,00000087,00000000,00000000), ref: 00434421
GetWindow.USER32(00000000,00000002), ref: 0043445F

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Window$CtrlH_prologMessageSend
String ID:
API String ID: 4125289812-0
Opcode ID: feef5a078a818fd911ff2793b7484ec74848add76fc4b57362a6f76c5545aa45
Instruction ID: dec80a576b292a55306d617c6112636975e7d6365013b881159e531b29ceba35
Opcode Fuzzy Hash: feef5a078a818fd911ff2793b7484ec74848add76fc4b57362a6f76c5545aa45
Instruction Fuzzy Hash: D931F871800114ABCF21AF65DC45AEEB778EF9C314F20922BF415E7251DB386E45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004149EC, Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004149F1
GetEnvironmentVariableA.KERNEL32(?,00000000,00000000), ref: 00414A32
GetEnvironmentVariableA.KERNEL32(?,?,00000000), ref: 00414A90
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00414AAA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000), ref: 00414AC7

Part of subcall function 004190E5: __lock.LIBCMT ref: 00419103
Part of subcall function 004190E5: HeapFree.KERNEL32(00000000,?,0045C778,0000000C,0041C46A,00000000,0045C8C8,00000008,0041C49F,?,00478DA0,?,0041E870,?,00419950,00000001), ref: 0041914A

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ByteCharEnvironmentMultiVariableWide$FreeH_prologHeap__lock
String ID:
API String ID: 1826780888-0
Opcode ID: 1c57d277da245b779fdfdb0b0c08730cc9a53c43f40047f502e70339f66857a3
Instruction ID: 86e358562cc49a885798446446d5a8bc4cd7307985207540ebe7857a0f63b3a7
Opcode Fuzzy Hash: 1c57d277da245b779fdfdb0b0c08730cc9a53c43f40047f502e70339f66857a3
Instruction Fuzzy Hash: B1312D7190012CEBCF259B61CD45EDEBB79EF84354F0041AAE219A21A2DB744EC5CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0044E31E, Relevance: 7.6, APIs: 5, Instructions: 70registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044E323
RegOpenKeyA.ADVAPI32(?,?,?), ref: 0044E34C
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0044E370
RegDeleteKeyA.ADVAPI32(?,?), ref: 0044E403
RegCloseKey.ADVAPI32(?), ref: 0044E411

Part of subcall function 00412B67: __EH_prolog.LIBCMT ref: 00412B6C

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: H_prolog$CloseDeleteEnumOpen
String ID:
API String ID: 4272528234-0
Opcode ID: 4ad063682219cb9ce74caa9d621bf32ef9f41a91f90c09b27fa96dae8843257c
Instruction ID: da6db9835a7e23721245754a4c1eb856a16c09a72ceb4262fc006e24f0b4fd35
Opcode Fuzzy Hash: 4ad063682219cb9ce74caa9d621bf32ef9f41a91f90c09b27fa96dae8843257c
Instruction Fuzzy Hash: 6D219C72D00528EBDB22EF58CC45AEDB7B4FF08321F0042AAFD45A72A1C7349E409B95

Uniqueness

Uniqueness Score: -1.00%

Function 00432BDC, Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00432BEA
GetWindowRect.USER32 ref: 00432C10
SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015,?), ref: 00432C3B
GetWindow.USER32(?,00000005), ref: 00432C44
ScrollWindow.USER32 ref: 00432C5D

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Window$RectScrollVisible
String ID:
API String ID: 2639402888-0
Opcode ID: 3b80cceae8fef5efa21ddeccb48e40085fda7cd262afc16db22c08ed63475565
Instruction ID: 89bfee9c827c0a7c37fa881957d8a6833d5d3518ebec507e4ff49f367cd34f8b
Opcode Fuzzy Hash: 3b80cceae8fef5efa21ddeccb48e40085fda7cd262afc16db22c08ed63475565
Instruction Fuzzy Hash: E0218B31200A09EFDF268F54CD44EBF77BAEF48301F10542AFA0196260D7B5D911DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00448438, Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00435E61: GetWindowLongA.USER32 ref: 00435E6C

SendMessageA.USER32(?,00000086,00000001,00000000), ref: 00448491
SendMessageA.USER32(?,00000086,00000000,00000000), ref: 004484A5
GetDesktopWindow.USER32 ref: 004484A9
SendMessageA.USER32(00000000,0000036D,?,00000000), ref: 004484D1
GetWindow.USER32(00000000), ref: 004484D6

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: MessageSendWindow$DesktopLong
String ID:
API String ID: 2272707703-0
Opcode ID: a08e5ec03bb11222856fa75d2c7da2b736794da07e692a7ef6983ab2a1ae4292
Instruction ID: a38436a14a428af11c73d2a351162ad18985ccf39f538fe65e6af469ccce38b5
Opcode Fuzzy Hash: a08e5ec03bb11222856fa75d2c7da2b736794da07e692a7ef6983ab2a1ae4292
Instruction Fuzzy Hash: 11113631240B0773F2325B219C12F2F6A5AAF84BA5F14011EB7416A6D1EF59DC0182AE

Uniqueness

Uniqueness Score: -1.00%

Function 00448BC1, Relevance: 7.6, APIs: 5, Instructions: 62windowCOMMON

Download Yara Rule

APIs

GlobalGetAtomNameA.KERNEL32 ref: 00448C2E
GlobalAddAtomA.KERNEL32 ref: 00448C3D
GlobalGetAtomNameA.KERNEL32 ref: 00448C55
GlobalAddAtomA.KERNEL32 ref: 00448C5E
SendMessageA.USER32(?,000003E4,?,?), ref: 00448C85

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: AtomGlobal$Name$MessageSend
String ID:
API String ID: 1515195355-0
Opcode ID: c10b87f29cad846cced7e62ce6f7bcc3221981c412e42600f3665563855999d7
Instruction ID: 0e8920fd5fa5a57fd3338adc6f6de2e1ab7861d86d558998dea7d80fa9540b0e
Opcode Fuzzy Hash: c10b87f29cad846cced7e62ce6f7bcc3221981c412e42600f3665563855999d7
Instruction Fuzzy Hash: 9E117235500618ABEB20EFA5CC40AEAB3B8FB14705F40845AE599D7140EAB8EEC0CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0042C790, Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 0042C7A8
GlobalLock.KERNEL32 ref: 0042C7B5

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: GlobalLock
String ID:
API String ID: 2848605275-0
Opcode ID: 0d08c6537dac4b8c6d60fd208f2b6f77f84ea6b19277b57b6c6a8d528863aa76
Instruction ID: eab6c0e5f07e73c5dcc4547e0faaf7ed7774e892b33c31d0ad024b3ae84eaf02
Opcode Fuzzy Hash: 0d08c6537dac4b8c6d60fd208f2b6f77f84ea6b19277b57b6c6a8d528863aa76
Instruction Fuzzy Hash: 49F08662700733A7C6305B25ACC4A3B7ADCAFC4791B540826F845D2200D768CC05DBB5

Uniqueness

Uniqueness Score: -1.00%

Function 004482D4, Relevance: 7.5, APIs: 5, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,?,00000367,00000367,00000003), ref: 004482F5
PostMessageA.USER32 ref: 0044830B
GetCapture.USER32 ref: 0044830D
ReleaseCapture.USER32 ref: 00448318
PostMessageA.USER32 ref: 00448335

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Message$CapturePost$PeekRelease
String ID:
API String ID: 1125932295-0
Opcode ID: 69c904ec4d5a664b96c13f511a762c1fc727b83242dc2f5972c6a4fe762c6446
Instruction ID: 15e2c0053e4a6a86276d1fc509de2ede083f09d010ec39ffcd9bd0c359a259ca
Opcode Fuzzy Hash: 69c904ec4d5a664b96c13f511a762c1fc727b83242dc2f5972c6a4fe762c6446
Instruction Fuzzy Hash: 65F08131501B08BFD6216F12EC44D2B7FBDFB81B49B41452EF54192621DA36E505C768

Uniqueness

Uniqueness Score: -1.00%

Function 004405DA, Relevance: 7.5, APIs: 5, Instructions: 44windowCOMMON

Download Yara Rule

APIs

ScreenToClient.USER32 ref: 004405E7
SendMessageA.USER32(?,00000366,00000000,?), ref: 00440603
ClientToScreen.USER32(?,?), ref: 00440610
GetWindowLongA.USER32 ref: 00440619
GetParent.USER32(?), ref: 00440627

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ClientScreen$LongMessageParentSendWindow
String ID:
API String ID: 4240056119-0
Opcode ID: 0b9fbcd36d5850b221add9002afbffea8c641d88a42993163cf4f836edc791b7
Instruction ID: ed0a94f7f148d7c1e6acc9c1f203a6b8a98cd677c9b1c02db17a1ca1edff7dad
Opcode Fuzzy Hash: 0b9fbcd36d5850b221add9002afbffea8c641d88a42993163cf4f836edc791b7
Instruction Fuzzy Hash: 54F08636101A24B7E7110F14AC04ABF375CEF85762F114226FE16C6281DB34D911C6E8

Uniqueness

Uniqueness Score: -1.00%

Function 00438FA4, Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,00000005), ref: 00438FC2
LoadResource.KERNEL32(?,00000000), ref: 00438FD2
LockResource.KERNEL32(00000000), ref: 00438FDB
SizeofResource.KERNEL32(?,00000000), ref: 00438FE5
FreeResource.KERNEL32(00000000,00000000,00000000), ref: 00438FF7

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Resource$FindFreeLoadLockSizeof
String ID:
API String ID: 4159136517-0
Opcode ID: ea674846b0546b218ed9fcbcc41572dea3c523eba70cc7a97cc7c6b22ff765bd
Instruction ID: 55e58e986300225009e3ed557c75c39bce7feb8fd8cc79c601b8b7308a6c0668
Opcode Fuzzy Hash: ea674846b0546b218ed9fcbcc41572dea3c523eba70cc7a97cc7c6b22ff765bd
Instruction Fuzzy Hash: 38F06D72105B11BFD3115B71AC5CC3BBBACEF89716F11482FF90292212DA78DC018B69

Uniqueness

Uniqueness Score: -1.00%

Function 0041C523, Relevance: 7.5, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00100000,00004000,?,?), ref: 0041C55A
VirtualFree.KERNEL32(?,00000000,00008000,?,?), ref: 0041C565
HeapFree.KERNEL32(00000000,?,?,?), ref: 0041C572
HeapFree.KERNEL32(00000000), ref: 0041C590
HeapDestroy.KERNEL32 ref: 0041C59A

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Free$Heap$Virtual$Destroy
String ID:
API String ID: 782257640-0
Opcode ID: a38e44b56dc6c5fd77030161dbff25367193b8ab797bc8b5ffe72fcb5fd2949c
Instruction ID: 822ce8e6704b7ef0e25170f83ec14b37c12ea2241ad7d201b9742c35cc620b6a
Opcode Fuzzy Hash: a38e44b56dc6c5fd77030161dbff25367193b8ab797bc8b5ffe72fcb5fd2949c
Instruction Fuzzy Hash: 1FF01932680214ABDA216F65EC86F66BB26E744751F21413AF648A21B186627890DB5C

Uniqueness

Uniqueness Score: -1.00%

Function 0041651A, Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041651F
SysStringLen.OLEAUT32(?), ref: 0041653C
SysStringLen.OLEAUT32(?), ref: 0041654C
SysStringLen.OLEAUT32(?), ref: 00416553
SysFreeString.OLEAUT32(?), ref: 00416562

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: String$FreeH_prolog
String ID:
API String ID: 1748501836-0
Opcode ID: 5023673124db32a7c4394156cc55c440209f91733b0e6da76784e11744c5cdb1
Instruction ID: 9d9f937ffc3f4de4929d7871df5c1d493c13535497bbb7c815b91d33c5d26377
Opcode Fuzzy Hash: 5023673124db32a7c4394156cc55c440209f91733b0e6da76784e11744c5cdb1
Instruction Fuzzy Hash: F2F06D36600114BBCB01AB29E990BFE7BBDAF95B56F01401FF805D3205CB7CDA819A69

Uniqueness

Uniqueness Score: -1.00%

Function 0041E3BF, Relevance: 7.5, APIs: 5, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,0041BC41,0041C448,00000000,0045C8C8,00000008,0041C49F,?,00478DA0,?,0041E870,?,00419950,00000001,00478DA0), ref: 0041E3C1
FlsGetValue.KERNEL32(?,0041E870,?,00419950,00000001,00478DA0,0045C788,00000010,00401E17,Characters: %c %c ,00000061,00000041), ref: 0041E3CF
SetLastError.KERNEL32(00000000,?,0041E870,?,00419950,00000001,00478DA0,0045C788,00000010,00401E17,Characters: %c %c ,00000061,00000041), ref: 0041E425

Part of subcall function 0041C139: __lock.LIBCMT ref: 0041C17D
Part of subcall function 0041C139: RtlAllocateHeap.NTDLL(00000008,?,0045C8B8,00000010,0041E3E7,00000001,0000008C,?,0041E870,?,00419950,00000001,00478DA0,0045C788,00000010,00401E17), ref: 0041C1BB

FlsSetValue.KERNEL32(00000000,?,0041E870,?,00419950,00000001,00478DA0,0045C788,00000010,00401E17,Characters: %c %c ,00000061,00000041), ref: 0041E3F6
GetCurrentThreadId.KERNEL32 ref: 0041E40E

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ErrorLastValue$AllocateCurrentHeapThread__lock
String ID:
API String ID: 1487844433-0
Opcode ID: 766c9cda01c2485ee0a6817a78b0bc3a923c12363f033c38df0a1a89b4c54149
Instruction ID: e55714113cac68ff0966e7cd339825e2ca9e50f91fe9c1786a78d998c1f4fc1d
Opcode Fuzzy Hash: 766c9cda01c2485ee0a6817a78b0bc3a923c12363f033c38df0a1a89b4c54149
Instruction Fuzzy Hash: B3F0C835641B119BD7302F71AC096963BA4EF04766F00453AFD4596292CBB598C4479D

Uniqueness

Uniqueness Score: -1.00%

Function 0044F0D9, Relevance: 7.5, APIs: 5, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsFree.KERNEL32(00535BC0,?,?,0044F16C,00000000,00000001), ref: 0044F0FF
GlobalHandle.KERNEL32 ref: 0044F10D
GlobalUnlock.KERNEL32(00000000,?,?,0044F16C,00000000,00000001), ref: 0044F116
GlobalFree.KERNEL32 ref: 0044F11D
DeleteCriticalSection.KERNEL32(0047B6BC,?,?,0044F16C,00000000,00000001), ref: 0044F127

Part of subcall function 0044EF41: EnterCriticalSection.KERNEL32(?), ref: 0044EF9E
Part of subcall function 0044EF41: LeaveCriticalSection.KERNEL32(?,?), ref: 0044EFAE
Part of subcall function 0044EF41: LocalFree.KERNEL32(?), ref: 0044EFB7
Part of subcall function 0044EF41: TlsSetValue.KERNEL32(?,00000000), ref: 0044EFC9

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
String ID:
API String ID: 1549993015-0
Opcode ID: ebb61852112657514682d7a6ca464c92e47b5f5d5e997e64c70c5bfc2ff8d0c0
Instruction ID: 593d290c91d7e5f47e0130104d4c624effb0ff489bb563d2ffe64eaf750aaa60
Opcode Fuzzy Hash: ebb61852112657514682d7a6ca464c92e47b5f5d5e997e64c70c5bfc2ff8d0c0
Instruction Fuzzy Hash: 2FF0E935200A109BE3209B3CEC1CA3B72FCAF85752715012AF805D7352D778DC058769

Uniqueness

Uniqueness Score: -1.00%

Function 00416C27, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 149COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00416C2C
VariantClear.OLEAUT32(?), ref: 00416C79
SysStringByteLen.OLEAUT32(?), ref: 00416D06

Strings

`, xrefs: 00416C53

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ByteClearH_prologStringVariant
String ID: `
API String ID: 2994549436-2679148245
Opcode ID: bf61cc3dc551981a2f429e8b7d5a45f231c456fcf1aae27da260365d3022685b
Instruction ID: 03d5b11f5ab8b0a9bd661a03e599ca0084791930a695db9df101b3aee24d673a
Opcode Fuzzy Hash: bf61cc3dc551981a2f429e8b7d5a45f231c456fcf1aae27da260365d3022685b
Instruction Fuzzy Hash: 7B51A170600518EBCF05AFA1E905AEE7B76EF89704F11404EF806A7251DB39CD91DBAE

Uniqueness

Uniqueness Score: -1.00%

Function 0044C105, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0044C148

Part of subcall function 0043617F: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,00433017,?,00433017,00000000,?,?,000000FF,000000FF,00000015), ref: 004361A5

GetWindowLongA.USER32 ref: 0044C1E9
UpdateWindow.USER32(?), ref: 0044C202

Strings

P, xrefs: 0044C183

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Window$LongParentUpdate
String ID: P
API String ID: 1906497633-3110715001
Opcode ID: 3f4007b6359e8e5bf26f7250b3ab46f81b7b94c98f71c1464263963471a4d667
Instruction ID: 5d840f8d3223d603c82bc41cd748a86d651b29bff7e1a4e6ae8431601f36d906
Opcode Fuzzy Hash: 3f4007b6359e8e5bf26f7250b3ab46f81b7b94c98f71c1464263963471a4d667
Instruction Fuzzy Hash: 0C31C470201705AFEF219F21DC85B6F7BA5FF08354F04451AF956962A2CB78AC10CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0043A7B7, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043A7BC

Part of subcall function 0043A735: wsprintfA.USER32 ref: 0043A790

Part of subcall function 0043A285: RegOpenKeyA.ADVAPI32(80000000,CLSID,?), ref: 0043A2BD
Part of subcall function 0043A285: RegOpenKeyA.ADVAPI32(?,?,00000001), ref: 0043A2D1
Part of subcall function 0043A285: RegOpenKeyA.ADVAPI32(00000001,InProcServer32,?), ref: 0043A2EC
Part of subcall function 0043A285: RegQueryValueExA.ADVAPI32(?,00456DE0,00000000,?,?,?), ref: 0043A306
Part of subcall function 0043A285: RegCloseKey.ADVAPI32(?), ref: 0043A316
Part of subcall function 0043A285: RegCloseKey.ADVAPI32(00000001), ref: 0043A31B
Part of subcall function 0043A285: RegCloseKey.ADVAPI32(?), ref: 0043A320

LoadLibraryA.KERNEL32(00458094,00458094,00458094,?,0043A887,?,00460670,00000000,?,?,?,0043A93B,004580A4,00000000,00458094,?), ref: 0043A80B
GetProcAddress.KERNEL32(00000000,DllGetClassObject), ref: 0043A81B

Strings

DllGetClassObject, xrefs: 0043A815

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: CloseOpen$AddressH_prologLibraryLoadProcQueryValuewsprintf
String ID: DllGetClassObject
API String ID: 821125782-1075368562
Opcode ID: af7ad3de74ec3a80c0c9a371719c5e25bb83794d881664af43c0362ca1a45e87
Instruction ID: f1d88cb63e4c6cda5629fe78ec4bdd6090c2810cdae06c6191e75c70925f52e3
Opcode Fuzzy Hash: af7ad3de74ec3a80c0c9a371719c5e25bb83794d881664af43c0362ca1a45e87
Instruction Fuzzy Hash: 3F118231540205AFCB04EFA5CC04BAE77B9FF48359F14852EF851A7291D738D916CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0043D528, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31stringCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32 ref: 0043D541
GetClassNameA.USER32(00000000,?,0000000A), ref: 0043D55C
lstrcmpiA.KERNEL32(?,combobox), ref: 0043D56B

Strings

combobox, xrefs: 0043D562

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ClassLongNameWindowlstrcmpi
String ID: combobox
API String ID: 2054663530-2240613097
Opcode ID: 01a471b00a89e67f4daa927a76da9f9cd0554cb648f5de566d61bea561f5181d
Instruction ID: e3d941c496cb8e14d7f5ce9a63f2b964ff301d39f54b49c6284712e2e027210b
Opcode Fuzzy Hash: 01a471b00a89e67f4daa927a76da9f9cd0554cb648f5de566d61bea561f5181d
Instruction Fuzzy Hash: 4FF0B431940208FBCF00EF64DC55ABE7BB4FB04355F504426F415D6191D734EA00CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041CEB4, Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 247COMMON

Download Yara Rule

APIs

IsBadWritePtr.KERNEL32(?), ref: 0041CECF

Strings

, xrefs: 0041D154

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Write
String ID:
API String ID: 3165279579-3916222277
Opcode ID: 39382a45e6f6533ebd26eefbd2ae844dbd4a54701e71c99624e7b221f35ba291
Instruction ID: 65ff6ab0defd5c0f2b03dcc9ccebb9924a8e5440ebbfd159657baaf6c6273323
Opcode Fuzzy Hash: 39382a45e6f6533ebd26eefbd2ae844dbd4a54701e71c99624e7b221f35ba291
Instruction Fuzzy Hash: D09179B1D40215ABDB24CF98C880AEEB7B1BB44324F24436BD526A62D4D73899C2CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00428EC7, Relevance: 6.2, APIs: 4, Instructions: 167fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00000000,?,00000000,?,?,?), ref: 00428F41
GetLastError.KERNEL32(?,?,?), ref: 00428F4B
ReadFile.KERNEL32(?,?,00000001,?,00000000,?,?,?), ref: 00429014
GetLastError.KERNEL32(?,?,?), ref: 0042901E

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 8a2679a4a1a5844fc740426203e623fa0925a9d18b95ad58fed4e8722ed6f8b1
Instruction ID: f7c38d60d52cbf84ee477a75cb800241464e0c785c98fb131cee04dccff12f8b
Opcode Fuzzy Hash: 8a2679a4a1a5844fc740426203e623fa0925a9d18b95ad58fed4e8722ed6f8b1
Instruction Fuzzy Hash: 2861D4307043999FDB21CF68D884BAE7BB0AF01314F95409EE9658B392D778DD41CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00422629, Relevance: 6.2, APIs: 4, Instructions: 165COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0042269D
_strlen.LIBCMT ref: 004226E5
_strcspn.LIBCMT ref: 00422705
_strncpy.LIBCMT ref: 00422725

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: _strcspn_strlen_strncpy_strpbrk
String ID:
API String ID: 635841138-0
Opcode ID: 0f7511ea8b2b085eff856125f4ff4e3890986e68d6f425f2abefd5b6b68f9f19
Instruction ID: 902014aae05fd0e7057af0f97b72d00e827c42a0b58ae3140385d2548b97e531
Opcode Fuzzy Hash: 0f7511ea8b2b085eff856125f4ff4e3890986e68d6f425f2abefd5b6b68f9f19
Instruction Fuzzy Hash: AC510072F082367ADF219AA4BA817BFB7A49B80354FA4046FDD04A2242D7FD4D41879D

Uniqueness

Uniqueness Score: -1.00%

Function 0043E2A0, Relevance: 6.2, APIs: 4, Instructions: 162stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043E2A5
lstrcpynA.KERNEL32(?,?,00000104,?,?), ref: 0043E32C
lstrcpyA.KERNEL32(?,?,00000000,?,?,00000104,?,?,?,?), ref: 0043E38A

Part of subcall function 00417A81: __EH_prolog.LIBCMT ref: 00417A86

GetParent.USER32(?), ref: 0043E407

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: H_prolog$Parentlstrcpylstrcpyn
String ID:
API String ID: 920876626-0
Opcode ID: caf602e010c9b2329e11dce37e724bb49feef95daeacf4a4aebcd72411b482a5
Instruction ID: 86020ff683b3aa938f71a769aa5410179d7b4564055bf711f1d68717bed32249
Opcode Fuzzy Hash: caf602e010c9b2329e11dce37e724bb49feef95daeacf4a4aebcd72411b482a5
Instruction Fuzzy Hash: 22514E71A012099FDB24EFB6C844AEE77B8AF08314F24152EF919DB292DB38D944CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00424E63, Relevance: 6.1, APIs: 4, Instructions: 145fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,?,00478DA0,00000001), ref: 00424F4B

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: e5ef7195d86555f875a49c810bf4227f9e418c8038cf1bf2836acca55f7ca8e6
Instruction ID: 90a4a92926a013a4ab1d763c84b4336753dbd3dea6746d020de625a6822fcd2f
Opcode Fuzzy Hash: e5ef7195d86555f875a49c810bf4227f9e418c8038cf1bf2836acca55f7ca8e6
Instruction Fuzzy Hash: D6519E31A00258CFDB32DFA9DD80AEDBBB8FF85304F51415AE8599B252DB349A01CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00442912, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 114stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0044230D,?,?,?,#D,00442A61,?,?,?,#D,?,?,?,00442AB1,?,?), ref: 00442961
lstrcpyA.KERNEL32(00000000,0044230D,00000000,?,?,?,#D,00442A61,?,?,?,#D,?,?,?,00442AB1), ref: 004429D4
lstrlenA.KERNEL32(00000000,?,?,?,#D,00442A61,?,?,?,#D,?,?,?,00442AB1,?,?), ref: 004429DB

Strings

#D, xrefs: 00442912

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: lstrlen$lstrcpy
String ID: #D
API String ID: 805584807-948025513
Opcode ID: b69bd2c926ddd07615725587d5f90aab9cf9c2c4131d7002812ce245e76a286e
Instruction ID: b6435c4ea0a1fd351b4fda25a8c5154e40f6e1af29395d8866e18a55ef8b598b
Opcode Fuzzy Hash: b69bd2c926ddd07615725587d5f90aab9cf9c2c4131d7002812ce245e76a286e
Instruction Fuzzy Hash: C531F8B02086865AF7214E298A9437A7B95AB4B358FD4105BF4C2C6343C2DC8C93932E

Uniqueness

Uniqueness Score: -1.00%

Function 00428A1B, Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00428A3D

Part of subcall function 0041C486: EnterCriticalSection.KERNEL32(00478DA0,00478DA0,?,0041E870,?,00419950,00000001,00478DA0,0045C788,00000010,00401E17,Characters: %c %c ,00000061,00000041), ref: 0041C4AE

__lock.LIBCMT ref: 00428A89
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,0045E920,00000014), ref: 00428AD3
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,0045E920,00000014), ref: 00428AE0

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: CriticalSection$Enter__lock$Leave
String ID:
API String ID: 885841014-0
Opcode ID: 5eee73868591a982254cea555b16d803eee884c78d76ef6dc99e31147a571eb7
Instruction ID: 6872d09f8e36810ea49ef885412d58bcf818ca3348d75930be8b2bd0cd5396e3
Opcode Fuzzy Hash: 5eee73868591a982254cea555b16d803eee884c78d76ef6dc99e31147a571eb7
Instruction Fuzzy Hash: 70414771A013268BDB209F75E8457AE7BA0AF05334F64832FE125962D2CF7C9981CB4C

Uniqueness

Uniqueness Score: -1.00%

Function 0043B16D, Relevance: 6.1, APIs: 4, Instructions: 103stringtimeCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,?,00000104), ref: 0043B198
GetFileTime.KERNEL32(?,?,?,?), ref: 0043B1BA
GetFileSize.KERNEL32(?,00000000), ref: 0043B1C8
GetFileAttributesA.KERNEL32(?), ref: 0043B1F2

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: File$AttributesSizeTimelstrcpyn
String ID:
API String ID: 1499663573-0
Opcode ID: 7e74d28faf73bd5aa7f71fac9a00b32d3eaffc7d88ba26098864637426e67fcb
Instruction ID: a4d1a498919dbad6d024253846dec2ffc3f202889047349a0fe2af8b5f2562ed
Opcode Fuzzy Hash: 7e74d28faf73bd5aa7f71fac9a00b32d3eaffc7d88ba26098864637426e67fcb
Instruction Fuzzy Hash: 1D415B715007059FCB24DF64C895CABBBF8FB083507104B2EE6A6936A1EB34F904CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004364D0, Relevance: 6.1, APIs: 4, Instructions: 103windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00436504
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00436569
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 004365AE
SendMessageA.USER32(?,000000F1,00000000,00000000), ref: 004365D7

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 921ce21e34b7839efdbbbacbcaa53cd0e3cb4b865897c28f710a033f94748604
Instruction ID: 2217d65772d4ee0cce2a03cd5a120ea262780da84c53e4da9f54219d1033c350
Opcode Fuzzy Hash: 921ce21e34b7839efdbbbacbcaa53cd0e3cb4b865897c28f710a033f94748604
Instruction Fuzzy Hash: 4C31A13054011AFBCB24DF55D880EAB3BA9EF05354F11907BF5058B256DA38EE80DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00414897, Relevance: 6.1, APIs: 4, Instructions: 93stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041489C
lstrlenW.KERNEL32(?), ref: 004148CE
lstrlenW.KERNEL32(?), ref: 0041491B
CompareStringA.KERNEL32(?,?,?,?,00000000,?), ref: 00414975

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: lstrlen$CompareH_prologString
String ID:
API String ID: 2824397935-0
Opcode ID: 17d27a3aa7493fb7ecb7d8a23dc8a3d88f84494154e5b492bfb1e652e5447d7a
Instruction ID: 5c9ae6b659badee0e404090425cfe742a6fdbf12efeb44eceed77ff2261444a7
Opcode Fuzzy Hash: 17d27a3aa7493fb7ecb7d8a23dc8a3d88f84494154e5b492bfb1e652e5447d7a
Instruction Fuzzy Hash: 8C3181B290011AABCF11AFB4DC469EF7B74EF44314F04012AF915F32A1D7388A91CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0044AF29, Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 0043B755: IntersectClipRect.GDI32(?,?,?,?,?), ref: 0043B779
Part of subcall function 0043B755: IntersectClipRect.GDI32(?,?,?,?,?), ref: 0043B78F

GetDeviceCaps.GDI32(?,00000008), ref: 0044AF81
GetDeviceCaps.GDI32(?,0000000A), ref: 0044AF8F
SetRect.USER32 ref: 0044AFA0
DPtoLP.GDI32(?,?,00000002), ref: 0044AFAE

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Rect$CapsClipDeviceIntersect
String ID:
API String ID: 2536322604-0
Opcode ID: 6984cf44b9c367715ddf87efe21e6cab5f44e02fdc710be7d430f2a08dc7cc54
Instruction ID: 9ee8f3c20c9977b085a481a8c28c0f8eb6cf99b023bcfd19e3e686239e7793d9
Opcode Fuzzy Hash: 6984cf44b9c367715ddf87efe21e6cab5f44e02fdc710be7d430f2a08dc7cc54
Instruction Fuzzy Hash: 72310475A00604EFDB05DF68D984AAEBBFAFF09311F108065FD09DB251D770EA518B91

Uniqueness

Uniqueness Score: -1.00%

Function 004174F2, Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004174F7

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 55223ed69a862f5ee785227b74d371fc1cee7b1ea9c31c6c669e78f52498e4c9
Instruction ID: 7e98fc469639de1a4b9c34bf89da2550f82167ab0fe68f9bcc28aa188ee56bdd
Opcode Fuzzy Hash: 55223ed69a862f5ee785227b74d371fc1cee7b1ea9c31c6c669e78f52498e4c9
Instruction Fuzzy Hash: D9316F7190020AABCF10EFA1C885EEEB779FF04318F10481AF511A7291D778DA45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00438659, Relevance: 6.1, APIs: 4, Instructions: 85synchronizationCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043865E

Part of subcall function 0044F02F: __EH_prolog.LIBCMT ref: 0044F034

Part of subcall function 00438522: GetCurrentThreadId.KERNEL32 ref: 00438535
Part of subcall function 00438522: SetWindowsHookExA.USER32 ref: 00438545

SetEvent.KERNEL32(?,Function_0004D523), ref: 0043871A
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00438723
CloseHandle.KERNEL32(?), ref: 0043872A

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: H_prolog$CloseCurrentEventHandleHookObjectSingleThreadWaitWindows
String ID:
API String ID: 2789817125-0
Opcode ID: 234dca78356ffcecfab7653091b55683e8f69887e45975aaa82e87dce581644b
Instruction ID: 6193c5cdfbfa06214e0606c6fa21f8748cfa421d0d0f67a1432b46abc5233d96
Opcode Fuzzy Hash: 234dca78356ffcecfab7653091b55683e8f69887e45975aaa82e87dce581644b
Instruction Fuzzy Hash: 4D314930A00705DFCB14EFA5C985A9DF7B1BF08315F20956EF01697292CB38EA45CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00450D94, Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,000000F1), ref: 00450DAE
LoadResource.KERNEL32(?,00000000), ref: 00450DBA
LockResource.KERNEL32(00000000), ref: 00450DC8
FreeResource.KERNEL32(?), ref: 00450E4B

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 1971d945b6e44f5dd74037333a4939e35218bac19dc0838dd16ba1864c40d5e4
Instruction ID: 4f86f653c3520568694ec64d98aec450067ba8234150793ac0c3b4c6c8a54c68
Opcode Fuzzy Hash: 1971d945b6e44f5dd74037333a4939e35218bac19dc0838dd16ba1864c40d5e4
Instruction Fuzzy Hash: 4A21D376500610BBC7249FA2CC448BFB7BCEF45706710842EFD46D7252EA38E945D768

Uniqueness

Uniqueness Score: -1.00%

Function 0044E980, Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,00000001,?,00000001,00000000,00000000), ref: 0044E9C7
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000001,00000000,00000000), ref: 0044E9D9
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000001,00000000,00000000), ref: 0044E9EB
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000001,00000000,00000000), ref: 0044E9FD

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 440ca55411f3eb67cb07367baee8992a5be6b8b86c657a542c0817ebfd35c97f
Instruction ID: 77bdaba1d00404e6d18f7a7ff7345b5d069986789cf29112c8d10026780bed53
Opcode Fuzzy Hash: 440ca55411f3eb67cb07367baee8992a5be6b8b86c657a542c0817ebfd35c97f
Instruction Fuzzy Hash: 37116D7224060C7FE250EA52CC81FE7BB9CFB4A788F820416F705D6881D2A2F954C7B5

Uniqueness

Uniqueness Score: -1.00%

Function 0043AF4B, Relevance: 6.1, APIs: 4, Instructions: 67timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 0043AFCD
GetLastError.KERNEL32(00000000), ref: 0043AFDE
LocalFileTimeToFileTime.KERNEL32(?,0000FFFF), ref: 0043AFED
GetLastError.KERNEL32(00000000), ref: 0043AFF8

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Time$File$ErrorLast$LocalSystem
String ID:
API String ID: 1172841412-0
Opcode ID: c5765ad88efcfcc70b83ff8a0bc5b8746a5f0d1555a4d46d2ac63f4b09ab1b03
Instruction ID: 226d52641a4a1b36584305c8edc7bf94fb764e0dfcb3f679671b918d7b12d757
Opcode Fuzzy Hash: c5765ad88efcfcc70b83ff8a0bc5b8746a5f0d1555a4d46d2ac63f4b09ab1b03
Instruction Fuzzy Hash: AF119D68A40619A68F10BBA68C018FF777CEF48355B00905FF845E3211EB3C8642CBEE

Uniqueness

Uniqueness Score: -1.00%

Function 0042C520, Relevance: 6.1, APIs: 4, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,00000000,00000080), ref: 0042C589
lstrcpynA.KERNEL32(?,?,00000080), ref: 0042C59C
FindTextA.COMDLG32(?), ref: 0042C5AE
ReplaceTextA.COMDLG32(?), ref: 0042C5B6

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Textlstrcpyn$FindReplace
String ID:
API String ID: 38701251-0
Opcode ID: 4ba84f1a53416ed09f1a6bf9d3ff6dc8432da32ce58b1dc35dab4ad11a99244f
Instruction ID: c1da3444947088873f260f49b6d69de29417c103fa745dd9ad9aa1c74fef4962
Opcode Fuzzy Hash: 4ba84f1a53416ed09f1a6bf9d3ff6dc8432da32ce58b1dc35dab4ad11a99244f
Instruction Fuzzy Hash: FE218170200B19ABD720DF74D885BDB77E8BF04354F40442AE959C3250DB38F945CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00414B35, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414B3A
WideCharToMultiByte.KERNEL32(00000000), ref: 00414B73
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00414B9A
GetStringTypeA.KERNEL32(?,?,?,00000000,?), ref: 00414BB5

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ByteCharMultiWide$H_prologStringType
String ID:
API String ID: 2088138148-0
Opcode ID: 7edea53b1129ea2bc59c899dc5bfe0db457c67f83fa02c34144f902730ab7173
Instruction ID: 7f07e105d1c3c75ba6467eabad54b2c191e8ac336323d7a3a0b80ca00416f6cf
Opcode Fuzzy Hash: 7edea53b1129ea2bc59c899dc5bfe0db457c67f83fa02c34144f902730ab7173
Instruction Fuzzy Hash: 4B117F71801128ABCB219FA5DD44EEFBF79FF05364F00016AF619A21A1C7758E51DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00431314, Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 0043133A
LoadResource.KERNEL32(?,00000000), ref: 00431342
LockResource.KERNEL32(00000000), ref: 00431354
FreeResource.KERNEL32(00000000), ref: 0043139E

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: cf62371c89410eed651ab7bc9a5b780898f0221130fca4ee2fd6a04c1507b6e0
Instruction ID: 697a7456634bd751cf7345a9cb5bf64695b6d6545dae8979859041b25fbf9e82
Opcode Fuzzy Hash: cf62371c89410eed651ab7bc9a5b780898f0221130fca4ee2fd6a04c1507b6e0
Instruction Fuzzy Hash: E9118F3A500B01EFD7209FA4C958ABBB7B8FF08759F04506AEC4253B61D778AD44CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0044C3D6, Relevance: 6.1, APIs: 4, Instructions: 55windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00435E61: GetWindowLongA.USER32 ref: 00435E6C

GetForegroundWindow.USER32 ref: 0044C3FA
GetLastActivePopup.USER32(?), ref: 0044C415
SendMessageA.USER32(?,0000036D,00000040,00000000), ref: 0044C431
SendMessageA.USER32(?,0000036D,00000000,00000000), ref: 0044C457

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: MessageSendWindow$ActiveForegroundLastLongPopup
String ID:
API String ID: 2039223353-0
Opcode ID: 186d86e1bb963998237b7a736ea5499e4c11d518e37746bf39770847421075bb
Instruction ID: 5487f9e960b537acd162726a438ef349b049046759a06f1788ac177a2798c895
Opcode Fuzzy Hash: 186d86e1bb963998237b7a736ea5499e4c11d518e37746bf39770847421075bb
Instruction Fuzzy Hash: 8701F2723117003BFB617FB1ADB5B3B76499B84385F44443ABB02C22A2EE69D911829C

Uniqueness

Uniqueness Score: -1.00%

Function 0044271E, Relevance: 6.1, APIs: 4, Instructions: 54windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00435D1B: GetDlgItem.USER32 ref: 00435D28

SendMessageA.USER32(?,00000188,00000000,00000000), ref: 00442756
SendMessageA.USER32(?,0000018A,00000000,00000000), ref: 0044276A
SendMessageA.USER32(?,00000189,00000000,00000000), ref: 0044277F
SendMessageA.USER32(?,0000018C,000000FF,?), ref: 004427A7

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: MessageSend$Item
String ID:
API String ID: 3888421826-0
Opcode ID: 7f41dbfbf8ef9c8d126ce108dcb7240f5cd3241689d2781002a55b914dfb6c6b
Instruction ID: 8041d22320b68c721f3673dc4c96feccd1c6170c8bb1ab664d201b69bfeca2ac
Opcode Fuzzy Hash: 7f41dbfbf8ef9c8d126ce108dcb7240f5cd3241689d2781002a55b914dfb6c6b
Instruction Fuzzy Hash: C511A131200258BBEF11AF54CC01FEE3B69EB44730F54821AF9255B1E0CAB4AA51CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0043514E, Relevance: 6.1, APIs: 4, Instructions: 52windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 00435178
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 0043519A
GetCapture.USER32 ref: 004351AC
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 004351BB

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: MessageSend$Capture
String ID:
API String ID: 1665607226-0
Opcode ID: 275c7470fd92f4db9bea6f84a4e2efcf8c2a6b156ae9a6bf5841001c49007eea
Instruction ID: 0a548c32f2a49e1ca95ef3edf2df1b9e3ade186cb478b6fd28bdccdf70a56fdb
Opcode Fuzzy Hash: 275c7470fd92f4db9bea6f84a4e2efcf8c2a6b156ae9a6bf5841001c49007eea
Instruction Fuzzy Hash: F30181703407087FFA302B519CC9FBB76ADDF8CB99F150439F741AA1D2CA959C019A64

Uniqueness

Uniqueness Score: -1.00%

Function 0043A1F3, Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 0043A227
GetCurrentProcess.KERNEL32(?,00000000), ref: 0043A22D
DuplicateHandle.KERNEL32(00000000), ref: 0043A230
GetLastError.KERNEL32(?), ref: 0043A24B

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID:
API String ID: 3907606552-0
Opcode ID: f43501c3ad00d979ca8949cb0b5f2fb4eb75575df92d0f543ee4709812707c9a
Instruction ID: d19c58c811fe869435c673ebef52d2a589f64447806e85ebeac7f0d803b75d8d
Opcode Fuzzy Hash: f43501c3ad00d979ca8949cb0b5f2fb4eb75575df92d0f543ee4709812707c9a
Instruction Fuzzy Hash: 1F01D471780300BFDB109BA5CC49F1B7BADEF88760F244566B918CB282DA79DC108B65

Uniqueness

Uniqueness Score: -1.00%

Function 0042F0C0, Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

WindowFromPoint.USER32(?,?), ref: 0042F0D7
GetParent.USER32(00000000), ref: 0042F0E5
ScreenToClient.USER32 ref: 0042F106
IsWindowEnabled.USER32(00000000), ref: 0042F11F

Part of subcall function 0043D528: GetWindowLongA.USER32 ref: 0043D541

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Window$ClientEnabledFromLongParentPointScreen
String ID:
API String ID: 2204725058-0
Opcode ID: 7af2d92b0e4e6fe1c4986829b38481c096636f8d09cc349725e32c715e8149c6
Instruction ID: be6a2684098ef9029235d31d2a2595e08044e56b0ffe46fe9dc2f4dfdd85837a
Opcode Fuzzy Hash: 7af2d92b0e4e6fe1c4986829b38481c096636f8d09cc349725e32c715e8149c6
Instruction Fuzzy Hash: 1B015E35700A24FF87129B98EC14D7E7ABAEF89741B94003AF901D7311EB39DD159768

Uniqueness

Uniqueness Score: -1.00%

Function 004340A4, Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 004340B2
GetTopWindow.USER32(00000000), ref: 004340F1
GetWindow.USER32(00000000,00000002), ref: 0043410F

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 4c7675546fed4c68ff6b2959f0bb60fc012f474acdb2a04c82075ef66a8a8ce5
Instruction ID: 259b82e19fe315ce6f40e17c40c9f9583afda0cdad1ce1555e6fbf2ece579630
Opcode Fuzzy Hash: 4c7675546fed4c68ff6b2959f0bb60fc012f474acdb2a04c82075ef66a8a8ce5
Instruction Fuzzy Hash: 43012D32100619BBCF266F919C04DDF3B65EF9D361F005012FA1155161C739DA71EFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00440C80, Relevance: 6.0, APIs: 4, Instructions: 48registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?), ref: 00440CB4
RegCloseKey.ADVAPI32(00000000,?,?), ref: 00440CBD
wsprintfA.USER32 ref: 00440CD9
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00440CEF

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWritewsprintf
String ID:
API String ID: 1902064621-0
Opcode ID: 5a829fc43b19d6576071f952581df4ceec643a62c395a179110bffa97fd79806
Instruction ID: e364b23941fd1f50c9e455df84a575aa998c447550a51376d72d6155b1379767
Opcode Fuzzy Hash: 5a829fc43b19d6576071f952581df4ceec643a62c395a179110bffa97fd79806
Instruction Fuzzy Hash: 05019231400609FBCB11AF64DD09EAF7BB9AF04754F00402AFA05A61A1EB74D9148B99

Uniqueness

Uniqueness Score: -1.00%

Function 00448AD7, Relevance: 6.0, APIs: 4, Instructions: 47fileCOMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 00448AEE
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000), ref: 00448B09
DragQueryFileA.SHELL32(?,00000000,?,00000104), ref: 00448B31
DragFinish.SHELL32(?), ref: 00448B50

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Drag$FileQuery$ActiveFinishWindow
String ID:
API String ID: 892977027-0
Opcode ID: 46547077bcd133510ec4924af27e508996734cbab59f10683b2010f327a4193a
Instruction ID: 811eb5ae18ced5a33dd0d22ad501efbf9176d3b1dcfe12d23c63cd1a34373c17
Opcode Fuzzy Hash: 46547077bcd133510ec4924af27e508996734cbab59f10683b2010f327a4193a
Instruction Fuzzy Hash: AB0180B0900218BFDB00AF64DC95DEE7B79EB44358F0081AAF14497161CB74AE81CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0044E7A8, Relevance: 6.0, APIs: 4, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 0044E7BC
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0044E7D2
SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 0044E7DA
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,00000000), ref: 0044E7EF

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Byte$CharMultiStringWide$Alloc
String ID:
API String ID: 3384502665-0
Opcode ID: 6beb052cbc144f6f04b3814d5c9ae83ad362a7e9b15841d5c27456f2ecfc3060
Instruction ID: 0a7df2b0e4a7b2320b0d1227de3961cdb3e9df72f2d6397e8c28316157d3c472
Opcode Fuzzy Hash: 6beb052cbc144f6f04b3814d5c9ae83ad362a7e9b15841d5c27456f2ecfc3060
Instruction Fuzzy Hash: ECF03A721062287F92219B679C88CBBBF9CFE8B2A6B01092AF549C2101D6659801CBF5

Uniqueness

Uniqueness Score: -1.00%

Function 00450BA4, Relevance: 6.0, APIs: 4, Instructions: 45windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00450BAD
SendMessageA.USER32(?,00000420,00000000,?), ref: 00450BD6
SendMessageA.USER32(?,0000041F,00000000,?), ref: 00450BF0
InvalidateRect.USER32(?,00000000,00000001), ref: 00450BF9

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: MessageSend$InvalidateRectWindow
String ID:
API String ID: 3225880595-0
Opcode ID: 900c92f147fee0f123edb7998ee78f6a9c0137c69f237fd7a3feb4c04f5052cd
Instruction ID: 6be21cc921ab488fe83cdb2aaebf5af216ca1324879f092a9d8742b9e9ab487e
Opcode Fuzzy Hash: 900c92f147fee0f123edb7998ee78f6a9c0137c69f237fd7a3feb4c04f5052cd
Instruction Fuzzy Hash: 67014C70200718AFE7208F19DC01BBBBBE8FB44711F10492AF995D6291E6B0F815DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0043258A, Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetObjectA.GDI32(00000000,0000000C,?), ref: 004325C8
SetBkColor.GDI32(00000000,00000000), ref: 004325D4
GetSysColor.USER32(00000008), ref: 004325E4
SetTextColor.GDI32(00000000,?), ref: 004325EE

Part of subcall function 0043D528: GetWindowLongA.USER32 ref: 0043D541

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Color$LongObjectTextWindow
String ID:
API String ID: 2871169696-0
Opcode ID: b7142684bdcea25886398c842aec33319ee83e2b88264cebe4716ecc218c793c
Instruction ID: 899486bf84d7be424ba47e0dad8f9707cf811990ace3e460cb2a9a148db9a957
Opcode Fuzzy Hash: b7142684bdcea25886398c842aec33319ee83e2b88264cebe4716ecc218c793c
Instruction Fuzzy Hash: EF014B30500A09FBDF215F64DE69BAF3B64FB08316F106522F902C41E0C7B5CA91EA59

Uniqueness

Uniqueness Score: -1.00%

Function 00436A58, Relevance: 6.0, APIs: 4, Instructions: 41windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32 ref: 00436A83
GetFocus.USER32 ref: 00436A96
GetParent.USER32(?), ref: 00436AA4
SendMessageA.USER32(?,00000028,00000000,00000000), ref: 00436AB9

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: EnableFocusItemMenuMessageParentSend
String ID:
API String ID: 2297321873-0
Opcode ID: 5c8adbf52efe4bab700ff7f9670f21ab973b1f9946edbed9e4f69596a0f66013
Instruction ID: 47d18d4e09eb640d0724fce8ff488ff96568a87c080486eef87d0d843262678a
Opcode Fuzzy Hash: 5c8adbf52efe4bab700ff7f9670f21ab973b1f9946edbed9e4f69596a0f66013
Instruction Fuzzy Hash: FA015E30100B01BFDB249F10DC19B26BBB1EF55312F15D62EF146961E0C775E844CB48

Uniqueness

Uniqueness Score: -1.00%

Function 004365E0, Relevance: 6.0, APIs: 4, Instructions: 40stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004365E5
GetWindowTextA.USER32 ref: 004365FD
lstrcpynA.KERNEL32(?,?,?,?,00447079,?,00000104), ref: 00436633
lstrlenA.KERNEL32(?,?,00447079,?,00000104), ref: 0043663C

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: H_prologTextWindowlstrcpynlstrlen
String ID:
API String ID: 3022380644-0
Opcode ID: fcfc9e4c5a51c01e947fd4ec5bd7c33908cb81bfa05d587a785a486351c207b0
Instruction ID: 513485dc15bc5937fdad1ec73cc70a4ece73e4ebfb768c1dfe87799239e38278
Opcode Fuzzy Hash: fcfc9e4c5a51c01e947fd4ec5bd7c33908cb81bfa05d587a785a486351c207b0
Instruction Fuzzy Hash: DB018C31510614EFCF009FA4C818AADBBB2FF08315F00C66DF5129B262CB759910DF84

Uniqueness

Uniqueness Score: -1.00%

Function 00414C4E, Relevance: 6.0, APIs: 4, Instructions: 36memorystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00414C5E
CoTaskMemAlloc.OLE32(00000000), ref: 00414C6B
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001), ref: 00414C80
CoTaskMemFree.OLE32(00000000), ref: 00414C8B

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Task$AllocByteCharFreeMultiWidelstrlen
String ID:
API String ID: 1031297831-0
Opcode ID: d9fcdb4e81432dfe2e19a30d6e4d67446f60bb26955e24c4bc6fe731ea92e3d9
Instruction ID: 544606fc187c06161ef729f5156908492f206a0bbee31cd4e8b966ed0bede971
Opcode Fuzzy Hash: d9fcdb4e81432dfe2e19a30d6e4d67446f60bb26955e24c4bc6fe731ea92e3d9
Instruction Fuzzy Hash: 60F0A072301B0177D3201BAAEC88FAB7AACDFC5763F11013AF519C62A5EB24C8008964

Uniqueness

Uniqueness Score: -1.00%

Function 0041B4B6, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 0041B4D2

Strings

, xrefs: 0041B4F9
, xrefs: 0041B520

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: b9d7742f0d687b9507fae7ecca0d0c4dce2f1495c6ce05c83b244f66533a1e56
Instruction ID: 3cece0b747b5dfe9e4ee91e28d7e92a175b810417601d5da7d1a0f647cb4a04d
Opcode Fuzzy Hash: b9d7742f0d687b9507fae7ecca0d0c4dce2f1495c6ce05c83b244f66533a1e56
Instruction Fuzzy Hash: 5C418D305002987EEB119B24DC99BFB7BA9EF06308F1408E6D549D7152C3694DC59BDD

Uniqueness

Uniqueness Score: -1.00%

Function 0041F328, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

__shift.LIBCMT ref: 0041F34B

Part of subcall function 0041F30B: _strlen.LIBCMT ref: 0041F313

_strcat.LIBCMT ref: 0041F388

Strings

e+000, xrefs: 0041F37A

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: __shift_strcat_strlen
String ID: e+000
API String ID: 208078240-1027065040
Opcode ID: 875e55a9c64274ed01c054211ec61591270a626eb8f2cf2ea0d2932a9a59f3e3
Instruction ID: 10dd06bfe5233906032f42402e65a8300de7b1c3d025f13929c72fdbf92f1e96
Opcode Fuzzy Hash: 875e55a9c64274ed01c054211ec61591270a626eb8f2cf2ea0d2932a9a59f3e3
Instruction Fuzzy Hash: E321D5322083989FDB1A8E389C903D63BD05B02358F1C44BFE899CB292D67DD9CAC355

Uniqueness

Uniqueness Score: -1.00%

Function 00416B5D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(mE), ref: 00416B88
VarDateFromStr.OLEAUT32(00000000,?,?), ref: 00416BE9

Strings

mE, xrefs: 00416B85

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: DateFromlstrlen
String ID: mE
API String ID: 3083244965-852767849
Opcode ID: 21236a63205d3c610e0caf2d6ec9922e4dc7df269fe6eeac49355a1a8804db29
Instruction ID: c9c3653280e534b12a607a29e002e4b7e8b5001cc8de6abf38bf35f728cf013b
Opcode Fuzzy Hash: 21236a63205d3c610e0caf2d6ec9922e4dc7df269fe6eeac49355a1a8804db29
Instruction Fuzzy Hash: 8E21FF72100204EBCB109F65DC85AEF7BA8EF0035AF21842AF845D7261D739EAC4CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041AF0D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00423D86
DeleteCriticalSection.KERNEL32(02491C30,0045D340,00000010,00000003), ref: 00423DD4

Strings

csm, xrefs: 0041AF0F

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: CriticalDeleteSection__lock
String ID: csm
API String ID: 590241456-1018135373
Opcode ID: 72e3b7236b32f5d339321de57c6609f757999602fafbac578acfb188ccc614ae
Instruction ID: d5757be441aae5840aabba58e7df4775a35bafef4b674f724e490e16ffbc9297
Opcode Fuzzy Hash: 72e3b7236b32f5d339321de57c6609f757999602fafbac578acfb188ccc614ae
Instruction Fuzzy Hash: CB21A1316102149FD725AF66E886BAD33A0AF05726F90051AF815972E2C77C9D829A1E

Uniqueness

Uniqueness Score: -1.00%

Function 00432960, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

GetClassInfoA.USER32 ref: 004329BF

Strings

Afx:%p:%x:%p:%p:%p, xrefs: 004329AB
Afx:%p:%x, xrefs: 00432990

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ClassInfo
String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
API String ID: 3534257612-2801496823
Opcode ID: 5a6ecf764b755fafe288c511cbc0af2046ea21260e69a38337e23847647d8f8a
Instruction ID: 71333daf6e53f7061f0a2f5fb7ad414b963afdaae8e7c258016f27abd0a4e414
Opcode Fuzzy Hash: 5a6ecf764b755fafe288c511cbc0af2046ea21260e69a38337e23847647d8f8a
Instruction Fuzzy Hash: C1211571900209EF9F11EF95D941ADFBBB8EF0C754F54402BF904A3201E7749A518BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00428B97, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,?,?,0045E938,00000010), ref: 00428BC3
GetLastError.KERNEL32(?,?,0045E938,00000010), ref: 00428BCD

Strings

@, xrefs: 00428BAE

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ErrorFileLastType
String ID: @
API String ID: 1621975986-2766056989
Opcode ID: a58c7fe9f6e6cd8ea95554f3b77d2d2b968d1fd669286dd6fcdc1e0dffa9d69b
Instruction ID: dc55c15812bcf55b5a31ac393ab05fe854771c4cf6b567790ce8dd56b42e6323
Opcode Fuzzy Hash: a58c7fe9f6e6cd8ea95554f3b77d2d2b968d1fd669286dd6fcdc1e0dffa9d69b
Instruction Fuzzy Hash: 8A11E1707072245ADF246B35E8063DD3F50AB01324F98464EF9615B2E3DF3C5A819B9D

Uniqueness

Uniqueness Score: -1.00%

Function 0044E8FF, Relevance: 5.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,?,00000001), ref: 0044E945
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,?,00000001), ref: 0044E955
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,?,00000001), ref: 0044E965
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,?,00000001), ref: 0044E975

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 230db3f02c2b4d33a1f1149295bc099b439d4cf158d66aa02b203a68de4277dc
Instruction ID: 16091c942826140615f5f6159e83aadbb5d87404f9aaeb989487e2677a1adb25
Opcode Fuzzy Hash: 230db3f02c2b4d33a1f1149295bc099b439d4cf158d66aa02b203a68de4277dc
Instruction Fuzzy Hash: FC116D7324460C7EE290A6A1DC81FB7B39CFB4CB04F50091AFB4AD6880E260F90487B9

Uniqueness

Uniqueness Score: -1.00%

Function 0044EF41, Relevance: 5.1, APIs: 4, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0044EF9E
LeaveCriticalSection.KERNEL32(?,?), ref: 0044EFAE
LocalFree.KERNEL32(?), ref: 0044EFB7
TlsSetValue.KERNEL32(?,00000000), ref: 0044EFC9

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: c4633e0bd8bdf9a850104e2a539da053a2a06415692cc4456e0187cf9023bed2
Instruction ID: 3be043c67c09bb75a6237c3996a36536f15ec3ef990194b2d65087d099a9e09d
Opcode Fuzzy Hash: c4633e0bd8bdf9a850104e2a539da053a2a06415692cc4456e0187cf9023bed2
Instruction Fuzzy Hash: E7116731600B05EFE724CF56D884F6AB7B4FF0535AF10842AF5468B6A2CBB4E844CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0041C947, Relevance: 5.1, APIs: 4, Instructions: 57memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,?,?,0041D37D,?,?,00000000), ref: 0041C96E
HeapAlloc.KERNEL32(00000008,000041C4,00000000,?,0041D37D,?,?,00000000), ref: 0041C9A7
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,0041D37D,?,?,00000000), ref: 0041C9C5
HeapFree.KERNEL32(00000000,?,?,0041D37D,?,?,00000000), ref: 0041C9DC

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: ad83cb98e11d12c31e8bd914c5f30b11e71b8074a9adf87749378c44b0c77e47
Instruction ID: b06f7167849a2c346c4febfd77e7389f94a7d8b5d83d0225e4c1a3a83ebe4785
Opcode Fuzzy Hash: ad83cb98e11d12c31e8bd914c5f30b11e71b8074a9adf87749378c44b0c77e47
Instruction Fuzzy Hash: 8B112B71280601EFC7318F69EC95D66BBB7FB85755B50462EF55AC61F0C370A885CB08

Uniqueness

Uniqueness Score: -1.00%

Function 0044F1DD, Relevance: 5.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0047B754,?,00000000,?,?,0044EC7C,00000010,73B74DE0,00000000,?,?,?,0044D5AE,0044D53B,0044C800,0044D5B4), ref: 0044F20B
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,0044EC7C,00000010,73B74DE0,00000000,?,?,?,0044D5AE,0044D53B,0044C800,0044D5B4), ref: 0044F21D
LeaveCriticalSection.KERNEL32(0047B754,?,00000000,?,?,0044EC7C,00000010,73B74DE0,00000000,?,?,?,0044D5AE,0044D53B,0044C800,0044D5B4), ref: 0044F226
EnterCriticalSection.KERNEL32(00000000,00000000,?,?,0044EC7C,00000010,73B74DE0,00000000,?,?,?,0044D5AE,0044D53B,0044C800,0044D5B4,00437F34), ref: 0044F238

Part of subcall function 0044F174: InitializeCriticalSection.KERNEL32(0047B754,0044F1EB,0044EC7C,00000010,73B74DE0,00000000,?,?,?,0044D5AE,0044D53B,0044C800,0044D5B4,00437F34,0043B484,73B74DE0), ref: 0044F18C

Memory Dump Source

Source File: 00000000.00000002.640675963.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.640671591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640715555.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.640733271.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.640742231.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640747595.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640751185.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.640762293.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_BnJvVt951o.jbxd

Similarity

API ID: CriticalSection$EnterInitialize$Leave
String ID:
API String ID: 713024617-0
Opcode ID: 3b11186741ab5f92f4e9157304ee343cd161919b5d1cb659cb08613b51adbfa1
Instruction ID: e0a91512c71e7208316553512d16b5441200be99d7561811c4e93602965cf57e
Opcode Fuzzy Hash: 3b11186741ab5f92f4e9157304ee343cd161919b5d1cb659cb08613b51adbfa1
Instruction Fuzzy Hash: 8CF06D7140060EDFE7109F94EC84B62B3ACFB94316F104837E60883011D778A499CAE8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: BnJvVt951o.exe PID: 6224 Parent PID: 7148 BnJvVt951o.exeCOMMON

Executed Functions

Function 00420406, Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_000203B8), ref: 0042040B

Memory Dump Source

Source File: 00000001.00000002.653276993.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.653273053.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653314084.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653325279.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.653334545.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653338865.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653344097.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653347535.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: bd62c4e1d80563d32ea440ce6060cb46cd4ae1cee373a393b7e2554c0fa64008
Instruction ID: 1b1c346f4f04dce3418a89abf90b8b8a101ec60d6b84e6121621e05be0691acb
Opcode Fuzzy Hash: bd62c4e1d80563d32ea440ce6060cb46cd4ae1cee373a393b7e2554c0fa64008
Instruction Fuzzy Hash: E2A011B0220320CBA300CF30AC0A2083AE0E380202B0082BAA800C2A22EF308080AA08

Uniqueness

Uniqueness Score: -1.00%

Function 00401E04, Relevance: 36.5, APIs: 1, Strings: 10, Instructions: 19977memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401D3B: LoadStringW.USER32(00000005,0000000A,00000000,00000000), ref: 00401D4F

Part of subcall function 00401D5A: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000064,00000000,Characters: %c %c ,000007B9,?,004120B2,00000000), ref: 00401D82

VirtualAlloc.KERNELBASE(00000000,0000E944,00001000,00000040), ref: 004120E2

Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401C9A
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CA1
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CA8
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CAF
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CB6
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CBD
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CC4
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CCB
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CD2
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CD9
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CE0
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CE7
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CEE
Part of subcall function 00401C7A: CallWindowProcA.USER32 ref: 00401CF5

Strings

Preceding with blanks: %10d , xrefs: 00401E41, 00401E73, 00401EA5, 00401F24, 00401F9F, 0040201A, 00402095, 00402110, 0040218B, 00402206, 00402281, 004022FC, 00402377, 004023F2, 0040246D, 004024E8, 00402563, 004025DE, 00402659, 004026D4, 0040274F, 004027CA, 00402845, 004028C0, 0040293B, 004029B6, 00402A31, 00402AAC, 00402B27, 00402BA2, 00402C1D, 00402C98, 00402D13, 00402D8E, 00402E09, 00402E84, 00402EFF, 00402F7A, 00402FF5, 00403070, 004030EB, 00403166, 004031E1, 0040325C, 004032D7, 00403352, 004033CD, 00403448, 004034C3, 0040353E, 004035B9, 00403634, 004036AF, 0040372A, 004037A5, 00403820, 0040389B, 00403916, 00403991, 00403A0C, 00403A87, 00403B02, 00403B7D, 00403BF8, 00403C73, 00403CEE, 00403D69, 00403DE4, 00403E5F, 00403EDA, 00403F55, 00403FD0, 0040404B, 004040C6, 00404141, 004041BC, 00404237, 004042B2, 0040432D, 004043A8, 00404423, 0040449E, 00404519, 00404594, 0040460F, 0040468A, 00404705, 00404780, 004047FB, 00404876, 004048F1, 0040496C, 004049E7, 00404A62, 00404ADD, 00404B58, 00404BD3, 00404C4E, 00404CC9, 00404D44, 00404DBF, 00404E3A, 00404EB5, 00404F30, 00404FAB, 00405026, 004050A1, 0040511C, 00405197, 00405212, 0040528D, 00405308, 00405383, 004053FE, 00405479, 004054F4, 0040556F, 004055EA, 00405665, 004056E0, 0040575B, 004057D6, 00405851, 004058CC, 00405947, 004059C2, 00405A3D, 00405AB8, 00405B33, 00405BAE, 00405C29, 00405CA4, 00405D1F, 00405D9A, 00405E15, 00405E90, 00405F0B, 00405F86, 00406001, 0040607C, 004060F7, 00406172, 004061ED, 00406268, 004062E3, 0040635E, 004063D9, 00406454, 004064CF, 0040654A, 004065C5, 00406640, 004066BB, 00406736, 004067B1, 0040682C, 004068A7, 00406922, 0040699D, 00406A18, 00406A93, 00406B0E, 00406B89, 00406C04, 00406C7F, 00406CFA, 00406D75, 00406DF0, 00406E6B, 00406EE6, 00406F61, 00406FDC, 00407057, 004070D2, 0040714D, 004071C8, 00407243, 004072BE, 00407339, 004073B4, 0040742F, 004074AA, 00407525, 004075A0, 0040761B, 00407696, 00407711, 0040778C, 00407807, 00407882, 004078FD, 00407978, 004079F3, 00407A6E, 00407AE9, 00407B64, 00407BDF, 00407C5A, 00407CD5, 00407D50, 00407DCB, 00407E46, 00407EC1, 00407F3C, 00407FB7, 00408032, 004080AD, 00408128, 004081A3, 0040821E, 00408299, 00408314, 0040838F, 0040840A, 00408485, 00408500, 0040857B, 004085F6, 00408671, 004086EC, 00408767, 004087E2, 0040885D, 004088D8, 00408953, 004089CE, 00408A49, 00408AC4, 00408B3F, 00408BBA, 00408C35, 00408CB0, 00408D2B, 00408DA6, 00408E21, 00408E9C, 00408F17, 00408F92, 0040900D, 00409088, 00409103, 0040917E, 004091F9, 00409274, 004092EF, 0040936A, 004093E5, 00409460, 004094DB, 00409556, 004095D1, 0040964C, 004096C7, 00409742, 004097BD, 00409838, 004098B3, 0040992E, 004099A9, 00409A24, 00409A9F, 00409B1A, 00409B95, 00409C10, 00409C8B, 00409D06, 00409D81, 00409DFC, 00409E77, 00409EF2, 00409F6D, 00409FE8, 0040A063, 0040A0DE, 0040A159, 0040A1D4, 0040A24F, 0040A2CA, 0040A345, 0040A3C0, 0040A43B, 0040A4B6, 0040A531, 0040A5AC, 0040A627, 0040A6A2, 0040A71D, 0040A798, 0040A813, 0040A88E, 0040A909, 0040A984, 0040A9FF, 0040AA7A, 0040AAF5, 0040AB70, 0040ABEB, 0040AC66, 0040ACE1, 0040AD5C, 0040ADD7, 0040AE52, 0040AECD, 0040AF48, 0040AFC3, 0040B03E, 0040B0B9, 0040B134, 0040B1AF, 0040B22A, 0040B2A5, 0040B320, 0040B39B, 0040B416, 0040B491, 0040B50C, 0040B587, 0040B602, 0040B67D, 0040B6F8, 0040B773, 0040B7EE, 0040B869, 0040B8E4, 0040B95F, 0040B9DA, 0040BA55, 0040BAD0, 0040BB4B, 0040BBC6, 0040BC41, 0040BCBC, 0040BD37, 0040BDB2, 0040BE2D, 0040BEA8, 0040BF23, 0040BF9E, 0040C019, 0040C094, 0040C10F, 0040C18A, 0040C205, 0040C280, 0040C2FB, 0040C376, 0040C3F1, 0040C46C, 0040C4E7, 0040C562, 0040C5DD, 0040C658, 0040C6D3, 0040C74E, 0040C7C9, 0040C844, 0040C8BF, 0040C93A, 0040C9B5, 0040CA30, 0040CAAB, 0040CB26, 0040CBA1, 0040CC1C, 0040CC97, 0040CD12, 0040CD8D, 0040CE08, 0040CE83, 0040CEFE, 0040CF79, 0040CFF4, 0040D06F, 0040D0EA, 0040D165, 0040D1E0, 0040D25B, 0040D2D6, 0040D351, 0040D3CC, 0040D447, 0040D4C2, 0040D53D, 0040D5B8, 0040D633, 0040D6AE, 0040D729, 0040D7A4, 0040D81F, 0040D89A, 0040D915, 0040D990, 0040DA0B, 0040DA86, 0040DB01, 0040DB7C, 0040DBF7, 0040DC72, 0040DCED, 0040DD68, 0040DDE3, 0040DE5E, 0040DED9, 0040DF54, 0040DFCF, 0040E04A, 0040E0C5, 0040E140, 0040E1BB, 0040E236, 0040E2B1, 0040E32C, 0040E3A7, 0040E422, 0040E49D, 0040E518, 0040E593, 0040E60E, 0040E689, 0040E704, 0040E77F, 0040E7FA, 0040E875, 0040E8F0, 0040E96B, 0040E9E6, 0040EA61, 0040EADC, 0040EB57, 0040EBD2, 0040EC4D, 0040ECC8, 0040ED43, 0040EDBE, 0040EE39, 0040EEB4, 0040EF2F, 0040EFAA, 0040F025, 0040F0A0, 0040F11B, 0040F196, 0040F211, 0040F28C, 0040F307, 0040F382, 0040F3FD, 0040F478, 0040F4F3, 0040F56E, 0040F5E9, 0040F664, 0040F6DF, 0040F75A, 0040F7D5, 0040F850, 0040F8CB, 0040F946, 0040F9C1, 0040FA3C, 0040FAB7, 0040FB32, 0040FBAD, 0040FC28, 0040FCA3, 0040FD1E, 0040FD99, 0040FE14, 0040FE8F, 0040FF0A, 0040FF85, 00410000, 0041007B, 004100F6, 00410171, 004101EC, 00410267, 004102E2, 0041035D, 004103D8, 00410453, 004104CE, 00410549, 004105C4, 0041063F, 004106BA, 00410735, 004107B0, 0041082B, 004108A6, 00410921, 0041099C, 00410A17, 00410A92, 00410B0D, 00410B88, 00410C03, 00410C7E, 00410CF9, 00410D74, 00410DEF, 00410E6A, 00410EE5, 00410F60, 00410FDB, 00411056, 004110D1, 0041114C, 004111C7, 00411242, 004112BD, 00411338, 004113B3, 0041142E, 004114A9, 00411524, 0041159F, 0041161A, 00411695, 00411710, 0041178B, 00411806, 00411881, 004118FC, 00411977, 004119F2, 00411A6D, 00411AE8, 00411B63, 00411BDE, 00411C59, 00411CD4, 00411D4F, 00411DCA, 00411E45, 00411EC0, 00411F3B, 00411FB6, 00412031
Characters: %c %c , xrefs: 00401E0C, 00401E11, 00401E32, 00401E4F, 00401E64, 00401E81, 00401E96, 00401F0E, 00401F89, 00402004, 0040207F, 004020FA, 00402175, 004021F0, 0040226B, 004022E6, 00402361, 004023DC, 00402457, 004024D2, 0040254D, 004025C8, 00402643, 004026BE, 00402739, 004027B4, 0040282F, 004028AA, 00402925, 004029A0, 00402A1B, 00402A96, 00402B11, 00402B8C, 00402C07, 00402C82, 00402CFD, 00402D78, 00402DF3, 00402E6E, 00402EE9, 00402F64, 00402FDF, 0040305A, 004030D5, 00403150, 004031CB, 00403246, 004032C1, 0040333C, 004033B7, 00403432, 004034AD, 00403528, 004035A3, 0040361E, 00403699, 00403714, 0040378F, 0040380A, 00403885, 00403900, 0040397B, 004039F6, 00403A71, 00403AEC, 00403B67, 00403BE2, 00403C5D, 00403CD8, 00403D53, 00403DCE, 00403E49, 00403EC4, 00403F3F, 00403FBA, 00404035, 004040B0, 0040412B, 004041A6, 00404221, 0040429C, 00404317, 00404392, 0040440D, 00404488, 00404503, 0040457E, 004045F9, 00404674, 004046EF, 0040476A, 004047E5, 00404860, 004048DB, 00404956, 004049D1, 00404A4C, 00404AC7, 00404B42, 00404BBD, 00404C38, 00404CB3, 00404D2E, 00404DA9, 00404E24, 00404E9F, 00404F1A, 00404F95, 00405010, 0040508B, 00405106, 00405181, 004051FC, 00405277, 004052F2, 0040536D, 004053E8, 00405463, 004054DE, 00405559, 004055D4, 0040564F, 004056CA, 00405745, 004057C0, 0040583B, 004058B6, 00405931, 004059AC, 00405A27, 00405AA2, 00405B1D, 00405B98, 00405C13, 00405C8E, 00405D09, 00405D84, 00405DFF, 00405E7A, 00405EF5, 00405F70, 00405FEB, 00406066, 004060E1, 0040615C, 004061D7, 00406252, 004062CD, 00406348, 004063C3, 0040643E, 004064B9, 00406534, 004065AF, 0040662A, 004066A5, 00406720, 0040679B, 00406816, 00406891, 0040690C, 00406987, 00406A02, 00406A7D, 00406AF8, 00406B73, 00406BEE, 00406C69, 00406CE4, 00406D5F, 00406DDA, 00406E55, 00406ED0, 00406F4B, 00406FC6, 00407041, 004070BC, 00407137, 004071B2, 0040722D, 004072A8, 00407323, 0040739E, 00407419, 00407494, 0040750F, 0040758A, 00407605, 00407680, 004076FB, 00407776, 004077F1, 0040786C, 004078E7, 00407962, 004079DD, 00407A58, 00407AD3, 00407B4E, 00407BC9, 00407C44, 00407CBF, 00407D3A, 00407DB5, 00407E30, 00407EAB, 00407F26, 00407FA1, 0040801C, 00408097, 00408112, 0040818D, 00408208, 00408283, 004082FE, 00408379, 004083F4, 0040846F, 004084EA, 00408565, 004085E0, 0040865B, 004086D6, 00408751, 004087CC, 00408847, 004088C2, 0040893D, 004089B8, 00408A33, 00408AAE, 00408B29, 00408BA4, 00408C1F, 00408C9A, 00408D15, 00408D90, 00408E0B, 00408E86, 00408F01, 00408F7C, 00408FF7, 00409072, 004090ED, 00409168, 004091E3, 0040925E, 004092D9, 00409354, 004093CF, 0040944A, 004094C5, 00409540, 004095BB, 00409636, 004096B1, 0040972C, 004097A7, 00409822, 0040989D, 00409918, 00409993, 00409A0E, 00409A89, 00409B04, 00409B7F, 00409BFA, 00409C75, 00409CF0, 00409D6B, 00409DE6, 00409E61, 00409EDC, 00409F57, 00409FD2, 0040A04D, 0040A0C8, 0040A143, 0040A1BE, 0040A239, 0040A2B4, 0040A32F, 0040A3AA, 0040A425, 0040A4A0, 0040A51B, 0040A596, 0040A611, 0040A68C, 0040A707, 0040A782, 0040A7FD, 0040A878, 0040A8F3, 0040A96E, 0040A9E9, 0040AA64, 0040AADF, 0040AB5A, 0040ABD5, 0040AC50, 0040ACCB, 0040AD46, 0040ADC1, 0040AE3C, 0040AEB7, 0040AF32, 0040AFAD, 0040B028, 0040B0A3, 0040B11E, 0040B199, 0040B214, 0040B28F, 0040B30A, 0040B385, 0040B400, 0040B47B, 0040B4F6, 0040B571, 0040B5EC, 0040B667, 0040B6E2, 0040B75D, 0040B7D8, 0040B853, 0040B8CE, 0040B949, 0040B9C4, 0040BA3F, 0040BABA, 0040BB35, 0040BBB0, 0040BC2B, 0040BCA6, 0040BD21, 0040BD9C, 0040BE17, 0040BE92, 0040BF0D, 0040BF88, 0040C003, 0040C07E, 0040C0F9, 0040C174, 0040C1EF, 0040C26A, 0040C2E5, 0040C360, 0040C3DB, 0040C456, 0040C4D1, 0040C54C, 0040C5C7, 0040C642, 0040C6BD, 0040C738, 0040C7B3, 0040C82E, 0040C8A9, 0040C924, 0040C99F, 0040CA1A, 0040CA95, 0040CB10, 0040CB8B, 0040CC06, 0040CC81, 0040CCFC, 0040CD77, 0040CDF2, 0040CE6D, 0040CEE8, 0040CF63, 0040CFDE, 0040D059, 0040D0D4, 0040D14F, 0040D1CA, 0040D245, 0040D2C0, 0040D33B, 0040D3B6, 0040D431, 0040D4AC, 0040D527, 0040D5A2, 0040D61D, 0040D698, 0040D713, 0040D78E, 0040D809, 0040D884, 0040D8FF, 0040D97A, 0040D9F5, 0040DA70, 0040DAEB, 0040DB66, 0040DBE1, 0040DC5C, 0040DCD7, 0040DD52, 0040DDCD, 0040DE48, 0040DEC3, 0040DF3E, 0040DFB9, 0040E034, 0040E0AF, 0040E12A, 0040E1A5, 0040E220, 0040E29B, 0040E316, 0040E391, 0040E40C, 0040E487, 0040E502, 0040E57D, 0040E5F8, 0040E673, 0040E6EE, 0040E769, 0040E7E4, 0040E85F, 0040E8DA, 0040E955, 0040E9D0, 0040EA4B, 0040EAC6, 0040EB41, 0040EBBC, 0040EC37, 0040ECB2, 0040ED2D, 0040EDA8, 0040EE23, 0040EE9E, 0040EF19, 0040EF94, 0040F00F, 0040F08A, 0040F105, 0040F180, 0040F1FB, 0040F276, 0040F2F1, 0040F36C, 0040F3E7, 0040F462, 0040F4DD, 0040F558, 0040F5D3, 0040F64E, 0040F6C9, 0040F744, 0040F7BF, 0040F83A, 0040F8B5, 0040F930, 0040F9AB, 0040FA26, 0040FAA1, 0040FB1C, 0040FB97, 0040FC12, 0040FC8D, 0040FD08, 0040FD83, 0040FDFE, 0040FE79, 0040FEF4, 0040FF6F, 0040FFEA, 00410065, 004100E0, 0041015B, 004101D6, 00410251, 004102CC, 00410347, 004103C2, 0041043D, 004104B8, 00410533, 004105AE, 00410629, 004106A4, 0041071F, 0041079A, 00410815, 00410890, 0041090B, 00410986, 00410A01, 00410A7C, 00410AF7, 00410B72, 00410BED, 00410C68, 00410CE3, 00410D5E, 00410DD9, 00410E54, 00410ECF, 00410F4A, 00410FC5, 00411040, 004110BB, 00411136, 004111B1, 0041122C, 004112A7, 00411322, 0041139D, 00411418, 00411493, 0041150E, 00411589, 00411604, 0041167F, 004116FA, 00411775, 004117F0, 0041186B, 004118E6, 00411961, 004119DC, 00411A57, 00411AD2, 00411B4D, 00411BC8, 00411C43, 00411CBE, 00411D39, 00411DB4, 00411E2F, 00411EAA, 00411F25, 00411FA0, 0041201B, 00412096
SysWOW64\bushexa.exe, xrefs: 00401E17, 00401E1C, 00401E38, 00401E58, 00401E6A, 00401E87, 00401E9C, 00401F14, 00401F8F, 0040200A, 00402085, 00402100, 0040217B, 004021F6, 00402271, 004022EC, 00402367, 004023E2, 0040245D, 004024D8, 00402553, 004025CE, 00402649, 004026C4, 0040273F, 004027BA, 00402835, 004028B0, 0040292B, 004029A6, 00402A21, 00402A9C, 00402B17, 00402B92, 00402C0D, 00402C88, 00402D03, 00402D7E, 00402DF9, 00402E74, 00402EEF, 00402F6A, 00402FE5, 00403060, 004030DB, 00403156, 004031D1, 0040324C, 004032C7, 00403342, 004033BD, 00403438, 004034B3, 0040352E, 004035A9, 00403624, 0040369F, 0040371A, 00403795, 00403810, 0040388B, 00403906, 00403981, 004039FC, 00403A77, 00403AF2, 00403B6D, 00403BE8, 00403C63, 00403CDE, 00403D59, 00403DD4, 00403E4F, 00403ECA, 00403F45, 00403FC0, 0040403B, 004040B6, 00404131, 004041AC, 00404227, 004042A2, 0040431D, 00404398, 00404413, 0040448E, 00404509, 00404584, 004045FF, 0040467A, 004046F5, 00404770, 004047EB, 00404866, 004048E1, 0040495C, 004049D7, 00404A52, 00404ACD, 00404B48, 00404BC3, 00404C3E, 00404CB9, 00404D34, 00404DAF, 00404E2A, 00404EA5, 00404F20, 00404F9B, 00405016, 00405091, 0040510C, 00405187, 00405202, 0040527D, 004052F8, 00405373, 004053EE, 00405469, 004054E4, 0040555F, 004055DA, 00405655, 004056D0, 0040574B, 004057C6, 00405841, 004058BC, 00405937, 004059B2, 00405A2D, 00405AA8, 00405B23, 00405B9E, 00405C19, 00405C94, 00405D0F, 00405D8A, 00405E05, 00405E80, 00405EFB, 00405F76, 00405FF1, 0040606C, 004060E7, 00406162, 004061DD, 00406258, 004062D3, 0040634E, 004063C9, 00406444, 004064BF, 0040653A, 004065B5, 00406630, 004066AB, 00406726, 004067A1, 0040681C, 00406897, 00406912, 0040698D, 00406A08, 00406A83, 00406AFE, 00406B79, 00406BF4, 00406C6F, 00406CEA, 00406D65, 00406DE0, 00406E5B, 00406ED6, 00406F51, 00406FCC, 00407047, 004070C2, 0040713D, 004071B8, 00407233, 004072AE, 00407329, 004073A4, 0040741F, 0040749A, 00407515, 00407590, 0040760B, 00407686, 00407701, 0040777C, 004077F7, 00407872, 004078ED, 00407968, 004079E3, 00407A5E, 00407AD9, 00407B54, 00407BCF, 00407C4A, 00407CC5, 00407D40, 00407DBB, 00407E36, 00407EB1, 00407F2C, 00407FA7, 00408022, 0040809D, 00408118, 00408193, 0040820E, 00408289, 00408304, 0040837F, 004083FA, 00408475, 004084F0, 0040856B, 004085E6, 00408661, 004086DC, 00408757, 004087D2, 0040884D, 004088C8, 00408943, 004089BE, 00408A39, 00408AB4, 00408B2F, 00408BAA, 00408C25, 00408CA0, 00408D1B, 00408D96, 00408E11, 00408E8C, 00408F07, 00408F82, 00408FFD, 00409078, 004090F3, 0040916E, 004091E9, 00409264, 004092DF, 0040935A, 004093D5, 00409450, 004094CB, 00409546, 004095C1, 0040963C, 004096B7, 00409732, 004097AD, 00409828, 004098A3, 0040991E, 00409999, 00409A14, 00409A8F, 00409B0A, 00409B85, 00409C00, 00409C7B, 00409CF6, 00409D71, 00409DEC, 00409E67, 00409EE2, 00409F5D, 00409FD8, 0040A053, 0040A0CE, 0040A149, 0040A1C4, 0040A23F, 0040A2BA, 0040A335, 0040A3B0, 0040A42B, 0040A4A6, 0040A521, 0040A59C, 0040A617, 0040A692, 0040A70D, 0040A788, 0040A803, 0040A87E, 0040A8F9, 0040A974, 0040A9EF, 0040AA6A, 0040AAE5, 0040AB60, 0040ABDB, 0040AC56, 0040ACD1, 0040AD4C, 0040ADC7, 0040AE42, 0040AEBD, 0040AF38, 0040AFB3, 0040B02E, 0040B0A9, 0040B124, 0040B19F, 0040B21A, 0040B295, 0040B310, 0040B38B, 0040B406, 0040B481, 0040B4FC, 0040B577, 0040B5F2, 0040B66D, 0040B6E8, 0040B763, 0040B7DE, 0040B859, 0040B8D4, 0040B94F, 0040B9CA, 0040BA45, 0040BAC0, 0040BB3B, 0040BBB6, 0040BC31, 0040BCAC, 0040BD27, 0040BDA2, 0040BE1D, 0040BE98, 0040BF13, 0040BF8E, 0040C009, 0040C084, 0040C0FF, 0040C17A, 0040C1F5, 0040C270, 0040C2EB, 0040C366, 0040C3E1, 0040C45C, 0040C4D7, 0040C552, 0040C5CD, 0040C648, 0040C6C3, 0040C73E, 0040C7B9, 0040C834, 0040C8AF, 0040C92A, 0040C9A5, 0040CA20, 0040CA9B, 0040CB16, 0040CB91, 0040CC0C, 0040CC87, 0040CD02, 0040CD7D, 0040CDF8, 0040CE73, 0040CEEE, 0040CF69, 0040CFE4, 0040D05F, 0040D0DA, 0040D155, 0040D1D0, 0040D24B, 0040D2C6, 0040D341, 0040D3BC, 0040D437, 0040D4B2, 0040D52D, 0040D5A8, 0040D623, 0040D69E, 0040D719, 0040D794, 0040D80F, 0040D88A, 0040D905, 0040D980, 0040D9FB, 0040DA76, 0040DAF1, 0040DB6C, 0040DBE7, 0040DC62, 0040DCDD, 0040DD58, 0040DDD3, 0040DE4E, 0040DEC9, 0040DF44, 0040DFBF, 0040E03A, 0040E0B5, 0040E130, 0040E1AB, 0040E226, 0040E2A1, 0040E31C, 0040E397, 0040E412, 0040E48D, 0040E508, 0040E583, 0040E5FE, 0040E679, 0040E6F4, 0040E76F, 0040E7EA, 0040E865, 0040E8E0, 0040E95B, 0040E9D6, 0040EA51, 0040EACC, 0040EB47, 0040EBC2, 0040EC3D, 0040ECB8, 0040ED33, 0040EDAE, 0040EE29, 0040EEA4, 0040EF1F, 0040EF9A, 0040F015, 0040F090, 0040F10B, 0040F186, 0040F201, 0040F27C, 0040F2F7, 0040F372, 0040F3ED, 0040F468, 0040F4E3, 0040F55E, 0040F5D9, 0040F654, 0040F6CF, 0040F74A, 0040F7C5, 0040F840, 0040F8BB, 0040F936, 0040F9B1, 0040FA2C, 0040FAA7, 0040FB22, 0040FB9D, 0040FC18, 0040FC93, 0040FD0E, 0040FD89, 0040FE04, 0040FE7F, 0040FEFA, 0040FF75, 0040FFF0, 0041006B, 004100E6, 00410161, 004101DC, 00410257, 004102D2, 0041034D, 004103C8, 00410443, 004104BE, 00410539, 004105B4, 0041062F, 004106AA, 00410725, 004107A0, 0041081B, 00410896, 00410911, 0041098C, 00410A07, 00410A82, 00410AFD, 00410B78, 00410BF3, 00410C6E, 00410CE9, 00410D64, 00410DDF, 00410E5A, 00410ED5, 00410F50, 00410FCB, 00411046, 004110C1, 0041113C, 004111B7, 00411232, 004112AD, 00411328, 004113A3, 0041141E, 00411499, 00411514, 0041158F, 0041160A, 00411685, 00411700, 0041177B, 004117F6, 00411871, 004118EC, 00411967, 004119E2, 00411A5D, 00411AD8, 00411B53, 00411BCE, 00411C49, 00411CC4, 00411D3F, 00411DBA, 00411E35, 00411EB0, 00411F2B, 00411FA6, 00412021
floats: %4.2f %+.0e %E , xrefs: 00401EE3, 00401F5E, 00401FD9, 00402054, 004020CF, 0040214A, 004021C5, 00402240, 004022BB, 00402336, 004023B1, 0040242C, 004024A7, 00402522, 0040259D, 00402618, 00402693, 0040270E, 00402789, 00402804, 0040287F, 004028FA, 00402975, 004029F0, 00402A6B, 00402AE6, 00402B61, 00402BDC, 00402C57, 00402CD2, 00402D4D, 00402DC8, 00402E43, 00402EBE, 00402F39, 00402FB4, 0040302F, 004030AA, 00403125, 004031A0, 0040321B, 00403296, 00403311, 0040338C, 00403407, 00403482, 004034FD, 00403578, 004035F3, 0040366E, 004036E9, 00403764, 004037DF, 0040385A, 004038D5, 00403950, 004039CB, 00403A46, 00403AC1, 00403B3C, 00403BB7, 00403C32, 00403CAD, 00403D28, 00403DA3, 00403E1E, 00403E99, 00403F14, 00403F8F, 0040400A, 00404085, 00404100, 0040417B, 004041F6, 00404271, 004042EC, 00404367, 004043E2, 0040445D, 004044D8, 00404553, 004045CE, 00404649, 004046C4, 0040473F, 004047BA, 00404835, 004048B0, 0040492B, 004049A6, 00404A21, 00404A9C, 00404B17, 00404B92, 00404C0D, 00404C88, 00404D03, 00404D7E, 00404DF9, 00404E74, 00404EEF, 00404F6A, 00404FE5, 00405060, 004050DB, 00405156, 004051D1, 0040524C, 004052C7, 00405342, 004053BD, 00405438, 004054B3, 0040552E, 004055A9, 00405624, 0040569F, 0040571A, 00405795, 00405810, 0040588B, 00405906, 00405981, 004059FC, 00405A77, 00405AF2, 00405B6D, 00405BE8, 00405C63, 00405CDE, 00405D59, 00405DD4, 00405E4F, 00405ECA, 00405F45, 00405FC0, 0040603B, 004060B6, 00406131, 004061AC, 00406227, 004062A2, 0040631D, 00406398, 00406413, 0040648E, 00406509, 00406584, 004065FF, 0040667A, 004066F5, 00406770, 004067EB, 00406866, 004068E1, 0040695C, 004069D7, 00406A52, 00406ACD, 00406B48, 00406BC3, 00406C3E, 00406CB9, 00406D34, 00406DAF, 00406E2A, 00406EA5, 00406F20, 00406F9B, 00407016, 00407091, 0040710C, 00407187, 00407202, 0040727D, 004072F8, 00407373, 004073EE, 00407469, 004074E4, 0040755F, 004075DA, 00407655, 004076D0, 0040774B, 004077C6, 00407841, 004078BC, 00407937, 004079B2, 00407A2D, 00407AA8, 00407B23, 00407B9E, 00407C19, 00407C94, 00407D0F, 00407D8A, 00407E05, 00407E80, 00407EFB, 00407F76, 00407FF1, 0040806C, 004080E7, 00408162, 004081DD, 00408258, 004082D3, 0040834E, 004083C9, 00408444, 004084BF, 0040853A, 004085B5, 00408630, 004086AB, 00408726, 004087A1, 0040881C, 00408897, 00408912, 0040898D, 00408A08, 00408A83, 00408AFE, 00408B79, 00408BF4, 00408C6F, 00408CEA, 00408D65, 00408DE0, 00408E5B, 00408ED6, 00408F51, 00408FCC, 00409047, 004090C2, 0040913D, 004091B8, 00409233, 004092AE, 00409329, 004093A4, 0040941F, 0040949A, 00409515, 00409590, 0040960B, 00409686, 00409701, 0040977C, 004097F7, 00409872, 004098ED, 00409968, 004099E3, 00409A5E, 00409AD9, 00409B54, 00409BCF, 00409C4A, 00409CC5, 00409D40, 00409DBB, 00409E36, 00409EB1, 00409F2C, 00409FA7, 0040A022, 0040A09D, 0040A118, 0040A193, 0040A20E, 0040A289, 0040A304, 0040A37F, 0040A3FA, 0040A475, 0040A4F0, 0040A56B, 0040A5E6, 0040A661, 0040A6DC, 0040A757, 0040A7D2, 0040A84D, 0040A8C8, 0040A943, 0040A9BE, 0040AA39, 0040AAB4, 0040AB2F, 0040ABAA, 0040AC25, 0040ACA0, 0040AD1B, 0040AD96, 0040AE11, 0040AE8C, 0040AF07, 0040AF82, 0040AFFD, 0040B078, 0040B0F3, 0040B16E, 0040B1E9, 0040B264, 0040B2DF, 0040B35A, 0040B3D5, 0040B450, 0040B4CB, 0040B546, 0040B5C1, 0040B63C, 0040B6B7, 0040B732, 0040B7AD, 0040B828, 0040B8A3, 0040B91E, 0040B999, 0040BA14, 0040BA8F, 0040BB0A, 0040BB85, 0040BC00, 0040BC7B, 0040BCF6, 0040BD71, 0040BDEC, 0040BE67, 0040BEE2, 0040BF5D, 0040BFD8, 0040C053, 0040C0CE, 0040C149, 0040C1C4, 0040C23F, 0040C2BA, 0040C335, 0040C3B0, 0040C42B, 0040C4A6, 0040C521, 0040C59C, 0040C617, 0040C692, 0040C70D, 0040C788, 0040C803, 0040C87E, 0040C8F9, 0040C974, 0040C9EF, 0040CA6A, 0040CAE5, 0040CB60, 0040CBDB, 0040CC56, 0040CCD1, 0040CD4C, 0040CDC7, 0040CE42, 0040CEBD, 0040CF38, 0040CFB3, 0040D02E, 0040D0A9, 0040D124, 0040D19F, 0040D21A, 0040D295, 0040D310, 0040D38B, 0040D406, 0040D481, 0040D4FC, 0040D577, 0040D5F2, 0040D66D, 0040D6E8, 0040D763, 0040D7DE, 0040D859, 0040D8D4, 0040D94F, 0040D9CA, 0040DA45, 0040DAC0, 0040DB3B, 0040DBB6, 0040DC31, 0040DCAC, 0040DD27, 0040DDA2, 0040DE1D, 0040DE98, 0040DF13, 0040DF8E, 0040E009, 0040E084, 0040E0FF, 0040E17A, 0040E1F5, 0040E270, 0040E2EB, 0040E366, 0040E3E1, 0040E45C, 0040E4D7, 0040E552, 0040E5CD, 0040E648, 0040E6C3, 0040E73E, 0040E7B9, 0040E834, 0040E8AF, 0040E92A, 0040E9A5, 0040EA20, 0040EA9B, 0040EB16, 0040EB91, 0040EC0C, 0040EC87, 0040ED02, 0040ED7D, 0040EDF8, 0040EE73, 0040EEEE, 0040EF69, 0040EFE4, 0040F05F, 0040F0DA, 0040F155, 0040F1D0, 0040F24B, 0040F2C6, 0040F341, 0040F3BC, 0040F437, 0040F4B2, 0040F52D, 0040F5A8, 0040F623, 0040F69E, 0040F719, 0040F794, 0040F80F, 0040F88A, 0040F905, 0040F980, 0040F9FB, 0040FA76, 0040FAF1, 0040FB6C, 0040FBE7, 0040FC62, 0040FCDD, 0040FD58, 0040FDD3, 0040FE4E, 0040FEC9, 0040FF44, 0040FFBF, 0041003A, 004100B5, 00410130, 004101AB, 00410226, 004102A1, 0041031C, 00410397, 00410412, 0041048D, 00410508, 00410583, 004105FE, 00410679, 004106F4, 0041076F, 004107EA, 00410865, 004108E0, 0041095B, 004109D6, 00410A51, 00410ACC, 00410B47, 00410BC2, 00410C3D, 00410CB8, 00410D33, 00410DAE, 00410E29, 00410EA4, 00410F1F, 00410F9A, 00411015, 00411090, 0041110B, 00411186, 00411201, 0041127C, 004112F7, 00411372, 004113ED, 00411468, 004114E3, 0041155E, 004115D9, 00411654, 004116CF, 0041174A, 004117C5, 00411840, 004118BB, 00411936, 004119B1, 00411A2C, 00411AA7, 00411B22, 00411B9D, 00411C18, 00411C93, 00411D0E, 00411D89, 00411E04, 00411E7F, 00411EFA, 00411F75, 00411FF0, 0041206B
A string, xrefs: 00401EFB, 00401F76, 00401FF1, 0040206C, 004020E7, 00402162, 004021DD, 00402258, 004022D3, 0040234E, 004023C9, 00402444, 004024BF, 0040253A, 004025B5, 00402630, 004026AB, 00402726, 004027A1, 0040281C, 00402897, 00402912, 0040298D, 00402A08, 00402A83, 00402AFE, 00402B79, 00402BF4, 00402C6F, 00402CEA, 00402D65, 00402DE0, 00402E5B, 00402ED6, 00402F51, 00402FCC, 00403047, 004030C2, 0040313D, 004031B8, 00403233, 004032AE, 00403329, 004033A4, 0040341F, 0040349A, 00403515, 00403590, 0040360B, 00403686, 00403701, 0040377C, 004037F7, 00403872, 004038ED, 00403968, 004039E3, 00403A5E, 00403AD9, 00403B54, 00403BCF, 00403C4A, 00403CC5, 00403D40, 00403DBB, 00403E36, 00403EB1, 00403F2C, 00403FA7, 00404022, 0040409D, 00404118, 00404193, 0040420E, 00404289, 00404304, 0040437F, 004043FA, 00404475, 004044F0, 0040456B, 004045E6, 00404661, 004046DC, 00404757, 004047D2, 0040484D, 004048C8, 00404943, 004049BE, 00404A39, 00404AB4, 00404B2F, 00404BAA, 00404C25, 00404CA0, 00404D1B, 00404D96, 00404E11, 00404E8C, 00404F07, 00404F82, 00404FFD, 00405078, 004050F3, 0040516E, 004051E9, 00405264, 004052DF, 0040535A, 004053D5, 00405450, 004054CB, 00405546, 004055C1, 0040563C, 004056B7, 00405732, 004057AD, 00405828, 004058A3, 0040591E, 00405999, 00405A14, 00405A8F, 00405B0A, 00405B85, 00405C00, 00405C7B, 00405CF6, 00405D71, 00405DEC, 00405E67, 00405EE2, 00405F5D, 00405FD8, 00406053, 004060CE, 00406149, 004061C4, 0040623F, 004062BA, 00406335, 004063B0, 0040642B, 004064A6, 00406521, 0040659C, 00406617, 00406692, 0040670D, 00406788, 00406803, 0040687E, 004068F9, 00406974, 004069EF, 00406A6A, 00406AE5, 00406B60, 00406BDB, 00406C56, 00406CD1, 00406D4C, 00406DC7, 00406E42, 00406EBD, 00406F38, 00406FB3, 0040702E, 004070A9, 00407124, 0040719F, 0040721A, 00407295, 00407310, 0040738B, 00407406, 00407481, 004074FC, 00407577, 004075F2, 0040766D, 004076E8, 00407763, 004077DE, 00407859, 004078D4, 0040794F, 004079CA, 00407A45, 00407AC0, 00407B3B, 00407BB6, 00407C31, 00407CAC, 00407D27, 00407DA2, 00407E1D, 00407E98, 00407F13, 00407F8E, 00408009, 00408084, 004080FF, 0040817A, 004081F5, 00408270, 004082EB, 00408366, 004083E1, 0040845C, 004084D7, 00408552, 004085CD, 00408648, 004086C3, 0040873E, 004087B9, 00408834, 004088AF, 0040892A, 004089A5, 00408A20, 00408A9B, 00408B16, 00408B91, 00408C0C, 00408C87, 00408D02, 00408D7D, 00408DF8, 00408E73, 00408EEE, 00408F69, 00408FE4, 0040905F, 004090DA, 00409155, 004091D0, 0040924B, 004092C6, 00409341, 004093BC, 00409437, 004094B2, 0040952D, 004095A8, 00409623, 0040969E, 00409719, 00409794, 0040980F, 0040988A, 00409905, 00409980, 004099FB, 00409A76, 00409AF1, 00409B6C, 00409BE7, 00409C62, 00409CDD, 00409D58, 00409DD3, 00409E4E, 00409EC9, 00409F44, 00409FBF, 0040A03A, 0040A0B5, 0040A130, 0040A1AB, 0040A226, 0040A2A1, 0040A31C, 0040A397, 0040A412, 0040A48D, 0040A508, 0040A583, 0040A5FE, 0040A679, 0040A6F4, 0040A76F, 0040A7EA, 0040A865, 0040A8E0, 0040A95B, 0040A9D6, 0040AA51, 0040AACC, 0040AB47, 0040ABC2, 0040AC3D, 0040ACB8, 0040AD33, 0040ADAE, 0040AE29, 0040AEA4, 0040AF1F, 0040AF9A, 0040B015, 0040B090, 0040B10B, 0040B186, 0040B201, 0040B27C, 0040B2F7, 0040B372, 0040B3ED, 0040B468, 0040B4E3, 0040B55E, 0040B5D9, 0040B654, 0040B6CF, 0040B74A, 0040B7C5, 0040B840, 0040B8BB, 0040B936, 0040B9B1, 0040BA2C, 0040BAA7, 0040BB22, 0040BB9D, 0040BC18, 0040BC93, 0040BD0E, 0040BD89, 0040BE04, 0040BE7F, 0040BEFA, 0040BF75, 0040BFF0, 0040C06B, 0040C0E6, 0040C161, 0040C1DC, 0040C257, 0040C2D2, 0040C34D, 0040C3C8, 0040C443, 0040C4BE, 0040C539, 0040C5B4, 0040C62F, 0040C6AA, 0040C725, 0040C7A0, 0040C81B, 0040C896, 0040C911, 0040C98C, 0040CA07, 0040CA82, 0040CAFD, 0040CB78, 0040CBF3, 0040CC6E, 0040CCE9, 0040CD64, 0040CDDF, 0040CE5A, 0040CED5, 0040CF50, 0040CFCB, 0040D046, 0040D0C1, 0040D13C, 0040D1B7, 0040D232, 0040D2AD, 0040D328, 0040D3A3, 0040D41E, 0040D499, 0040D514, 0040D58F, 0040D60A, 0040D685, 0040D700, 0040D77B, 0040D7F6, 0040D871, 0040D8EC, 0040D967, 0040D9E2, 0040DA5D, 0040DAD8, 0040DB53, 0040DBCE, 0040DC49, 0040DCC4, 0040DD3F, 0040DDBA, 0040DE35, 0040DEB0, 0040DF2B, 0040DFA6, 0040E021, 0040E09C, 0040E117, 0040E192, 0040E20D, 0040E288, 0040E303, 0040E37E, 0040E3F9, 0040E474, 0040E4EF, 0040E56A, 0040E5E5, 0040E660, 0040E6DB, 0040E756, 0040E7D1, 0040E84C, 0040E8C7, 0040E942, 0040E9BD, 0040EA38, 0040EAB3, 0040EB2E, 0040EBA9, 0040EC24, 0040EC9F, 0040ED1A, 0040ED95, 0040EE10, 0040EE8B, 0040EF06, 0040EF81, 0040EFFC, 0040F077, 0040F0F2, 0040F16D, 0040F1E8, 0040F263, 0040F2DE, 0040F359, 0040F3D4, 0040F44F, 0040F4CA, 0040F545, 0040F5C0, 0040F63B, 0040F6B6, 0040F731, 0040F7AC, 0040F827, 0040F8A2, 0040F91D, 0040F998, 0040FA13, 0040FA8E, 0040FB09, 0040FB84, 0040FBFF, 0040FC7A, 0040FCF5, 0040FD70, 0040FDEB, 0040FE66, 0040FEE1, 0040FF5C, 0040FFD7, 00410052, 004100CD, 00410148, 004101C3, 0041023E, 004102B9, 00410334, 004103AF, 0041042A, 004104A5, 00410520, 0041059B, 00410616, 00410691, 0041070C, 00410787, 00410802, 0041087D, 004108F8, 00410973, 004109EE, 00410A69, 00410AE4, 00410B5F, 00410BDA, 00410C55, 00410CD0, 00410D4B, 00410DC6, 00410E41, 00410EBC, 00410F37, 00410FB2, 0041102D, 004110A8, 00411123, 0041119E, 00411219, 00411294, 0041130F, 0041138A, 00411405, 00411480, 004114FB, 00411576, 004115F1, 0041166C, 004116E7, 00411762, 004117DD, 00411858, 004118D3, 0041194E, 004119C9, 00411A44, 00411ABF, 00411B3A, 00411BB5, 00411C30, 00411CAB, 00411D26, 00411DA1, 00411E1C, 00411E97, 00411F12, 00411F8D, 00412008, 00412083
Width trick: %*d , xrefs: 00401EF1, 00401F6C, 00401FE7, 00402062, 004020DD, 00402158, 004021D3, 0040224E, 004022C9, 00402344, 004023BF, 0040243A, 004024B5, 00402530, 004025AB, 00402626, 004026A1, 0040271C, 00402797, 00402812, 0040288D, 00402908, 00402983, 004029FE, 00402A79, 00402AF4, 00402B6F, 00402BEA, 00402C65, 00402CE0, 00402D5B, 00402DD6, 00402E51, 00402ECC, 00402F47, 00402FC2, 0040303D, 004030B8, 00403133, 004031AE, 00403229, 004032A4, 0040331F, 0040339A, 00403415, 00403490, 0040350B, 00403586, 00403601, 0040367C, 004036F7, 00403772, 004037ED, 00403868, 004038E3, 0040395E, 004039D9, 00403A54, 00403ACF, 00403B4A, 00403BC5, 00403C40, 00403CBB, 00403D36, 00403DB1, 00403E2C, 00403EA7, 00403F22, 00403F9D, 00404018, 00404093, 0040410E, 00404189, 00404204, 0040427F, 004042FA, 00404375, 004043F0, 0040446B, 004044E6, 00404561, 004045DC, 00404657, 004046D2, 0040474D, 004047C8, 00404843, 004048BE, 00404939, 004049B4, 00404A2F, 00404AAA, 00404B25, 00404BA0, 00404C1B, 00404C96, 00404D11, 00404D8C, 00404E07, 00404E82, 00404EFD, 00404F78, 00404FF3, 0040506E, 004050E9, 00405164, 004051DF, 0040525A, 004052D5, 00405350, 004053CB, 00405446, 004054C1, 0040553C, 004055B7, 00405632, 004056AD, 00405728, 004057A3, 0040581E, 00405899, 00405914, 0040598F, 00405A0A, 00405A85, 00405B00, 00405B7B, 00405BF6, 00405C71, 00405CEC, 00405D67, 00405DE2, 00405E5D, 00405ED8, 00405F53, 00405FCE, 00406049, 004060C4, 0040613F, 004061BA, 00406235, 004062B0, 0040632B, 004063A6, 00406421, 0040649C, 00406517, 00406592, 0040660D, 00406688, 00406703, 0040677E, 004067F9, 00406874, 004068EF, 0040696A, 004069E5, 00406A60, 00406ADB, 00406B56, 00406BD1, 00406C4C, 00406CC7, 00406D42, 00406DBD, 00406E38, 00406EB3, 00406F2E, 00406FA9, 00407024, 0040709F, 0040711A, 00407195, 00407210, 0040728B, 00407306, 00407381, 004073FC, 00407477, 004074F2, 0040756D, 004075E8, 00407663, 004076DE, 00407759, 004077D4, 0040784F, 004078CA, 00407945, 004079C0, 00407A3B, 00407AB6, 00407B31, 00407BAC, 00407C27, 00407CA2, 00407D1D, 00407D98, 00407E13, 00407E8E, 00407F09, 00407F84, 00407FFF, 0040807A, 004080F5, 00408170, 004081EB, 00408266, 004082E1, 0040835C, 004083D7, 00408452, 004084CD, 00408548, 004085C3, 0040863E, 004086B9, 00408734, 004087AF, 0040882A, 004088A5, 00408920, 0040899B, 00408A16, 00408A91, 00408B0C, 00408B87, 00408C02, 00408C7D, 00408CF8, 00408D73, 00408DEE, 00408E69, 00408EE4, 00408F5F, 00408FDA, 00409055, 004090D0, 0040914B, 004091C6, 00409241, 004092BC, 00409337, 004093B2, 0040942D, 004094A8, 00409523, 0040959E, 00409619, 00409694, 0040970F, 0040978A, 00409805, 00409880, 004098FB, 00409976, 004099F1, 00409A6C, 00409AE7, 00409B62, 00409BDD, 00409C58, 00409CD3, 00409D4E, 00409DC9, 00409E44, 00409EBF, 00409F3A, 00409FB5, 0040A030, 0040A0AB, 0040A126, 0040A1A1, 0040A21C, 0040A297, 0040A312, 0040A38D, 0040A408, 0040A483, 0040A4FE, 0040A579, 0040A5F4, 0040A66F, 0040A6EA, 0040A765, 0040A7E0, 0040A85B, 0040A8D6, 0040A951, 0040A9CC, 0040AA47, 0040AAC2, 0040AB3D, 0040ABB8, 0040AC33, 0040ACAE, 0040AD29, 0040ADA4, 0040AE1F, 0040AE9A, 0040AF15, 0040AF90, 0040B00B, 0040B086, 0040B101, 0040B17C, 0040B1F7, 0040B272, 0040B2ED, 0040B368, 0040B3E3, 0040B45E, 0040B4D9, 0040B554, 0040B5CF, 0040B64A, 0040B6C5, 0040B740, 0040B7BB, 0040B836, 0040B8B1, 0040B92C, 0040B9A7, 0040BA22, 0040BA9D, 0040BB18, 0040BB93, 0040BC0E, 0040BC89, 0040BD04, 0040BD7F, 0040BDFA, 0040BE75, 0040BEF0, 0040BF6B, 0040BFE6, 0040C061, 0040C0DC, 0040C157, 0040C1D2, 0040C24D, 0040C2C8, 0040C343, 0040C3BE, 0040C439, 0040C4B4, 0040C52F, 0040C5AA, 0040C625, 0040C6A0, 0040C71B, 0040C796, 0040C811, 0040C88C, 0040C907, 0040C982, 0040C9FD, 0040CA78, 0040CAF3, 0040CB6E, 0040CBE9, 0040CC64, 0040CCDF, 0040CD5A, 0040CDD5, 0040CE50, 0040CECB, 0040CF46, 0040CFC1, 0040D03C, 0040D0B7, 0040D132, 0040D1AD, 0040D228, 0040D2A3, 0040D31E, 0040D399, 0040D414, 0040D48F, 0040D50A, 0040D585, 0040D600, 0040D67B, 0040D6F6, 0040D771, 0040D7EC, 0040D867, 0040D8E2, 0040D95D, 0040D9D8, 0040DA53, 0040DACE, 0040DB49, 0040DBC4, 0040DC3F, 0040DCBA, 0040DD35, 0040DDB0, 0040DE2B, 0040DEA6, 0040DF21, 0040DF9C, 0040E017, 0040E092, 0040E10D, 0040E188, 0040E203, 0040E27E, 0040E2F9, 0040E374, 0040E3EF, 0040E46A, 0040E4E5, 0040E560, 0040E5DB, 0040E656, 0040E6D1, 0040E74C, 0040E7C7, 0040E842, 0040E8BD, 0040E938, 0040E9B3, 0040EA2E, 0040EAA9, 0040EB24, 0040EB9F, 0040EC1A, 0040EC95, 0040ED10, 0040ED8B, 0040EE06, 0040EE81, 0040EEFC, 0040EF77, 0040EFF2, 0040F06D, 0040F0E8, 0040F163, 0040F1DE, 0040F259, 0040F2D4, 0040F34F, 0040F3CA, 0040F445, 0040F4C0, 0040F53B, 0040F5B6, 0040F631, 0040F6AC, 0040F727, 0040F7A2, 0040F81D, 0040F898, 0040F913, 0040F98E, 0040FA09, 0040FA84, 0040FAFF, 0040FB7A, 0040FBF5, 0040FC70, 0040FCEB, 0040FD66, 0040FDE1, 0040FE5C, 0040FED7, 0040FF52, 0040FFCD, 00410048, 004100C3, 0041013E, 004101B9, 00410234, 004102AF, 0041032A, 004103A5, 00410420, 0041049B, 00410516, 00410591, 0041060C, 00410687, 00410702, 0041077D, 004107F8, 00410873, 004108EE, 00410969, 004109E4, 00410A5F, 00410ADA, 00410B55, 00410BD0, 00410C4B, 00410CC6, 00410D41, 00410DBC, 00410E37, 00410EB2, 00410F2D, 00410FA8, 00411023, 0041109E, 00411119, 00411194, 0041120F, 0041128A, 00411305, 00411380, 004113FB, 00411476, 004114F1, 0041156C, 004115E7, 00411662, 004116DD, 00411758, 004117D3, 0041184E, 004118C9, 00411944, 004119BF, 00411A3A, 00411AB5, 00411B30, 00411BAB, 00411C26, 00411CA1, 00411D1C, 00411D97, 00411E12, 00411E8D, 00411F08, 00411F83, 00411FFE, 00412079
Preceding with zeros: %010d , xrefs: 00401EB0, 00401F2F, 00401FAA, 00402025, 004020A0, 0040211B, 00402196, 00402211, 0040228C, 00402307, 00402382, 004023FD, 00402478, 004024F3, 0040256E, 004025E9, 00402664, 004026DF, 0040275A, 004027D5, 00402850, 004028CB, 00402946, 004029C1, 00402A3C, 00402AB7, 00402B32, 00402BAD, 00402C28, 00402CA3, 00402D1E, 00402D99, 00402E14, 00402E8F, 00402F0A, 00402F85, 00403000, 0040307B, 004030F6, 00403171, 004031EC, 00403267, 004032E2, 0040335D, 004033D8, 00403453, 004034CE, 00403549, 004035C4, 0040363F, 004036BA, 00403735, 004037B0, 0040382B, 004038A6, 00403921, 0040399C, 00403A17, 00403A92, 00403B0D, 00403B88, 00403C03, 00403C7E, 00403CF9, 00403D74, 00403DEF, 00403E6A, 00403EE5, 00403F60, 00403FDB, 00404056, 004040D1, 0040414C, 004041C7, 00404242, 004042BD, 00404338, 004043B3, 0040442E, 004044A9, 00404524, 0040459F, 0040461A, 00404695, 00404710, 0040478B, 00404806, 00404881, 004048FC, 00404977, 004049F2, 00404A6D, 00404AE8, 00404B63, 00404BDE, 00404C59, 00404CD4, 00404D4F, 00404DCA, 00404E45, 00404EC0, 00404F3B, 00404FB6, 00405031, 004050AC, 00405127, 004051A2, 0040521D, 00405298, 00405313, 0040538E, 00405409, 00405484, 004054FF, 0040557A, 004055F5, 00405670, 004056EB, 00405766, 004057E1, 0040585C, 004058D7, 00405952, 004059CD, 00405A48, 00405AC3, 00405B3E, 00405BB9, 00405C34, 00405CAF, 00405D2A, 00405DA5, 00405E20, 00405E9B, 00405F16, 00405F91, 0040600C, 00406087, 00406102, 0040617D, 004061F8, 00406273, 004062EE, 00406369, 004063E4, 0040645F, 004064DA, 00406555, 004065D0, 0040664B, 004066C6, 00406741, 004067BC, 00406837, 004068B2, 0040692D, 004069A8, 00406A23, 00406A9E, 00406B19, 00406B94, 00406C0F, 00406C8A, 00406D05, 00406D80, 00406DFB, 00406E76, 00406EF1, 00406F6C, 00406FE7, 00407062, 004070DD, 00407158, 004071D3, 0040724E, 004072C9, 00407344, 004073BF, 0040743A, 004074B5, 00407530, 004075AB, 00407626, 004076A1, 0040771C, 00407797, 00407812, 0040788D, 00407908, 00407983, 004079FE, 00407A79, 00407AF4, 00407B6F, 00407BEA, 00407C65, 00407CE0, 00407D5B, 00407DD6, 00407E51, 00407ECC, 00407F47, 00407FC2, 0040803D, 004080B8, 00408133, 004081AE, 00408229, 004082A4, 0040831F, 0040839A, 00408415, 00408490, 0040850B, 00408586, 00408601, 0040867C, 004086F7, 00408772, 004087ED, 00408868, 004088E3, 0040895E, 004089D9, 00408A54, 00408ACF, 00408B4A, 00408BC5, 00408C40, 00408CBB, 00408D36, 00408DB1, 00408E2C, 00408EA7, 00408F22, 00408F9D, 00409018, 00409093, 0040910E, 00409189, 00409204, 0040927F, 004092FA, 00409375, 004093F0, 0040946B, 004094E6, 00409561, 004095DC, 00409657, 004096D2, 0040974D, 004097C8, 00409843, 004098BE, 00409939, 004099B4, 00409A2F, 00409AAA, 00409B25, 00409BA0, 00409C1B, 00409C96, 00409D11, 00409D8C, 00409E07, 00409E82, 00409EFD, 00409F78, 00409FF3, 0040A06E, 0040A0E9, 0040A164, 0040A1DF, 0040A25A, 0040A2D5, 0040A350, 0040A3CB, 0040A446, 0040A4C1, 0040A53C, 0040A5B7, 0040A632, 0040A6AD, 0040A728, 0040A7A3, 0040A81E, 0040A899, 0040A914, 0040A98F, 0040AA0A, 0040AA85, 0040AB00, 0040AB7B, 0040ABF6, 0040AC71, 0040ACEC, 0040AD67, 0040ADE2, 0040AE5D, 0040AED8, 0040AF53, 0040AFCE, 0040B049, 0040B0C4, 0040B13F, 0040B1BA, 0040B235, 0040B2B0, 0040B32B, 0040B3A6, 0040B421, 0040B49C, 0040B517, 0040B592, 0040B60D, 0040B688, 0040B703, 0040B77E, 0040B7F9, 0040B874, 0040B8EF, 0040B96A, 0040B9E5, 0040BA60, 0040BADB, 0040BB56, 0040BBD1, 0040BC4C, 0040BCC7, 0040BD42, 0040BDBD, 0040BE38, 0040BEB3, 0040BF2E, 0040BFA9, 0040C024, 0040C09F, 0040C11A, 0040C195, 0040C210, 0040C28B, 0040C306, 0040C381, 0040C3FC, 0040C477, 0040C4F2, 0040C56D, 0040C5E8, 0040C663, 0040C6DE, 0040C759, 0040C7D4, 0040C84F, 0040C8CA, 0040C945, 0040C9C0, 0040CA3B, 0040CAB6, 0040CB31, 0040CBAC, 0040CC27, 0040CCA2, 0040CD1D, 0040CD98, 0040CE13, 0040CE8E, 0040CF09, 0040CF84, 0040CFFF, 0040D07A, 0040D0F5, 0040D170, 0040D1EB, 0040D266, 0040D2E1, 0040D35C, 0040D3D7, 0040D452, 0040D4CD, 0040D548, 0040D5C3, 0040D63E, 0040D6B9, 0040D734, 0040D7AF, 0040D82A, 0040D8A5, 0040D920, 0040D99B, 0040DA16, 0040DA91, 0040DB0C, 0040DB87, 0040DC02, 0040DC7D, 0040DCF8, 0040DD73, 0040DDEE, 0040DE69, 0040DEE4, 0040DF5F, 0040DFDA, 0040E055, 0040E0D0, 0040E14B, 0040E1C6, 0040E241, 0040E2BC, 0040E337, 0040E3B2, 0040E42D, 0040E4A8, 0040E523, 0040E59E, 0040E619, 0040E694, 0040E70F, 0040E78A, 0040E805, 0040E880, 0040E8FB, 0040E976, 0040E9F1, 0040EA6C, 0040EAE7, 0040EB62, 0040EBDD, 0040EC58, 0040ECD3, 0040ED4E, 0040EDC9, 0040EE44, 0040EEBF, 0040EF3A, 0040EFB5, 0040F030, 0040F0AB, 0040F126, 0040F1A1, 0040F21C, 0040F297, 0040F312, 0040F38D, 0040F408, 0040F483, 0040F4FE, 0040F579, 0040F5F4, 0040F66F, 0040F6EA, 0040F765, 0040F7E0, 0040F85B, 0040F8D6, 0040F951, 0040F9CC, 0040FA47, 0040FAC2, 0040FB3D, 0040FBB8, 0040FC33, 0040FCAE, 0040FD29, 0040FDA4, 0040FE1F, 0040FE9A, 0040FF15, 0040FF90, 0041000B, 00410086, 00410101, 0041017C, 004101F7, 00410272, 004102ED, 00410368, 004103E3, 0041045E, 004104D9, 00410554, 004105CF, 0041064A, 004106C5, 00410740, 004107BB, 00410836, 004108B1, 0041092C, 004109A7, 00410A22, 00410A9D, 00410B18, 00410B93, 00410C0E, 00410C89, 00410D04, 00410D7F, 00410DFA, 00410E75, 00410EF0, 00410F6B, 00410FE6, 00411061, 004110DC, 00411157, 004111D2, 0041124D, 004112C8, 00411343, 004113BE, 00411439, 004114B4, 0041152F, 004115AA, 00411625, 004116A0, 0041171B, 00411796, 00411811, 0041188C, 00411907, 00411982, 004119FD, 00411A78, 00411AF3, 00411B6E, 00411BE9, 00411C64, 00411CDF, 00411D5A, 00411DD5, 00411E50, 00411ECB, 00411F46, 00411FC1, 0041203C
Decimals: %d %ld, xrefs: 00401E23, 00401E28, 00401E3A, 00401E5A, 00401E6C, 00401E89, 00401E9E, 00401F1A, 00401F95, 00402010, 0040208B, 00402106, 00402181, 004021FC, 00402277, 004022F2, 0040236D, 004023E8, 00402463, 004024DE, 00402559, 004025D4, 0040264F, 004026CA, 00402745, 004027C0, 0040283B, 004028B6, 00402931, 004029AC, 00402A27, 00402AA2, 00402B1D, 00402B98, 00402C13, 00402C8E, 00402D09, 00402D84, 00402DFF, 00402E7A, 00402EF5, 00402F70, 00402FEB, 00403066, 004030E1, 0040315C, 004031D7, 00403252, 004032CD, 00403348, 004033C3, 0040343E, 004034B9, 00403534, 004035AF, 0040362A, 004036A5, 00403720, 0040379B, 00403816, 00403891, 0040390C, 00403987, 00403A02, 00403A7D, 00403AF8, 00403B73, 00403BEE, 00403C69, 00403CE4, 00403D5F, 00403DDA, 00403E55, 00403ED0, 00403F4B, 00403FC6, 00404041, 004040BC, 00404137, 004041B2, 0040422D, 004042A8, 00404323, 0040439E, 00404419, 00404494, 0040450F, 0040458A, 00404605, 00404680, 004046FB, 00404776, 004047F1, 0040486C, 004048E7, 00404962, 004049DD, 00404A58, 00404AD3, 00404B4E, 00404BC9, 00404C44, 00404CBF, 00404D3A, 00404DB5, 00404E30, 00404EAB, 00404F26, 00404FA1, 0040501C, 00405097, 00405112, 0040518D, 00405208, 00405283, 004052FE, 00405379, 004053F4, 0040546F, 004054EA, 00405565, 004055E0, 0040565B, 004056D6, 00405751, 004057CC, 00405847, 004058C2, 0040593D, 004059B8, 00405A33, 00405AAE, 00405B29, 00405BA4, 00405C1F, 00405C9A, 00405D15, 00405D90, 00405E0B, 00405E86, 00405F01, 00405F7C, 00405FF7, 00406072, 004060ED, 00406168, 004061E3, 0040625E, 004062D9, 00406354, 004063CF, 0040644A, 004064C5, 00406540, 004065BB, 00406636, 004066B1, 0040672C, 004067A7, 00406822, 0040689D, 00406918, 00406993, 00406A0E, 00406A89, 00406B04, 00406B7F, 00406BFA, 00406C75, 00406CF0, 00406D6B, 00406DE6, 00406E61, 00406EDC, 00406F57, 00406FD2, 0040704D, 004070C8, 00407143, 004071BE, 00407239, 004072B4, 0040732F, 004073AA, 00407425, 004074A0, 0040751B, 00407596, 00407611, 0040768C, 00407707, 00407782, 004077FD, 00407878, 004078F3, 0040796E, 004079E9, 00407A64, 00407ADF, 00407B5A, 00407BD5, 00407C50, 00407CCB, 00407D46, 00407DC1, 00407E3C, 00407EB7, 00407F32, 00407FAD, 00408028, 004080A3, 0040811E, 00408199, 00408214, 0040828F, 0040830A, 00408385, 00408400, 0040847B, 004084F6, 00408571, 004085EC, 00408667, 004086E2, 0040875D, 004087D8, 00408853, 004088CE, 00408949, 004089C4, 00408A3F, 00408ABA, 00408B35, 00408BB0, 00408C2B, 00408CA6, 00408D21, 00408D9C, 00408E17, 00408E92, 00408F0D, 00408F88, 00409003, 0040907E, 004090F9, 00409174, 004091EF, 0040926A, 004092E5, 00409360, 004093DB, 00409456, 004094D1, 0040954C, 004095C7, 00409642, 004096BD, 00409738, 004097B3, 0040982E, 004098A9, 00409924, 0040999F, 00409A1A, 00409A95, 00409B10, 00409B8B, 00409C06, 00409C81, 00409CFC, 00409D77, 00409DF2, 00409E6D, 00409EE8, 00409F63, 00409FDE, 0040A059, 0040A0D4, 0040A14F, 0040A1CA, 0040A245, 0040A2C0, 0040A33B, 0040A3B6, 0040A431, 0040A4AC, 0040A527, 0040A5A2, 0040A61D, 0040A698, 0040A713, 0040A78E, 0040A809, 0040A884, 0040A8FF, 0040A97A, 0040A9F5, 0040AA70, 0040AAEB, 0040AB66, 0040ABE1, 0040AC5C, 0040ACD7, 0040AD52, 0040ADCD, 0040AE48, 0040AEC3, 0040AF3E, 0040AFB9, 0040B034, 0040B0AF, 0040B12A, 0040B1A5, 0040B220, 0040B29B, 0040B316, 0040B391, 0040B40C, 0040B487, 0040B502, 0040B57D, 0040B5F8, 0040B673, 0040B6EE, 0040B769, 0040B7E4, 0040B85F, 0040B8DA, 0040B955, 0040B9D0, 0040BA4B, 0040BAC6, 0040BB41, 0040BBBC, 0040BC37, 0040BCB2, 0040BD2D, 0040BDA8, 0040BE23, 0040BE9E, 0040BF19, 0040BF94, 0040C00F, 0040C08A, 0040C105, 0040C180, 0040C1FB, 0040C276, 0040C2F1, 0040C36C, 0040C3E7, 0040C462, 0040C4DD, 0040C558, 0040C5D3, 0040C64E, 0040C6C9, 0040C744, 0040C7BF, 0040C83A, 0040C8B5, 0040C930, 0040C9AB, 0040CA26, 0040CAA1, 0040CB1C, 0040CB97, 0040CC12, 0040CC8D, 0040CD08, 0040CD83, 0040CDFE, 0040CE79, 0040CEF4, 0040CF6F, 0040CFEA, 0040D065, 0040D0E0, 0040D15B, 0040D1D6, 0040D251, 0040D2CC, 0040D347, 0040D3C2, 0040D43D, 0040D4B8, 0040D533, 0040D5AE, 0040D629, 0040D6A4, 0040D71F, 0040D79A, 0040D815, 0040D890, 0040D90B, 0040D986, 0040DA01, 0040DA7C, 0040DAF7, 0040DB72, 0040DBED, 0040DC68, 0040DCE3, 0040DD5E, 0040DDD9, 0040DE54, 0040DECF, 0040DF4A, 0040DFC5, 0040E040, 0040E0BB, 0040E136, 0040E1B1, 0040E22C, 0040E2A7, 0040E322, 0040E39D, 0040E418, 0040E493, 0040E50E, 0040E589, 0040E604, 0040E67F, 0040E6FA, 0040E775, 0040E7F0, 0040E86B, 0040E8E6, 0040E961, 0040E9DC, 0040EA57, 0040EAD2, 0040EB4D, 0040EBC8, 0040EC43, 0040ECBE, 0040ED39, 0040EDB4, 0040EE2F, 0040EEAA, 0040EF25, 0040EFA0, 0040F01B, 0040F096, 0040F111, 0040F18C, 0040F207, 0040F282, 0040F2FD, 0040F378, 0040F3F3, 0040F46E, 0040F4E9, 0040F564, 0040F5DF, 0040F65A, 0040F6D5, 0040F750, 0040F7CB, 0040F846, 0040F8C1, 0040F93C, 0040F9B7, 0040FA32, 0040FAAD, 0040FB28, 0040FBA3, 0040FC1E, 0040FC99, 0040FD14, 0040FD8F, 0040FE0A, 0040FE85, 0040FF00, 0040FF7B, 0040FFF6, 00410071, 004100EC, 00410167, 004101E2, 0041025D, 004102D8, 00410353, 004103CE, 00410449, 004104C4, 0041053F, 004105BA, 00410635, 004106B0, 0041072B, 004107A6, 00410821, 0041089C, 00410917, 00410992, 00410A0D, 00410A88, 00410B03, 00410B7E, 00410BF9, 00410C74, 00410CEF, 00410D6A, 00410DE5, 00410E60, 00410EDB, 00410F56, 00410FD1, 0041104C, 004110C7, 00411142, 004111BD, 00411238, 004112B3, 0041132E, 004113A9, 00411424, 0041149F, 0041151A, 00411595, 00411610, 0041168B, 00411706, 00411781, 004117FC, 00411877, 004118F2, 0041196D, 004119E8, 00411A63, 00411ADE, 00411B59, 00411BD4, 00411C4F, 00411CCA, 00411D45, 00411DC0, 00411E3B, 00411EB6, 00411F31, 00411FAC, 00412027
Some different radices: %d %x %o %#x %#o , xrefs: 00401EC2, 00401F3E, 00401FB9, 00402034, 004020AF, 0040212A, 004021A5, 00402220, 0040229B, 00402316, 00402391, 0040240C, 00402487, 00402502, 0040257D, 004025F8, 00402673, 004026EE, 00402769, 004027E4, 0040285F, 004028DA, 00402955, 004029D0, 00402A4B, 00402AC6, 00402B41, 00402BBC, 00402C37, 00402CB2, 00402D2D, 00402DA8, 00402E23, 00402E9E, 00402F19, 00402F94, 0040300F, 0040308A, 00403105, 00403180, 004031FB, 00403276, 004032F1, 0040336C, 004033E7, 00403462, 004034DD, 00403558, 004035D3, 0040364E, 004036C9, 00403744, 004037BF, 0040383A, 004038B5, 00403930, 004039AB, 00403A26, 00403AA1, 00403B1C, 00403B97, 00403C12, 00403C8D, 00403D08, 00403D83, 00403DFE, 00403E79, 00403EF4, 00403F6F, 00403FEA, 00404065, 004040E0, 0040415B, 004041D6, 00404251, 004042CC, 00404347, 004043C2, 0040443D, 004044B8, 00404533, 004045AE, 00404629, 004046A4, 0040471F, 0040479A, 00404815, 00404890, 0040490B, 00404986, 00404A01, 00404A7C, 00404AF7, 00404B72, 00404BED, 00404C68, 00404CE3, 00404D5E, 00404DD9, 00404E54, 00404ECF, 00404F4A, 00404FC5, 00405040, 004050BB, 00405136, 004051B1, 0040522C, 004052A7, 00405322, 0040539D, 00405418, 00405493, 0040550E, 00405589, 00405604, 0040567F, 004056FA, 00405775, 004057F0, 0040586B, 004058E6, 00405961, 004059DC, 00405A57, 00405AD2, 00405B4D, 00405BC8, 00405C43, 00405CBE, 00405D39, 00405DB4, 00405E2F, 00405EAA, 00405F25, 00405FA0, 0040601B, 00406096, 00406111, 0040618C, 00406207, 00406282, 004062FD, 00406378, 004063F3, 0040646E, 004064E9, 00406564, 004065DF, 0040665A, 004066D5, 00406750, 004067CB, 00406846, 004068C1, 0040693C, 004069B7, 00406A32, 00406AAD, 00406B28, 00406BA3, 00406C1E, 00406C99, 00406D14, 00406D8F, 00406E0A, 00406E85, 00406F00, 00406F7B, 00406FF6, 00407071, 004070EC, 00407167, 004071E2, 0040725D, 004072D8, 00407353, 004073CE, 00407449, 004074C4, 0040753F, 004075BA, 00407635, 004076B0, 0040772B, 004077A6, 00407821, 0040789C, 00407917, 00407992, 00407A0D, 00407A88, 00407B03, 00407B7E, 00407BF9, 00407C74, 00407CEF, 00407D6A, 00407DE5, 00407E60, 00407EDB, 00407F56, 00407FD1, 0040804C, 004080C7, 00408142, 004081BD, 00408238, 004082B3, 0040832E, 004083A9, 00408424, 0040849F, 0040851A, 00408595, 00408610, 0040868B, 00408706, 00408781, 004087FC, 00408877, 004088F2, 0040896D, 004089E8, 00408A63, 00408ADE, 00408B59, 00408BD4, 00408C4F, 00408CCA, 00408D45, 00408DC0, 00408E3B, 00408EB6, 00408F31, 00408FAC, 00409027, 004090A2, 0040911D, 00409198, 00409213, 0040928E, 00409309, 00409384, 004093FF, 0040947A, 004094F5, 00409570, 004095EB, 00409666, 004096E1, 0040975C, 004097D7, 00409852, 004098CD, 00409948, 004099C3, 00409A3E, 00409AB9, 00409B34, 00409BAF, 00409C2A, 00409CA5, 00409D20, 00409D9B, 00409E16, 00409E91, 00409F0C, 00409F87, 0040A002, 0040A07D, 0040A0F8, 0040A173, 0040A1EE, 0040A269, 0040A2E4, 0040A35F, 0040A3DA, 0040A455, 0040A4D0, 0040A54B, 0040A5C6, 0040A641, 0040A6BC, 0040A737, 0040A7B2, 0040A82D, 0040A8A8, 0040A923, 0040A99E, 0040AA19, 0040AA94, 0040AB0F, 0040AB8A, 0040AC05, 0040AC80, 0040ACFB, 0040AD76, 0040ADF1, 0040AE6C, 0040AEE7, 0040AF62, 0040AFDD, 0040B058, 0040B0D3, 0040B14E, 0040B1C9, 0040B244, 0040B2BF, 0040B33A, 0040B3B5, 0040B430, 0040B4AB, 0040B526, 0040B5A1, 0040B61C, 0040B697, 0040B712, 0040B78D, 0040B808, 0040B883, 0040B8FE, 0040B979, 0040B9F4, 0040BA6F, 0040BAEA, 0040BB65, 0040BBE0, 0040BC5B, 0040BCD6, 0040BD51, 0040BDCC, 0040BE47, 0040BEC2, 0040BF3D, 0040BFB8, 0040C033, 0040C0AE, 0040C129, 0040C1A4, 0040C21F, 0040C29A, 0040C315, 0040C390, 0040C40B, 0040C486, 0040C501, 0040C57C, 0040C5F7, 0040C672, 0040C6ED, 0040C768, 0040C7E3, 0040C85E, 0040C8D9, 0040C954, 0040C9CF, 0040CA4A, 0040CAC5, 0040CB40, 0040CBBB, 0040CC36, 0040CCB1, 0040CD2C, 0040CDA7, 0040CE22, 0040CE9D, 0040CF18, 0040CF93, 0040D00E, 0040D089, 0040D104, 0040D17F, 0040D1FA, 0040D275, 0040D2F0, 0040D36B, 0040D3E6, 0040D461, 0040D4DC, 0040D557, 0040D5D2, 0040D64D, 0040D6C8, 0040D743, 0040D7BE, 0040D839, 0040D8B4, 0040D92F, 0040D9AA, 0040DA25, 0040DAA0, 0040DB1B, 0040DB96, 0040DC11, 0040DC8C, 0040DD07, 0040DD82, 0040DDFD, 0040DE78, 0040DEF3, 0040DF6E, 0040DFE9, 0040E064, 0040E0DF, 0040E15A, 0040E1D5, 0040E250, 0040E2CB, 0040E346, 0040E3C1, 0040E43C, 0040E4B7, 0040E532, 0040E5AD, 0040E628, 0040E6A3, 0040E71E, 0040E799, 0040E814, 0040E88F, 0040E90A, 0040E985, 0040EA00, 0040EA7B, 0040EAF6, 0040EB71, 0040EBEC, 0040EC67, 0040ECE2, 0040ED5D, 0040EDD8, 0040EE53, 0040EECE, 0040EF49, 0040EFC4, 0040F03F, 0040F0BA, 0040F135, 0040F1B0, 0040F22B, 0040F2A6, 0040F321, 0040F39C, 0040F417, 0040F492, 0040F50D, 0040F588, 0040F603, 0040F67E, 0040F6F9, 0040F774, 0040F7EF, 0040F86A, 0040F8E5, 0040F960, 0040F9DB, 0040FA56, 0040FAD1, 0040FB4C, 0040FBC7, 0040FC42, 0040FCBD, 0040FD38, 0040FDB3, 0040FE2E, 0040FEA9, 0040FF24, 0040FF9F, 0041001A, 00410095, 00410110, 0041018B, 00410206, 00410281, 004102FC, 00410377, 004103F2, 0041046D, 004104E8, 00410563, 004105DE, 00410659, 004106D4, 0041074F, 004107CA, 00410845, 004108C0, 0041093B, 004109B6, 00410A31, 00410AAC, 00410B27, 00410BA2, 00410C1D, 00410C98, 00410D13, 00410D8E, 00410E09, 00410E84, 00410EFF, 00410F7A, 00410FF5, 00411070, 004110EB, 00411166, 004111E1, 0041125C, 004112D7, 00411352, 004113CD, 00411448, 004114C3, 0041153E, 004115B9, 00411634, 004116AF, 0041172A, 004117A5, 00411820, 0041189B, 00411916, 00411991, 00411A0C, 00411A87, 00411B02, 00411B7D, 00411BF8, 00411C73, 00411CEE, 00411D69, 00411DE4, 00411E5F, 00411EDA, 00411F55, 00411FD0, 0041204B
%s , xrefs: 00401F00, 00401F7B, 00401FF6, 00402071, 004020EC, 00402167, 004021E2, 0040225D, 004022D8, 00402353, 004023CE, 00402449, 004024C4, 0040253F, 004025BA, 00402635, 004026B0, 0040272B, 004027A6, 00402821, 0040289C, 00402917, 00402992, 00402A0D, 00402A88, 00402B03, 00402B7E, 00402BF9, 00402C74, 00402CEF, 00402D6A, 00402DE5, 00402E60, 00402EDB, 00402F56, 00402FD1, 0040304C, 004030C7, 00403142, 004031BD, 00403238, 004032B3, 0040332E, 004033A9, 00403424, 0040349F, 0040351A, 00403595, 00403610, 0040368B, 00403706, 00403781, 004037FC, 00403877, 004038F2, 0040396D, 004039E8, 00403A63, 00403ADE, 00403B59, 00403BD4, 00403C4F, 00403CCA, 00403D45, 00403DC0, 00403E3B, 00403EB6, 00403F31, 00403FAC, 00404027, 004040A2, 0040411D, 00404198, 00404213, 0040428E, 00404309, 00404384, 004043FF, 0040447A, 004044F5, 00404570, 004045EB, 00404666, 004046E1, 0040475C, 004047D7, 00404852, 004048CD, 00404948, 004049C3, 00404A3E, 00404AB9, 00404B34, 00404BAF, 00404C2A, 00404CA5, 00404D20, 00404D9B, 00404E16, 00404E91, 00404F0C, 00404F87, 00405002, 0040507D, 004050F8, 00405173, 004051EE, 00405269, 004052E4, 0040535F, 004053DA, 00405455, 004054D0, 0040554B, 004055C6, 00405641, 004056BC, 00405737, 004057B2, 0040582D, 004058A8, 00405923, 0040599E, 00405A19, 00405A94, 00405B0F, 00405B8A, 00405C05, 00405C80, 00405CFB, 00405D76, 00405DF1, 00405E6C, 00405EE7, 00405F62, 00405FDD, 00406058, 004060D3, 0040614E, 004061C9, 00406244, 004062BF, 0040633A, 004063B5, 00406430, 004064AB, 00406526, 004065A1, 0040661C, 00406697, 00406712, 0040678D, 00406808, 00406883, 004068FE, 00406979, 004069F4, 00406A6F, 00406AEA, 00406B65, 00406BE0, 00406C5B, 00406CD6, 00406D51, 00406DCC, 00406E47, 00406EC2, 00406F3D, 00406FB8, 00407033, 004070AE, 00407129, 004071A4, 0040721F, 0040729A, 00407315, 00407390, 0040740B, 00407486, 00407501, 0040757C, 004075F7, 00407672, 004076ED, 00407768, 004077E3, 0040785E, 004078D9, 00407954, 004079CF, 00407A4A, 00407AC5, 00407B40, 00407BBB, 00407C36, 00407CB1, 00407D2C, 00407DA7, 00407E22, 00407E9D, 00407F18, 00407F93, 0040800E, 00408089, 00408104, 0040817F, 004081FA, 00408275, 004082F0, 0040836B, 004083E6, 00408461, 004084DC, 00408557, 004085D2, 0040864D, 004086C8, 00408743, 004087BE, 00408839, 004088B4, 0040892F, 004089AA, 00408A25, 00408AA0, 00408B1B, 00408B96, 00408C11, 00408C8C, 00408D07, 00408D82, 00408DFD, 00408E78, 00408EF3, 00408F6E, 00408FE9, 00409064, 004090DF, 0040915A, 004091D5, 00409250, 004092CB, 00409346, 004093C1, 0040943C, 004094B7, 00409532, 004095AD, 00409628, 004096A3, 0040971E, 00409799, 00409814, 0040988F, 0040990A, 00409985, 00409A00, 00409A7B, 00409AF6, 00409B71, 00409BEC, 00409C67, 00409CE2, 00409D5D, 00409DD8, 00409E53, 00409ECE, 00409F49, 00409FC4, 0040A03F, 0040A0BA, 0040A135, 0040A1B0, 0040A22B, 0040A2A6, 0040A321, 0040A39C, 0040A417, 0040A492, 0040A50D, 0040A588, 0040A603, 0040A67E, 0040A6F9, 0040A774, 0040A7EF, 0040A86A, 0040A8E5, 0040A960, 0040A9DB, 0040AA56, 0040AAD1, 0040AB4C, 0040ABC7, 0040AC42, 0040ACBD, 0040AD38, 0040ADB3, 0040AE2E, 0040AEA9, 0040AF24, 0040AF9F, 0040B01A, 0040B095, 0040B110, 0040B18B, 0040B206, 0040B281, 0040B2FC, 0040B377, 0040B3F2, 0040B46D, 0040B4E8, 0040B563, 0040B5DE, 0040B659, 0040B6D4, 0040B74F, 0040B7CA, 0040B845, 0040B8C0, 0040B93B, 0040B9B6, 0040BA31, 0040BAAC, 0040BB27, 0040BBA2, 0040BC1D, 0040BC98, 0040BD13, 0040BD8E, 0040BE09, 0040BE84, 0040BEFF, 0040BF7A, 0040BFF5, 0040C070, 0040C0EB, 0040C166, 0040C1E1, 0040C25C, 0040C2D7, 0040C352, 0040C3CD, 0040C448, 0040C4C3, 0040C53E, 0040C5B9, 0040C634, 0040C6AF, 0040C72A, 0040C7A5, 0040C820, 0040C89B, 0040C916, 0040C991, 0040CA0C, 0040CA87, 0040CB02, 0040CB7D, 0040CBF8, 0040CC73, 0040CCEE, 0040CD69, 0040CDE4, 0040CE5F, 0040CEDA, 0040CF55, 0040CFD0, 0040D04B, 0040D0C6, 0040D141, 0040D1BC, 0040D237, 0040D2B2, 0040D32D, 0040D3A8, 0040D423, 0040D49E, 0040D519, 0040D594, 0040D60F, 0040D68A, 0040D705, 0040D780, 0040D7FB, 0040D876, 0040D8F1, 0040D96C, 0040D9E7, 0040DA62, 0040DADD, 0040DB58, 0040DBD3, 0040DC4E, 0040DCC9, 0040DD44, 0040DDBF, 0040DE3A, 0040DEB5, 0040DF30, 0040DFAB, 0040E026, 0040E0A1, 0040E11C, 0040E197, 0040E212, 0040E28D, 0040E308, 0040E383, 0040E3FE, 0040E479, 0040E4F4, 0040E56F, 0040E5EA, 0040E665, 0040E6E0, 0040E75B, 0040E7D6, 0040E851, 0040E8CC, 0040E947, 0040E9C2, 0040EA3D, 0040EAB8, 0040EB33, 0040EBAE, 0040EC29, 0040ECA4, 0040ED1F, 0040ED9A, 0040EE15, 0040EE90, 0040EF0B, 0040EF86, 0040F001, 0040F07C, 0040F0F7, 0040F172, 0040F1ED, 0040F268, 0040F2E3, 0040F35E, 0040F3D9, 0040F454, 0040F4CF, 0040F54A, 0040F5C5, 0040F640, 0040F6BB, 0040F736, 0040F7B1, 0040F82C, 0040F8A7, 0040F922, 0040F99D, 0040FA18, 0040FA93, 0040FB0E, 0040FB89, 0040FC04, 0040FC7F, 0040FCFA, 0040FD75, 0040FDF0, 0040FE6B, 0040FEE6, 0040FF61, 0040FFDC, 00410057, 004100D2, 0041014D, 004101C8, 00410243, 004102BE, 00410339, 004103B4, 0041042F, 004104AA, 00410525, 004105A0, 0041061B, 00410696, 00410711, 0041078C, 00410807, 00410882, 004108FD, 00410978, 004109F3, 00410A6E, 00410AE9, 00410B64, 00410BDF, 00410C5A, 00410CD5, 00410D50, 00410DCB, 00410E46, 00410EC1, 00410F3C, 00410FB7, 00411032, 004110AD, 00411128, 004111A3, 0041121E, 00411299, 00411314, 0041138F, 0041140A, 00411485, 00411500, 0041157B, 004115F6, 00411671, 004116EC, 00411767, 004117E2, 0041185D, 004118D8, 00411953, 004119CE, 00411A49, 00411AC4, 00411B3F, 00411BBA, 00411C35, 00411CB0, 00411D2B, 00411DA6, 00411E21, 00411E9C, 00411F17, 00411F92, 0041200D, 00412088

Memory Dump Source

Source File: 00000001.00000002.653276993.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.653273053.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653314084.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653325279.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.653334545.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653338865.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653344097.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653347535.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BnJvVt951o.jbxd

Similarity

API ID: CallProcWindow$AllocByteCharLoadMultiStringVirtualWide
String ID: %s $A string$Characters: %c %c $Decimals: %d %ld$Preceding with blanks: %10d $Preceding with zeros: %010d $Some different radices: %d %x %o %#x %#o $SysWOW64\bushexa.exe$Width trick: %*d $floats: %4.2f %+.0e %E
API String ID: 965092674-1842070646
Opcode ID: 4faedc87637a6878093169c4d3d605fe4ab5dc08f946da224ed09edfd01ae1de
Instruction ID: 0aebab6a80ce3fde290079580919b52b1e3247745899e55c1e150ea4edafc8a6
Opcode Fuzzy Hash: 4faedc87637a6878093169c4d3d605fe4ab5dc08f946da224ed09edfd01ae1de
Instruction Fuzzy Hash: EF3422F0794B0170DD217A728D7BFBF1A189F61B8AF20084FF9D4342E3999D5AA4416E

Uniqueness

Uniqueness Score: -1.00%

Function 004315F6, Relevance: 16.6, APIs: 11, Instructions: 120COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004315FB
FindResourceA.KERNEL32(?,00000000,00000005), ref: 00431633
LoadResource.KERNEL32(?,00000000), ref: 0043163B

Part of subcall function 00433622: UnhookWindowsHookEx.USER32(?), ref: 00433647

LockResource.KERNEL32(00000000), ref: 0043164D
GetDesktopWindow.USER32 ref: 0043167A
IsWindowEnabled.USER32(00000000), ref: 00431688
EnableWindow.USER32(00000000,00000000), ref: 00431697
EnableWindow.USER32(00000000,00000001), ref: 00431726
GetActiveWindow.USER32 ref: 00431731
SetActiveWindow.USER32(00000000), ref: 0043173F
FreeResource.KERNEL32(00000000), ref: 0043175B

Memory Dump Source

Source File: 00000001.00000002.653276993.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.653273053.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653314084.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653325279.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.653334545.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653338865.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653344097.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653347535.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Window$Resource$ActiveEnable$DesktopEnabledFindFreeH_prologHookLoadLockUnhookWindows
String ID:
API String ID: 833315621-0
Opcode ID: ce71086b03d54d9c65edfdc0c6feb1ec0fe07aa3cb5f2fb9872758785c552c6d
Instruction ID: c80a947bf2f6b874c5c82c51990a73349f493b2a6f47a5415102d4061b6d75a7
Opcode Fuzzy Hash: ce71086b03d54d9c65edfdc0c6feb1ec0fe07aa3cb5f2fb9872758785c552c6d
Instruction Fuzzy Hash: A8418030900705DFDB21AFA5C95A7BEBBB5AF08716F14102FF102A22A1CB789941CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00434CC5, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00434CCA
GetPropA.USER32 ref: 00434CE2
CallWindowProcA.USER32 ref: 00434D40

Part of subcall function 00433D23: GetWindowRect.USER32 ref: 00433D48
Part of subcall function 00433D23: GetWindow.USER32(?,00000004), ref: 00433D65

SetWindowLongA.USER32 ref: 00434D70
RemovePropA.USER32 ref: 00434D78
GlobalFindAtomA.KERNEL32 ref: 00434D7F
GlobalDeleteAtom.KERNEL32 ref: 00434D86

Part of subcall function 00432754: GetWindowRect.USER32 ref: 00432760

CallWindowProcA.USER32 ref: 00434DDA

Strings

AfxOldWndProc423, xrefs: 00434CDB, 00434CE0, 00434D76, 00434D7E

Memory Dump Source

Source File: 00000001.00000002.653276993.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.653273053.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653314084.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653325279.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.653334545.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653338865.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653344097.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653347535.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
String ID: AfxOldWndProc423
API String ID: 2397448395-1060338832
Opcode ID: ff15bca09e0eb7e406143482a3ef9c335fcd6e55898f3d77f75a080db70639e7
Instruction ID: 12abf3a039a44a727739dfb4959889e1be9217344ea0f0b479962cac14099a61
Opcode Fuzzy Hash: ff15bca09e0eb7e406143482a3ef9c335fcd6e55898f3d77f75a080db70639e7
Instruction Fuzzy Hash: 0C316172800219BBCB119FA5DD49EFF7F78FF49316F00412AF501A2161C739AA119BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0044EAAF, Relevance: 15.1, APIs: 10, Instructions: 99memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0047B6F4,73B74DE0,?,?,0047B6D8,0047B6D8,?,0044F06F,73B74DE0,00000000,?,0044D598,0044C800,0044D5B4,00437F34,0043B484), ref: 0044EAC0
GlobalAlloc.KERNELBASE(00000002,00000040,?,?,0047B6D8,0047B6D8,?,0044F06F,73B74DE0,00000000,?,0044D598,0044C800,0044D5B4,00437F34,0043B484), ref: 0044EB11
GlobalHandle.KERNEL32 ref: 0044EB1A
GlobalUnlock.KERNEL32(00000000,?,?,0047B6D8,0047B6D8,?,0044F06F,73B74DE0,00000000,?,0044D598,0044C800,0044D5B4,00437F34,0043B484,73B74DE0), ref: 0044EB24
GlobalReAlloc.KERNEL32(?,00000040,00002002), ref: 0044EB38
GlobalHandle.KERNEL32 ref: 0044EB4A
GlobalLock.KERNEL32 ref: 0044EB51
LeaveCriticalSection.KERNEL32(?,?,?,0047B6D8,0047B6D8,?,0044F06F,73B74DE0,00000000,?,0044D598,0044C800,0044D5B4,00437F34,0043B484,73B74DE0), ref: 0044EB5A
GlobalLock.KERNEL32 ref: 0044EB66
LeaveCriticalSection.KERNEL32(?), ref: 0044EBAE

Memory Dump Source

Source File: 00000001.00000002.653276993.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.653273053.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653314084.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653325279.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.653334545.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653338865.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653344097.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653347535.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: b04793688510a88f67e5c568a89932a2d6769de8e8383a32167a042d3a654f9b
Instruction ID: f7f23203b9efe10dc177ef4e6959b102c6c9f186cb83817a26fe115b791422a3
Opcode Fuzzy Hash: b04793688510a88f67e5c568a89932a2d6769de8e8383a32167a042d3a654f9b
Instruction Fuzzy Hash: B431EE30A00B05AFD720CF6ADC98A6ABBF9FF40345B01496EE956D3621D778F940CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004313E9, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004313EE
GetSystemMetrics.USER32 ref: 004314B2
GlobalLock.KERNEL32 ref: 0043151D
CreateDialogIndirectParamA.USER32(?,?,?,Function_00030DE2,00000000), ref: 0043154C

Strings

MS Shell Dlg, xrefs: 004314BC

Memory Dump Source

Source File: 00000001.00000002.653276993.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.653273053.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653314084.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653325279.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.653334545.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653338865.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653344097.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653347535.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BnJvVt951o.jbxd

Similarity

API ID: CreateDialogGlobalH_prologIndirectLockMetricsParamSystem
String ID: MS Shell Dlg
API String ID: 2364537584-76309092
Opcode ID: b1838b986e74c8f40b3d4ecf676eea66dee448865fa6d39ddd366ea3ccbe1829
Instruction ID: e0f64d9ec0343e99e2e9ee4d9acaebb91454337ed0347725652701e1449b16bc
Opcode Fuzzy Hash: b1838b986e74c8f40b3d4ecf676eea66dee448865fa6d39ddd366ea3ccbe1829
Instruction Fuzzy Hash: 6751A431900205EFCF119FA4C8859EEBBB5EF48315F24556BF412A72A2DB389E41CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00432655, Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNELBASE(COMCTL32.DLL,00008000,00000000,00000400,0043346D,00000000,00040000,00000000,?), ref: 0043265E
LoadLibraryA.KERNEL32(COMCTL32.DLL,?,?,?,?,?,?,?,?,?,00431431,00000010,00000000), ref: 00432667
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0043267B
#17.COMCTL32(?,?,?,?,?,?,?,?,?,00431431,00000010,00000000), ref: 00432696
#17.COMCTL32(?,?,?,?,?,?,?,?,?,00431431,00000010,00000000), ref: 004326B2
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00431431,00000010,00000000), ref: 004326BF

Strings

InitCommonControlsEx, xrefs: 00432673
COMCTL32.DLL, xrefs: 00432658, 0043265D, 00432664

Memory Dump Source

Source File: 00000001.00000002.653276993.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.653273053.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653314084.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653325279.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.653334545.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653338865.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653344097.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653347535.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: COMCTL32.DLL$InitCommonControlsEx
API String ID: 1437655972-4218389149
Opcode ID: fbc869dff4a4af753050b1c1a6b0d85685cb09798fd04b456239473298ed4885
Instruction ID: 5fa1d96a4472cd52907bff507a2bc74d54206005f978a52e19e2591faae4ea83
Opcode Fuzzy Hash: fbc869dff4a4af753050b1c1a6b0d85685cb09798fd04b456239473298ed4885
Instruction Fuzzy Hash: 23F0A9326007229787115B659D59A2FB6ECBF94753B451436F805F3211CFA8EC0586AD

Uniqueness

Uniqueness Score: -1.00%

Function 00450457, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104,?,?), ref: 00450498
PathFindExtensionA.KERNELBASE(?), ref: 004504B2
lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0045054C
lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 00450579

Strings

.HLP, xrefs: 00450544
.INI, xrefs: 0045056D
.CHM, xrefs: 0045053D

Memory Dump Source

Source File: 00000001.00000002.653276993.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.653273053.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653314084.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653325279.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.653334545.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653338865.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653344097.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653347535.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ExtensionFileFindModuleNamePathlstrcatlstrcpy
String ID: .CHM$.HLP$.INI
API String ID: 2140653559-4017452060
Opcode ID: 77cb3e02a1d5fd2dcdfbfdbf5264098ea0434eb04d60befdb6af3fc4bd62b3ee
Instruction ID: b6df33e5751ea74f5826cc98093051f0f3abe019c6a471caf1ebe553c2435343
Opcode Fuzzy Hash: 77cb3e02a1d5fd2dcdfbfdbf5264098ea0434eb04d60befdb6af3fc4bd62b3ee
Instruction Fuzzy Hash: 70412875500B09AFCB71EFA5D845BDA77E8AB08306F10482FFA89C6242EB38D5448F25

Uniqueness

Uniqueness Score: -1.00%

Function 0043918C, Relevance: 12.0, APIs: 8, Instructions: 38COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL ref: 00439199
GetSystemMetrics.USER32 ref: 004391A0
GetSystemMetrics.USER32 ref: 004391A7
GetSystemMetrics.USER32 ref: 004391B1
GetDC.USER32(00000000), ref: 004391BB
GetDeviceCaps.GDI32(00000000,00000058), ref: 004391CC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004391D4
ReleaseDC.USER32 ref: 004391DC

Memory Dump Source

Source File: 00000001.00000002.653276993.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.653273053.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653314084.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653325279.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.653334545.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653338865.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653344097.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653347535.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BnJvVt951o.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
String ID:
API String ID: 1031845853-0
Opcode ID: 2dbb417450004d57444fbcb471158f4b0ee786ac08df754a132355d1f0c5ae34
Instruction ID: 042a91b24d9d83c6ebad07df20038e5cd2289658d9ba2151f457e89fbd6056d9
Opcode Fuzzy Hash: 2dbb417450004d57444fbcb471158f4b0ee786ac08df754a132355d1f0c5ae34
Instruction Fuzzy Hash: A0F03671A40B04AEE7206F729C59F277BB4EB95B12F11442AE6418B1D1D6B5D8018F54

Uniqueness

Uniqueness Score: -1.00%

Function 0044F45C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044F461
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000000,00000001,00439907,?,?,?,00456DE0), ref: 0044F4DA
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,00000000,00000001,00439907,?,?,?,00456DE0), ref: 0044F50D
RegCloseKey.ADVAPI32(?,?,?,00000000,00000001,00439907,?,?,?,00456DE0), ref: 0044F528
GetPrivateProfileStringA.KERNEL32(?,?,?,?,00001000,?), ref: 0044F57B

Strings

mE, xrefs: 0044F572

Memory Dump Source

Source File: 00000001.00000002.653276993.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.653273053.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653314084.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653325279.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.653334545.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653338865.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653344097.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653347535.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BnJvVt951o.jbxd

Similarity

API ID: QueryValue$CloseH_prologPrivateProfileString
String ID: mE
API String ID: 1022837590-852767849
Opcode ID: 249ea3ed76278fdc5f2ad60c9f866fb1f1cab811b581774d5f974148515f067f
Instruction ID: f1cded26cd753e4b897d3bf62b173a12f1a3ee0e8f92eae1bcd43dace040cb53
Opcode Fuzzy Hash: 249ea3ed76278fdc5f2ad60c9f866fb1f1cab811b581774d5f974148515f067f
Instruction Fuzzy Hash: 0D416770800259FBDF20DF11CC408EEBB79FF48354F0084AAF959A6261D7B89A95EF54

Uniqueness

Uniqueness Score: -1.00%

Function 004505A5, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000000,00000000,0043B4A3,?,?,?,?,73B74DE0,00000000,?,00419D19,00000000), ref: 004505AE
SetErrorMode.KERNELBASE(00000000,?,00419D19,00000000), ref: 004505B6
GetModuleHandleA.KERNEL32(user32.dll,00419D19,00000000), ref: 00450601
GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 00450611

Part of subcall function 00450457: GetModuleFileNameA.KERNEL32(?,?,00000104,?,?), ref: 00450498
Part of subcall function 00450457: PathFindExtensionA.KERNELBASE(?), ref: 004504B2
Part of subcall function 00450457: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0045054C
Part of subcall function 00450457: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 00450579

Strings

NotifyWinEvent, xrefs: 0045060B
user32.dll, xrefs: 004505FC

Memory Dump Source

Source File: 00000001.00000002.653276993.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.653273053.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653314084.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653325279.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.653334545.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653338865.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653344097.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653347535.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ErrorModeModule$AddressExtensionFileFindHandleNamePathProclstrcatlstrcpy
String ID: NotifyWinEvent$user32.dll
API String ID: 4004864024-597752486
Opcode ID: b50bf68e2b5de257a348941957a5666d38a24f24bd2454486d7854c91595e3bd
Instruction ID: 74da4d911cd3c67dbcb73de4fb85063a1f61eb744a766c99006dd413cafa1df5
Opcode Fuzzy Hash: b50bf68e2b5de257a348941957a5666d38a24f24bd2454486d7854c91595e3bd
Instruction Fuzzy Hash: 94014BB4A10710AFD710EF619804A1A7B94AF08706F05886FF84997363DF78C844CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 0044DB78, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044DB7D

Part of subcall function 00439945: __EH_prolog.LIBCMT ref: 0043994A

Strings

File%d, xrefs: 0044DBBA
Settings, xrefs: 0044DBE5
PreviewPages, xrefs: 0044DBE0
Recent File List, xrefs: 0044DBBF

Memory Dump Source

Source File: 00000001.00000002.653276993.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.653273053.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653314084.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653325279.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.653334545.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653338865.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653344097.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653347535.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BnJvVt951o.jbxd

Similarity

API ID: H_prolog
String ID: File%d$PreviewPages$Recent File List$Settings
API String ID: 3519838083-526586445
Opcode ID: f06a5cb311d69bc97bd4333ebde88718be601381b48ec27b8e411bc5b28f1ba3
Instruction ID: 6ecb9a6e47c6ed6da365f7f5841e959e2fb76d13caa31787ec29dc486ad6f34b
Opcode Fuzzy Hash: f06a5cb311d69bc97bd4333ebde88718be601381b48ec27b8e411bc5b28f1ba3
Instruction Fuzzy Hash: 5D014971E04340ABDB25DF689C01BAF7AB1FB85B10F20452FF821A7382CBB80900C758

Uniqueness

Uniqueness Score: -1.00%

Function 0041257E, Relevance: 7.6, APIs: 5, Instructions: 70windowencryptionCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412583
CertOpenStore.CRYPT32(00000000,00000000,00000000,00000000,00000000), ref: 00412595
GetSystemMenu.USER32(?,00000000), ref: 004125CB
AppendMenuA.USER32 ref: 00412610
AppendMenuA.USER32 ref: 0041261B

Part of subcall function 00401D3B: LoadStringW.USER32(00000005,0000000A,00000000,00000000), ref: 00401D4F

Memory Dump Source

Source File: 00000001.00000002.653276993.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.653273053.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653314084.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653325279.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.653334545.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653338865.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653344097.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653347535.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Menu$Append$CertH_prologLoadOpenStoreStringSystem
String ID:
API String ID: 2154892219-0
Opcode ID: 11bb417483d622feea004db716fe9203556d7dc3c7520d62cdc46bb90d24d3f2
Instruction ID: acac48fb911abb386090c21b2f7dd5dbfc6e7f2fbe9a5444ef82efc6a18a4669
Opcode Fuzzy Hash: 11bb417483d622feea004db716fe9203556d7dc3c7520d62cdc46bb90d24d3f2
Instruction Fuzzy Hash: 2C110B70900114AFDB107BB6CC55EAFBB35FF44324F00452EF115E72A2CB7898108BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0044D9CA, Relevance: 6.1, APIs: 4, Instructions: 71registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000001,004781F0,00000000,00000001,?), ref: 0044DA0D
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000004), ref: 0044DA2D
RegCloseKey.ADVAPI32(?), ref: 0044DA71
RegCloseKey.ADVAPI32(00000000), ref: 0044DA87

Memory Dump Source

Source File: 00000001.00000002.653276993.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.653273053.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653314084.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653325279.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.653334545.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653338865.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653344097.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653347535.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID:
API String ID: 1607946009-0
Opcode ID: e5fe929cb7eb099dfd86e2b72a41db03c230be63d796b1944a5c0b7d55085c9c
Instruction ID: 7605e3d858354b6adad4e8cc50f48b23ac3a8088f01cb4c1ddeff153822fe4fb
Opcode Fuzzy Hash: e5fe929cb7eb099dfd86e2b72a41db03c230be63d796b1944a5c0b7d55085c9c
Instruction Fuzzy Hash: DD2138B1D04208EFEB14CF96CC45AAEBBB8EF90705F1040ABE505B6261D7745A00CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0044F3F3, Relevance: 4.5, APIs: 3, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?,?,?), ref: 0044F42C
RegCloseKey.ADVAPI32(00000000,?,?), ref: 0044F435
GetPrivateProfileIntA.KERNEL32 ref: 0044F451

Memory Dump Source

Source File: 00000001.00000002.653276993.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.653273053.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653314084.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653325279.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.653334545.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653338865.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653344097.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653347535.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ClosePrivateProfileQueryValue
String ID:
API String ID: 1423431592-0
Opcode ID: a5adae195a35fa4e73bf76f32d84e35c62258e7142751bb22f96dca9acb772e9
Instruction ID: 74f09bcaac624bead4b59f43faef543b983ea7b1c8e5fdb6f0ea1876ef778dd1
Opcode Fuzzy Hash: a5adae195a35fa4e73bf76f32d84e35c62258e7142751bb22f96dca9acb772e9
Instruction Fuzzy Hash: 49014672100218FBDB129F80DC04EEF3BB8EF54755F10803AFA05AA110DB75EA199B98

Uniqueness

Uniqueness Score: -1.00%

Function 0041C139, Relevance: 3.1, APIs: 2, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0041C17D
RtlAllocateHeap.NTDLL(00000008,?,0045C8B8,00000010,0041E3E7,00000001,0000008C,?,0041E870,?,00419950,00000001,00478DA0,0045C788,00000010,00401E17), ref: 0041C1BB

Memory Dump Source

Source File: 00000001.00000002.653276993.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.653273053.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653314084.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653325279.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.653334545.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653338865.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653344097.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653347535.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BnJvVt951o.jbxd

Similarity

API ID: AllocateHeap__lock
String ID:
API String ID: 4078605025-0
Opcode ID: 1c62fde75f761435134d66b5f4cffda9508f87cd5b6bc7cb12e4df8c1025f6b6
Instruction ID: c1d28866222c0dc6414e7fea66e701ef6e43db6b2debc05eda2622e8d1883d5a
Opcode Fuzzy Hash: 1c62fde75f761435134d66b5f4cffda9508f87cd5b6bc7cb12e4df8c1025f6b6
Instruction Fuzzy Hash: 1611E632DC0615A6CB21AB658C816DE7B21AF90724F15421BEC24A73D3CB3C8AC18F9C

Uniqueness

Uniqueness Score: -1.00%

Function 004398A4, Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004398A9
wsprintfA.USER32 ref: 004398E6

Part of subcall function 0044F45C: __EH_prolog.LIBCMT ref: 0044F461

Memory Dump Source

Source File: 00000001.00000002.653276993.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.653273053.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653314084.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653325279.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.653334545.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653338865.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653344097.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653347535.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BnJvVt951o.jbxd

Similarity

API ID: H_prolog$wsprintf
String ID:
API String ID: 172397338-0
Opcode ID: 3de8a07d2760c78c032f7f6cf612e55542b580be98464b1f87c14e7a0f445d2a
Instruction ID: b58df83bfa8cb1f87c15a047e07b73912b99d9eb8ca075b9dcc5624172093b3b
Opcode Fuzzy Hash: 3de8a07d2760c78c032f7f6cf612e55542b580be98464b1f87c14e7a0f445d2a
Instruction Fuzzy Hash: 8511B671900605DFCB14EFA9D8819AEB7F5FF48318F10452EF461E7691CB34A904CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041902C, Relevance: 3.0, APIs: 2, Instructions: 34memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0041904E

Part of subcall function 0041C486: EnterCriticalSection.KERNEL32(00478DA0,00478DA0,?,0041E870,?,00419950,00000001,00478DA0,0045C788,00000010,00401E17,Characters: %c %c ,00000061,00000041), ref: 0041C4AE

RtlAllocateHeap.NTDLL(00000000,?,0045C768,0000000C,004190B7,000000E0,004190E2,?,0041C409,00000018,0045C8C8,00000008,0041C49F,?,00478DA0), ref: 0041908F

Memory Dump Source

Source File: 00000001.00000002.653276993.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.653273053.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653314084.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653325279.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.653334545.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653338865.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653344097.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653347535.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BnJvVt951o.jbxd

Similarity

API ID: AllocateCriticalEnterHeapSection__lock
String ID:
API String ID: 409319249-0
Opcode ID: 915dc4749733b52090c7e78aff1820d60ee7a4f24177a6b31d71a6b438375017
Instruction ID: dc5206d65ac73eaf864f438a6c0f78885cd20580cda411dd0d3dda0f5c44dbbb
Opcode Fuzzy Hash: 915dc4749733b52090c7e78aff1820d60ee7a4f24177a6b31d71a6b438375017
Instruction Fuzzy Hash: 85F0F631C80211D6DB24BB759C567DE7B60AB08324F25422EEC58672E1C73C5DC0CB4D

Uniqueness

Uniqueness Score: -1.00%

Function 00431AAC, Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00431AD3
CallWindowProcA.USER32 ref: 00431AE8

Memory Dump Source

Source File: 00000001.00000002.653276993.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.653273053.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653314084.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653325279.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.653334545.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653338865.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653344097.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653347535.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BnJvVt951o.jbxd

Similarity

API ID: ProcWindow$Call
String ID:
API String ID: 2316559721-0
Opcode ID: a8875d60b43fa694f0911aa7ee2c2c2b59b12663bbda4821a0ac7331270e0a87
Instruction ID: 9a5d0fe453fd5e5d442d397c126565b24aef5118643a609f3f89f8589eb6a085
Opcode Fuzzy Hash: a8875d60b43fa694f0911aa7ee2c2c2b59b12663bbda4821a0ac7331270e0a87
Instruction Fuzzy Hash: 01F01536101609EFCF219F95DC18DAA7BBAFF0C352F048429FA0586630D372E820AB54

Uniqueness

Uniqueness Score: -1.00%

Function 0041C4D1, Relevance: 3.0, APIs: 2, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00419C63,00000001,?,0045C7A8,00000060), ref: 0041C4E2

Part of subcall function 0041C5BC: HeapAlloc.KERNEL32(00000000,00000140,0041C50A,000003F8,?,0045C7A8,00000060), ref: 0041C5C9

HeapDestroy.KERNEL32(?,0045C7A8,00000060), ref: 0041C515

Memory Dump Source

Source File: 00000001.00000002.653276993.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.653273053.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653314084.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653325279.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.653334545.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653338865.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653344097.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653347535.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BnJvVt951o.jbxd

Similarity

API ID: Heap$AllocCreateDestroy
String ID:
API String ID: 2236781399-0
Opcode ID: 87bbc2843d472829b2ef89704e86d8af703d01ada110c1709cc2f7aeb2b71cc2
Instruction ID: 7c3bd9f5b4b46e9794cf6a332750d5066d7fd5e8b96e20f30908588fd1cd5013
Opcode Fuzzy Hash: 87bbc2843d472829b2ef89704e86d8af703d01ada110c1709cc2f7aeb2b71cc2
Instruction Fuzzy Hash: C7E04FB1695310EADB10AF719D8DBAA3AD6DB4478AF00043FF404C51E1EB78D5C0EA1D

Uniqueness

Uniqueness Score: -1.00%

Function 0043503C, Relevance: 3.0, APIs: 2, Instructions: 25threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0044F02F: __EH_prolog.LIBCMT ref: 0044F034

GetCurrentThreadId.KERNEL32 ref: 0043505E
SetWindowsHookExA.USER32 ref: 0043506E

Memory Dump Source

Source File: 00000001.00000002.653276993.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.653273053.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653314084.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653325279.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.653334545.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653338865.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653344097.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653347535.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BnJvVt951o.jbxd

Similarity

API ID: CurrentH_prologHookThreadWindows
String ID:
API String ID: 2183259885-0
Opcode ID: fa57018b2061f09c2615cee7a7a8ab451c877c7e69fac4a8b5c0bd024d663bfc
Instruction ID: 63aff0302d2982f97e3b76b7288842a291ddd2f00c7bfc238e4339544eb3de98
Opcode Fuzzy Hash: fa57018b2061f09c2615cee7a7a8ab451c877c7e69fac4a8b5c0bd024d663bfc
Instruction Fuzzy Hash: 7CE06531740B109ED2306B92AC15F5776A4DBC8726F51552FE50986141C335A84486BD

Uniqueness

Uniqueness Score: -1.00%

Function 00438522, Relevance: 3.0, APIs: 2, Instructions: 15threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00438535
SetWindowsHookExA.USER32 ref: 00438545

Memory Dump Source

Source File: 00000001.00000002.653276993.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.653273053.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653314084.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653325279.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.653334545.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653338865.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653344097.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653347535.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BnJvVt951o.jbxd

Similarity

API ID: CurrentHookThreadWindows
String ID:
API String ID: 1904029216-0
Opcode ID: 60a374326582e6fd45de703582bfe03cc6b3e523ebf7321959d28aa07a968d44
Instruction ID: ccc9c6806e51c4b76788036dcd35ea03a28c57b756b3c0db120f588d1f581546
Opcode Fuzzy Hash: 60a374326582e6fd45de703582bfe03cc6b3e523ebf7321959d28aa07a968d44
Instruction Fuzzy Hash: F2D0A771C047607FFB102B746C19B293A505B05739F54175EF424961D2CE7CD5404B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00433D9C, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00433DA1

Part of subcall function 0044F02F: __EH_prolog.LIBCMT ref: 0044F034

Memory Dump Source

Source File: 00000001.00000002.653276993.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.653273053.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653314084.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653325279.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.653334545.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653338865.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653344097.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653347535.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BnJvVt951o.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 1f4f402cad16baa03feb8c9b8df4c1ff7379fb18e5b1fbac80ea2e244e1f3584
Instruction ID: 217b5259fde65db3885a56b274e9404f905c368ae3fa042c110acc6f53840b47
Opcode Fuzzy Hash: 1f4f402cad16baa03feb8c9b8df4c1ff7379fb18e5b1fbac80ea2e244e1f3584
Instruction Fuzzy Hash: BF2168B2900219EFCF05DF59C4829EE7BB5FB48354F10402AF801AB241D374AE85CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0044F02F, Relevance: 1.5, APIs: 1, Instructions: 39COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044F034

Part of subcall function 0044ED79: TlsAlloc.KERNEL32(?,0044F05E,73B74DE0,00000000,?,0044D598,0044C800,0044D5B4,00437F34,0043B484,73B74DE0,00000000,?,00419D19,00000000), ref: 0044ED9B

Memory Dump Source

Source File: 00000001.00000002.653276993.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.653273053.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653314084.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653325279.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.653334545.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653338865.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653344097.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653347535.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BnJvVt951o.jbxd

Similarity

API ID: AllocH_prolog
String ID:
API String ID: 3910492588-0
Opcode ID: 08853716338d5d36f3402c2a6b0b7152c1237e78638d7e359c55b01d012e747f
Instruction ID: b0c5c036e64a4565b7a51127bc03cc4d744149bd569e55b8a23d2c6ab39c094b
Opcode Fuzzy Hash: 08853716338d5d36f3402c2a6b0b7152c1237e78638d7e359c55b01d012e747f
Instruction Fuzzy Hash: 3D0181356006019FEB29EF26D81176DB7B2FBD0365F10417EE58697391DB388D40CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00412675, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041267A

Part of subcall function 0044DB78: __EH_prolog.LIBCMT ref: 0044DB7D

Part of subcall function 00412137: __EH_prolog.LIBCMT ref: 0041213C

Part of subcall function 004315F6: __EH_prolog.LIBCMT ref: 004315FB
Part of subcall function 004315F6: FindResourceA.KERNEL32(?,00000000,00000005), ref: 00431633
Part of subcall function 004315F6: LoadResource.KERNEL32(?,00000000), ref: 0043163B
Part of subcall function 004315F6: LockResource.KERNEL32(00000000), ref: 0043164D

Part of subcall function 00430E44: __EH_prolog.LIBCMT ref: 00430E49

Memory Dump Source

Source File: 00000001.00000002.653276993.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.653273053.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653314084.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.653325279.0000000000469000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.653334545.0000000000477000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653338865.000000000047B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653344097.000000000047D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.653347535.000000000047E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_BnJvVt951o.jbxd

Similarity

API ID: H_prolog$Resource$FindLoadLock
String ID:
API String ID: 807587585-0
Opcode ID: 440cd8fa29eb9ee4f3801710ff5bdcedb7e66363f248bb282ecd869aaa0fc82a
Instruction ID: b45528432e8057bea371eba47b4c80f828b5add35470d5ee7ebcf6187e48438f
Opcode Fuzzy Hash: 440cd8fa29eb9ee4f3801710ff5bdcedb7e66363f248bb282ecd869aaa0fc82a
Instruction Fuzzy Hash: B9F08CB1E002199BCB24EB71CA027D8B770AF04329F0086AE9246A2581DF785F04CB44

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report BnJvVt951o.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Function 0042F3FF, Relevance: 35.3, APIs: 16, Strings: 4, Instructions: 315
windowkeyboardCOMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre