Play interactive tour

Edit tour

Analysis Report #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.bat

Overview

General Information

Sample Name:	#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.bat (renamed file extension from bat to exe)
Analysis ID:	343504
MD5:	6665909a2652c5860fd874cb15c3991c
SHA1:	84a5a2e920e8165634e510766eaa51662401a227
SHA256:	1ef7ae3509e71c3cd0904a7396831e6bd2c021f14dc5d4b2485a38ebefc3dd3d
Most interesting Screenshot:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)

Multi AV Scanner detection for submitted file

Connects to many ports of the same IP (likely port scanning)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses known network protocols on non-standard ports

Abnormal high CPU Usage

Checks for available system drives (often done to infect USB drives)

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

PE file contains strange resources

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe (PID: 4164 cmdline: 'C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe' MD5: 6665909A2652C5860FD874CB15C3991C)

zr.exe (PID: 6340 cmdline: 'C:\Users\user\zT6Nm@i4\zr.exe' a 'C:\Users\user\zT6Nm@i4\111.7z' 'C:\Users\user\zT6Nm@i4\TXP\*' MD5: 045FCBE6C174AFA9A6A998BDD6F9FAD7)

conhost.exe (PID: 6356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6648 cmdline: 'C:\Windows\System32\cmd.exe' /C 'C:\Users\user\zT6Nm@i4\copy.bat' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PMRunner64.exe (PID: 7120 cmdline: 'C:\Users\user\zT6Nm@i4\PMRunner64.exe' MD5: 65DBB57517611D9DE8CE522022DCD727)

zr.exe (PID: 6800 cmdline: 'C:\ProgramData\Microsoft\zr.exe' x C:\ProgramData\Microsoft\111.7z -y MD5: 045FCBE6C174AFA9A6A998BDD6F9FAD7)

conhost.exe (PID: 6656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PMRunner64.exe (PID: 6492 cmdline: 'C:\Users\user\zT6Nm@i4\PMRunner64.exe' MD5: 65DBB57517611D9DE8CE522022DCD727)

PMRunner64.exe (PID: 6972 cmdline: 'C:\Users\user\zT6Nm@i4\PMRunner64.exe' MD5: 65DBB57517611D9DE8CE522022DCD727)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\zT6Nm@i4\ru2.url	Methodology_Suspicious_Shortcut_Local_URL	Detects local script usage for .URL persistence	@itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)	0x13:$file: URL=file:/// 0x0:$url_explicit: [InternetShortcut]

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Virustotal: Detection: 15%			Perma Link
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	ReversingLabs: Detection: 22%

Privilege Escalation:

Contains functionality to bypass UAC (CMSTPLUA)

Show sources

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_0000000180002D40 CoGetObject,CoGetObject,Sleep,SleepEx,

0_2_0000000180002D40

Compliance:

Binary contains paths to debug symbols

Show sources

Source:

Binary string: C:\sourcetree\CortexCommon\Razer.ProcessManager\PMManager\x64\Release\PMRunner.pdb source: PMRunner64.exe, 0000000C.00000000.685253001.00007FF7A5177000.00000002.00020000.sdmp, PMRunner64.exe, 0000000E.00000000.707315840.00007FF7A5177000.00000002.00020000.sdmp, PMRunner64.exe, 0000000F.00000000.724614077.00007FF7A5177000.00000002.00020000.sdmp, PMRunner64.exe.0.dr

Spreading:

Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: c:	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: [:	Jump to behavior

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400223C0 GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	0_2_00000001400223C0
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_00405BD6 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,	1_2_00405BD6
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0040755D FindFirstFileW,	1_2_0040755D

Source: C:\Users\user\zT6Nm@i4\zr.exe

Code function: 1_2_00406532 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

1_2_00406532

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File opened: C:\Users\user\zT6Nm@i4\	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File opened: C:\Users\user\zT6Nm@i4\TXP\	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File opened: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File opened: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs\Startup\Realtek???????? .lnk	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File opened: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\	Jump to behavior

Networking:

Connects to many ports of the same IP (likely port scanning)

Show sources

Source: global traffic

TCP traffic: 110.92.66.246 ports 1,2,13527,3,5,7

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 13527
Source: unknown	Network traffic detected: HTTP traffic on port 13527 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 13527
Source: unknown	Network traffic detected: HTTP traffic on port 13527 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 13527
Source: unknown	Network traffic detected: HTTP traffic on port 13527 -> 49746

Source: global traffic

TCP traffic: 192.168.2.4:49744 -> 110.92.66.246:13527

Source: global traffic	HTTP traffic detected: GET /\ HTTP/1.1Connection: UpgradeSec-WebSocket-Key: FCzEFfJJGECxZCsRaGKFlJqHWSec-WebSocket-Version: 13Upgrade: websocketSec-WebSocket-Extensions: permessage-deflate; client_max_window_bitsHost: 110.92.66.246:13527
Source: global traffic	HTTP traffic detected: GET /\ HTTP/1.1Connection: UpgradeSec-WebSocket-Key: hVvGEJDDITDIJDJeQLtIKCsnCSec-WebSocket-Version: 13Upgrade: websocketSec-WebSocket-Extensions: permessage-deflate; client_max_window_bitsHost: 110.92.66.246:13527
Source: global traffic	HTTP traffic detected: GET /\ HTTP/1.1Connection: UpgradeSec-WebSocket-Key: IKBXBepAaaBfkIYjnCKuMRKkFSec-WebSocket-Version: 13Upgrade: websocketSec-WebSocket-Extensions: permessage-deflate; client_max_window_bitsHost: 110.92.66.246:13527

Source: Joe Sandbox View

IP Address: 204.79.197.200 204.79.197.200

Source: Joe Sandbox View

ASN Name: HKKFGL-AS-APHKKwaifongGroupLimitedHK HKKFGL-AS-APHKKwaifongGroupLimitedHK

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 104.79.89.181
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.135
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_0000000140002220 recv,SendMessageW,_cwprintf_s_l,inet_ntoa,_cwprintf_s_l,inet_ntoa,_cwprintf_s_l,_cwprintf_s_l,_cwprintf_s_l,htons,_cwprintf_s_l,

0_2_0000000140002220

Source: global traffic	HTTP traffic detected: GET /\ HTTP/1.1Connection: UpgradeSec-WebSocket-Key: FCzEFfJJGECxZCsRaGKFlJqHWSec-WebSocket-Version: 13Upgrade: websocketSec-WebSocket-Extensions: permessage-deflate; client_max_window_bitsHost: 110.92.66.246:13527
Source: global traffic	HTTP traffic detected: GET /\ HTTP/1.1Connection: UpgradeSec-WebSocket-Key: hVvGEJDDITDIJDJeQLtIKCsnCSec-WebSocket-Version: 13Upgrade: websocketSec-WebSocket-Extensions: permessage-deflate; client_max_window_bitsHost: 110.92.66.246:13527
Source: global traffic	HTTP traffic detected: GET /\ HTTP/1.1Connection: UpgradeSec-WebSocket-Key: IKBXBepAaaBfkIYjnCKuMRKkFSec-WebSocket-Version: 13Upgrade: websocketSec-WebSocket-Extensions: permessage-deflate; client_max_window_bitsHost: 110.92.66.246:13527

Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: http://th.symcb.com/th.crl0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: http://th.symcb.com/th.crt0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: http://th.symcd.com0&
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: http://www.nsecsoft.com
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: https://www.thawte.com/cps0
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49681 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_00000001400DC700 CreateCompatibleDC,CreateCompatibleBitmap,FillRect,OpenClipboard,EmptyClipboard,CloseClipboard,SetClipboardData,CloseClipboard,

0_2_00000001400DC700

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_00000001400900A0 IsWindow,GetFocus,IsChild,SendMessageW,IsChild,SendMessageW,GetFocus,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,

0_2_00000001400900A0

Source: zr.exe, 00000001.00000002.653437096.0000000000708000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014007AAC4 MessageBeep,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,	0_2_000000014007AAC4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140085328 GetParent,ScreenToClient,free,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,	0_2_0000000140085328
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014000F35C GetKeyState,GetKeyState,GetKeyState,SendMessageW,	0_2_000000014000F35C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014008F93C GetKeyState,GetKeyState,GetKeyState,	0_2_000000014008F93C

System Summary:

Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\zT6Nm@i4\zr.exe

Code function: 1_2_00406D20: __EH_prolog,GetFileInformationByHandle,DeviceIoControl,memcpy,

1_2_00406D20

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014002007C	0_2_000000014002007C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140011818	0_2_0000000140011818
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140076074	0_2_0000000140076074
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014010E08C	0_2_000000014010E08C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400BE1D0	0_2_00000001400BE1D0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014005A1C4	0_2_000000014005A1C4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140162354	0_2_0000000140162354
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014005C3D4	0_2_000000014005C3D4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014007A4D8	0_2_000000014007A4D8
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400365D8	0_2_00000001400365D8
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140046614	0_2_0000000140046614
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014003C644	0_2_000000014003C644
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014005A694	0_2_000000014005A694
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400DE6A4	0_2_00000001400DE6A4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014004472C	0_2_000000014004472C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014000A760	0_2_000000014000A760
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400BE798	0_2_00000001400BE798
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014006C8BC	0_2_000000014006C8BC
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400768F8	0_2_00000001400768F8
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140074934	0_2_0000000140074934
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014002C960	0_2_000000014002C960
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140018AB8	0_2_0000000140018AB8
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140014AD0	0_2_0000000140014AD0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014005EAE4	0_2_000000014005EAE4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140040B54	0_2_0000000140040B54
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140092B98	0_2_0000000140092B98
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140024BFC	0_2_0000000140024BFC
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140084BF4	0_2_0000000140084BF4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140090C1C	0_2_0000000140090C1C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014005AD18	0_2_000000014005AD18
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140078D58	0_2_0000000140078D58
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140042E18	0_2_0000000140042E18
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140018EA0	0_2_0000000140018EA0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400F0FA4	0_2_00000001400F0FA4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140021100	0_2_0000000140021100
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014003910C	0_2_000000014003910C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140029308	0_2_0000000140029308
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014005F304	0_2_000000014005F304
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400BF304	0_2_00000001400BF304
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140097328	0_2_0000000140097328
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400DF350	0_2_00000001400DF350
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014009140C	0_2_000000014009140C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400CB4B4	0_2_00000001400CB4B4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014003754C	0_2_000000014003754C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014007564C	0_2_000000014007564C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140081668	0_2_0000000140081668
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014001D68C	0_2_000000014001D68C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001401636B0	0_2_00000001401636B0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400476E4	0_2_00000001400476E4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014002377C	0_2_000000014002377C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400577E8	0_2_00000001400577E8
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400F1800	0_2_00000001400F1800
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140051880	0_2_0000000140051880
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400798A4	0_2_00000001400798A4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400638BC	0_2_00000001400638BC
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001401578AC	0_2_00000001401578AC
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400A38D0	0_2_00000001400A38D0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400918D4	0_2_00000001400918D4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014007DA44	0_2_000000014007DA44
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140161B54	0_2_0000000140161B54
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140087CCC	0_2_0000000140087CCC
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140067CE4	0_2_0000000140067CE4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140159CFC	0_2_0000000140159CFC
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400BBD90	0_2_00000001400BBD90
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400DFD94	0_2_00000001400DFD94
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140041DE4	0_2_0000000140041DE4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400A1E3C	0_2_00000001400A1E3C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140043E5C	0_2_0000000140043E5C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014005BE90	0_2_000000014005BE90
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140079EC0	0_2_0000000140079EC0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140161ED4	0_2_0000000140161ED4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400B9ED4	0_2_00000001400B9ED4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400BDED8	0_2_00000001400BDED8
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014006FF0C	0_2_000000014006FF0C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140047F40	0_2_0000000140047F40
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014000DF9C	0_2_000000014000DF9C
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014006BFC4	0_2_000000014006BFC4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000018000C380	0_2_000000018000C380
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001800088E0	0_2_00000001800088E0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001800090C0	0_2_00000001800090C0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000018000E274	0_2_000000018000E274
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001800104F0	0_2_00000001800104F0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000180016900	0_2_0000000180016900
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000180006AE0	0_2_0000000180006AE0
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_004292EC	1_2_004292EC
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_004419AF	1_2_004419AF
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0044C0C8	1_2_0044C0C8
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0044C0A0	1_2_0044C0A0
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0044017B	1_2_0044017B
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0045A190	1_2_0045A190
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0041C3CB	1_2_0041C3CB
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0041A459	1_2_0041A459
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_00456650	1_2_00456650
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0043674E	1_2_0043674E
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0044C8A0	1_2_0044C8A0
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_004509E8	1_2_004509E8
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0044C9B0	1_2_0044C9B0
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0044AC50	1_2_0044AC50
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_00454F00	1_2_00454F00
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_00452FB0	1_2_00452FB0
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_00451150	1_2_00451150
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0045B423	1_2_0045B423
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_004575D0	1_2_004575D0
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0045B5B1	1_2_0045B5B1
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_004015BE	1_2_004015BE
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0045B68B	1_2_0045B68B
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0045B771	1_2_0045B771
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_004159D7	1_2_004159D7
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_00401999	1_2_00401999
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_00459AE0	1_2_00459AE0
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_00451B10	1_2_00451B10
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_00459CA0	1_2_00459CA0
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0040DDF1	1_2_0040DDF1
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0044BF30	1_2_0044BF30

Source: C:\Users\user\zT6Nm@i4\zr.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: String function: 00401CC2 appears 153 times
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: String function: 0045AD30 appears 480 times

Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: K_FPS64.dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: K_FPS64.dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: K_FPS64.dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PMRunner64.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename7zr.exe, vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.686343189.0000000002530000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.686343189.0000000002530000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.686174201.0000000002430000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.686004489.00000000020D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.686469830.00000000026C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameWindows.Storage.dll.MUIj% vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.686358301.0000000002550000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Section loaded: dhcpcsvc.dll	Jump to behavior

Source: C:\Users\user\zT6Nm@i4\ru2.url, type: DROPPED

Matched rule: Methodology_Suspicious_Shortcut_Local_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019

Source: classification engine

Classification label: mal72.troj.expl.evad.winEXE@13/17@0/5

Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_00414942 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		1_2_00414942
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_00407CF5 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,		1_2_00407CF5

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_000000014001E7FC CoInitialize,CoCreateInstance,

0_2_000000014001E7FC

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_00000001400081A8 FindResourceW,LoadResource,LockResource,FreeResource,

0_2_00000001400081A8

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

File created: C:\Users\user\zT6Nm@i4

Jump to behavior

Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Mutant created: \Sessions\1\BaseNamedObjects\V 5i
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Mutant created: \Sessions\1\BaseNamedObjects\Random name
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6700:120:WilError_01

Source: unknown

Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\Users\user\zT6Nm@i4\copy.bat'

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Virustotal: Detection: 15%
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	ReversingLabs: Detection: 22%

Source: unknown	Process created: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe 'C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe'
Source: unknown	Process created: C:\Users\user\zT6Nm@i4\zr.exe 'C:\Users\user\zT6Nm@i4\zr.exe' a 'C:\Users\user\zT6Nm@i4\111.7z' 'C:\Users\user\zT6Nm@i4\TXP\*'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\Users\user\zT6Nm@i4\copy.bat'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\Microsoft\zr.exe 'C:\ProgramData\Microsoft\zr.exe' x C:\ProgramData\Microsoft\111.7z -y
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\zT6Nm@i4\PMRunner64.exe 'C:\Users\user\zT6Nm@i4\PMRunner64.exe'
Source: unknown	Process created: C:\Users\user\zT6Nm@i4\PMRunner64.exe 'C:\Users\user\zT6Nm@i4\PMRunner64.exe'
Source: unknown	Process created: C:\Users\user\zT6Nm@i4\PMRunner64.exe 'C:\Users\user\zT6Nm@i4\PMRunner64.exe'
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process created: C:\Users\user\zT6Nm@i4\zr.exe 'C:\Users\user\zT6Nm@i4\zr.exe' a 'C:\Users\user\zT6Nm@i4\111.7z' 'C:\Users\user\zT6Nm@i4\TXP\*'	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\Users\user\zT6Nm@i4\copy.bat'	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process created: C:\Users\user\zT6Nm@i4\PMRunner64.exe 'C:\Users\user\zT6Nm@i4\PMRunner64.exe'	Jump to behavior

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Static file information: File size 3150336 > 1048576

Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x179c00

Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Static PE information: More than 200 imports for USER32.dll

Source:

Data Obfuscation:

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_0000000140032378 GetModuleHandleW,LoadLibraryW,GetProcAddress,

0_2_0000000140032378

Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Static PE information: section name: text
Source: zr.exe.0.dr	Static PE information: section name: .sxdata
Source: zr.exe.3.dr	Static PE information: section name: .sxdata

Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0044C2D0 push ecx; mov dword ptr [esp], ecx	1_2_0044C2D1
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0045AD30 push eax; ret	1_2_0045AD4E
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0045B0E0 push eax; ret	1_2_0045B10E

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File created: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File created: C:\Users\user\zT6Nm@i4\zr.exe	Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\ProgramData\Microsoft\zr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File created: C:\Users\user\zT6Nm@i4\K_FPS64.dll	Jump to dropped file

Source: C:\Windows\System32\cmd.exe

File created: C:\ProgramData\Microsoft\zr.exe

Jump to dropped file

Boot Survival:

Source: C:\ProgramData\Microsoft\zr.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Realtek???????? .lnk

Jump to behavior

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File created: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File created: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File created: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs\Startup	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File created: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs\Startup\Realtek???????? .lnk	Jump to behavior
Source: C:\ProgramData\Microsoft\zr.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Realtek???????? .lnk	Jump to behavior

Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NULL			Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NULL			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 13527
Source: unknown	Network traffic detected: HTTP traffic on port 13527 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 13527
Source: unknown	Network traffic detected: HTTP traffic on port 13527 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 13527
Source: unknown	Network traffic detected: HTTP traffic on port 13527 -> 49746

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400025A0 IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	0_2_00000001400025A0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140038030 IsIconic,	0_2_0000000140038030
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400900A0 IsWindow,GetFocus,IsChild,SendMessageW,IsChild,SendMessageW,GetFocus,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,	0_2_00000001400900A0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400926C4 IsIconic,PostMessageW,	0_2_00000001400926C4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400668D4 IsWindowVisible,IsIconic,	0_2_00000001400668D4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140090DC0 GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	0_2_0000000140090DC0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140090DC0 GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	0_2_0000000140090DC0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140090DC0 GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	0_2_0000000140090DC0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140091184 IsWindowVisible,ScreenToClient,GetSystemMetrics,GetSystemMetrics,IsIconic,GetSystemMetrics,PtInRect,PtInRect,GetSystemMetrics,PtInRect,	0_2_0000000140091184
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140045388 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,GetParent,SendMessageW,UpdateWindow,GetParent,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,	0_2_0000000140045388
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400918D4 IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,PtInRect,SendMessageW,IsWindow,IsWindow,GetWindowRect,PtInRect,SendMessageW,ScreenToClient,PtInRect,GetParent,SendMessageW,SendMessageW,GetFocus,WindowFromPoint,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageW,	0_2_00000001400918D4
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140037F50 SetForegroundWindow,IsIconic,	0_2_0000000140037F50

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_000000018000C380 RtlEncodePointer,_initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_000000018000C380

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Show sources

Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: K_FPS64.dll.0.dr

Binary or memory string: OLLYDBG.EXEPROCESSHACKER.EXETCPVIEW.EXEAUTORUNS.EXEAUTORUNSC.EXEFILEMON.EXEPROCMON.EXEREGMON.EXEPROCEXP.EXEIDAQ.EXEIDAQ64.EXEIMMUNITYDEBUGGER.EXEWIRESHARK.EXEDUMPCAP.EXEHOOKEXPLORER.EXEIMPORTREC.EXEPETOOLS.EXELORDPE.EXESYSINSPECTOR.EXEPROC_ANALYZER.EXESYSANALYZER.EXESNIFF_HIT.EXEWINDBG.EXEJOEBOXCONTROL.EXEJOEBOXSERVER.EXERESOURCEHACKER.EXEX32DBG.EXEX64DBG.EXEFIDDLER.EXEHTTPDEBUGGER.EXERANDOM NAMEI AM CRITICAL FUNCTION, YOU SHOULD PROTECT AGAINST INT3 BPS %DPRL_CC.EXEPRL_TOOLS.EXECHECKING PARALLELS PROCESSES: %SHARDWARE\DEVICEMAP\SCSI\SCSI PORT 0\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0IDENTIFIERQEMUCHECKING REG KEY %S QEMU-GA.EXECHECKING QEMU PROCESSES %S VBOXHARDWARE\DESCRIPTION\SYSTEMSYSTEMBIOSDATE06/23/99HARDWARE\ACPI\DSDT\VBOX__HARDWARE\ACPI\FADT\VBOX__HARDWARE\ACPI\RSDT\VBOX__SYSTEM\CONTROLSET001\SERVICES\VBOXGUESTSYSTEM\CONTROLSET001\SERVICES\VBOXMOUSESYSTEM\CONTROLSET001\SERVICES\VBOXSERVICESYSTEM\CONTROLSET001\SERVICES\VBOXSFSYSTEM\CONTROLSET001\SERVICES\VBOXVIDEOVBOXSERVICE.EXEVBOXTRAY.EXEVMSRVC.EXEVMUSRVC.EXECHECKING VIRTUAL PC PROCESSES %S SOFTWARE\MICROSOFT\VIRTUAL MACHINE\GUEST\PARAMETERSVMWAREHARDWARE\DEVICEMAP\SCSI\SCSI PORT 1\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0HARDWARE\DEVICEMAP\SCSI\SCSI PORT 2\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0SYSTEM\CONTROLSET001\CONTROL\SYSTEMINFORMATIONSYSTEMMANUFACTURERSYSTEMPRODUCTNAMECHECKING REG KEY %S

Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosDate	Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	Jump to behavior

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_0-68413

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	API coverage: 4.5 %
Source: C:\Users\user\zT6Nm@i4\zr.exe	API coverage: 7.3 %

Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe TID: 6568	Thread sleep count: 342 > 30	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe TID: 6876	Thread sleep count: 60 > 30	Jump to behavior
Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe TID: 6884	Thread sleep count: 45 > 30	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_00000001400223C0 GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	0_2_00000001400223C0
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_00405BD6 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,	1_2_00405BD6
Source: C:\Users\user\zT6Nm@i4\zr.exe	Code function: 1_2_0040755D FindFirstFileW,	1_2_0040755D

Source: C:\Users\user\zT6Nm@i4\zr.exe

Code function: 1_2_00406532 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

1_2_00406532

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_000000014015892C VirtualQuery,GetSystemInfo,SetThreadStackGuarantee,VirtualAlloc,VirtualProtect,

0_2_000000014015892C

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File opened: C:\Users\user\zT6Nm@i4\	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File opened: C:\Users\user\zT6Nm@i4\TXP\	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File opened: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File opened: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs\Startup\Realtek???????? .lnk	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	File opened: C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\	Jump to behavior

Source: K_FPS64.dll.0.dr	Binary or memory string: ollydbg.exeProcessHacker.exetcpview.exeautoruns.exeautorunsc.exefilemon.exeprocmon.exeregmon.exeprocexp.exeidaq.exeidaq64.exeImmunityDebugger.exeWireshark.exedumpcap.exeHookExplorer.exeImportREC.exePETools.exeLordPE.exeSysInspector.exeproc_analyzer.exesysAnalyzer.exesniff_hit.exewindbg.exejoeboxcontrol.exejoeboxserver.exeResourceHacker.exex32dbg.exex64dbg.exeFiddler.exehttpdebugger.exeRandom nameI am critical function, you should protect against int3 bps %dprl_cc.exeprl_tools.exeChecking Parallels processes: %sHARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierQEMUChecking reg key %s qemu-ga.exeChecking qemu processes %s VBOXHARDWARE\Description\SystemSystemBiosDate06/23/99HARDWARE\ACPI\DSDT\VBOX__HARDWARE\ACPI\FADT\VBOX__HARDWARE\ACPI\RSDT\VBOX__SYSTEM\ControlSet001\Services\VBoxGuestSYSTEM\ControlSet001\Services\VBoxMouseSYSTEM\ControlSet001\Services\VBoxServiceSYSTEM\ControlSet001\Services\VBoxSFSYSTEM\ControlSet001\Services\VBoxVideovboxservice.exevboxtray.exeVMSrvc.exeVMUSrvc.exeChecking Virtual PC processes %s SOFTWARE\Microsoft\Virtual Machine\Guest\ParametersVMWAREHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0SYSTEM\ControlSet001\Control\SystemInformationSystemManufacturerSystemProductNameChecking reg key %s
Source: K_FPS64.dll.0.dr	Binary or memory string: 00:1C:14PV00:50:56Checking MAC starting with %svmtoolsd.exevmwaretray.exevmwareuser.exeVGAuthService.exevmacthlp.exeChecking VWware process %s kernel32.dllntdll.dllRtlGetVersionRtlAddFunctionTablentdll
Source: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000002.685826678.0000000000641000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	API call chain: ExitProcess graph end node			graph_0-68580
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	API call chain: ExitProcess graph end node			graph_0-67129

Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_000000014015C7A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_000000014015C7A0

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_0000000180014870 RtlEncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

0_2_0000000180014870

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_0000000140032378 GetModuleHandleW,LoadLibraryW,GetProcAddress,

0_2_0000000140032378

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_0000000140002BFC VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualAlloc,

0_2_0000000140002BFC

Source: C:\Users\user\zT6Nm@i4\PMRunner64.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_000000014015C7A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_000000014015C7A0
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: 0_2_0000000140154B40 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_0000000140154B40

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_00000001800090C0 SetFileAttributesW,Sleep,SleepEx,ShellExecuteExW,Sleep,SleepEx,DeleteFileW,ShellExecuteW,Sleep,SleepEx,DeleteFileW,DeleteFileW,DeleteFileW,Sleep,SleepEx,DeleteFileW,DeleteFileW,DeleteFileW,Sleep,SleepEx,ShellExecuteExW,DeleteFileW,DeleteFileW,DeleteFileW,

0_2_00000001800090C0

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process created: C:\Users\user\zT6Nm@i4\zr.exe 'C:\Users\user\zT6Nm@i4\zr.exe' a 'C:\Users\user\zT6Nm@i4\111.7z' 'C:\Users\user\zT6Nm@i4\TXP\*'	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\Users\user\zT6Nm@i4\copy.bat'	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Process created: C:\Users\user\zT6Nm@i4\PMRunner64.exe 'C:\Users\user\zT6Nm@i4\PMRunner64.exe'	Jump to behavior

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: _cwprintf_s_l,GetNumberFormatW,GetLocaleInfoW,lstrlenW,		0_2_000000014006CC48
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Code function: GetProcAddress,_errno,GetUserDefaultUILanguage,ConvertDefaultLocale,ConvertDefaultLocale,GetSystemDefaultUILanguage,ConvertDefaultLocale,ConvertDefaultLocale,GetModuleFileNameW,GetLocaleInfoW,_errno,_errno,_snwprintf_s,_errno,_errno,_errno,LoadLibraryW,		0_2_0000000140003520

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_0000000140154D44 GetSystemTimeAsFileTime,

0_2_0000000140154D44

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_0000000140161ED4 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0000000140161ED4

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_00000001400206A8 GetVersionExW,GetSystemMetrics,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00000001400206A8

Remote Access Functionality:

Source: C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Code function: 0_2_0000000140001D04 WSAStartup,WSASocketW,gethostname,gethostbyname,inet_ntoa,htons,bind,WSAIoctl,

0_2_0000000140001D04

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Scripting1	Startup Items1	Startup Items1	Deobfuscate/Decode Files or Information1	Input Capture31	System Time Discovery2	Replication Through Removable Media1	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API2	DLL Side-Loading1	Exploitation for Privilege Escalation1	Scripting1	LSASS Memory	Peripheral Device Discovery11	Remote Desktop Protocol	Input Capture31	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Application Shimming1	DLL Side-Loading1	Obfuscated Files or Information2	Security Account Manager	File and Directory Discovery4	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Non-Standard Port11	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Registry Run Keys / Startup Folder21	Application Shimming1	DLL Side-Loading1	NTDS	System Information Discovery25	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Bypass User Access Control1	Bypass User Access Control1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Access Token Manipulation1	Masquerading1	Cached Domain Credentials	Security Software Discovery241	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Process Injection11	Virtualization/Sandbox Evasion2	DCSync	Virtualization/Sandbox Evasion2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Registry Run Keys / Startup Folder21	Access Token Manipulation1	Proc Filesystem	Process Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection11	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	15%	Virustotal		Browse
#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe	22%	ReversingLabs	Win64.Trojan.CrypterX

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\Microsoft\zr.exe	0%	Virustotal		Browse
C:\ProgramData\Microsoft\zr.exe	0%	Metadefender		Browse
C:\ProgramData\Microsoft\zr.exe	0%	ReversingLabs
C:\Users\user\zT6Nm@i4\K_FPS64.dll	6%	Virustotal		Browse
C:\Users\user\zT6Nm@i4\K_FPS64.dll	10%	ReversingLabs	Win64.Trojan.Wacatac
C:\Users\user\zT6Nm@i4\PMRunner64.exe	0%	Virustotal		Browse
C:\Users\user\zT6Nm@i4\PMRunner64.exe	0%	Metadefender		Browse
C:\Users\user\zT6Nm@i4\PMRunner64.exe	0%	ReversingLabs
C:\Users\user\zT6Nm@i4\zr.exe	0%	Virustotal		Browse
C:\Users\user\zT6Nm@i4\zr.exe	0%	Metadefender		Browse
C:\Users\user\zT6Nm@i4\zr.exe	0%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.nsecsoft.com	0%	Virustotal		Browse
http://www.nsecsoft.com	0%	Avira URL Cloud	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://110.92.66.246:13527/\	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.thawte.com/ThawtePremiumServerCA.crl0	#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	false		high
https://www.thawte.com/cps0/	#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	false		high
http://crl.thawte.com/ThawtePCA.crl0	#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	false		high
http://www.symauth.com/cps0(	#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	false		high
http://www.symauth.com/rpa00	#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643759945.0000000000691000.00000004.00000001.sdmp, PMRunner64.exe.0.dr	false		high
https://www.thawte.com/cps0	#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	false		high
http://www.nsecsoft.com	#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.thawte.com/repository0W	#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	false		high
http://ocsp.thawte.com0	#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe, 00000000.00000003.643844289.000000000069C000.00000004.00000001.sdmp, zr.exe.3.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
40.126.31.135	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
204.79.197.200	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
110.92.66.246	unknown	Hong Kong	133115	HKKFGL-AS-APHKKwaifongGroupLimitedHK	true

Private

IP
192.168.2.1
192.168.2.4

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	343504
Start date:	24.01.2021
Start time:	10:22:33
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.bat (renamed file extension from bat to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.troj.expl.evad.winEXE@13/17@0/5
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Successful, ratio: 12.2% (good quality ratio 9.2%) Quality average: 39.6% Quality standard deviation: 29.1%
HCA Information:	Successful, ratio: 59% Number of executed functions: 58 Number of non-executed functions: 310
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 40.88.32.150, 104.43.139.144, 51.104.139.180, 92.122.213.194, 92.122.213.247, 8.248.141.254, 8.253.204.249, 8.241.121.126, 67.27.157.254, 8.248.113.254 Excluded domains from analysis (whitelisted): skypedataprdcoleus15.cloudapp.net, arc.msn.com.nsatc.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, a1449.dscg2.akamai.net, arc.msn.com, au-bg-shim.trafficmanager.net Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:23:40	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\user\zT6Nm@i4\PMRunner64.exe
10:23:48	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\user\zT6Nm@i4\PMRunner64.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
204.79.197.200	6.html	Get hash	malicious	Browse	www.bing.com/favicon.ico
204.79.197.200	6.html	Get hash	malicious	Browse	www.bing.com/favicon.ico

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HKKFGL-AS-APHKKwaifongGroupLimitedHK	insz.exe	Get hash	malicious	Browse	88.218.145.49
	DOCUMENTO_MEDICO.doc	Get hash	malicious	Browse	154.221.28.167
	NI3651011817UL.doc	Get hash	malicious	Browse	103.210.237.241
	BAL_46979369.doc	Get hash	malicious	Browse	103.210.237.241
	427424855528075826480424.doc	Get hash	malicious	Browse	103.210.237.241
	FILE_81380052.doc	Get hash	malicious	Browse	103.210.237.241
	FILE_PO_09152020EX.doc	Get hash	malicious	Browse	103.210.237.241
	DOC_PO_09152020EX.doc	Get hash	malicious	Browse	103.210.237.241
	KH3117818420XX.doc	Get hash	malicious	Browse	103.210.237.241
	XCP_87353228.doc	Get hash	malicious	Browse	103.210.237.241
	BAL_PO_09152020EX.doc	Get hash	malicious	Browse	103.210.237.241
	IO3812758081JW.doc	Get hash	malicious	Browse	103.210.237.241
	BAL_53345761.doc	Get hash	malicious	Browse	103.210.237.241
	FILE_PO_09152020EX.doc	Get hash	malicious	Browse	103.210.237.241
	FILE_YZGLOSASM.doc	Get hash	malicious	Browse	103.210.237.241
	BAL_3105782760272.doc	Get hash	malicious	Browse	103.210.237.241
	VCG4PMFIB0AR.doc	Get hash	malicious	Browse	103.210.237.241
	4502009880852.doc	Get hash	malicious	Browse	103.210.237.241
	INV_PO_09152020EX.doc	Get hash	malicious	Browse	103.210.237.241
	W_RS5947693334AJ.doc	Get hash	malicious	Browse	103.210.237.241
MICROSOFT-CORP-MSN-AS-BLOCKUS	Shipping Document PL&BL Draft.exe	Get hash	malicious	Browse	52.165.230.236
	397282_BHJ.LNK	Get hash	malicious	Browse	157.55.165.21
	075782_NGD.LNK	Get hash	malicious	Browse	157.55.165.21
	118.apk	Get hash	malicious	Browse	52.177.138.113
	oHqMFmPndx.exe	Get hash	malicious	Browse	52.110.67.58
	ID652411022142.vbs	Get hash	malicious	Browse	104.41.44.79
	FileZilla_3.52.2_win64_sponsored-setup.exe	Get hash	malicious	Browse	104.208.16.0
	mfpVTSmyz-Fichero.msi	Get hash	malicious	Browse	40.112.173.153
	Proforma Invoice.exe	Get hash	malicious	Browse	52.97.170.34
	ID196619484.vbs	Get hash	malicious	Browse	104.41.44.79
	#Ud83d#Udcde stephane.viard@colt.net @ 1200 PM 1200 PM.pff.HTM	Get hash	malicious	Browse	104.41.163.16
	57229937-122020-4-7676523.doc	Get hash	malicious	Browse	52.165.155.237
	20202237F.html	Get hash	malicious	Browse	52.239.172.132
	demo.js	Get hash	malicious	Browse	191.233.233.157
	demo.js	Get hash	malicious	Browse	191.233.233.157
	E-DEKONT.exe	Get hash	malicious	Browse	52.97.144.178
	PO-RY 001-21 Accuri.jar	Get hash	malicious	Browse	23.98.35.163
	ID32256523109.vbs	Get hash	malicious	Browse	104.41.44.79
	SHIPPING DOCUMENTS.exe	Get hash	malicious	Browse	20.190.63.69
	DHL Notification -AWB DHL-2021011293002.exe	Get hash	malicious	Browse	52.97.201.82
MICROSOFT-CORP-MSN-AS-BLOCKUS	Shipping Document PL&BL Draft.exe	Get hash	malicious	Browse	52.165.230.236
	397282_BHJ.LNK	Get hash	malicious	Browse	157.55.165.21
	075782_NGD.LNK	Get hash	malicious	Browse	157.55.165.21
	118.apk	Get hash	malicious	Browse	52.177.138.113
	oHqMFmPndx.exe	Get hash	malicious	Browse	52.110.67.58
	ID652411022142.vbs	Get hash	malicious	Browse	104.41.44.79
	FileZilla_3.52.2_win64_sponsored-setup.exe	Get hash	malicious	Browse	104.208.16.0
	mfpVTSmyz-Fichero.msi	Get hash	malicious	Browse	40.112.173.153
	Proforma Invoice.exe	Get hash	malicious	Browse	52.97.170.34
	ID196619484.vbs	Get hash	malicious	Browse	104.41.44.79
	#Ud83d#Udcde stephane.viard@colt.net @ 1200 PM 1200 PM.pff.HTM	Get hash	malicious	Browse	104.41.163.16
	57229937-122020-4-7676523.doc	Get hash	malicious	Browse	52.165.155.237
	20202237F.html	Get hash	malicious	Browse	52.239.172.132
	demo.js	Get hash	malicious	Browse	191.233.233.157
	demo.js	Get hash	malicious	Browse	191.233.233.157
	E-DEKONT.exe	Get hash	malicious	Browse	52.97.144.178
	PO-RY 001-21 Accuri.jar	Get hash	malicious	Browse	23.98.35.163
	ID32256523109.vbs	Get hash	malicious	Browse	104.41.44.79
	SHIPPING DOCUMENTS.exe	Get hash	malicious	Browse	20.190.63.69
	DHL Notification -AWB DHL-2021011293002.exe	Get hash	malicious	Browse	52.97.201.82

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\111.7z Download File
Process:	C:\Windows\System32\cmd.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	871
Entropy (8bit):	7.6751333998200835
Encrypted:	false
SSDEEP:	24:CIOegEZhc5iZzVT78nOwNDSxEqrohfoi4:CLegEZnf8nhmtURoT
MD5:	23AEFC140636655BE400C41403524704
SHA1:	BD581B29370FD93ABF63BD2C02998A0EF2DFD2A4
SHA-256:	D37575E0B66A925ACB5432CC7B706DA8985635B80B3D60C6C90F748D1F743505
SHA-512:	2517137ABEE797FCA5E597A3826B7C02B1CB1EC045DAE4C1B493C8EE2070D6473DA9E7C584F8302D598DF11C687EE11BF2DDE9E33616243C6F94986CBD0A7AA0
Malicious:	false
Reputation:	low
Preview:	7z..'....A`.$.......#.........8.....l].&.0.!?...o..1b..V..pS.G.U.>............Gg..1>....;....>\|.P..D.H.ta......0ur4..F6..f.d.2..Vzr.....#.%..a...?.6.j8KM..$...Uh..{.{._.21.!....ui8..Y..M...K.L+.6zE0.....S=..c......4.H...E}..z. D......k...P:3...c9.......7."....V........>..l......R.a.i.Pk.....?.2.c...,.L.. .VC...ui...y^..[.$..%.ea........B...l-.....w.Ao.0.`.....Z>.......,\>.x...l..d......B.v.#P....a.8V.9`lw.f..J"r.._."9j...r".C.......?.L@..=.....9%...-..4...".[.....I...-...').(Dj.....`0L.Jq.;yZ.!w.i./..\2.e.....iCg...P....xr..9^........"..Q...V.V......... 0..M...q.).?uB...H.D..{Q.......[.4C..5....(:.{!\.u}5......{..'-..X=T.....3....Ed^.$...p..@.p.u/..........#.,..o.(iAk.HY-.}1./vF...].%...W.z@.@l.......gS........{....E.i.n..q.]Y....H.=<.R.[..V%.!K-}.....v...y.M&..^....T..@....s...AZP.....t..........#....]......r......

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Realtek???????? .lnk Download File
Process:	C:\ProgramData\Microsoft\zr.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Thu Jan 14 15:39:10 2021, mtime=Thu Jan 14 15:39:10 2021, atime=Thu Jan 14 15:39:10 2021, length=271704, window=hide
Category:	dropped
Size (bytes):	1791
Entropy (8bit):	3.466273590595946
Encrypted:	false
SSDEEP:	24:8Z3AX3ighdUAfmqpdoe7KODlWJdo7aB6m:8Z3AnisOqjl2k0B6
MD5:	5FF572CBE6B366349A9D3389D4A60CAC
SHA1:	497C442D14F4A09D00C3294784ECA1DC43A6F4A2
SHA-256:	16731A0D7B072BE60F580E93797D2E91F2DE970CF45C31EE7B9BAE52D4824B6E
SHA-512:	6DF6B097BFF0B76EC465A886ABE72EBC7DB3C850E4FA7D8CE1D60A36F57E04E3063507D3F23F059AA7024E7E7162F8F298610AA1702E16217730B1EF79D176B8
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ....K......K......K.....X%......................,.:..DG..Yr?.D..U..k0.&...&...........-....k.2...X,~.2.......t...CFSF..1.....8R.J7.zT6Nm@i4....t.Y^...H.g.3..(.....gVA.G..k...B......8R.J8R.J....3X.......................z.T.6.N.m.@.i.4...D.j.2.X%...R. .PMRUNN~1.EXE..N.......R..R......W........................P.M.R.u.n.n.e.r.6.4...e.x.e.......U...............-.......T..............w.....C:\Users\user\zT6Nm@i4\PMRunner64.exe........\.....\.....\.....\.....\.P.M.R.u.n.n.e.r.6.4...e.x.e...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.z.T.6.N.m.@.i.4.&.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.z.T.6.N.m.@.i.4.\.P.M.R.u.n.n.e.r.6.4...e.x.e.........%USERPROFILE%\zT6Nm@i4\PMRunner64.exe...............................................................................................................................................................................................................................%.U.S.E.R.P.R.O.F.I.L.E.%.\.z.T.6.N.m.@.i.4.\.P.M.R.u.n.n.e.r.6.4...e.x.e..........

C:\ProgramData\Microsoft\zr.exe Download File
Process:	C:\Windows\System32\cmd.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461088
Entropy (8bit):	6.581027593342649
Encrypted:	false
SSDEEP:	12288:tUBwDn0mdLrMkNpj6hTEXRrn9VsArg1xi:tUu7t3GTEhrn9VsA+i
MD5:	045FCBE6C174AFA9A6A998BDD6F9FAD7
SHA1:	9F477006DC176608E953EF44902FCE17DDF8FCA3
SHA-256:	08E510EF41795B4192650452D8E5482DBF71CEFAF9D67CFE02F60253D6023F96
SHA-512:	59CE53DDA80567A3B3E19FA2FBE404B655CB4203170B1295B1E6C33B9EBD0B6D2526FB568255610E64FA5C29A6F5C464766CDD746E207FFD2D48DA36811D717B
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................G..............J.......L..G............\|.....H........Rich..........................PE..L......W........../..........X....................@..................................W..........................................x.......(............... ............................................................................................text...u........................... ..`.rdata..............................@..@.data...\k..........................@....sxdata......p......................@....rsrc...(...........................@..@........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Plugin32.dll Download File
Process:	C:\Users\user\zT6Nm@i4\PMRunner64.exe
File Type:	data
Category:	dropped
Size (bytes):	191488
Entropy (8bit):	7.99619087524627
Encrypted:	true
SSDEEP:	3072:SGtyjkUNHHoDhFMFI0rciHPgZwkndg0WU15pI9SmDCPAuE1L3kaF/F1Dmq:S0yjkKHHAh9t4EbHI9SmDiAQWd1Dmq
MD5:	F6773A1C5D1566F4BEBDBF81BDDDC57D
SHA1:	38CC9D3391DE6AE3773076E23B528F9534E40471
SHA-256:	5B672EE64618CCCBC94011E1BA713E5B6EFA574A8CCA18CC3653C499B2AF2202
SHA-512:	63E4BE550A66783ADFA6D064BA4912A6440986D3AF396F608F3C7B0B9F830DB8BB718216824689E1CA23D636AE67838ADB49DC0DA3263C9D64D823FB15CC964C
Malicious:	false
Reputation:	low
Preview:	U...u].Z....u.....D<(.8x.S....L..N...+^...^.r.!.........!.\|u.N).Fa...L.;..{b..F.t.<.#.2=.}.r\|.!l....KnR.F..4{Ih..5..\......L...Fm...4F)J..%(q..<...zE8..8...A..#.b...&...\..Y.+^.,.......0..oi..`.g.kD.48.G....L.QNor..+2.&"..r.!.Q...".V....l7.@.)8!..h.C8.....:&=.@.1.I..~....bg.r..Z....vK..h.D\8..8....sBM..^..5+^...~.r.!...u... .\|.\|..@V)8.%..+.8......-..B{1.)..j..=.B..._.Z.....v...(.D.(.p8......L@.N/..+^.....rN!............\|..@.)8.%.(+.8.t..s:&}.@.1....>....b%.r..Z.U<`.v.....D.8..8.g..7.L..N...+^r...rNv&)9.5..}..<..Q.@.+8A).+d8.....:&.B@;....L.....r..r..Z....^i....D\|(.08...4.....N..U+^....r.!............\|..@v)8.%..+.8.4..3:&=.@.1.......].b..r..Z.....v...H.D.(..8.'....L`.NO..+^2....rn!.1.....=....\|..@.)8.%.H+$8.....:&..@.1.9..^....bE.r..Zs..p.v+....D<(..8....S.L..N...+^...^.r.!...U.....\.\|u.@6)8a%.+.8.....:&..@[1.......b..rN.Z.....v.....D.(.P8......L .N..u+^....r.!............\|..@.)8.%..+.8.T..S:&].@.1.......}.b..r..Z3..0.v...h.D.(..8.GN"*8L.\.N.N.3

C:\Users\user\zT6Nm@i4\111.7z Download File
Process:	C:\Users\user\zT6Nm@i4\zr.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	895
Entropy (8bit):	7.58674925006426
Encrypted:	false
SSDEEP:	24:7OegEZhc5iZzVT78nOwNDSxEqrohfoiQ3T:KegEZnf8nhmtURo/3T
MD5:	8B8E701F0984126214856AEA7B49A3E1
SHA1:	BC4995ABD24C3451D3AF427F7CE03FA484055157
SHA-256:	D4714CBC4612E14FA5D62B26274411A435396094EFECAAC6D82325FA2400FD04
SHA-512:	7049B6C1ED94B5F10138C3971598A7C98D2E25F340A3C914F4E0D27074AF70A51FF53A7652CE4373140054B0E16A484D1083483CFEB105F6DF5D313C3FAF35E5
Malicious:	false
Reputation:	low
Preview:	7z..'...............................l].&.0.!?...o..1b..V..pS.G.U.>............Gg..1>....;....>\|.P..D.H.ta......0ur4..F6..f.d.2..Vzr.....#.%..a...?.6.j8KM..$...Uh..{.{._.21.!....ui8..Y..M...K.L+.6zE0.....S=..c......4.H...E}..z. D......k...P:3...c9.......7."....V........>..l......R.a.i.Pk.....?.2.c...,.L.. .VC...ui...y^..[.$..%.ea........B...l-.....w.Ao.0.`.....Z>.......,\>.x...l..d......B.v.#P....a.8V.9`lw.f..J"r.._."9j...r".C.......?.L@..=.....9%...-..4...".[.....I...-...').(Dj.....`0L.Jq.;yZ.!w.i./..\2.e.....iCg...P....xr..9^........"..Q...V.V......... 0..M...q.).?uB...H.D..{Q.......[.4C..5....(:.{!\.u}5......{..'-..X=T.....3....Ed^.$...p..@.p.u/..........#.,..o.(iAk.HY-.}1./vF...].%...W.z@.@l.......gS........{....E.i.n..q.]Y....H.=<.R.[..V%.!K-}.....v...y.M&..^....T..@....s...AZP.....t..........#....]......r.......A`.$.......#.........8.

C:\Users\user\zT6Nm@i4\KK.txt Download File
Process:	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
File Type:	data
Category:	dropped
Size (bytes):	224323
Entropy (8bit):	7.996498851977439
Encrypted:	true
SSDEEP:	6144:5SDdKtn3KwKa9xg8LIzF9yWeSBvd+tResBuYU:4Dde3xKhOIzOGBF
MD5:	7B30F5D321E85813F5E5835F92FFA0FC
SHA1:	369474EA5BFFA01DAC8C663EDE08D7D0D8967054
SHA-256:	445E5B49DA01A0D99AFD84EF3D9C5238E02D5E4FBC546D43C619005A622C9917
SHA-512:	8797E96456F2C822DA7B79486784BA49ED7A4CC85FF74F76D097339EA8C2FDC945E1EB51BEF28F7E1358EA38BD6BBB8D1C35D63A54F5000A1D75C5E90DDAB0FD
Malicious:	false
Reputation:	low
Preview:	rc(.%c.Q.q....<cfW.&.-...SP#....\|O.%'q5.XrVN\....@J..)F.YZ.....%...,...y.s.x.....C...L.y.'....V.Ck....I.4'L.b....e'.Q..QS...w.xgF...L.Q......../.....'v6=.yj..t.h.n.i.a%g..:#.\.Q.lN...r.ht....y..I..k.ATu/.._..j._B...?%....-..N\|.G....\|1.V..&..^..8.L..E.y.PQ.....j\|fhfm 2....e..k..\. ...Q.......'}u....<.AW".I.a6..Dv.....G.j#..f...^..6.)...ky..yI.X..vv.....v..........$..4...I..........S..Zoz..n).....%....\...TFg...`~.@V.....E.Q....L.._.PnR4OI...^ .Av.y.d.....2.t2...-.D....Y.2.T!.Pl6...@;...[..q.o..'./.3..[k.E :....i.+%....c.@.o......eL....1.cig....?rP.O.C'....Ak...7..R....EG......Q.ey.._.k.r./..TOCe.y......q..<.I:9#+5...^..&.A..........U`v.w..t...A7m.Jg..m..".mz.......#....gW.^...q.z..HbX.......2..iH.!...#H.9..>W....S..&e..k..h<2..c.........b._..0.D1.Bno.q.$bP....o8[.Lq.bCG.E3g.W2.^.{.."n.........N4..(.....=E..R..O....\|......._L...IX.._.%.....x...`;...]Nm...Q.s7..i..QW.B...h.u.3.~..).#."&..(X.....l0.............X......z...b'..34.

C:\Users\user\zT6Nm@i4\K_FPS64.dll Download File
Process:	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	302592
Entropy (8bit):	5.94262128533878
Encrypted:	false
SSDEEP:	6144:YDVMbwz0W4gWqPcjwhum9o34Ec2x1tRuf+X4zNEP:YDGO0WTWq4wYb34Ec2vupEP
MD5:	B8477E4DF0F24A96BBAFD2F13C31A4A2
SHA1:	E4548C10552B1906BBE4A7EED90E97D24C958CF5
SHA-256:	5EFD269CA1CD474F68ECE50E6AC3F88F1831ACA273DE9789C17DD8A46AEA8D71
SHA-512:	6FE6FF9E3BD95CE0583AA2BBB06B8AB123363D94AFEEAB3CCE377B1FB5EABB0BA58F1107E822C39FF2D186E788783262EFFAB8270519A2A118C055013BEEC6B3
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 6%, Browse Antivirus: ReversingLabs, Detection: 10%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......sl..7.@.7.@.7.@.B..6.@...-.0.@...;.,.@.7.A...@.>u...@.>u..=.@.>u..H.@.>u..+.@.>u..6.@.)_..6.@.>u..6.@.Rich7.@.................PE..d......`.........." ................4........................................@......=.....@.........................................@...................x....@..............................................h$..(....................................................text...h........................... ..`.rdata..G...........................@..@.data..............................@....pdata.......@...0..................@..@.tls.........p......................@....rsrc...x...........................@..@.reloc...(.......*...t..............@..B........................................................................................................................................................................................................

C:\Users\user\zT6Nm@i4\PMRunner64.exe Download File
Process:	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	271704
Entropy (8bit):	5.761811520401724
Encrypted:	false
SSDEEP:	3072:wWHyRIh1NDBeEOqDhPbsuB35WlP+7l1MYMb3URvwgwWwBHNFs:nrrNDBeJwhbh3mU9wgw
MD5:	65DBB57517611D9DE8CE522022DCD727
SHA1:	B33E6DB5C460E5E38DD636C4D48E9D4523E2838F
SHA-256:	0525B815E61D3CD83FD4C87032DE7C1DCBA5E8D2619539F925E43624EB6E1D77
SHA-512:	D8D34BC3642255DFF395CB47A0EA58CC07D911B3535A0A6D972CC4E501F6CCAB200A7D636FCDEE77DC6E7AD6B735918BCDF48EA6F0EA0E26804C31F2D175490D
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$..eJ.eJ.eJ.....eJ.....+eJ.....eJ.;I.eJ.;O.eJ.;N.eJ.d...eJ.eK.>eJ..;C.eJ..;J.eJ.+;..eJ.e..eJ..;H.eJ.Rich.eJ.........................PE..d....S.^.........."......`..........l0.........@.............................`............`................................................. ...P....... ....`..........X#...P.. ...`...p............................................p..x............................text....^.......`.................. ..`.rdata.......p.......d..............@..@.data....*...0......................@....pdata.......`.......&..............@..@.gfids...............<..............@..@.rsrc... ............>..............@..@.reloc.. ....P......................@..B................................................................................................................................................................................

C:\Users\user\zT6Nm@i4\TXP\Windows\Start Menu\Programs\Startup\Realtek???????? .lnk Download File
Process:	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Thu Jan 14 15:39:10 2021, mtime=Thu Jan 14 15:39:10 2021, atime=Thu Jan 14 15:39:10 2021, length=271704, window=hide
Category:	dropped
Size (bytes):	1791
Entropy (8bit):	3.466273590595946
Encrypted:	false
SSDEEP:	24:8Z3AX3ighdUAfmqpdoe7KODlWJdo7aB6m:8Z3AnisOqjl2k0B6
MD5:	5FF572CBE6B366349A9D3389D4A60CAC
SHA1:	497C442D14F4A09D00C3294784ECA1DC43A6F4A2
SHA-256:	16731A0D7B072BE60F580E93797D2E91F2DE970CF45C31EE7B9BAE52D4824B6E
SHA-512:	6DF6B097BFF0B76EC465A886ABE72EBC7DB3C850E4FA7D8CE1D60A36F57E04E3063507D3F23F059AA7024E7E7162F8F298610AA1702E16217730B1EF79D176B8
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ....K......K......K.....X%......................,.:..DG..Yr?.D..U..k0.&...&...........-....k.2...X,~.2.......t...CFSF..1.....8R.J7.zT6Nm@i4....t.Y^...H.g.3..(.....gVA.G..k...B......8R.J8R.J....3X.......................z.T.6.N.m.@.i.4...D.j.2.X%...R. .PMRUNN~1.EXE..N.......R..R......W........................P.M.R.u.n.n.e.r.6.4...e.x.e.......U...............-.......T..............w.....C:\Users\user\zT6Nm@i4\PMRunner64.exe........\.....\.....\.....\.....\.P.M.R.u.n.n.e.r.6.4...e.x.e...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.z.T.6.N.m.@.i.4.&.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.z.T.6.N.m.@.i.4.\.P.M.R.u.n.n.e.r.6.4...e.x.e.........%USERPROFILE%\zT6Nm@i4\PMRunner64.exe...............................................................................................................................................................................................................................%.U.S.E.R.P.R.O.F.I.L.E.%.\.z.T.6.N.m.@.i.4.\.P.M.R.u.n.n.e.r.6.4...e.x.e..........

C:\Users\user\zT6Nm@i4\copy.bat Download File
Process:	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
File Type:	ASCII text, with CR, LF line terminators
Category:	dropped
Size (bytes):	148
Entropy (8bit):	4.859584238440697
Encrypted:	false
SSDEEP:	3:55Pt+ZIgUAdkdZkRErG+ffbNQdi25Pt+ZIrUhFmRdZkRErG+fUNhn:PwZIPAra3ZQdi2wZIroakn
MD5:	7EE919ABFE2EBEFCDD420D0E0784F1C9
SHA1:	760A5A935E7453C7C3D0CFE786975F97931382BB
SHA-256:	21C285FD608237D8B329AD8266FDCC0E9C671BAEB956E9544CAEC712944EF8A9
SHA-512:	0327C9A5500BEF65DFF1501553F0471B7CF2584CAA56CBF15673AC4AF10E748C08E15C5878F0C792907F2F777C6393925A22AB36BDBB70C29963FEC9A07AFFF5
Malicious:	false
Reputation:	low
Preview:	copy "C:\Users\user\zT6Nm@i4\zr.exe" "C:\ProgramData\Microsoft\zr.exe"..copy "C:\Users\user\zT6Nm@i4\111.7z" "C:\ProgramData\Microsoft\111.7z"..

C:\Users\user\zT6Nm@i4\ru2.url Download File
Process:	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:///C:\Users\user\zT6Nm@i4\run001.lnk>), ASCII text, with CR line terminators
Category:	dropped
Size (bytes):	65
Entropy (8bit):	4.934228490671524
Encrypted:	false
SSDEEP:	3:HRAbABGQVuOt+ZIo7g:HRYF5OwZIig
MD5:	004A6C48B0C8EE5A854123B30016589A
SHA1:	E491D660E83A6DC76EDFB00A8750B98E6F66C665
SHA-256:	2CF3CC8BCD1655AE232418CCFEBBF8D0AA5EFB062F95DF320C27B5C3A69E9A7C
SHA-512:	02CD3B044426D6CE89CECBFD16D294882AF867C33F53E6AE71104A4D4E2D57C9A551E659616B7D331CD8714E55DED39538796AD4A1F076483E619CF49E864E7E
Malicious:	false
Yara Hits:	Rule: Methodology_Suspicious_Shortcut_Local_URL, Description: Detects local script usage for .URL persistence, Source: C:\Users\user\zT6Nm@i4\ru2.url, Author: @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
Reputation:	low
Preview:	[InternetShortcut].URL=file:///C:\Users\user\zT6Nm@i4\run001.lnk

C:\Users\user\zT6Nm@i4\run.lnk Download File
Process:	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Wed Apr 11 22:34:14 2018, mtime=Wed Sep 30 06:35:53 2020, atime=Wed Apr 11 22:34:14 2018, length=273920, window=hide
Category:	dropped
Size (bytes):	1845
Entropy (8bit):	3.204025472281673
Encrypted:	false
SSDEEP:	24:8PHjJW6PV7Mmc7S6MAdx+/5+fUt+/g4I0Z57aB6m:8PMYdCXLiu8sIrB6
MD5:	BE3AF8B163611E11E35121A9C0DE546F
SHA1:	DFEEE23EAE5794D9C6D7B54A00CB0E42800AFAA3
SHA-256:	271541E40261A329ED49F004A2ABAAA533009C1E94B9F7CA3CED62756E59912B
SHA-512:	495C1D2427C943DFBC3739CFC3E104934449E629B39FEF81074F21151345DBA06A96DFE766B03F8CF74CDE5EB8D52CB8F00FA969186E8CECDFCF3B37346739EF
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...].......J..S....]...............................5....P.O. .:i.....+00.../C:\...................V.1.....>Qz<..Windows.@......L..8R.J..............................W.i.n.d.o.w.s.....Z.1.....8R.J..System32..B......L..8R.J..........................e...S.y.s.t.e.m.3.2.....V.2......LH. .cmd.exe.@......LH.>Qx<...............t...........&.c.m.d...e.x.e.......J...............-.......I..............w.....C:\Windows\System32\cmd.exe..!.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.c.m.d...e.x.e...C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.&. ./.c. .C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.z.T.6.N.m.@.i.4.\.r.u.n.0.0.1...l.n.k...C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.c.m.d...e.x.e.........%SystemRoot%\System32\cmd.exe.......................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.y

C:\Users\user\zT6Nm@i4\run001.lnk Download File
Process:	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	1457
Entropy (8bit):	1.9452446037061828
Encrypted:	false
SSDEEP:	12:8zM0i/kdvrHjHbQbfnbB5baP0yZ3ZrwPH:8AIzD7kzzk0yZ3Zk
MD5:	95A5332A3DE1AE6E16F7E139EE968E9B
SHA1:	9E7DD05E15FCAC8C1B8E91978B7EFEB923CD6A88
SHA-256:	5D0904F70763CA9D1118EFD2171BA4A0CF0D7C10B8D121836F95CE16A3E03C5A
SHA-512:	53A9CA5C5754D742BD568953B8B4A5AB58BDEA9C9CFC7E49C921484883BCF93CA9E5B6758FDFF72FF98BD0C5D1B70B97B264C89912880A7BB179CE26E8A768B0
Malicious:	false
Reputation:	low
Preview:	L..................F.@......................................................A....P.O. .:i.....+00.../C:\...................b.1...........ProgramData.H............................................P.r.o.g.r.a.m.D.a.t.a.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....T.2...........zr.exe..>............................................z.r...e.x.e.......%.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.z.r...e.x.e...C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.%. .x. .C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.1.1.1...7.z. .-.y...C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.z.r...e.x.e.........%ALLUSERSPROFILE%\Microsoft\zr.exe..................................................................................................................................................................................................................................%.A.L.L.U.S.E.R.S.P.R.O.F.I.L.E.%.\.M.i.c.r.o.s.o.f.t.\.z.r...e.x.e

C:\Users\user\zT6Nm@i4\run003.lnk Download File
Process:	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Sun Apr 30 07:53:46 2017, mtime=Sun Apr 30 07:53:46 2017, atime=Sun Apr 30 07:53:46 2017, length=461088, window=hide
Category:	dropped
Size (bytes):	1837
Entropy (8bit):	3.401424786774406
Encrypted:	false
SSDEEP:	24:8hJ3AX3igX1AnxQfouopHO8jAIM7aB6m:8/3AniRyfouopHdB6
MD5:	4AC952055902E20C748E96234BF2F56C
SHA1:	9B0BADF7DE8286543D6D5C45CD19E834E76E671F
SHA-256:	0D7B6A444BFA014BEE1DC4769FB66663BB1F0FC0B3327EC41AB9F5342BF571EF
SHA-512:	80639E1E8B2C4DD3BEC66CBEF87B7E1293D9CCE7E8B34C71B9011400E536CBA39801155CAC3C691B096F2B2B55254CF53FB402B7D843E429196C8B5484DD83DA
Malicious:	false
Preview:	L..................F.@.. ......i.......i.......i.... .........................:..DG..Yr?.D..U..k0.&...&...........-....k.2...X,~.2.......t...CFSF..1.....8R.J7.zT6Nm@i4....t.Y^...H.g.3..(.....gVA.G..k...B......8R.J8R.J....3X........................z.T.6.N.m.@.i.4...D.T.2. ....J.F .zr.exe..>......J.F.J.F....:X........................z.r...e.x.e.......M...............-.......L..............w.....C:\Users\user\zT6Nm@i4\zr.exe......\.z.r...e.x.e...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.z.T.6.N.m.@.i.4.B.a. .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.z.T.6.N.m.@.i.4.\.1.1.1...7.z.". .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.z.T.6.N.m.@.i.4.\.T.X.P.\.*."...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.z.T.6.N.m.@.i.4.\.z.r...e.x.e.........%USERPROFILE%\zT6Nm@i4\zr.exe.......................................................................................................................................................................................................................................%.U.S.E.R.P.R.O.F.I.L.E.%.\.z.T.6.N.m

C:\Users\user\zT6Nm@i4\zr.exe Download File
Process:	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	461088
Entropy (8bit):	6.581027593342649
Encrypted:	false
SSDEEP:	12288:tUBwDn0mdLrMkNpj6hTEXRrn9VsArg1xi:tUu7t3GTEhrn9VsA+i
MD5:	045FCBE6C174AFA9A6A998BDD6F9FAD7
SHA1:	9F477006DC176608E953EF44902FCE17DDF8FCA3
SHA-256:	08E510EF41795B4192650452D8E5482DBF71CEFAF9D67CFE02F60253D6023F96
SHA-512:	59CE53DDA80567A3B3E19FA2FBE404B655CB4203170B1295B1E6C33B9EBD0B6D2526FB568255610E64FA5C29A6F5C464766CDD746E207FFD2D48DA36811D717B
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................G..............J.......L..G............\|.....H........Rich..........................PE..L......W........../..........X....................@..................................W..........................................x.......(............... ............................................................................................text...u........................... ..`.rdata..............................@..@.data...\k..........................@....sxdata......p......................@....rsrc...(...........................@..@........................................................................................................................................................................................................................................................................................

\Device\ConDrv Download File
Process:	C:\ProgramData\Microsoft\zr.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	484
Entropy (8bit):	4.98831110003937
Encrypted:	false
SSDEEP:	12:pltQzsBRwgaQH7pyTkaHo8ajFsQcE5+svhJAISLGN2Gy:pYzsDwXQboTjUZH+svhJAI9wv
MD5:	70C66FCD7F376B7EC9AD79053CA63030
SHA1:	E3AE64762463879E0B8C91713A291B540131E423
SHA-256:	3FD565B1794F89DB8FFA179D9EBF283A0AC7B37BD9E8AD8DE94BB1443B0416BA
SHA-512:	0B07E9206A5B8D60D93AE7AE826605FFBC2DE13B072DB3EEF2A74E0E05485B8ADDA1E5D6231CC9965FD34093739603566841098631FBD89B8F7CC8889A2FBDA0
Malicious:	false
Preview:	..7-Zip (r) [32] 16.04 : Igor Pavlov : Public domain : 2016-10-04....Scanning the drive for archives:.. 0M Scan C:\ProgramData\Microsoft\. .1 file, 871 bytes (1 KiB)....Extracting archive: C:\ProgramData\Microsoft\111.7z..--..Path = C:\ProgramData\Microsoft\111.7z..Type = 7z..Physical Size = 871..Headers Size = 243..Method = LZMA2:12..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Folders: 4..Files: 1..Size: 1791..Compressed: 871..

Static File Info

General
File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.805779435598225
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
File size:	3150336
MD5:	6665909a2652c5860fd874cb15c3991c
SHA1:	84a5a2e920e8165634e510766eaa51662401a227
SHA256:	1ef7ae3509e71c3cd0904a7396831e6bd2c021f14dc5d4b2485a38ebefc3dd3d
SHA512:	c7ca90037a3e67b443fe6b8f8a8df510eb2794d53a80a416b7234de123703cf5b590f3314f1e0acf749156ce40cc176182d521679c83afceb18b60d39e07c6a5
SSDEEP:	49152:jwBFRHHY3rC5IgDAI9q8xCFEXlZ40nqSvLcUhGcwKEAX/ivWPlGbjtGysnISnvpZ:jwlHYm5IML9hGvTWlGnUysnISnBdu2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c`7...d...d...dFL.d...d.z.d...d.z.d...d.z.d...d...d...d.t.dd..d.t.d...d.t.d...d.t.d...d.t.d...dRich...d................PE..d..

File Icon


Icon Hash:	74cac4d4d4d0c4d4

Static PE Info

General
Entrypoint:	0x1401543b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x600BDCC7 [Sat Jan 23 08:22:31 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	5894f7ecf05bebd0f6f297d29b91f916

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F7DAC8515DCh
dec eax
add esp, 28h
jmp 00007F7DAC84AA97h
int3
int3
dec eax
mov dword ptr [esp+08h], ebx
push edi
dec eax
sub esp, 20h
dec eax
lea eax, dword ptr [00076193h]
mov ebx, edx
dec eax
mov edi, ecx
dec eax
mov dword ptr [ecx], eax
call 00007F7DAC851667h
test bl, 00000001h
je 00007F7DAC84AC4Ah
dec eax
mov ecx, edi
call 00007F7DAC6F960Eh
dec eax
mov eax, edi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
add esp, 20h
pop edi
ret
int3
int3
int3
dec eax
sub esp, 28h
dec eax
mov eax, edx
dec eax
lea edx, dword ptr [ecx+11h]
dec eax
lea ecx, dword ptr [eax+11h]
call 00007F7DAC8516B1h
test eax, eax
sete al
dec eax
add esp, 28h
ret
int3
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], ebp
dec eax
mov dword ptr [esp+20h], esi
push edi
inc ecx
push esp
inc ecx
push ebp
inc ecx
push esi
inc ecx
push edi
dec eax
sub esp, 20h
dec ecx
arpl word ptr [eax+0Ch], di
dec esp
mov edi, ecx
dec ecx
mov ecx, eax
dec ecx
mov ebp, ecx
dec ebp
mov ebp, eax
dec esp
mov esi, edx
call 00007F7DAC8517ADh
dec ebp
mov edx, dword ptr [edi]
dec esp
mov dword ptr [ebp+00h], edx
inc esp
mov esp, eax
test edi, edi
je 00007F7DAC84ACCAh
dec eax
lea ecx, dword ptr [edi+edi*4]
dec eax
lea esi, dword ptr [FFFFFFECh+ecx*4]
dec ecx
arpl word ptr [ebp+10h], bx
dec ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1ff938	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x306000	0xb0f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x2f0000	0x13518	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x17b000	0x1350	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x179a48	0x179c00	False	0.519473729112	data	6.37063911403	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x17b000	0x886cc	0x88800	False	0.253088870765	data	4.38109791814	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x204000	0xeb290	0xdee00	False	0.944429595485	data	7.74292213666	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x2f0000	0x13518	0x13600	False	0.497505040323	data	6.14754754116	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
text	0x304000	0xbbd	0xc00	False	0.466796875	data	5.50929008744	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA
data	0x305000	0x760	0x800	False	0.6806640625	data	5.89712002279	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x306000	0xb0f8	0xb200	False	0.413031074438	data	5.68750375192	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x306c10	0x134	data	Chinese	China
RT_CURSOR	0x306d44	0xb4	data	Chinese	China
RT_CURSOR	0x306df8	0x134	AmigaOS bitmap font	Chinese	China
RT_CURSOR	0x306f2c	0x134	data	Chinese	China
RT_CURSOR	0x307060	0x134	data	Chinese	China
RT_CURSOR	0x307194	0x134	data	Chinese	China
RT_CURSOR	0x3072c8	0x134	data	Chinese	China
RT_CURSOR	0x3073fc	0x134	data	Chinese	China
RT_CURSOR	0x307530	0x134	data	Chinese	China
RT_CURSOR	0x307664	0x134	data	Chinese	China
RT_CURSOR	0x307798	0x134	data	Chinese	China
RT_CURSOR	0x3078cc	0x134	data	Chinese	China
RT_CURSOR	0x307a00	0x134	AmigaOS bitmap font	Chinese	China
RT_CURSOR	0x307b34	0x134	data	Chinese	China
RT_CURSOR	0x307c68	0x134	data	Chinese	China
RT_CURSOR	0x307d9c	0x134	data	Chinese	China
RT_BITMAP	0x307ed0	0xb8	data	Chinese	China
RT_BITMAP	0x307f88	0x144	data	Chinese	China
RT_ICON	0x3080cc	0xea8	data	Chinese	China
RT_ICON	0x308f74	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0	Chinese	China
RT_ICON	0x30981c	0x568	GLS_BINARY_LSB_FIRST	Chinese	China
RT_ICON	0x309d84	0x25ad	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Chinese	China
RT_ICON	0x30c334	0x25a8	data	Chinese	China
RT_ICON	0x30e8dc	0x10a8	data	Chinese	China
RT_ICON	0x30f984	0x468	GLS_BINARY_LSB_FIRST	Chinese	China
RT_DIALOG	0x30fdec	0xde	data	Chinese	China
RT_DIALOG	0x30fecc	0x210	data	Chinese	China
RT_DIALOG	0x3100dc	0xe2	data	Chinese	China
RT_DIALOG	0x3101c0	0x34	data	Chinese	China
RT_STRING	0x3101f4	0x6a	data	Chinese	China
RT_STRING	0x310260	0x4e	data	Chinese	China
RT_STRING	0x3102b0	0x2c	data	Chinese	China
RT_STRING	0x3102dc	0x84	data	Chinese	China
RT_STRING	0x310360	0x1c4	data	Chinese	China
RT_STRING	0x310524	0x14e	data	Chinese	China
RT_STRING	0x310674	0x10e	data	Chinese	China
RT_STRING	0x310784	0x50	data	Chinese	China
RT_STRING	0x3107d4	0x44	data	Chinese	China
RT_STRING	0x310818	0x68	data	Chinese	China
RT_STRING	0x310880	0x1b2	data	Chinese	China
RT_STRING	0x310a34	0xf4	data	Chinese	China
RT_STRING	0x310b28	0x24	data	Chinese	China
RT_STRING	0x310b4c	0x1a6	data	Chinese	China
RT_GROUP_CURSOR	0x310cf4	0x22	Lotus unknown worksheet or configuration, revision 0x2	Chinese	China
RT_GROUP_CURSOR	0x310d18	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x310d2c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x310d40	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x310d54	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x310d68	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x310d7c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x310d90	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x310da4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x310db8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x310dcc	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x310de0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x310df4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x310e08	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x310e1c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_ICON	0x310e30	0x68	data	Chinese	China
RT_MANIFEST	0x310e98	0x25f	ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	IsValidCodePage, GetTimeZoneInformation, LCMapStringW, GetConsoleCP, GetConsoleMode, WriteConsoleW, SetEnvironmentVariableA, RtlCaptureContext, RtlVirtualUnwind, IsDebuggerPresent, UnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, HeapCreate, GetVersion, HeapSetInformation, FlsAlloc, FlsFree, FlsSetValue, FlsGetValue, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStdHandle, SizeofResource, SetUnhandledExceptionFilter, GetFileType, SetStdHandle, VirtualQuery, GetSystemInfo, SetThreadStackGuarantee, HeapSize, HeapQueryInformation, RtlPcToFileHeader, GetOEMCP, CreateThread, ExitThread, HeapReAlloc, GetSystemTimeAsFileTime, DecodePointer, EncodePointer, RtlUnwindEx, RtlLookupFunctionEntry, GetStartupInfoW, GetCommandLineW, FindResourceExW, SearchPathW, Sleep, GetProfileIntW, InitializeCriticalSectionAndSpinCount, GetTickCount, GetNumberFormatW, GetWindowsDirectoryW, GetTempPathW, GetTempFileNameW, GetFileTime, GetFileSizeEx, GetFileAttributesW, FileTimeToLocalFileTime, GetFileAttributesExW, SetErrorMode, FileTimeToSystemTime, GlobalGetAtomNameW, lstrlenA, GetFullPathNameW, GetACP, GetCPInfo, RaiseException, GetStringTypeW, GetVolumeInformationW, FindFirstFileW, FindClose, GetCurrentProcess, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, CreateFileW, lstrcmpiW, GetThreadLocale, lstrcpyW, DeleteFileW, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, GlobalHandle, GlobalReAlloc, TlsAlloc, InitializeCriticalSection, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, GlobalFlags, GetCurrentDirectoryW, ReleaseActCtx, CreateActCtxW, CopyFileW, GlobalSize, FormatMessageW, LocalFree, MulDiv, GlobalFindAtomW, GetVersionExW, CompareStringW, GlobalUnlock, GlobalFree, FreeResource, GetCurrentProcessId, GlobalAddAtomW, GetPrivateProfileStringW, lstrlenW, WritePrivateProfileStringW, GetPrivateProfileIntW, CreateEventW, SuspendThread, SetEvent, WaitForSingleObject, ResumeThread, SetThreadPriority, CloseHandle, lstrcmpA, GlobalDeleteAtom, GetCurrentThread, GetCurrentThreadId, GetUserDefaultUILanguage, ConvertDefaultLocale, GetSystemDefaultUILanguage, GetModuleFileNameW, GetLocaleInfoW, ActivateActCtx, LoadLibraryW, GetLastError, DeactivateActCtx, SetLastError, WideCharToMultiByte, GlobalLock, lstrcmpW, GlobalAlloc, GetModuleHandleW, HeapAlloc, FreeLibrary, GetProcessHeap, HeapFree, IsBadReadPtr, LoadLibraryA, GetProcAddress, VirtualFree, VirtualProtect, VirtualAlloc, MultiByteToWideChar, TerminateThread, ExitProcess, FindResourceW, LoadResource, LockResource
USER32.dll	SetMenuDefaultItem, PostThreadMessageW, CreateMenu, IsMenu, UpdateLayeredWindow, UnionRect, MonitorFromPoint, TranslateMDISysAccel, DrawMenuBar, DefMDIChildProcW, DefFrameProcW, RegisterClipboardFormatW, CopyImage, GetIconInfo, EnableScrollBar, HideCaret, InvertRect, GetMenuDefaultItem, UnpackDDElParam, ReuseDDElParam, LoadImageW, InsertMenuItemW, TranslateAcceleratorW, LockWindowUpdate, BringWindowToTop, SetCursorPos, CreateAcceleratorTableW, LoadAcceleratorsW, GetKeyboardState, GetKeyboardLayout, ToUnicodeEx, DrawFocusRect, DrawFrameControl, DrawEdge, DrawIconEx, DrawStateW, SetClassLongPtrW, GetAsyncKeyState, NotifyWinEvent, CreatePopupMenu, DestroyAcceleratorTable, SetParent, RedrawWindow, SetWindowRgn, IsZoomed, UnregisterClassW, MessageBeep, GetNextDlgGroupItem, InvalidateRgn, SetRect, IsRectEmpty, CopyAcceleratorTableW, OffsetRect, CharNextW, IntersectRect, LoadMenuW, CharUpperW, DestroyIcon, WaitMessage, ReleaseCapture, WindowFromPoint, SetCapture, GetSysColorBrush, LoadCursorW, SetLayeredWindowAttributes, SetRectEmpty, KillTimer, SetTimer, InvalidateRect, RealChildWindowFromPoint, DeleteMenu, EndPaint, BeginPaint, GetWindowDC, ClientToScreen, GrayStringW, DrawTextExW, DrawTextW, TabbedTextOutW, FillRect, SystemParametersInfoW, DestroyMenu, IsClipboardFormatAvailable, InflateRect, GetMenuStringW, InsertMenuW, RemoveMenu, ShowWindow, SetWindowTextW, IsDialogMessageW, SetDlgItemTextW, CheckDlgButton, RegisterWindowMessageW, SendDlgItemMessageW, SendDlgItemMessageA, WinHelpW, IsChild, GetCapture, GetClassNameW, GetClassLongPtrW, SetPropW, GetPropW, RemovePropW, SetFocus, GetWindowTextLengthW, GetWindowTextW, GetForegroundWindow, BeginDeferWindowPos, EndDeferWindowPos, GetTopWindow, GetWindowLongPtrW, SetWindowLongPtrW, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, MonitorFromWindow, GetMonitorInfoW, MapWindowPoints, ScrollWindow, TrackPopupMenu, SetMenu, SetScrollRange, GetScrollRange, SetScrollPos, GetScrollPos, SetForegroundWindow, ShowScrollBar, UpdateWindow, GetSubMenu, GetMenuItemID, GetMenuItemCount, CreateWindowExW, GetClassInfoExW, GetClassInfoW, RegisterClassW, GetSysColor, AdjustWindowRectEx, GetWindowRect, ScreenToClient, EqualRect, DeferWindowPos, GetScrollInfo, SetScrollInfo, PtInRect, SetWindowPlacement, GetWindowPlacement, GetDlgCtrlID, DefWindowProcW, CallWindowProcW, GetMenu, GetWindow, SetWindowContextHelpId, FrameRect, GetUpdateRect, GetWindowRgn, DestroyCursor, SubtractRect, MapVirtualKeyExW, IsCharLowerW, GetDoubleClickTime, MapDialogRect, SetWindowPos, MapVirtualKeyW, GetKeyNameTextW, ReleaseDC, GetDC, CopyRect, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamW, CharUpperBuffW, CopyIcon, EmptyClipboard, CloseClipboard, SetClipboardData, GetMenuItemInfoW, OpenClipboard, DestroyWindow, IsWindow, GetDlgItem, GetNextDlgTabItem, EndDialog, GetWindowThreadProcessId, GetLastActivePopup, IsWindowEnabled, MessageBoxW, ShowOwnedPopups, SetCursor, SetWindowsHookExW, CallNextHookEx, GetMessageW, TranslateMessage, DispatchMessageW, GetActiveWindow, IsWindowVisible, GetKeyState, PeekMessageW, GetCursorPos, ValidateRect, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapW, GetFocus, GetParent, ModifyMenuW, GetMenuState, EnableMenuItem, CheckMenuItem, PostMessageW, PostQuitMessage, GetSystemMetrics, LoadIconW, EnableWindow, GetClientRect, IsIconic, GetSystemMenu, SendMessageW, AppendMenuW, DrawIcon, MoveWindow, GetWindowLongW, SetWindowLongW, EnumDisplayMonitors
GDI32.dll	CreateSolidBrush, CreateHatchBrush, CreateDIBitmap, CreateCompatibleBitmap, GetTextMetricsW, EnumFontFamiliesW, GetTextCharsetInfo, SetRectRgn, CombineRgn, GetMapMode, DPtoLP, GetBkColor, GetTextColor, GetRgnBox, CreateDIBSection, CreateRoundRectRgn, CreatePolygonRgn, CreateEllipticRgn, Polyline, Ellipse, Polygon, CreatePalette, GetPaletteEntries, GetNearestPaletteIndex, RealizePalette, GetSystemPaletteEntries, OffsetRgn, SetDIBColorTable, CreatePen, SetPixel, Rectangle, EnumFontFamiliesExW, LPtoDP, GetWindowOrgEx, GetViewportOrgEx, PtInRegion, FillRgn, FrameRgn, GetBoundsRect, ExtFloodFill, SetPaletteEntries, GetTextFaceW, SetPixelV, RectVisible, PtVisible, GetPixel, GetObjectType, TextOutW, SelectPalette, GetStockObject, CreatePatternBrush, DeleteDC, ExtSelectClipRgn, ScaleWindowExtEx, SetWindowExtEx, OffsetWindowOrgEx, SetWindowOrgEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, StretchBlt, CreateBitmap, GetWindowExtEx, GetViewportExtEx, CreateRectRgn, SelectClipRgn, DeleteObject, SetLayout, GetLayout, SetTextAlign, MoveToEx, LineTo, IntersectClipRect, ExcludeClipRect, GetClipBox, SetMapMode, SetROP2, SetPolyFillMode, SetBkMode, RestoreDC, SaveDC, GetTextExtentPoint32W, ExtTextOutW, BitBlt, CreateCompatibleDC, CreateFontIndirectW, CreateDCW, CopyMetaFileW, GetDeviceCaps, GetObjectW, SetBkColor, SetTextColor, PatBlt, CreateRectRgnIndirect, Escape
MSIMG32.dll	AlphaBlend, TransparentBlt
COMDLG32.dll	GetFileTitleW
WINSPOOL.DRV	ClosePrinter, OpenPrinterW, DocumentPropertiesW
ADVAPI32.dll	RegEnumKeyExW, RegQueryValueExW, RegOpenKeyExW, RegCreateKeyExW, RegSetValueExW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyW, RegQueryValueW, RegCloseKey, RegEnumValueW
SHELL32.dll	SHAppBarMessage, SHGetFileInfoW, ShellExecuteW, DragFinish, DragQueryFileW, SHBrowseForFolderW, SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHGetDesktopFolder
COMCTL32.dll	ImageList_GetIconSize
SHLWAPI.dll	PathFindFileNameW, PathStripToRootW, PathIsUNCW, PathFindExtensionW, PathRemoveFileSpecW
ole32.dll	OleInitialize, CoFreeUnusedLibraries, OleUninitialize, CoInitializeEx, CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, StgOpenStorageOnILockBytes, CoGetClassObject, CoInitialize, CoUninitialize, OleCreateMenuDescriptor, CoTaskMemAlloc, ReleaseStgMedium, CoTaskMemFree, OleDestroyMenuDescriptor, OleTranslateAccelerator, IsAccelerator, OleLockRunning, CreateStreamOnHGlobal, OleIsCurrentClipboard, OleFlushClipboard, DoDragDrop, CLSIDFromString, CLSIDFromProgID, CoCreateGuid, RevokeDragDrop, CoLockObjectExternal, RegisterDragDrop, OleGetClipboard, OleDuplicateData, CoRegisterMessageFilter, CoCreateInstance, CoRevokeClassObject
OLEAUT32.dll	SysFreeString, VarBstrFromDate, VariantCopy, SafeArrayDestroy, SystemTimeToVariantTime, VariantTimeToSystemTime, OleCreateFontIndirect, SysStringLen, VariantInit, VariantChangeType, VariantClear, SysAllocStringLen, SysAllocString
oledlg.dll	OleUIBusyW
WS2_32.dll	WSAIoctl, htons, inet_ntoa, gethostbyname, gethostname, WSASocketW, WSAStartup, ntohs, recv, bind
OLEACC.dll	LresultFromObject, AccessibleObjectFromWindow, CreateStdAccessibleObject
gdiplus.dll	GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipCloneImage, GdipDrawImageRectI, GdipSetInterpolationMode, GdipGetImagePaletteSize, GdiplusShutdown, GdiplusStartup, GdipCreateBitmapFromHBITMAP, GdipDisposeImage, GdipDeleteGraphics, GdipAlloc, GdipFree, GdipGetImagePalette, GdipCreateBitmapFromStream, GdipCreateBitmapFromScan0, GdipBitmapLockBits, GdipBitmapUnlockBits, GdipGetImageGraphicsContext, GdipCreateFromHDC, GdipDrawImageI
IMM32.dll	ImmGetOpenStatus, ImmReleaseContext, ImmGetContext
WINMM.dll	PlaySoundW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 24, 2021 10:23:23.492737055 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:23.493050098 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:23.493232012 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:23.493341923 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:23.493448019 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:23.493484020 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:23.493712902 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:23.493824005 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:23.493865967 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:23.503756046 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.503794909 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.503830910 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.503869057 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.503894091 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.503979921 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.504018068 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.504620075 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.504646063 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.504668951 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.504837036 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.504875898 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.505203962 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.505242109 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.505482912 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.505522966 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.505681992 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.505717039 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.505799055 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.505855083 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:23.506150961 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.506251097 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.506513119 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.506541967 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.626178026 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:23.626334906 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.676939011 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.677278996 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.677455902 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.677529097 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.677571058 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.677608013 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.677635908 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.677711964 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.677747011 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.677762985 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.677767992 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.686454058 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.686647892 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.686887026 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.687319994 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.687814951 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.687844992 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.687937021 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.688262939 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.688580036 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.688678026 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.688756943 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.688922882 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.689089060 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.689160109 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.689368963 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.689434052 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.689743042 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.689924002 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.720083952 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.720293045 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:28.755439043 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:23:28.755672932 CET	49696	443	192.168.2.4	204.79.197.200
Jan 24, 2021 10:23:37.462538004 CET	49683	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:37.462593079 CET	49682	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:37.462704897 CET	49683	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:37.462745905 CET	49682	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:37.499459982 CET	443	49683	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.499675989 CET	443	49683	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.499989986 CET	443	49682	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.500017881 CET	443	49682	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.553977013 CET	443	49683	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.554744005 CET	443	49682	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645104885 CET	443	49682	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645154953 CET	443	49682	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645194054 CET	443	49682	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645241976 CET	443	49682	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645297050 CET	443	49682	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645302057 CET	49682	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:37.645345926 CET	49682	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:37.645354986 CET	443	49682	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645435095 CET	49682	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:37.645481110 CET	443	49682	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645541906 CET	443	49682	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645591974 CET	443	49682	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645615101 CET	49682	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:37.645648003 CET	443	49683	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645689964 CET	443	49683	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645725965 CET	443	49683	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645764112 CET	443	49683	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645801067 CET	443	49683	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645807028 CET	49683	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:37.645837069 CET	443	49683	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645838022 CET	49683	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:37.645874023 CET	443	49683	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645915031 CET	49683	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:37.645931005 CET	443	49683	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.645987034 CET	443	49683	40.126.31.135	192.168.2.4
Jan 24, 2021 10:23:37.646002054 CET	49683	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:37.686861992 CET	49683	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:37.697947025 CET	49682	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:23:44.404624939 CET	49744	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:44.628895998 CET	13527	49744	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:44.629020929 CET	49744	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:44.673149109 CET	49744	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:44.892343998 CET	13527	49744	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:44.932837963 CET	49744	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:45.670763016 CET	49744	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:45.893397093 CET	13527	49744	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:45.948796988 CET	49744	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:49.980010986 CET	13527	49744	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:49.994618893 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:50.026993036 CET	49744	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:50.186917067 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:50.187036037 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:50.193909883 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:50.387290955 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:50.411216974 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:50.610318899 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:50.652071953 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:50.759540081 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:50.963913918 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:50.963973999 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:50.964061022 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:50.964103937 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:50.964139938 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:50.964200974 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.156513929 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.156574011 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.156611919 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.156658888 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.156680107 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.156770945 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.156811953 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.156830072 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.156867981 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.156903982 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.156936884 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.157119989 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.349153042 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349229097 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349268913 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349322081 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349366903 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349406958 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.349477053 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349519968 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349538088 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.349575996 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.349631071 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349673986 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349726915 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.349766970 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349803925 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349841118 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349877119 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349896908 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.349946022 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.349986076 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.350016117 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.350043058 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.350085974 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.350173950 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.542428017 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.542546988 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.542587996 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.542634964 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.542674065 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.542704105 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.542759895 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.542800903 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.542840004 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.542848110 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.542865038 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.542913914 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.542951107 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.542988062 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543021917 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.543028116 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.543055058 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543097973 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543144941 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543188095 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543222904 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.543231010 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.543251991 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543289900 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543327093 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543365002 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543396950 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.543402910 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.543423891 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543462038 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543500900 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543540001 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543574095 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.543585062 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.543644905 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543694019 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.543729067 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.544234037 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.545517921 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.789244890 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.994138002 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994185925 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994221926 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994277954 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994292021 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.994347095 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994389057 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994426966 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994462013 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994478941 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.994518995 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994558096 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994613886 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994626999 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.994636059 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.994688988 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994756937 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994805098 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994833946 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.994873047 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994910955 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.994950056 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.994997978 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995035887 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.995060921 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995099068 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995135069 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995170116 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995208979 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995225906 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.995270014 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995282888 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.995316982 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995352030 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995398045 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995440006 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995476961 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995517969 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995568037 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.995575905 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.995587111 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995625973 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995659113 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995697021 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995733023 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995779037 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995820045 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995839119 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.995846033 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.995883942 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995920897 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995956898 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.995990038 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.996009111 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.996016026 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.996048927 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.996084929 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.996121883 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.996159077 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.996175051 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.996186018 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.996227980 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.996268034 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.996304989 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.996336937 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.996356964 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.996364117 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.996397018 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.996433973 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.996469975 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:51.996522903 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:51.996534109 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.188680887 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.188730001 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.188767910 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.188790083 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.188832998 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.188877106 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.188992023 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.230405092 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.778477907 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.979238987 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979288101 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979325056 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979362011 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.979389906 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979429960 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979448080 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.979487896 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979523897 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979542971 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.979597092 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979652882 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979665041 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.979716063 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979763031 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979773998 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.979813099 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979849100 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979871035 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.979918003 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979973078 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.979986906 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.980030060 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980077982 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980089903 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.980128050 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980164051 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980180025 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.980217934 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980254889 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980271101 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.980309010 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980345964 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980376959 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980392933 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.980436087 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.980458975 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980506897 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980556011 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980566978 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.980606079 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980648994 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980659962 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.980698109 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980746984 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980757952 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.980792046 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980834007 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980844975 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.980882883 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980923891 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.980936050 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.980983973 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.981025934 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:52.981041908 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.981071949 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:52.981113911 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:53.118199110 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:53.365730047 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:53.814583063 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:53.814702988 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:53.859205008 CET	49745	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:54.051073074 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:54.051347017 CET	13527	49745	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:54.270224094 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:54.270334005 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:54.288530111 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:54.507450104 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:54.574243069 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:54.612688065 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:54.836000919 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:54.886840105 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:55.295989037 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:55.307897091 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:55.515795946 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:55.515813112 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:55.515820980 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:55.515970945 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:55.516011953 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:55.526813030 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:55.526993990 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:55.735239983 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:55.735272884 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:55.735299110 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:55.735323906 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:55.735451937 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:55.745811939 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:55.745851994 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:55.954360008 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:55.954396009 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:55.954477072 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:55.954575062 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:55.954715014 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:56.223587990 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:56.223792076 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:56.491796970 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:56.491944075 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:56.761743069 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:56.761857033 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:57.030440092 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:57.030524969 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:57.300798893 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:57.300970078 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:57.570388079 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:57.571827888 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:57.698775053 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:57.840342045 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:57.917685032 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:57.917718887 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:57.917814970 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:57.993100882 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:58.214649916 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:58.214685917 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:58.215725899 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:58.484622002 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:58.486310959 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:58.755295992 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:58.755490065 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:59.024013996 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:59.024091959 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:59.292634964 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:59.296293020 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:59.564798117 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:59.564878941 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:23:59.833225012 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:23:59.836514950 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:00.106441021 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:00.108120918 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:00.376741886 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:00.376991987 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:00.645517111 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:00.645638943 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:00.914259911 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:00.914372921 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:01.182372093 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:01.182488918 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:01.451486111 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:01.451598883 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:01.720177889 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:01.720314980 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:01.988185883 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:01.988405943 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:02.258222103 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:02.258667946 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:02.527736902 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:02.527841091 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:02.796634912 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:02.798907995 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:03.067519903 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:03.067601919 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:03.336163044 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:03.336451054 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:03.482877970 CET	80	49688	93.184.220.29	192.168.2.4
Jan 24, 2021 10:24:03.483721018 CET	49688	80	192.168.2.4	93.184.220.29
Jan 24, 2021 10:24:03.597266912 CET	80	49687	93.184.220.29	192.168.2.4
Jan 24, 2021 10:24:03.598772049 CET	49687	80	192.168.2.4	93.184.220.29
Jan 24, 2021 10:24:03.605046034 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:03.605139017 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:03.873642921 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:03.876305103 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:04.144437075 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:04.144527912 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:04.188651085 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:04.406955004 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:04.407644987 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:04.452977896 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:04.577502966 CET	80	49711	93.184.220.29	192.168.2.4
Jan 24, 2021 10:24:04.577620983 CET	49711	80	192.168.2.4	93.184.220.29
Jan 24, 2021 10:24:04.626560926 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:04.715922117 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:04.757339001 CET	80	49712	93.184.220.29	192.168.2.4
Jan 24, 2021 10:24:04.759186983 CET	49712	80	192.168.2.4	93.184.220.29
Jan 24, 2021 10:24:04.984618902 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:04.984940052 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:05.253281116 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:05.255887032 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:05.271456957 CET	49713	443	192.168.2.4	104.79.89.181
Jan 24, 2021 10:24:05.271657944 CET	49714	80	192.168.2.4	93.184.220.29
Jan 24, 2021 10:24:05.524389982 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:05.524590015 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:05.753616095 CET	80	49707	93.184.220.29	192.168.2.4
Jan 24, 2021 10:24:05.753742933 CET	49707	80	192.168.2.4	93.184.220.29
Jan 24, 2021 10:24:05.792771101 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:05.793199062 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:06.062020063 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:06.062305927 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:06.330858946 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:06.330975056 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:06.609314919 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:06.609409094 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:06.877954006 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:06.878751993 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:07.146608114 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:07.147188902 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:07.415678024 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:07.415781021 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:07.685522079 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:07.685849905 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:07.954140902 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:07.954351902 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:08.223099947 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:08.223467112 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:08.492399931 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:08.494678020 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:08.763119936 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:08.763338089 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:09.031897068 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:09.031997919 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:09.300657034 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:09.301146984 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:09.570686102 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:09.570786953 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:09.838772058 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:09.839318037 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:10.108814001 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:10.402307034 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:10.670810938 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:10.672283888 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:10.940509081 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:11.392703056 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:11.661114931 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:11.661201954 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:11.930252075 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:11.930355072 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:12.199026108 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:12.199130058 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:12.467624903 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:12.467708111 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:12.735907078 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:12.736166000 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:13.004185915 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:13.005191088 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:13.274581909 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:13.278134108 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:13.546989918 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:13.547348976 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:13.816880941 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:13.817001104 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:14.087378025 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:14.087476015 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:14.363312960 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:14.365601063 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:14.634673119 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:14.634782076 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:14.904660940 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:14.904779911 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:15.172898054 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:15.172988892 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:15.441334963 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:15.441540956 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:15.711215973 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:15.711436987 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:15.989732027 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:15.990199089 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:16.258379936 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:16.258465052 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:16.527291059 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:16.527455091 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:16.566608906 CET	49744	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:16.798059940 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:16.800570965 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:16.838176966 CET	13527	49744	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:17.069073915 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:17.069190979 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:17.337997913 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:17.338148117 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:17.606755018 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:17.607089996 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:17.876199007 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:17.877790928 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:18.146377087 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:18.146477938 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:18.414860010 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:18.416063070 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:18.684304953 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:18.685837984 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:18.954674006 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:18.956798077 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:19.225153923 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:19.225323915 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:19.494291067 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:19.497940063 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:19.766884089 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:19.767023087 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:20.036458969 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:20.036592007 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:20.304441929 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:20.304681063 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:20.574187994 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:20.574295998 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:20.842816114 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:20.843712091 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:21.112056971 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:21.113923073 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:21.382647038 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:21.382750988 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:21.651397943 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:21.651499033 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:21.929666996 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:21.929831028 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:22.198828936 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:22.200498104 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:22.468805075 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:22.470222950 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:22.738514900 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:22.738609076 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:23.007834911 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:23.008702993 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:23.277044058 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:23.277196884 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:23.546056032 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:23.546264887 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:23.815642118 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:23.815763950 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:24.084367037 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:24.084583044 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:24.352526903 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:24.353346109 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:24.622344017 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:24.623051882 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:24.891127110 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:24.892421961 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:25.161118031 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:25.161360025 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:25.440212011 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:25.442578077 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:25.710808039 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:25.713737011 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:25.805048943 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:25.903383017 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:25.982023001 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:26.023891926 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:26.035103083 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:26.123476982 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:26.143909931 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:26.254165888 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:26.254245996 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:26.362951040 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:26.364584923 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:26.523013115 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:26.526617050 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:26.633141041 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:26.634171009 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:26.793479919 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:26.904495955 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:26.906682968 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:27.175882101 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:27.178646088 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:27.447189093 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:27.450264931 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:27.718775034 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:27.893541098 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:28.162134886 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:28.162406921 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:28.431360960 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:28.664343119 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:28.933193922 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:28.933428049 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:29.203636885 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:29.203773022 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:29.471947908 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:29.472130060 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:29.740379095 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:29.740506887 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:30.009432077 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:30.009541988 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:30.279051065 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:30.279210091 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:30.548115969 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:30.548228979 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:30.816816092 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:30.817253113 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:31.086479902 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:31.086667061 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:31.355819941 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:31.355921984 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:31.625742912 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:31.625927925 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:31.894752026 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:31.895200968 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:32.163626909 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:32.163947105 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:32.434046030 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:32.434236050 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:32.702395916 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:32.705086946 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:32.973676920 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:32.973814011 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:33.244616032 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:33.244744062 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:33.513820887 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:33.513923883 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:33.783210039 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:33.783324003 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:34.051631927 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:34.051717997 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:34.329853058 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:34.333246946 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:34.602957964 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:34.603135109 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:34.871273994 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:34.874190092 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:35.143079042 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:35.143322945 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:35.412717104 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:35.414908886 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:35.683578968 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:35.687561989 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:35.956814051 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:35.959089041 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:36.228622913 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:36.228730917 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:36.496671915 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:36.496763945 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:36.764910936 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:36.767513990 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:37.036355019 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:37.039608002 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:37.308146000 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:37.311693907 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:37.589992046 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:37.590531111 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:37.858679056 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:37.858841896 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:38.127378941 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:38.127494097 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:38.395629883 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:38.395757914 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:38.664344072 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:38.664644957 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:38.933423042 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:38.933621883 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:39.203843117 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:39.203955889 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:39.472434044 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:39.472563028 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:39.741750002 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:39.743758917 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:40.012676954 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:40.012800932 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:40.281017065 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:40.281892061 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:40.559911966 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:40.561508894 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:40.830530882 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:40.834180117 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:41.102693081 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:41.107939005 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:41.376296043 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:41.376650095 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:41.645350933 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:41.647895098 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:41.916986942 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:41.917927027 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:42.186188936 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:42.186285973 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:42.455260038 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:42.456051111 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:42.724718094 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:42.725914955 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:42.994393110 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:42.994574070 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:43.262664080 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:43.262840033 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:43.531454086 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:43.531548023 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:43.800040960 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:43.800143957 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:44.069000959 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:44.072150946 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:44.340634108 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:44.344223022 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:44.612821102 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:44.612912893 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:44.883492947 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:44.884325027 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:45.154580116 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:45.156296015 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:45.426048994 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:45.428379059 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:45.696516037 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:45.700423002 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:45.969198942 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:46.025207996 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:46.293617964 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:46.293797970 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:46.562621117 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:46.562864065 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:46.832654953 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:46.832895994 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:47.103919983 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:47.104196072 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:47.373049021 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:47.530911922 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:47.799447060 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:47.799551010 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:48.067898035 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:48.068078041 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:48.336503983 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:48.336639881 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:48.563296080 CET	49744	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:48.604945898 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:48.605097055 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:48.832588911 CET	13527	49744	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:48.871464014 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:48.871565104 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:49.140199900 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:49.140345097 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:49.408720016 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:49.408828020 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:49.491842031 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:49.589169979 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:49.668848991 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:49.677587032 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:49.710947037 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:49.808396101 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:49.808531046 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:49.887806892 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:49.887897968 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:50.076951981 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:50.077136040 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:50.155924082 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:50.156117916 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:50.346848965 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:50.346959114 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:50.426770926 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:50.426847935 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:50.615374088 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:50.615545988 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:50.698685884 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:50.698919058 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:50.884274960 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:50.884433031 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:50.968293905 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:50.968377113 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:51.153485060 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:51.153713942 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:51.233433962 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:51.233550072 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:51.423113108 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:51.423212051 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:51.502192020 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:51.502307892 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:51.692327976 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:51.692431927 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:51.780338049 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:51.780431032 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:51.970549107 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:51.970638990 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:52.051393986 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:52.051599026 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:52.188894987 CET	49681	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:24:52.188981056 CET	49688	80	192.168.2.4	93.184.220.29
Jan 24, 2021 10:24:52.189145088 CET	49687	80	192.168.2.4	93.184.220.29
Jan 24, 2021 10:24:52.189455986 CET	49682	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:24:52.189517975 CET	49683	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:24:52.208045959 CET	80	49687	93.184.220.29	192.168.2.4
Jan 24, 2021 10:24:52.208093882 CET	80	49688	93.184.220.29	192.168.2.4
Jan 24, 2021 10:24:52.208141088 CET	49687	80	192.168.2.4	93.184.220.29
Jan 24, 2021 10:24:52.208235979 CET	49688	80	192.168.2.4	93.184.220.29
Jan 24, 2021 10:24:52.226140976 CET	443	49683	40.126.31.135	192.168.2.4
Jan 24, 2021 10:24:52.226186037 CET	443	49682	40.126.31.135	192.168.2.4
Jan 24, 2021 10:24:52.226263046 CET	49683	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:24:52.226301908 CET	49682	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:24:52.226382971 CET	443	49681	40.126.31.135	192.168.2.4
Jan 24, 2021 10:24:52.226444960 CET	49681	443	192.168.2.4	40.126.31.135
Jan 24, 2021 10:24:52.238904953 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:52.239022970 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:52.319817066 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:52.319921970 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:52.507154942 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:52.507349968 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:52.589071989 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:52.589237928 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:52.775427103 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:52.775521040 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:52.857549906 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:52.857676029 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:53.044110060 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:53.044199944 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:53.127254963 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:53.127372026 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:53.316621065 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:53.316842079 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:53.397062063 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:53.397192955 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:53.585668087 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:53.585906982 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:53.665972948 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:53.666102886 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:53.857163906 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:53.857336044 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:53.934221029 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:53.934329033 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:54.125595093 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:54.125682116 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:54.203318119 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:54.203411102 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:54.395068884 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:54.395226002 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:54.472225904 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:54.472315073 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:54.663928032 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:54.664071083 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:54.741497993 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:54.741610050 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:54.932316065 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:54.932586908 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:55.010271072 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:55.010534048 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:55.210603952 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:55.210728884 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:55.278749943 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:55.278855085 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:55.479554892 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:55.479738951 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:55.547542095 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:55.547776937 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:55.748570919 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:55.748764038 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:55.816817045 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:55.816941023 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:56.016659975 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:56.016762972 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:56.084697008 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:56.084783077 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:56.439024925 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:57.141978979 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:58.439088106 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:58.658382893 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:58.658638954 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:58.926501036 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:58.926610947 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:59.198493004 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:59.198596001 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:59.467097044 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:59.467199087 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:24:59.736037016 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:24:59.736176014 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:00.004898071 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:00.009469986 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:00.279738903 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:00.279871941 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:00.548027992 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:00.548173904 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:00.816198111 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:00.816298008 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:01.084546089 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:01.084662914 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:01.353806019 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:01.353905916 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:01.622065067 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:01.622251034 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:01.900883913 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:01.901091099 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:02.169213057 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:02.169425011 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:02.437884092 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:02.438002110 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:02.706109047 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:02.706192017 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:02.974900007 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:02.975006104 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:03.245841980 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:03.246011972 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:03.516577005 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:03.516772985 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:03.785427094 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:03.785567999 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:04.054411888 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:04.054568052 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:04.322794914 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:04.322896957 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:04.591923952 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:04.592142105 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:04.862068892 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:04.862157106 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:05.140609026 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:05.140750885 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:05.318269968 CET	443	49701	204.79.197.200	192.168.2.4
Jan 24, 2021 10:25:05.409532070 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:05.409619093 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:05.678798914 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:05.678910971 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:05.947104931 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:05.947381973 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:06.009604931 CET	80	49707	93.184.220.29	192.168.2.4
Jan 24, 2021 10:25:06.009776115 CET	49707	80	192.168.2.4	93.184.220.29
Jan 24, 2021 10:25:06.216638088 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:06.216909885 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:06.485739946 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:06.485903978 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:06.753957987 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:06.754064083 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:07.022171021 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:07.022286892 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:07.291866064 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:07.292124987 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:07.561003923 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:07.561110020 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:07.679440022 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:07.830420017 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:07.830729961 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:07.898576021 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:07.898680925 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:07.987287998 CET	443	49702	204.79.197.200	192.168.2.4
Jan 24, 2021 10:25:08.100558996 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:08.100708961 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:08.167654037 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:08.167772055 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:08.278325081 CET	443	49699	204.79.197.200	192.168.2.4
Jan 24, 2021 10:25:08.278882027 CET	443	49705	204.79.197.200	192.168.2.4
Jan 24, 2021 10:25:08.368813992 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:08.368916035 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:08.439265013 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:08.549748898 CET	443	49710	13.107.42.23	192.168.2.4
Jan 24, 2021 10:25:08.637607098 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:08.637706995 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:08.669476032 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:08.888273954 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:08.888361931 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:08.936176062 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:09.157208920 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:09.157329082 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:09.426207066 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:09.426316023 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:09.695178986 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:09.695285082 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:09.699049950 CET	443	49698	204.79.197.200	192.168.2.4
Jan 24, 2021 10:25:09.890197039 CET	443	49700	204.79.197.200	192.168.2.4
Jan 24, 2021 10:25:09.959615946 CET	443	49703	204.79.197.200	192.168.2.4
Jan 24, 2021 10:25:09.963783979 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:09.963912964 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:10.235433102 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:10.235539913 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:10.246742010 CET	443	49708	13.107.5.88	192.168.2.4
Jan 24, 2021 10:25:10.504143000 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:10.504251957 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:10.605376959 CET	443	49704	204.79.197.200	192.168.2.4
Jan 24, 2021 10:25:10.772947073 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:10.773081064 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:11.041670084 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:11.041863918 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:11.142512083 CET	443	49709	13.107.5.88	192.168.2.4
Jan 24, 2021 10:25:11.310424089 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:11.310537100 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:11.579118967 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:11.579272032 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:11.847428083 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:11.847585917 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:11.989367008 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:12.092156887 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:12.116403103 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:12.170695066 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:12.172115088 CET	443	49715	204.79.197.222	192.168.2.4
Jan 24, 2021 10:25:12.208189964 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:12.208236933 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:12.250076056 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:12.311028004 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:12.311070919 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:12.389642954 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:12.389686108 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:12.389746904 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:12.469042063 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:12.469257116 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:12.659431934 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:12.662571907 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:12.738796949 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:12.738878012 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:12.939498901 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:12.939615965 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:13.009527922 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:13.009603024 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:13.210366964 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:13.210443020 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:13.278295994 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:13.434866905 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:13.479104996 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:13.653752089 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:13.653937101 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:13.922641993 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:13.922785997 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:14.193414927 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:14.193538904 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:14.461852074 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:14.462007999 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:14.483470917 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:14.702274084 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:14.702451944 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:14.761816025 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:14.981149912 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:14.981362104 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:15.241889954 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:15.242021084 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:15.510221958 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:15.510304928 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:15.778426886 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:15.778532982 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:16.060941935 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:16.061047077 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:16.329827070 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:16.330060005 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:16.598242044 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:16.598447084 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:16.866916895 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:16.867100000 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:17.135126114 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:17.135281086 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:17.403434038 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:17.403614044 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:17.672471046 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:17.672673941 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:17.941854000 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:17.941977024 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:18.210589886 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:18.210741997 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:18.479249001 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:18.479408026 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:18.747505903 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:18.747643948 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:19.016108990 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:19.301820993 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:19.429673910 CET	49744	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:19.570580959 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:19.570741892 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:19.699790001 CET	13527	49744	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:19.839732885 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:19.839920044 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:20.108160019 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:20.108325005 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:20.161662102 CET	80	49707	93.184.220.29	192.168.2.4
Jan 24, 2021 10:25:20.161837101 CET	49707	80	192.168.2.4	93.184.220.29
Jan 24, 2021 10:25:20.377080917 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:20.377254009 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:20.645407915 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:20.852606058 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:21.131155968 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:21.131283045 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:21.400587082 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:21.400790930 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:21.669661999 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:21.669862032 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:21.938733101 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:21.938947916 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:22.207583904 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:22.207676888 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:22.477802992 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:22.477909088 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:22.746829033 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:22.746915102 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:23.015248060 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:23.017405987 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:23.285511971 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:23.285794973 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:23.554758072 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:23.555485964 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:23.825571060 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:23.825710058 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:24.094038963 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:24.094124079 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:24.362963915 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:24.363495111 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:24.631658077 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:24.631743908 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:24.900302887 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:24.903404951 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:25.171988964 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:25.173912048 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:25.442148924 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:25.447627068 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:25.716079950 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:25.716372967 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:25.984467030 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:25.984622955 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:26.253187895 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:26.253884077 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:26.523453951 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:26.523643017 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:26.793775082 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:26.794178009 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:27.062589884 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:27.063272953 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:27.332279921 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:27.332389116 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:27.600822926 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:27.603584051 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:27.872706890 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:27.873569012 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:28.142493010 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:28.142584085 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:28.411519051 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:28.411621094 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:28.679925919 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:28.680083036 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:28.950053930 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:28.951919079 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:29.219504118 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:29.220015049 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:29.489149094 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:29.492090940 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:29.760782957 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:29.764039993 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:30.032726049 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:30.032829046 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:30.311604977 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:30.311722040 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:30.580347061 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:30.580459118 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:30.849612951 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:30.850210905 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:31.119383097 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:31.122268915 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:31.391403913 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:31.392136097 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:31.660047054 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:31.660253048 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:31.928343058 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:31.928462982 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:32.198287010 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:32.198410034 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:32.466777086 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:32.466887951 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:32.735479116 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:32.735675097 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:33.004374981 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:33.004971981 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:33.274585009 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:33.274689913 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:33.543323994 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:33.543417931 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:33.821815014 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:33.821902990 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:34.089786053 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:34.091139078 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:34.359627008 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:34.359741926 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:34.628345013 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:34.628453016 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:34.897989035 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:34.898721933 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:34.994081974 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:35.167524099 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:35.167637110 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:35.212827921 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:35.436116934 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:35.436244965 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:35.704838991 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:35.705209017 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:35.789550066 CET	443	49696	204.79.197.200	192.168.2.4
Jan 24, 2021 10:25:35.973540068 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:35.974869013 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:36.038981915 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:36.243877888 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:36.244633913 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:36.257977009 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:36.514252901 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:36.514350891 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:36.785731077 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:36.785995007 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:37.055166960 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:37.055274010 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:37.323863983 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:37.324106932 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:37.548943996 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:37.592978954 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:37.673412085 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:37.767819881 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:37.767844915 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:37.768060923 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:37.870428085 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:37.892501116 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:38.037353992 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:38.037563086 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:38.089272022 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:38.089548111 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:38.308374882 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:38.308840036 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:38.577912092 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:38.578017950 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:38.846225977 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:38.846391916 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:39.115302086 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:39.115736008 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:39.384159088 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:39.384387970 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:39.652415991 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:39.653819084 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:39.921762943 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:39.921943903 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:40.189997911 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:40.190288067 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:40.459741116 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:40.460187912 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:40.728326082 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:40.732275963 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:41.000852108 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:41.001213074 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:41.270035028 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:41.270123005 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:41.538613081 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:41.538708925 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:41.806782961 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:41.806895018 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:42.075192928 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:42.075742006 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:42.345067978 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:42.345768929 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:42.614276886 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:42.614376068 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:42.885521889 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:42.885649920 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:43.155566931 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:43.155860901 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:43.424901009 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:43.425229073 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:43.694047928 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:43.694153070 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:43.962793112 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:43.962922096 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:44.230937004 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:44.231046915 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:44.499701023 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:44.499792099 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:44.769310951 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:44.770132065 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:45.039064884 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:45.039186001 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:45.307105064 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:45.307214975 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:45.575519085 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:45.575668097 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:45.845530987 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:45.845948935 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:46.114037037 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:46.114161968 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:46.382684946 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:46.382801056 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:46.650896072 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:46.651015997 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:46.919786930 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:46.921416998 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:47.189661026 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:47.190571070 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:47.458534002 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:47.458667040 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:47.727315903 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:47.727509975 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:47.996248960 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:47.996428013 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:48.264758110 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:48.265588045 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:48.534209967 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:48.537630081 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:48.804461956 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:48.804667950 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:49.073492050 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:49.073601007 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:49.345246077 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:49.345331907 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:49.614111900 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:49.614449978 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:49.882350922 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:49.883657932 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:50.161946058 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:50.162249088 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:50.430856943 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:50.431824923 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:50.701349020 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:50.701440096 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:50.957868099 CET	49744	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:50.971667051 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:50.972004890 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:51.232930899 CET	13527	49744	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:51.240814924 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:51.240953922 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:51.509495020 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:51.509670973 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:51.777699947 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:51.777831078 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:52.045835972 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:52.045934916 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:52.314860106 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:52.314974070 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:52.583288908 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:52.585428953 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:52.853586912 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:52.853761911 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:53.131726980 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:53.134107113 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:53.403244972 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:53.403343916 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:53.674995899 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:53.676291943 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:53.944113970 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:53.944233894 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:54.068289995 CET	49744	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:54.068381071 CET	49746	13527	192.168.2.4	110.92.66.246
Jan 24, 2021 10:25:54.212507010 CET	13527	49746	110.92.66.246	192.168.2.4
Jan 24, 2021 10:25:54.212594986 CET	49746	13527	192.168.2.4	110.92.66.246

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 24, 2021 10:23:13.309921980 CET	55854	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:13.332984924 CET	53	55854	8.8.8.8	192.168.2.4
Jan 24, 2021 10:23:13.920188904 CET	64549	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:13.943337917 CET	53	64549	8.8.8.8	192.168.2.4
Jan 24, 2021 10:23:14.716948032 CET	63153	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:14.740032911 CET	53	63153	8.8.8.8	192.168.2.4
Jan 24, 2021 10:23:15.511826038 CET	52991	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:15.535604000 CET	53	52991	8.8.8.8	192.168.2.4
Jan 24, 2021 10:23:16.968394041 CET	53700	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:16.991550922 CET	53	53700	8.8.8.8	192.168.2.4
Jan 24, 2021 10:23:17.860275030 CET	51726	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:17.883440971 CET	53	51726	8.8.8.8	192.168.2.4
Jan 24, 2021 10:23:19.125066996 CET	56794	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:19.150897026 CET	53	56794	8.8.8.8	192.168.2.4
Jan 24, 2021 10:23:19.983750105 CET	56534	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:20.006917000 CET	53	56534	8.8.8.8	192.168.2.4
Jan 24, 2021 10:23:20.637813091 CET	56627	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:20.664338112 CET	53	56627	8.8.8.8	192.168.2.4
Jan 24, 2021 10:23:21.486450911 CET	56621	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:21.512278080 CET	53	56621	8.8.8.8	192.168.2.4
Jan 24, 2021 10:23:22.337990046 CET	63116	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:22.361217976 CET	53	63116	8.8.8.8	192.168.2.4
Jan 24, 2021 10:23:23.166867018 CET	64078	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:23.201261997 CET	53	64078	8.8.8.8	192.168.2.4
Jan 24, 2021 10:23:37.773974895 CET	64801	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:37.796924114 CET	53	64801	8.8.8.8	192.168.2.4
Jan 24, 2021 10:23:40.221301079 CET	61721	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:23:40.253931046 CET	53	61721	8.8.8.8	192.168.2.4
Jan 24, 2021 10:24:03.344569921 CET	51255	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:24:03.370654106 CET	53	51255	8.8.8.8	192.168.2.4
Jan 24, 2021 10:24:32.072946072 CET	61522	53	192.168.2.4	8.8.8.8
Jan 24, 2021 10:24:32.110757113 CET	53	61522	8.8.8.8	192.168.2.4

HTTP Request Dependency Graph

110.92.66.246:13527

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49744	110.92.66.246	13527	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Timestamp	kBytes transferred	Direction	Data
Jan 24, 2021 10:23:44.673149109 CET	405	OUT	GET /\ HTTP/1.1 Connection: Upgrade Sec-WebSocket-Key: FCzEFfJJGECxZCsRaGKFlJqHW Sec-WebSocket-Version: 13 Upgrade: websocket Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits Host: 110.92.66.246:13527

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	110.92.66.246	13527	192.168.2.4	49744	C:\Users\user\zT6Nm@i4\PMRunner64.exe

Timestamp	kBytes transferred	Direction	Data
Jan 24, 2021 10:23:44.892343998 CET	406	IN	HTTP/1.1 101 Switching Protocols Connection: Upgrade Upgrade: WebSocket Sec-WebSocket-Accept: J6aOSpBDe/Sy9K0gZYEbzVgYYn8= Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49745	110.92.66.246	13527	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Timestamp	kBytes transferred	Direction	Data
Jan 24, 2021 10:23:50.193909883 CET	407	OUT	GET /\ HTTP/1.1 Connection: Upgrade Sec-WebSocket-Key: hVvGEJDDITDIJDJeQLtIKCsnC Sec-WebSocket-Version: 13 Upgrade: websocket Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits Host: 110.92.66.246:13527

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	110.92.66.246	13527	192.168.2.4	49745	C:\Users\user\zT6Nm@i4\PMRunner64.exe

Timestamp	kBytes transferred	Direction	Data
Jan 24, 2021 10:23:50.387290955 CET	407	IN	HTTP/1.1 101 Switching Protocols Connection: Upgrade Upgrade: WebSocket Sec-WebSocket-Accept: Zt5ptgVJyb+M21WHDTqV3GKtCPo= Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49746	110.92.66.246	13527	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe

Timestamp	kBytes transferred	Direction	Data
Jan 24, 2021 10:23:54.288530111 CET	607	OUT	GET /\ HTTP/1.1 Connection: Upgrade Sec-WebSocket-Key: IKBXBepAaaBfkIYjnCKuMRKkF Sec-WebSocket-Version: 13 Upgrade: websocket Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits Host: 110.92.66.246:13527

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	110.92.66.246	13527	192.168.2.4	49746	C:\Users\user\zT6Nm@i4\PMRunner64.exe

Timestamp	kBytes transferred	Direction	Data
Jan 24, 2021 10:23:54.507450104 CET	607	IN	HTTP/1.1 101 Switching Protocols Connection: Upgrade Upgrade: WebSocket Sec-WebSocket-Accept: Kj9tthj3c2jmoKNtKOHJo/S2svQ= Content-Length: 0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe PID: 4164 Parent PID: 5908

General

Start time:	10:23:18
Start date:	24/01/2021
Path:	C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe'
Imagebase:	0x140000000
File size:	3150336 bytes
MD5 hash:	6665909A2652C5860FD874CB15C3991C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: zr.exe PID: 6340 Parent PID: 4164

General

Start time:	10:23:22
Start date:	24/01/2021
Path:	C:\Users\user\zT6Nm@i4\zr.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\zT6Nm@i4\zr.exe' a 'C:\Users\user\zT6Nm@i4\111.7z' 'C:\Users\user\zT6Nm@i4\TXP\*'
Imagebase:	0x400000
File size:	461088 bytes
MD5 hash:	045FCBE6C174AFA9A6A998BDD6F9FAD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 6356 Parent PID: 6340

General

Start time:	10:23:22
Start date:	24/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6648 Parent PID: 4164

General

Start time:	10:23:24
Start date:	24/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /C 'C:\Users\user\zT6Nm@i4\copy.bat'
Imagebase:	0x7ff622070000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6700 Parent PID: 6648

General

Start time:	10:23:24
Start date:	24/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: zr.exe PID: 6800 Parent PID: 6796

General

Start time:	10:23:28
Start date:	24/01/2021
Path:	C:\ProgramData\Microsoft\zr.exe
Wow64 process (32bit):	true
Commandline:	'C:\ProgramData\Microsoft\zr.exe' x C:\ProgramData\Microsoft\111.7z -y
Imagebase:	0x400000
File size:	461088 bytes
MD5 hash:	045FCBE6C174AFA9A6A998BDD6F9FAD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 6656 Parent PID: 6800

General

Start time:	10:23:28
Start date:	24/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: PMRunner64.exe PID: 7120 Parent PID: 4164

General

Start time:	10:23:37
Start date:	24/01/2021
Path:	C:\Users\user\zT6Nm@i4\PMRunner64.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\zT6Nm@i4\PMRunner64.exe'
Imagebase:	0x7ff7a5160000
File size:	271704 bytes
MD5 hash:	65DBB57517611D9DE8CE522022DCD727
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: PMRunner64.exe PID: 6492 Parent PID: 3424

General

Start time:	10:23:48
Start date:	24/01/2021
Path:	C:\Users\user\zT6Nm@i4\PMRunner64.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\zT6Nm@i4\PMRunner64.exe'
Imagebase:	0x7ff7a5160000
File size:	271704 bytes
MD5 hash:	65DBB57517611D9DE8CE522022DCD727
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: PMRunner64.exe PID: 6972 Parent PID: 3424

General

Start time:	10:23:56
Start date:	24/01/2021
Path:	C:\Users\user\zT6Nm@i4\PMRunner64.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\zT6Nm@i4\PMRunner64.exe'
Imagebase:	0x7ff7a5160000
File size:	271704 bytes
MD5 hash:	65DBB57517611D9DE8CE522022DCD727
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exe PID: 4164 Parent PID: 5908 #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.exeCOMMON

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	12%
Signature Coverage:	24.6%
Total number of Nodes:	1374
Total number of Limit Nodes:	59

Executed Functions

Function 00000001800090C0, Relevance: 83.1, APIs: 19, Strings: 28, Instructions: 864
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000180008A80: GetModuleFileNameA.KERNEL32 ref: 0000000180008AE8

SetFileAttributesW.KERNEL32 ref: 00000001800093ED
Sleep.KERNEL32 ref: 00000001800097F9
ShellExecuteExW.SHELL32 ref: 0000000180009940
Sleep.KERNEL32 ref: 000000018000994B
DeleteFileW.KERNEL32 ref: 0000000180009968

Part of subcall function 00000001800083B0: CoInitialize.OLE32 ref: 00000001800083E9

ShellExecuteW.SHELL32 ref: 0000000180009CF2
Sleep.KERNEL32 ref: 0000000180009CFD
DeleteFileW.KERNEL32 ref: 0000000180009D1A
DeleteFileW.KERNEL32 ref: 0000000180009D37
DeleteFileW.KERNEL32 ref: 0000000180009D54

Part of subcall function 00000001800030F0: GetModuleHandleA.KERNEL32 ref: 0000000180003130
Part of subcall function 00000001800030F0: GetProcAddress.KERNEL32 ref: 000000018000315D
Part of subcall function 00000001800030F0: GetProcAddress.KERNEL32 ref: 000000018000317C
Part of subcall function 00000001800030F0: GetProcAddress.KERNEL32 ref: 00000001800031A1
Part of subcall function 00000001800030F0: GetProcAddress.KERNEL32 ref: 00000001800031CC
Part of subcall function 00000001800030F0: GetProcAddress.KERNEL32 ref: 00000001800031F5

Sleep.KERNEL32 ref: 0000000180009DE6
DeleteFileW.KERNEL32 ref: 0000000180009E03
DeleteFileW.KERNEL32 ref: 0000000180009E20
DeleteFileW.KERNEL32 ref: 0000000180009E3D
Sleep.KERNEL32 ref: 0000000180009E48
ShellExecuteExW.SHELL32 ref: 0000000180009EA5
DeleteFileW.KERNEL32 ref: 0000000180009EC2
DeleteFileW.KERNEL32 ref: 0000000180009EDF
DeleteFileW.KERNEL32 ref: 0000000180009EFC

Strings

\TXP\Windows\Start Menu\Programs\Startup\Realtek, xrefs: 00000001800095EB
C:\Windows\System32\cmd.exe, xrefs: 0000000180009449
", xrefs: 0000000180009AE5, 0000000180009BBB
\Microsoft\, xrefs: 00000001800092B0
\ru2.url, xrefs: 000000018000996E
\TXP\*, xrefs: 000000018000966D
runas, xrefs: 0000000180009CE9
\run.lnk, xrefs: 0000000180009564
URL=file:///, xrefs: 00000001800099BC
\run001.lnk, xrefs: 000000018000959A
-y, xrefs: 00000001800097AE
\copy.bat, xrefs: 0000000180009549
111.7z, xrefs: 0000000180009778
\111.7z, xrefs: 000000018000945D, 0000000180009652
\zr.exe", xrefs: 00000001800094AE
/c , xrefs: 0000000180009A57
\PMRunner64.exe, xrefs: 00000001800095D0
\run003.lnk, xrefs: 00000001800095B5
\zr.exe, xrefs: 0000000180009478
\TXP\Windows\Start Menu\Programs\Startup, xrefs: 00000001800093F3
[InternetShortcut], xrefs: 00000001800099A8
" ", xrefs: 00000001800096A1
zr.exe, xrefs: 000000018000975D
\111.7z", xrefs: 000000018000950D
x , xrefs: 000000018000979A
\run002.lnk, xrefs: 000000018000957F
a ", xrefs: 000000018000968F
copy , xrefs: 0000000180009B03, 0000000180009BD1

Memory Dump Source

Source File: 00000000.00000002.687465392.0000000180001000.00000040.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.687461542.0000000180000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.687487410.0000000180027000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687575907.00000001800DC000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687581595.00000001800E1000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687591899.00000001800EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: File$Delete$AddressProcSleep$ExecuteShell$Module$AttributesHandleInitializeName
String ID: -y$ /c $ x $"$" "$111.7z$C:\Windows\System32\cmd.exe$URL=file:///$[InternetShortcut]$\111.7z$\111.7z"$\Microsoft\$\PMRunner64.exe$\TXP\*$\TXP\Windows\Start Menu\Programs\Startup$\TXP\Windows\Start Menu\Programs\Startup\Realtek$\copy.bat$\ru2.url$\run.lnk$\run001.lnk$\run002.lnk$\run003.lnk$\zr.exe$\zr.exe"$a "$copy $runas$zr.exe
API String ID: 1447988764-2956462178
Opcode ID: 0b7d18145ae30151f17328b5e1a2a75291c60442eb6ff8648fb8f4eb0540d4f5
Instruction ID: 93b6c1ea5101e8c75e4868764a802d8d76c1f54b48229b35d8eeac1166df4d8b
Opcode Fuzzy Hash: 0b7d18145ae30151f17328b5e1a2a75291c60442eb6ff8648fb8f4eb0540d4f5
Instruction Fuzzy Hash: C7B2F532215AC9D9EBB2DF60DC983CD33A5FB4938CF508126E6494AAA9DF748748C744

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002007C, Relevance: 51.4, APIs: 34, Instructions: 370
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140018580: GetWindowDC.USER32 ref: 00000001400185BF

GetDeviceCaps.GDI32 ref: 00000001400200DA
DeleteObject.GDI32 ref: 000000014002014A
DeleteObject.GDI32 ref: 000000014002016D
DeleteObject.GDI32 ref: 0000000140020190
DeleteObject.GDI32 ref: 00000001400201B3
DeleteObject.GDI32 ref: 00000001400201D6
DeleteObject.GDI32 ref: 00000001400201F9
DeleteObject.GDI32 ref: 000000014002021D
DeleteObject.GDI32 ref: 0000000140020240
DeleteObject.GDI32 ref: 0000000140020263
DeleteObject.GDI32 ref: 0000000140020287
GetTextCharsetInfo.GDI32 ref: 00000001400202B3
lstrcpyW.KERNEL32 ref: 000000014002030A
EnumFontFamiliesW.GDI32 ref: 0000000140020333
lstrcpyW.KERNEL32 ref: 0000000140020349
EnumFontFamiliesW.GDI32 ref: 000000014002036B
lstrcpyW.KERNEL32 ref: 0000000140020388
CreateFontIndirectW.GDI32 ref: 0000000140020393
CreateFontIndirectW.GDI32 ref: 00000001400203E2
CreateFontIndirectW.GDI32 ref: 0000000140020421
CreateFontIndirectW.GDI32 ref: 0000000140020456
CreateFontIndirectW.GDI32 ref: 0000000140020480
GetSystemMetrics.USER32 ref: 00000001400204A7
lstrcpyW.KERNEL32 ref: 00000001400204BF
CreateFontIndirectW.GDI32 ref: 00000001400204CA
GetStockObject.GDI32 ref: 00000001400204F8
GetObjectW.GDI32 ref: 0000000140020518
lstrcpyW.KERNEL32 ref: 000000014002055D
CreateFontIndirectW.GDI32 ref: 0000000140020568
CreateFontIndirectW.GDI32 ref: 0000000140020582
GetStockObject.GDI32 ref: 0000000140020598
GetObjectW.GDI32 ref: 00000001400205B4
CreateFontIndirectW.GDI32 ref: 00000001400205C4
CreateFontIndirectW.GDI32 ref: 00000001400205E7

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Object$Font$CreateDeleteIndirect$lstrcpy$EnumFamiliesStock$CapsCharsetDeviceInfoMetricsSystemTextWindow
String ID:
API String ID: 3508414979-0
Opcode ID: 6e20358c550147889875c32589333509f05a43fb427871e5c131736143bd45e8
Instruction ID: ba0818e02d43f36292fe1763b5b1dc41ae99007347e22566d4449ffcd63f51a3
Opcode Fuzzy Hash: 6e20358c550147889875c32589333509f05a43fb427871e5c131736143bd45e8
Instruction Fuzzy Hash: AA029132205B8186EB16DB27E4587DE73A5FB8CB80F54412AEB4A477B6DF38CA55C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400206A8, Relevance: 40.4, APIs: 11, Strings: 12, Instructions: 185
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32 ref: 000000014002083D
GetSystemMetrics.USER32 ref: 0000000140020848
GetProcAddress.KERNEL32 ref: 00000001400208C8
GetProcAddress.KERNEL32 ref: 00000001400208E3
GetProcAddress.KERNEL32 ref: 00000001400208FE
GetProcAddress.KERNEL32 ref: 0000000140020919
GetProcAddress.KERNEL32 ref: 0000000140020934
GetProcAddress.KERNEL32 ref: 000000014002094F
GetProcAddress.KERNEL32 ref: 00000001400209AA
GetProcAddress.KERNEL32 ref: 00000001400209C5
GetProcAddress.KERNEL32 ref: 00000001400209E0

Strings

DwmIsCompositionEnabled, xrefs: 00000001400209D2
UxTheme.dll, xrefs: 00000001400208A2
BufferedPaintInit, xrefs: 00000001400208F0
EndBufferedPaint, xrefs: 0000000140020941
DrawThemeParentBackground, xrefs: 00000001400208BE
BufferedPaintUnInit, xrefs: 000000014002090B
2, xrefs: 0000000140020A87
DwmExtendFrameIntoClientArea, xrefs: 00000001400209A0
DrawThemeTextEx, xrefs: 00000001400208D5
dwmapi.dll, xrefs: 0000000140020988
DwmDefWindowProc, xrefs: 00000001400209B7
BeginBufferedPaint, xrefs: 0000000140020926

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AddressProc$MetricsSystemVersion
String ID: 2$BeginBufferedPaint$BufferedPaintInit$BufferedPaintUnInit$DrawThemeParentBackground$DrawThemeTextEx$DwmDefWindowProc$DwmExtendFrameIntoClientArea$DwmIsCompositionEnabled$EndBufferedPaint$UxTheme.dll$dwmapi.dll
API String ID: 1222729687-1204417773
Opcode ID: 640cb516b391a9670892f916f81da503ebf25ab51b1c1c0c5dd2ccf9962feaeb
Instruction ID: 0b87f6db654519b9e357d8e4bbde514ea029f2e38b1e6f5a1e06d387e5297a55
Opcode Fuzzy Hash: 640cb516b391a9670892f916f81da503ebf25ab51b1c1c0c5dd2ccf9962feaeb
Instruction Fuzzy Hash: 4EB17232102B8085D782CF25E9883C973E8F758F88F68423ADA994B7B4DF758566C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140001D04, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 136
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0000000140001D67
WSASocketW.WS2_32 ref: 0000000140001DA2
gethostname.WS2_32 ref: 0000000140001DB7
gethostbyname.WS2_32 ref: 0000000140001DC1
inet_ntoa.WS2_32 ref: 0000000140001DE3
htons.WS2_32 ref: 0000000140001E7A
bind.WS2_32 ref: 0000000140001EAA
WSAIoctl.WS2_32 ref: 0000000140001EFB

Strings

WSAStartup() failed !, xrefs: 0000000140001D76
(, xrefs: 0000000140001ED3

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: IoctlSocketStartupbindgethostbynamegethostnamehtonsinet_ntoa
String ID: ($WSAStartup() failed !
API String ID: 869787016-1840855788
Opcode ID: a1724c3947eac58366e16062bc919f93eab0225298c8d248ad04712b7f06633c
Instruction ID: abde9fe847369afca694e80603aa4d59ef7abe8d1995be759e01ea42c053a72f
Opcode Fuzzy Hash: a1724c3947eac58366e16062bc919f93eab0225298c8d248ad04712b7f06633c
Instruction Fuzzy Hash: D0614972210A85C6E711DF26E8443DE73A1F788BA8F504226EB6943BF9DF78C944CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002D40, Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 228
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000180002BC0: RtlpNtOpenKey.NTDLL ref: 0000000180002C36

CoGetObject.OLE32 ref: 0000000180002EEE
CoGetObject.OLE32 ref: 0000000180003011
Sleep.KERNEL32 ref: 0000000180003042

Strings

Software\Microsoft\Windows NT\CurrentVersion\ICM\Calibration, xrefs: 0000000180002F29, 0000000180003052
Elevation:Administrator!new:, xrefs: 0000000180002E53, 0000000180002F7E
{D2E7041B-2927-42fb-8E9F-7CE93B6DC937}, xrefs: 0000000180002D95
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 0000000180002DBA
DisplayCalibrator, xrefs: 0000000180002F1D, 000000018000304B
0, xrefs: 0000000180002E61

Memory Dump Source

Source File: 00000000.00000002.687465392.0000000180001000.00000040.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.687461542.0000000180000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.687487410.0000000180027000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687575907.00000001800DC000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687581595.00000001800E1000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687591899.00000001800EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Object$OpenRtlpSleep
String ID: 0$DisplayCalibrator$Elevation:Administrator!new:$Software\Microsoft\Windows NT\CurrentVersion\ICM\Calibration${3E5FC7F9-9A51-4367-9063-A120244FBEC7}${D2E7041B-2927-42fb-8E9F-7CE93B6DC937}
API String ID: 145628415-2722874554
Opcode ID: 71c1ed6a255fbbc55cbc742e89c039c3efaa5b5e8a4c4d05442f49652f36c115
Instruction ID: 3d22a9c014b2c50595b803851a73d9406be8ec9c41fdbb561083845071600a94
Opcode Fuzzy Hash: 71c1ed6a255fbbc55cbc742e89c039c3efaa5b5e8a4c4d05442f49652f36c115
Instruction Fuzzy Hash: CFA1AC32201B8986EBA2CF65D4543EE73B5F788BC4F958026EA4E57794DF39C64AC700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800088E0, Relevance: 12.1, APIs: 8, Instructions: 99
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsW.SHLWAPI ref: 0000000180008918
CreateFileW.KERNEL32 ref: 0000000180008948
CloseHandle.KERNEL32 ref: 0000000180008957
CreateFileW.KERNEL32 ref: 0000000180008980
WideCharToMultiByte.KERNEL32 ref: 00000001800089BD
WideCharToMultiByte.KERNEL32 ref: 0000000180008A1C
WriteFile.KERNEL32 ref: 0000000180008A43
CloseHandle.KERNEL32 ref: 0000000180008A54

Memory Dump Source

Source File: 00000000.00000002.687465392.0000000180001000.00000040.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.687461542.0000000180000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.687487410.0000000180027000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687575907.00000001800DC000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687581595.00000001800E1000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687591899.00000001800EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: File$ByteCharCloseCreateHandleMultiWide$ExistsPathWrite
String ID:
API String ID: 3442908436-0
Opcode ID: ac78027ac64b0131ad8d5dfb6cd97fbb9e766a431a12132b64382382f9cf3557
Instruction ID: f9c5d8892a1a710cfd8f56384370cc769670959436ea0070a1bd9b4e451b01c3
Opcode Fuzzy Hash: ac78027ac64b0131ad8d5dfb6cd97fbb9e766a431a12132b64382382f9cf3557
Instruction Fuzzy Hash: 0A417332208B4486E7A1DB61B45439AB7E4FB8DBE4F448714FEE903B94DF38C2599B00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400025A0, Relevance: 9.1, APIs: 6, Instructions: 74windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400024DC: _itow.LIBCMT ref: 0000000140002525
Part of subcall function 00000001400024DC: _itow.LIBCMT ref: 0000000140002539
Part of subcall function 00000001400024DC: _itow.LIBCMT ref: 000000014000254D

IsIconic.USER32 ref: 00000001400025E1

Part of subcall function 0000000140018624: BeginPaint.USER32(?,?,?,?,?,0000000140007B6C), ref: 000000014001865E

SendMessageW.USER32 ref: 000000014000260A
GetSystemMetrics.USER32 ref: 0000000140002615
GetSystemMetrics.USER32 ref: 0000000140002622
GetClientRect.USER32 ref: 0000000140002642
DrawIcon.USER32 ref: 0000000140002676

Part of subcall function 0000000140018684: EndPaint.USER32(?,?,?,?,?,0000000140007B93), ref: 00000001400186AC

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: _itow$MetricsPaintSystem$BeginClientDrawIconIconicMessageRectSend
String ID:
API String ID: 3149539040-0
Opcode ID: 1f52d9892fc033aacd12757219a004e32a9f7d8e2f55fffd1daee766a8be0e4a
Instruction ID: 3c1b81e64eed35604fa1b727d889692916ab584ce914eb87054886437c589e36
Opcode Fuzzy Hash: 1f52d9892fc033aacd12757219a004e32a9f7d8e2f55fffd1daee766a8be0e4a
Instruction Fuzzy Hash: E2311476720A518AE720DFB6E4487DD33B1F388B89F450125EF0A97BA8CF79D4068780

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140032378, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000001400323BA
LoadLibraryW.KERNEL32 ref: 00000001400323CD
GetProcAddress.KERNEL32 ref: 00000001400323EB

Strings

DllGetVersion, xrefs: 00000001400323E4

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: DllGetVersion
API String ID: 310444273-2861820592
Opcode ID: 0ebd61c28081fcb884182ff04e9529567bc3d32a7f56ff65f6f08314e1981eb9
Instruction ID: 6cad01e5c74d91966e8b677f397e00e8319b1b426cda1d04192f9f397e4fbf14
Opcode Fuzzy Hash: 0ebd61c28081fcb884182ff04e9529567bc3d32a7f56ff65f6f08314e1981eb9
Instruction Fuzzy Hash: 8A213B32211B4086EB52DF26E89079A73A0FB8CB98F584225EB4D477B9DF38C995C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140002BFC, Relevance: 6.3, APIs: 5, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,00000001400012C0), ref: 0000000140002C49
VirtualAlloc.KERNEL32(?,?,?,00000001400012C0), ref: 0000000140002C63

Part of subcall function 0000000140002B4C: FreeLibrary.KERNEL32(?,?,?,0000000140002D3F,?,?,?,00000001400012C0), ref: 0000000140002BA6
Part of subcall function 0000000140002B4C: free.LIBCMT ref: 0000000140002BBB
Part of subcall function 0000000140002B4C: VirtualFree.KERNEL32(?,?,?,0000000140002D3F,?,?,?,00000001400012C0), ref: 0000000140002BD1
Part of subcall function 0000000140002B4C: GetProcessHeap.KERNEL32(?,?,?,0000000140002D3F,?,?,?,00000001400012C0), ref: 0000000140002BD7
Part of subcall function 0000000140002B4C: HeapFree.KERNEL32(?,?,?,0000000140002D3F,?,?,?,00000001400012C0), ref: 0000000140002BE5

GetProcessHeap.KERNEL32(?,?,?,00000001400012C0), ref: 0000000140002C75
HeapAlloc.KERNEL32(?,?,?,00000001400012C0), ref: 0000000140002C84
VirtualAlloc.KERNEL32(?,?,?,00000001400012C0), ref: 0000000140002CB0

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AllocHeapVirtual$Free$Process$Libraryfree
String ID:
API String ID: 534261519-0
Opcode ID: 572f210408234179bb4c2529e6a5b75765f13b61671de806369ca9f7f2e712cf
Instruction ID: 1dce4e28f6f9c210d6635de50933b2b48fb5f85bea8c104e9e161a8a76fd7a4b
Opcode Fuzzy Hash: 572f210408234179bb4c2529e6a5b75765f13b61671de806369ca9f7f2e712cf
Instruction Fuzzy Hash: 514167B2710B5087EB56DB23E444B9973A5FB88FC4F048425EF0907BA5DF38D9528B40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400081A8, Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32 ref: 00000001400081F6
LoadResource.KERNEL32 ref: 0000000140008202
LockResource.KERNEL32 ref: 0000000140008213
FreeResource.KERNEL32 ref: 0000000140008269

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 165f5693d75f84c7fa48eb26979c0dbee78286aa5e3c49a8e6288fba64c6bde6
Instruction ID: c4840c82f48973f2062049cc9a8f6c088ec2b1e624f49f12e32064f18c936bc1
Opcode Fuzzy Hash: 165f5693d75f84c7fa48eb26979c0dbee78286aa5e3c49a8e6288fba64c6bde6
Instruction Fuzzy Hash: 8E212C76201A9086EA69DB53E1447AA73B4F74CFD0F189025EF9617764DF38D8A1C350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140011818, Relevance: .8, Instructions: 784COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e1589992e68cefba459b03effaeb64b274bfdb1d9f6b9e6ee26cfff7f953610
Instruction ID: f95b4dfa41e25c5450a222336757182446aeac68f02e92ac0cff84c60cad2bc7
Opcode Fuzzy Hash: 1e1589992e68cefba459b03effaeb64b274bfdb1d9f6b9e6ee26cfff7f953610
Instruction Fuzzy Hash: 2D52F07121669482FEAA8B17A0503FE92E1F7CDBC4F944916BB5A5F7F6DE3AC4018340

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001F9A8, Relevance: 63.3, APIs: 42, Instructions: 305
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColor.USER32 ref: 000000014001F9C9
GetSysColor.USER32 ref: 000000014001F9E0
GetSysColor.USER32 ref: 000000014001F9FB
GetSysColor.USER32 ref: 000000014001FA07
GetDeviceCaps.GDI32 ref: 000000014001FA37
GetSysColor.USER32 ref: 000000014001FA45
GetSysColor.USER32 ref: 000000014001FA58
GetSysColor.USER32 ref: 000000014001FA67
GetSysColor.USER32 ref: 000000014001FA76
GetSysColor.USER32 ref: 000000014001FA85
GetSysColor.USER32 ref: 000000014001FA94
GetSysColor.USER32 ref: 000000014001FAA3
GetSysColor.USER32 ref: 000000014001FAAF
GetSysColor.USER32 ref: 000000014001FABB
GetSysColor.USER32 ref: 000000014001FAC7
GetSysColor.USER32 ref: 000000014001FAD3
GetSysColor.USER32 ref: 000000014001FAE2
GetSysColor.USER32 ref: 000000014001FAEE
GetSysColor.USER32 ref: 000000014001FAFA
GetSysColor.USER32 ref: 000000014001FB06
GetSysColor.USER32 ref: 000000014001FB15
GetSysColor.USER32 ref: 000000014001FB24
GetSysColor.USER32 ref: 000000014001FB33
GetSysColor.USER32 ref: 000000014001FB42
GetSysColor.USER32 ref: 000000014001FB51
GetSysColor.USER32 ref: 000000014001FB60
GetSysColor.USER32 ref: 000000014001FB85
GetSysColorBrush.USER32 ref: 000000014001FB9E
GetSysColorBrush.USER32 ref: 000000014001FBBF
GetSysColorBrush.USER32 ref: 000000014001FBE0
CreateSolidBrush.GDI32 ref: 000000014001FC0B
CreateSolidBrush.GDI32 ref: 000000014001FC2F
CreateSolidBrush.GDI32 ref: 000000014001FC56
CreateSolidBrush.GDI32 ref: 000000014001FC7D
CreateSolidBrush.GDI32 ref: 000000014001FCA1
CreateSolidBrush.GDI32 ref: 000000014001FCC5
CreateSolidBrush.GDI32 ref: 000000014001FCE9
CreatePen.GDI32 ref: 000000014001FD15
CreatePen.GDI32 ref: 000000014001FD41
CreatePen.GDI32 ref: 000000014001FD6D
CreateSolidBrush.GDI32 ref: 000000014001FDFB
CreatePatternBrush.GDI32 ref: 000000014001FE51

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Color$BrushCreate$Solid$CapsDevicePattern
String ID:
API String ID: 3066057030-0
Opcode ID: 0f7036fb6bbea27879aad2033d7b4d5a438617b0ad9d88c595b36c9d5e1043bd
Instruction ID: df054a8aeaef4901d89132902dbb425bfd78e68d584666eaf35da574a2ddb19e
Opcode Fuzzy Hash: 0f7036fb6bbea27879aad2033d7b4d5a438617b0ad9d88c595b36c9d5e1043bd
Instruction Fuzzy Hash: F5E14F32614A409BE71AEF32D9987ED73A0FB4CB50F44412AE71A876B5EF35D568CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000DD34, Relevance: 24.2, APIs: 16, Instructions: 169
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetParent.USER32 ref: 000000014000DD81
SendMessageW.USER32 ref: 000000014000DDAA
GetWindowRect.USER32 ref: 000000014000DDC7
GetWindowLongW.USER32 ref: 000000014000DDF5
MonitorFromWindow.USER32 ref: 000000014000DE42
GetMonitorInfoW.USER32 ref: 000000014000DE4F
CopyRect.USER32 ref: 000000014000DE5D
GetWindowRect.USER32 ref: 000000014000DE6C
MonitorFromWindow.USER32 ref: 000000014000DE7A
GetMonitorInfoW.USER32 ref: 000000014000DE87
CopyRect.USER32 ref: 000000014000DE95
GetParent.USER32 ref: 000000014000DEA1
GetClientRect.USER32 ref: 000000014000DEB1
GetClientRect.USER32 ref: 000000014000DEBE
MapWindowPoints.USER32 ref: 000000014000DED4

Part of subcall function 0000000140013868: SetWindowPos.USER32 ref: 00000001400138A2

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$Rect$Monitor$ClientCopyFromInfoParent$LongMessagePointsSend
String ID:
API String ID: 3793286494-0
Opcode ID: 4829db703c72a4b1667981e976d7d1f3d847d7addd55380847b8a69cc083f036
Instruction ID: 037143d1b1de25fccbbce76c61d98701195cd9ff8c6e7541d4f57ef41192b5ed
Opcode Fuzzy Hash: 4829db703c72a4b1667981e976d7d1f3d847d7addd55380847b8a69cc083f036
Instruction Fuzzy Hash: 75714A72710A419AEB16DF7AE958BEC3371F748B88F444525EF0A5BB68DF38DA058700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800078D0, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 220
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfW.USER32 ref: 0000000180007AD7
wsprintfW.USER32 ref: 0000000180007AFD
CreateFileW.KERNEL32 ref: 0000000180007B3D
WriteFile.KERNEL32 ref: 0000000180007BC1
SetFileTime.KERNEL32 ref: 0000000180007BFF
CloseHandle.KERNEL32 ref: 0000000180007C0F

Strings

%s%s%s, xrefs: 0000000180007AC0
%s%s, xrefs: 0000000180007AEE
:, xrefs: 0000000180007AA9

Memory Dump Source

Source File: 00000000.00000002.687465392.0000000180001000.00000040.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.687461542.0000000180000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.687487410.0000000180027000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687575907.00000001800DC000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687581595.00000001800E1000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687591899.00000001800EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: File$wsprintf$CloseCreateHandleTimeWrite
String ID: %s%s$%s%s%s$:
API String ID: 1593831391-3034790606
Opcode ID: 6ca435d08f868a7fb59b5864507620b8abba209bd1707243c1eb47b977580503
Instruction ID: 257bdb6db1bc698dd34f08cf985adc463d67b8981ab06abec51fab1ebc6aecef
Opcode Fuzzy Hash: 6ca435d08f868a7fb59b5864507620b8abba209bd1707243c1eb47b977580503
Instruction Fuzzy Hash: 7AA1BF32B0468882EBA6DF24E0447EE73A0F398BD4F44C116EA9D436D6DF38CA59C741

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140001FB0, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 154
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMenu.USER32 ref: 0000000140001FDA
AppendMenuW.USER32 ref: 0000000140002064
AppendMenuW.USER32 ref: 0000000140002077
SendMessageW.USER32 ref: 00000001400020B0
SendMessageW.USER32 ref: 00000001400020C6
SendMessageW.USER32 ref: 00000001400020DF
malloc.LIBCMT ref: 00000001400021CF
free.LIBCMT ref: 00000001400021EC

Strings

7, xrefs: 000000014000219F

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MenuMessageSend$Append$Systemfreemalloc
String ID: 7
API String ID: 4160033202-1790921346
Opcode ID: e13a124cc6d6c21ff2076a7d1f7c7f4ed833d54a06439d5120dd0f58e92f47cb
Instruction ID: c2b7d3d1a5c8da7c22a6310bbddbd078a22331eb5d8edcb90667df8a85d2eff0
Opcode Fuzzy Hash: e13a124cc6d6c21ff2076a7d1f7c7f4ed833d54a06439d5120dd0f58e92f47cb
Instruction Fuzzy Hash: 2B619DB270068583EB2AEF26E4507DD7361F788B94F444126AB5E07BA6DF38D615CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140008560, Relevance: 15.2, APIs: 10, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32 ref: 00000001400085CD
LoadResource.KERNEL32 ref: 00000001400085D9

Part of subcall function 000000014000E7A0: UnhookWindowsHookEx.USER32 ref: 000000014000E7DB

LockResource.KERNEL32 ref: 00000001400085EF
GetDesktopWindow.USER32 ref: 000000014000864A
IsWindowEnabled.USER32 ref: 0000000140008658
EnableWindow.USER32 ref: 0000000140008667
EnableWindow.USER32 ref: 0000000140008798
GetActiveWindow.USER32 ref: 00000001400087A3
SetActiveWindow.USER32 ref: 00000001400087B2
FreeResource.KERNEL32 ref: 00000001400087D9

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$Resource$ActiveEnable$DesktopEnabledFindFreeHookLoadLockUnhookWindows
String ID:
API String ID: 3362358738-0
Opcode ID: 1f04c335932b7b39e38d81ef0b043124358677c3fe5e5b7eca59b54f1db274bd
Instruction ID: 78dc7e13a218d1ed90df5ca419bcf824c57a8f2e2315c260065f4e546a88426d
Opcode Fuzzy Hash: 1f04c335932b7b39e38d81ef0b043124358677c3fe5e5b7eca59b54f1db274bd
Instruction Fuzzy Hash: 0F6192B1209A8082EA6AEB23B5547EE63A1FB89FD1F144124EF9907BF5CF38C451C701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140019BFC, Relevance: 15.1, APIs: 10, Instructions: 112
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140019C1C
GlobalAlloc.KERNEL32 ref: 0000000140019CA1
GlobalHandle.KERNEL32 ref: 0000000140019CA9
GlobalUnlock.KERNEL32 ref: 0000000140019CB5
GlobalReAlloc.KERNEL32 ref: 0000000140019CE3
GlobalHandle.KERNEL32 ref: 0000000140019CF7
GlobalLock.KERNEL32 ref: 0000000140019D00
LeaveCriticalSection.KERNEL32 ref: 0000000140019D0A
GlobalLock.KERNEL32 ref: 0000000140019D19
LeaveCriticalSection.KERNEL32 ref: 0000000140019D6C

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: e186f3c6cf822b7ce866dc59da29ee821b0174ffe3a5d9fade48e8fe13873a7c
Instruction ID: 895e863caa3190588869d53b5269b22312ddbc91d1d2c12d49150f10eb7ae5fd
Opcode Fuzzy Hash: e186f3c6cf822b7ce866dc59da29ee821b0174ffe3a5d9fade48e8fe13873a7c
Instruction Fuzzy Hash: E841927270164083EB199B27E5983E873A1FB8CF81F014525EB6A4BBB5DF39D861C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140011140, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPropW.USER32 ref: 0000000140011194
CallWindowProcW.USER32 ref: 0000000140011211

Part of subcall function 000000014000F718: GetWindowRect.USER32 ref: 000000014000F76B
Part of subcall function 000000014000F718: GetWindow.USER32 ref: 000000014000F78D

SetWindowLongPtrW.USER32 ref: 000000014001123F
RemovePropW.USER32 ref: 000000014001124F
GlobalFindAtomW.KERNEL32 ref: 000000014001125C
GlobalDeleteAtom.KERNEL32 ref: 0000000140011265

Part of subcall function 000000014000D224: GetWindowRect.USER32 ref: 000000014000D238

CallWindowProcW.USER32 ref: 00000001400112D1

Strings

AfxOldWndProc423, xrefs: 000000014001118D, 0000000140011245, 0000000140011255

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindLongRemove
String ID: AfxOldWndProc423
API String ID: 3892049428-1060338832
Opcode ID: 5ea7d610ac5369d21026764f2c114df6279f9b325e1e7e04fd46d5daa6176d08
Instruction ID: 2f86615cc92b44afcfb2d4deea6798f5c9692d5f81e6059dab827d5bdf975efc
Opcode Fuzzy Hash: 5ea7d610ac5369d21026764f2c114df6279f9b325e1e7e04fd46d5daa6176d08
Instruction Fuzzy Hash: 5E41DE7220468481EA6A9B67B9947EA6390F78EFD4F000215FF9A0BBB6CF3DC0458741

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140014E80, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 0000000140014ECC
SetLastError.KERNEL32 ref: 0000000140014EE6
CreateActCtxW.KERNEL32 ref: 0000000140014F1E
CreateActCtxW.KERNEL32 ref: 0000000140014F3F
CreateActCtxW.KERNEL32 ref: 0000000140014F64

Strings

8, xrefs: 0000000140014EFB

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Create$ErrorFileLastModuleName
String ID: 8
API String ID: 1315026305-4194326291
Opcode ID: e3cf2ff7dc2ad093880fe1047c2e709ecf49a0301061600d0994d2d58b00cdc4
Instruction ID: 267122bbd1efd68ddfdb6baba0726041bceec1df597bb10a791beaf41949b997
Opcode Fuzzy Hash: e3cf2ff7dc2ad093880fe1047c2e709ecf49a0301061600d0994d2d58b00cdc4
Instruction Fuzzy Hash: E6310C32100B8485E7618F61E88438973A4F34CBA8F94432AEBAC5BBE4DF79C549CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001730, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventW.KERNEL32 ref: 0000000180001754
CreateEventW.KERNEL32 ref: 000000018000176B
OutputDebugStringW.KERNEL32 ref: 0000000180001784
OutputDebugStringW.KERNEL32 ref: 00000001800017B3

Strings

TLS callback: process attach, xrefs: 00000001800017AC
TLS callback: thread attach, xrefs: 000000018000177D

Memory Dump Source

Source File: 00000000.00000002.687465392.0000000180001000.00000040.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.687461542.0000000180000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.687487410.0000000180027000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687575907.00000001800DC000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687581595.00000001800E1000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687591899.00000001800EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CreateDebugEventOutputString
String ID: TLS callback: process attach$TLS callback: thread attach
API String ID: 2860077079-2667624547
Opcode ID: 91143723f62c5719960f3cbda51544ccb74cdddfd188f9b911d0301cc6200eba
Instruction ID: 13de91be540606a459de39574c6e4a4224f3989bcdd82a6e98ac9e425c767a12
Opcode Fuzzy Hash: 91143723f62c5719960f3cbda51544ccb74cdddfd188f9b911d0301cc6200eba
Instruction Fuzzy Hash: C2113574A02A088AF7D7CBE1B8957D832A1A78C3C5F48C121FD0A422A0DF39429DC710

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400D87FC, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400213E4: EnterCriticalSection.KERNEL32 ref: 0000000140021422
Part of subcall function 00000001400213E4: InitializeCriticalSection.KERNEL32 ref: 000000014002143E
Part of subcall function 00000001400213E4: LeaveCriticalSection.KERNEL32 ref: 0000000140021452

GetProfileIntW.KERNEL32 ref: 00000001400D8870
GetProfileIntW.KERNEL32 ref: 00000001400D8890

Strings

DragMinDist, xrefs: 00000001400D8862
DragDelay, xrefs: 00000001400D8882
windows, xrefs: 00000001400D8869, 00000001400D8889

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CriticalSection$Profile$EnterInitializeLeave
String ID: DragDelay$DragMinDist$windows
API String ID: 2203521320-2101198082
Opcode ID: e09f57b2594d6d87155fad0858b9837fe7f8f07bb651bf55aea1384f56e30652
Instruction ID: a30147725d4f5c4712633966980b7926cfb785217bf7f7cf62e7a26ea07aa225
Opcode Fuzzy Hash: e09f57b2594d6d87155fad0858b9837fe7f8f07bb651bf55aea1384f56e30652
Instruction Fuzzy Hash: 33112572521B059BF7129F26E44879833A0F799B3AF410219CB58466F6EBBDC589CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400082E8, Relevance: 7.7, APIs: 5, Instructions: 164COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 0000000140008441
CreateDialogIndirectParamW.USER32 ref: 000000014000847E
DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0000000140008517
GlobalUnlock.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0000000140008528
GlobalFree.KERNEL32 ref: 0000000140008531

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Global$CreateDestroyDialogFreeIndirectLockParamUnlockWindow
String ID:
API String ID: 1794613203-0
Opcode ID: 36ac5b6d9a8941413435bc60104badd2f5545f2797de695cf1081ff73b8fae9a
Instruction ID: bbd51f1b2c9fb3e4118800c6d872f8cf9958807669711ac25830b0edb4b905c1
Opcode Fuzzy Hash: 36ac5b6d9a8941413435bc60104badd2f5545f2797de695cf1081ff73b8fae9a
Instruction Fuzzy Hash: 1E51A372205B8182EA5AEB67A8503EE63A0FB89FD0F444129FF9A477A5DF34C845C701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140154BA4, Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,0000000140154CB9,?,?,?,?,0000000140024A3C), ref: 0000000140154BCD
DecodePointer.KERNEL32(?,?,?,0000000140154CB9,?,?,?,?,0000000140024A3C), ref: 0000000140154BDD

Part of subcall function 0000000140156F4C: _errno.LIBCMT ref: 0000000140156F55
Part of subcall function 0000000140156F4C: _invalid_parameter_noinfo.LIBCMT ref: 0000000140156F60

EncodePointer.KERNEL32(?,?,?,0000000140154CB9,?,?,?,?,0000000140024A3C), ref: 0000000140154C5B

Part of subcall function 000000014015C688: realloc.LIBCMT ref: 000000014015C6B3
Part of subcall function 000000014015C688: Sleep.KERNEL32(?,?,00000000,0000000140154C4B,?,?,?,0000000140154CB9,?,?,?,?,0000000140024A3C), ref: 000000014015C6CF

EncodePointer.KERNEL32(?,?,?,0000000140154CB9,?,?,?,?,0000000140024A3C), ref: 0000000140154C6B
EncodePointer.KERNEL32(?,?,?,0000000140154CB9,?,?,?,?,0000000140024A3C), ref: 0000000140154C78

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
String ID:
API String ID: 1909145217-0
Opcode ID: a7fef7b8352f96f2f49d7ed5bd03b0c279b3e847f99dc439c1538f6fa9b82a9d
Instruction ID: a63e4b148bcf802eadb84626116b67609d0dd805a4b65fed85d7b2360886a250
Opcode Fuzzy Hash: a7fef7b8352f96f2f49d7ed5bd03b0c279b3e847f99dc439c1538f6fa9b82a9d
Instruction Fuzzy Hash: 25212A31302B5482EB529B63E9583D9A3A5B78CFD8F484825DF4E0B7B5DB79C585C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140003484, Relevance: 7.5, APIs: 5, Instructions: 41libraryCOMMON

Download Yara Rule

APIs

ActivateActCtx.KERNEL32 ref: 00000001400034AD
LoadLibraryW.KERNEL32 ref: 00000001400034C4
GetLastError.KERNEL32 ref: 00000001400034DF
DeactivateActCtx.KERNEL32 ref: 00000001400034F2
SetLastError.KERNEL32 ref: 00000001400034FE

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivateLibraryLoad
String ID:
API String ID: 390198777-0
Opcode ID: c5e293d310dce74593145fdd518703decf3910f8a18384ca08f17969a4f0642b
Instruction ID: e683ef7653e9ea4f5a87a2d2965428b1415d152203efb5143b7486b6b6956aea
Opcode Fuzzy Hash: c5e293d310dce74593145fdd518703decf3910f8a18384ca08f17969a4f0642b
Instruction Fuzzy Hash: 59014C72204A4482EB629B27F84479AA6A4F78CFC1F194524EF594B778DF3DC4458700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140003E74, Relevance: 4.6, APIs: 3, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

memmove_s.LIBCMT ref: 0000000140003F20
memcpy_s.LIBCMT ref: 0000000140003F2A
memcpy_s.LIBCMT ref: 0000000140004017

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: memcpy_s$memmove_s
String ID:
API String ID: 2881915579-0
Opcode ID: d66fa21fcb89d196d5e04e7f4c5d1b6b1648c2faa10b73c18d9be65a92d589ef
Instruction ID: 13fe4325ec0dc38ce89534ee57184b7721bc25640689c3dc7bd55b1ae3a470b7
Opcode Fuzzy Hash: d66fa21fcb89d196d5e04e7f4c5d1b6b1648c2faa10b73c18d9be65a92d589ef
Instruction Fuzzy Hash: 035102B6701A4585EB0AEF17E5543EDA765FB8CBC0F548129FB1907BA5CB35C8118700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140002DC8, Relevance: 4.6, APIs: 3, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 0000000140002E23
RegQueryValueExW.ADVAPI32 ref: 0000000140002E53
RegCloseKey.ADVAPI32 ref: 0000000140002E9B

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: bc6cff4458073c524b4180194124dd8424f3298114f7fd20bf079c6d36e6a262
Instruction ID: f71c0bf15fb1f2bff4ea6d5df06f35f0f7136590934fe178f518f03e127045cf
Opcode Fuzzy Hash: bc6cff4458073c524b4180194124dd8424f3298114f7fd20bf079c6d36e6a262
Instruction Fuzzy Hash: 8E314FB3610A80DBEB61CF22E884BD933A0F3187ADF541215FB0D47AA8DB78D885C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400024DC, Relevance: 4.5, APIs: 3, Instructions: 47COMMON

Download Yara Rule

APIs

_itow.LIBCMT ref: 0000000140002525

Part of subcall function 000000014016B25C: xtoa.LIBCMT ref: 000000014016B278

_itow.LIBCMT ref: 0000000140002539
_itow.LIBCMT ref: 000000014000254D

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: _itow$xtoa
String ID:
API String ID: 158661582-0
Opcode ID: 2d3a3922f5f7bf6a16deb8c4cf1b51d91c40a4b8389e27c9e8f5e2d084831faf
Instruction ID: b08afd1a056ea51c603aae7d80a7b9ad8b178cd6cbdc143748c19d4b4bf88a9f
Opcode Fuzzy Hash: 2d3a3922f5f7bf6a16deb8c4cf1b51d91c40a4b8389e27c9e8f5e2d084831faf
Instruction Fuzzy Hash: 8411A13035028087E606AB43A8507EE621697CAFD0F184038BF4B0BBEBCD3DD9018740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014015F848, Relevance: 4.5, APIs: 3, Instructions: 46memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014015F86B
RtlAllocateHeap.NTDLL(?,?,00000000,000000014015C637,?,?,?,000000014015AA8B,?,?,00000018,0000000140156059), ref: 000000014015F89F
_callnewh.LIBCMT ref: 000000014015F8B6

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AllocateHeap_callnewh_errno
String ID:
API String ID: 638267422-0
Opcode ID: 962dab79c17ac8fdfe494987895a3bdba823120161847823926d89dbeb5fb5f9
Instruction ID: bd87de62efebc8666f019b4e36733f6b9f93f433b82a5b8de8421a7ef3ee8fb6
Opcode Fuzzy Hash: 962dab79c17ac8fdfe494987895a3bdba823120161847823926d89dbeb5fb5f9
Instruction Fuzzy Hash: D7114C3130664086FF5B5B27D6447E962D19B9CFE4F0C8A288B254F6F8EBBAC8509741

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002BC0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

RtlpNtOpenKey.NTDLL ref: 0000000180002C36

Strings

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UAC\COMAutoApprovalList, xrefs: 0000000180002BE7

Memory Dump Source

Source File: 00000000.00000002.687465392.0000000180001000.00000040.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.687461542.0000000180000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.687487410.0000000180027000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687575907.00000001800DC000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687581595.00000001800E1000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687591899.00000001800EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: OpenRtlp
String ID: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UAC\COMAutoApprovalList
API String ID: 2893929204-3411063540
Opcode ID: fa70462b364a80615b0930a94f141768019b09ba859b160873eb653f66363a18
Instruction ID: 4e2fa412fe1fe2dc53f04cfb5f2bb0b0e9ab8309a6190356007f67e43cb60965
Opcode Fuzzy Hash: fa70462b364a80615b0930a94f141768019b09ba859b160873eb653f66363a18
Instruction Fuzzy Hash: BA315273210B949AE762CF21D880BD937A4F748B98F559126FE4E47B58EF34C299C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140001B30, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 0000000140001B8C

Strings

_ElvFunc, xrefs: 0000000140001B6E

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: _ElvFunc
API String ID: 2941638530-892560642
Opcode ID: 63292f68687b78b892faa5132dc7df1c91f24965a4bf1d27da3cff898d41be5d
Instruction ID: f16652dd2ad1ccccb50743743bf8797549a40be6db1820eeedfdcb6abf0a19a5
Opcode Fuzzy Hash: 63292f68687b78b892faa5132dc7df1c91f24965a4bf1d27da3cff898d41be5d
Instruction Fuzzy Hash: 59017C71601A0582EA05AB2AE8513993760FBC5BB4F904315E77D477F1DF38C851C744

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400BEC6C, Relevance: 3.1, APIs: 2, Instructions: 125COMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32 ref: 00000001400BEDF4
CreateCompatibleDC.GDI32 ref: 00000001400BEE03

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CompatibleCreate
String ID:
API String ID: 3111197059-0
Opcode ID: d768af12ff248e0dc69eb8f7ae5a68ae799214d7741860193fc106a586396ce7
Instruction ID: 491e10b16f643cb53afe7b0906ba9bd223f1a44cb6e357fdd09642c73fc5146a
Opcode Fuzzy Hash: d768af12ff248e0dc69eb8f7ae5a68ae799214d7741860193fc106a586396ce7
Instruction Fuzzy Hash: 1761C772501B8085E7418F35E9403D8B7FCFB68B98F18423ADB984BBA9DF7485A4C790

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400027B0, Relevance: 3.1, APIs: 2, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00000000,0000000140002D0A,?,?,?,00000001400012C0), ref: 0000000140002822
VirtualProtect.KERNEL32(?,?,00000000,0000000140002D0A,?,?,?,00000001400012C0), ref: 000000014000287F

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Virtual$FreeProtect
String ID:
API String ID: 2581862158-0
Opcode ID: ba379bad051316654865e9e4f062ac2559f8c53fb75408cf511cbb70a9974521
Instruction ID: 6fa6472316e2e36f3fdfda8698bd75f220f27b5464f7fd7630ac82b1b076d477
Opcode Fuzzy Hash: ba379bad051316654865e9e4f062ac2559f8c53fb75408cf511cbb70a9974521
Instruction Fuzzy Hash: 263189B6705A4087E756CF2AE944BAD37A1F788FC8F588102EF4A573A8DB38C945C701

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001E6EC, Relevance: 3.1, APIs: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140018580: GetWindowDC.USER32 ref: 00000001400185BF

Part of subcall function 00000001400188D4: SelectObject.GDI32(?,?,00000000,0000000140015F78), ref: 0000000140018904
Part of subcall function 00000001400188D4: SelectObject.GDI32(?,?,00000000,0000000140015F78), ref: 000000014001891F

GetTextMetricsW.GDI32 ref: 000000014001E758
GetTextMetricsW.GDI32 ref: 000000014001E79C

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MetricsObjectSelectText$Window
String ID:
API String ID: 1921638516-0
Opcode ID: ddc070019667d21379c3b817bdd11dc7e27ea87d0b22340df5dfd395e228ff35
Instruction ID: 2b999344856c4920b47872e0c1a9f444ca52aabea943806e20093fb7cacb8386
Opcode Fuzzy Hash: ddc070019667d21379c3b817bdd11dc7e27ea87d0b22340df5dfd395e228ff35
Instruction Fuzzy Hash: CF310432701A84ABEB19DF66D8943DD7361F748798F840126AF2A8B7A9DF34CA15C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000F718, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 000000014000F76B
GetWindow.USER32 ref: 000000014000F78D

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$Rect
String ID:
API String ID: 3200805268-0
Opcode ID: 219e5de8ba322cade749662eb6f286d127ba8eab8d5a7ab829fb69757d066e4e
Instruction ID: fc8538277c9b0b3a4ac940275272186486788c04e14fa9dc4ce47b408ac318ef
Opcode Fuzzy Hash: 219e5de8ba322cade749662eb6f286d127ba8eab8d5a7ab829fb69757d066e4e
Instruction Fuzzy Hash: 52113D7221464086EB25DB23F5543AA73A1FB8CFD9F448525EB4D47BA5EF38C8109B01

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800086A0, Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32 ref: 00000001800086D2
SHGetPathFromIDListW.SHELL32 ref: 00000001800086F9

Memory Dump Source

Source File: 00000000.00000002.687465392.0000000180001000.00000040.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.687461542.0000000180000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.687487410.0000000180027000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687575907.00000001800DC000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687581595.00000001800E1000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687591899.00000001800EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: FolderFromListLocationPathSpecial
String ID:
API String ID: 4082711253-0
Opcode ID: 71f2c1e93379fa6d12e89ff48aadce70b3cdc56e47d51651213bfe1d93b94b13
Instruction ID: a56562d9700250eb7056d02fef5906dc8bc8b0d2183487c3eabc0b89e9b51620
Opcode Fuzzy Hash: 71f2c1e93379fa6d12e89ff48aadce70b3cdc56e47d51651213bfe1d93b94b13
Instruction Fuzzy Hash: DF118232218A8892DB51CF61E59439A7360FB887D4F44A215FBAD07AD9DF3CC258C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800085E0, Relevance: 3.0, APIs: 2, Instructions: 44COMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32 ref: 0000000180008612
SHGetPathFromIDListW.SHELL32 ref: 0000000180008639

Memory Dump Source

Source File: 00000000.00000002.687465392.0000000180001000.00000040.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.687461542.0000000180000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.687487410.0000000180027000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687575907.00000001800DC000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687581595.00000001800E1000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687591899.00000001800EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: FolderFromListLocationPathSpecial
String ID:
API String ID: 4082711253-0
Opcode ID: 88b1f26f9d83468ba4dae8422dd686669e8fab3da6e459c0422bb2df6fa84342
Instruction ID: 11286cfbcb307368df4eadc45b36d67c3a2819914de47289d0f50b8fea47da88
Opcode Fuzzy Hash: 88b1f26f9d83468ba4dae8422dd686669e8fab3da6e459c0422bb2df6fa84342
Instruction Fuzzy Hash: 66118232214A8896DB51CF51E49479A7360FB887E4F44A215FBAD07AD9DF3CC258C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000B7C4, Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32 ref: 000000014000B81B
CallWindowProcW.USER32 ref: 000000014000B832

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ProcWindow$Call
String ID:
API String ID: 2316559721-0
Opcode ID: 82bb7afbfa862befb514044eac10ef5ca91323d325537cf4d7613500760e6114
Instruction ID: 5e5ac174aad4b3c07b63683a9cc69db069b720c3353d7e47513647600642f034
Opcode Fuzzy Hash: 82bb7afbfa862befb514044eac10ef5ca91323d325537cf4d7613500760e6114
Instruction Fuzzy Hash: 7D011636714B8485EA15CB47E4907A8B764F799FC4F688025EF4A03B68CF39C552C780

Uniqueness

Uniqueness Score: -1.00%

Function 000000014015C688, Relevance: 3.0, APIs: 2, Instructions: 37sleepCOMMON

Download Yara Rule

APIs

realloc.LIBCMT ref: 000000014015C6B3

Part of subcall function 00000001401557E8: malloc.LIBCMT ref: 0000000140155805

Sleep.KERNEL32(?,?,00000000,0000000140154C4B,?,?,?,0000000140154CB9,?,?,?,?,0000000140024A3C), ref: 000000014015C6CF

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Sleepmallocrealloc
String ID:
API String ID: 276608700-0
Opcode ID: cdcf78e2606893c8032822aa8caebadf5d645ecd3dfd9430aca0b3cbb392e8fa
Instruction ID: 04f77590d91c4e459ec81c49df3fabbeee001657528994032bebeacb8b4bc640
Opcode Fuzzy Hash: cdcf78e2606893c8032822aa8caebadf5d645ecd3dfd9430aca0b3cbb392e8fa
Instruction Fuzzy Hash: 8901AD36620B808AEA569F17951039AB2A1F78CFE0F4D5126EF590BBA0DB39DD40CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400332BC, Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 00000001400332D6
SetErrorMode.KERNEL32 ref: 00000001400332E3

Part of subcall function 0000000140014E80: GetModuleFileNameW.KERNEL32 ref: 0000000140014ECC
Part of subcall function 0000000140014E80: SetLastError.KERNEL32 ref: 0000000140014EE6

Part of subcall function 0000000140032FF0: GetModuleFileNameW.KERNEL32 ref: 0000000140033059
Part of subcall function 0000000140032FF0: PathFindExtensionW.SHLWAPI ref: 0000000140033075

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Error$FileModeModuleName$ExtensionFindLastPath
String ID:
API String ID: 3856306541-0
Opcode ID: 586bfcbd3ed663a69bc291389e4e2c21115ad91c15d98e44d820c37339971198
Instruction ID: ff9fca96275644465fe71e87a74ee1ccd2db552894b3d690818a9117f3eeab2b
Opcode Fuzzy Hash: 586bfcbd3ed663a69bc291389e4e2c21115ad91c15d98e44d820c37339971198
Instruction Fuzzy Hash: 7D014F3260578081FB46AB62B4853DD66A4FB8CB80F5C8538B7894B7B6CF35C4818301

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140011580, Relevance: 3.0, APIs: 2, Instructions: 32threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000001400115BB
SetWindowsHookExW.USER32 ref: 00000001400115D2

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CurrentHookThreadWindows
String ID:
API String ID: 1904029216-0
Opcode ID: 8ad1b6cc13bfa35ad82d2a50b5156949f3c59cb7f5140c028a33bc17d91ff678
Instruction ID: 5001d2bbf9be1eb68d84e59635873c6dcd8a35630b790d527b4766ed6b90fb58
Opcode Fuzzy Hash: 8ad1b6cc13bfa35ad82d2a50b5156949f3c59cb7f5140c028a33bc17d91ff678
Instruction Fuzzy Hash: 00018171601E0481EB1A9B67E4947D863A0EF8CBC8F501015F7190BABAEE39C588C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140005AC0, Relevance: 3.0, APIs: 2, Instructions: 17threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000000140005AD9
SetWindowsHookExW.USER32 ref: 0000000140005AEF

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CurrentHookThreadWindows
String ID:
API String ID: 1904029216-0
Opcode ID: 2919cd8e7d5101f14b689c0ade9adde16939adf0ca0db5fc12d3fa5b925b0965
Instruction ID: 9143d19de11b0bb0dd3bb12284c0394bc6060e51dd9315acca699b11774fa0f7
Opcode Fuzzy Hash: 2919cd8e7d5101f14b689c0ade9adde16939adf0ca0db5fc12d3fa5b925b0965
Instruction Fuzzy Hash: 0CE08CB0A0064481FB2677BAA885B983691EB0EBA6F841204EB240F2F1DF38C0C88701

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400026C4, Relevance: 2.6, APIs: 2, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,0000000140002CE5,?,?,?,00000001400012C0), ref: 0000000140002731
VirtualAlloc.KERNEL32(?,?,?,0000000140002CE5,?,?,?,00000001400012C0), ref: 000000014000275D

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2fb1c72e46752a2507161d0c89529716d08367b30d8000a3af35914e3d8f2fc4
Instruction ID: 28aee1d7fdb587f29ff38dd01f49958648d66125669cc7b1273ab539cddc5934
Opcode Fuzzy Hash: 2fb1c72e46752a2507161d0c89529716d08367b30d8000a3af35914e3d8f2fc4
Instruction Fuzzy Hash: 1E2179B671465086D719CB03FA84B9EB7A1F74CBD1F458415EF4907765DB38C4A2CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014015C584, Relevance: 2.5, APIs: 2, Instructions: 35sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000000014015C5AF

Part of subcall function 00000001401556AC: _FF_MSGBANNER.LIBCMT ref: 00000001401556DC
Part of subcall function 00000001401556AC: RtlAllocateHeap.NTDLL(?,?,00000018,0000000140002DA0), ref: 0000000140155701
Part of subcall function 00000001401556AC: _callnewh.LIBCMT ref: 000000014015571A
Part of subcall function 00000001401556AC: _errno.LIBCMT ref: 0000000140155725
Part of subcall function 00000001401556AC: _errno.LIBCMT ref: 0000000140155730

Sleep.KERNEL32(?,?,?,000000014015E459,?,?,00000000,000000014015E503,?,?,00000000,000000014015A9F9,?,?,00000000,000000014015AAB0), ref: 000000014015C5C2

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: _errno$AllocateHeapSleep_callnewhmalloc
String ID:
API String ID: 3606348469-0
Opcode ID: b588d367f3396e4a184c0b692e7853239f580eef77a6661b79b7746df66e5aa2
Instruction ID: 88714615757311d59d494f25ed5b26ab3214a83b5a84948068f9b0641aaf8ca4
Opcode Fuzzy Hash: b588d367f3396e4a184c0b692e7853239f580eef77a6661b79b7746df66e5aa2
Instruction Fuzzy Hash: 33018C32220B848AEA129F47A45039977A0F78CFA0F5D4115EF490B7A5EF79E881CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140001898, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32 ref: 00000001400018D5

Part of subcall function 00000001400011C0: LoadResource.KERNEL32 ref: 00000001400011DD

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Resource$FindLoad
String ID:
API String ID: 2619053042-0
Opcode ID: 61299a80cb2baa5ddb31358264eff51f8ed9ecd9d646ef94b97f919ce8975d02
Instruction ID: 90c861f7fcc8838ca9de4b027f00c9476570e7af4a447d3e18d8cc38312f474c
Opcode Fuzzy Hash: 61299a80cb2baa5ddb31358264eff51f8ed9ecd9d646ef94b97f919ce8975d02
Instruction Fuzzy Hash: 45217876701A9086EB0ADF16A4A53ED67A1B78CBC0F548029EB9D47BA5DF39D811C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140001434, Relevance: 1.6, APIs: 1, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

memcpy_s.LIBCMT ref: 00000001400014AE

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: f415cfbd1c01ff5a07367c1721c8ea63a104035b1095ed3f20613595809a11ee
Instruction ID: 34762f509ac4f81b72cd5985a5b1682b1779c7e1745058e527489d8fde0d16a2
Opcode Fuzzy Hash: f415cfbd1c01ff5a07367c1721c8ea63a104035b1095ed3f20613595809a11ee
Instruction Fuzzy Hash: EE112676B01B4482EB149F6AE44529CB7A5FBC8FD4F188016EB5947B65DE74C881C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140007FDC, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetNextDlgTabItem.USER32 ref: 0000000140008079

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ItemNext
String ID:
API String ID: 4145397660-0
Opcode ID: 38159672ed185ef9e546b28fba6b8d3c0f36fe20ffc94dd467412b6efe24ba75
Instruction ID: d3a61d9f9af76e6e125dcb2baa919b098eaa27272f1efb779ae66e8f13595423
Opcode Fuzzy Hash: 38159672ed185ef9e546b28fba6b8d3c0f36fe20ffc94dd467412b6efe24ba75
Instruction Fuzzy Hash: 3F117CB1201B8581FEA6DB77A5547E92390BB8CFC4F084535AF991B3A6DE3AC4448310

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000F950, Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b08e17445c2c762feca2e988ba69b9362fa09f6858b55592959441959c511c2
Instruction ID: e480ba6142520e62b6baf6ad5564c518d341ae1a25d4bb9d233d31736a2e3bf3
Opcode Fuzzy Hash: 3b08e17445c2c762feca2e988ba69b9362fa09f6858b55592959441959c511c2
Instruction Fuzzy Hash: 08F08C7220875082EA21DB43B4007A9A6A4E7E8FC0F6C8125FF8803B69DF38C551A642

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400010EC, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140001548: LoadIconW.USER32 ref: 00000001400015A8

Part of subcall function 0000000140008560: FindResourceW.KERNEL32 ref: 00000001400085CD
Part of subcall function 0000000140008560: LoadResource.KERNEL32 ref: 00000001400085D9
Part of subcall function 0000000140008560: LockResource.KERNEL32 ref: 00000001400085EF

Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0000000140001143

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Resource$ContextExternalLoad$BaseBase::~Concurrency::details::FindIconLock
String ID:
API String ID: 639982490-0
Opcode ID: f4d9c8e4df27fb387ad3a648c2567c1733832477e48916a08b0c733b7b07cf01
Instruction ID: 4e4f6820898635d676e396915d2ea7e8c434fbc47d7238b97318b89ca3b0422f
Opcode Fuzzy Hash: f4d9c8e4df27fb387ad3a648c2567c1733832477e48916a08b0c733b7b07cf01
Instruction Fuzzy Hash: BFF0687233598492E671E761F8523DE7390FBD8764F841221B7AE476F6DE38C5448700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140001290, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140002BFC: VirtualAlloc.KERNEL32(?,?,?,00000001400012C0), ref: 0000000140002C49
Part of subcall function 0000000140002BFC: VirtualAlloc.KERNEL32(?,?,?,00000001400012C0), ref: 0000000140002C63
Part of subcall function 0000000140002BFC: GetProcessHeap.KERNEL32(?,?,?,00000001400012C0), ref: 0000000140002C75
Part of subcall function 0000000140002BFC: HeapAlloc.KERNEL32(?,?,?,00000001400012C0), ref: 0000000140002C84
Part of subcall function 0000000140002BFC: VirtualAlloc.KERNEL32(?,?,?,00000001400012C0), ref: 0000000140002CB0

ExitProcess.KERNEL32 ref: 00000001400012FD

Part of subcall function 0000000140002B4C: FreeLibrary.KERNEL32(?,?,?,0000000140002D3F,?,?,?,00000001400012C0), ref: 0000000140002BA6
Part of subcall function 0000000140002B4C: free.LIBCMT ref: 0000000140002BBB
Part of subcall function 0000000140002B4C: VirtualFree.KERNEL32(?,?,?,0000000140002D3F,?,?,?,00000001400012C0), ref: 0000000140002BD1
Part of subcall function 0000000140002B4C: GetProcessHeap.KERNEL32(?,?,?,0000000140002D3F,?,?,?,00000001400012C0), ref: 0000000140002BD7
Part of subcall function 0000000140002B4C: HeapFree.KERNEL32(?,?,?,0000000140002D3F,?,?,?,00000001400012C0), ref: 0000000140002BE5

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AllocHeapVirtual$FreeProcess$ExitLibraryfree
String ID:
API String ID: 1153028573-0
Opcode ID: 70a7a408e2a11379826d9f32a765ff97af7f8402d9a6bba8e431807fad499f05
Instruction ID: 7b623e6c7b120b2c61e825385401d66c8440be1e66ee7d3a350a8af64ea6f2dc
Opcode Fuzzy Hash: 70a7a408e2a11379826d9f32a765ff97af7f8402d9a6bba8e431807fad499f05
Instruction Fuzzy Hash: 94F03AB030164181EE5AEBA7B9957E962916B8CBC0F084036AB0A477F7DE38C5548704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140013868, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

SetWindowPos.USER32 ref: 00000001400138A2

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 01a291ab2ea7d53f40cf977e09ef0ec3fdbc733b6db34e73a0cd6d8dbd75e17f
Instruction ID: fdeed4fc43f196f39eae89709554109410baa7688e5e4f1571141ac92c2f52e1
Opcode Fuzzy Hash: 01a291ab2ea7d53f40cf977e09ef0ec3fdbc733b6db34e73a0cd6d8dbd75e17f
Instruction Fuzzy Hash: 0F01AC76A18740CBD7A0CF2AD48474AB7E1F388784F144125FB8987B28DB39C4458F04

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140001548, Relevance: 1.5, APIs: 1, Instructions: 27windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32 ref: 00000001400015A8

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: IconLoad
String ID:
API String ID: 2457776203-0
Opcode ID: 83136bcfeaef5d216818273d9d019069ab6239c1860ebc2d782afbad3227492b
Instruction ID: 657e6a72722ef2435f88025b8f0bef9ea57193568045831c0b29cb0100465cee
Opcode Fuzzy Hash: 83136bcfeaef5d216818273d9d019069ab6239c1860ebc2d782afbad3227492b
Instruction Fuzzy Hash: AFF01231201B8092D616AB65F9513C97364F788BE0F508325B7AC477F6DF35D5A5C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140008FF0, Relevance: 1.5, APIs: 1, Instructions: 25windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014000904E

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8753b231086d8d235b96047afdee54f0cc2c1edbec35c9e226a272bf2762fd22
Instruction ID: 2151763ebe50b35573a3987127163f58bfd5f13bc1516468e66215b49fba3f20
Opcode Fuzzy Hash: 8753b231086d8d235b96047afdee54f0cc2c1edbec35c9e226a272bf2762fd22
Instruction Fuzzy Hash: 92F0F9B25186808BC370CF19E44075A76A0F389798F500319F69C83B94D73DC5118F04

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000E130, Relevance: 1.5, APIs: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 000000014000E159

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d766e95e5fe2beb429078f504e7c5626d90b0db7f1032a0b3288b7d09be82532
Instruction ID: 17a0614b9d4b60dbfef95cb8eece3e954983d69af7b00e3d43ea41b0b4dd8b78
Opcode Fuzzy Hash: d766e95e5fe2beb429078f504e7c5626d90b0db7f1032a0b3288b7d09be82532
Instruction Fuzzy Hash: D9D05B76B12680CAE754CB3DD855B893650F7CEB4CFD41130D6444B6B0C73680138B00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A840, Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A440: GetModuleFileNameA.KERNEL32 ref: 000000018000A48C

ExitProcess.KERNEL32 ref: 000000018000A84B

Memory Dump Source

Source File: 00000000.00000002.687465392.0000000180001000.00000040.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.687461542.0000000180000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.687487410.0000000180027000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687575907.00000001800DC000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687581595.00000001800E1000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687591899.00000001800EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ExitFileModuleNameProcess
String ID:
API String ID: 778004563-0
Opcode ID: 924823d54448024731e9f9dbbf7356945b99d0e92e40eeefae6c1f9123e817ac
Instruction ID: ae226c1083b3e84086870181e3ba839f431c0b968d906d40ad9d3a27836675bc
Opcode Fuzzy Hash: 924823d54448024731e9f9dbbf7356945b99d0e92e40eeefae6c1f9123e817ac
Instruction Fuzzy Hash: 6EA0243050140C51F3CD7370045F3CC103017CC35CF00440D7703400414C1C417C4301

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800083B0, Relevance: 1.4, APIs: 1, Instructions: 152COMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00000001800083E9

Memory Dump Source

Source File: 00000000.00000002.687465392.0000000180001000.00000040.00000001.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.687461542.0000000180000000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.687487410.0000000180027000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687575907.00000001800DC000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687581595.00000001800E1000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.687591899.00000001800EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 7f0fa137eb737640148bd4e7b39b91041de766b2f62fa0ec8a61a29e3564a50e
Instruction ID: 2f1fb19c361a65c23886f21907b6cd3f55be32eee7cfb6cb37f38e2b8846fa87
Opcode Fuzzy Hash: 7f0fa137eb737640148bd4e7b39b91041de766b2f62fa0ec8a61a29e3564a50e
Instruction Fuzzy Hash: 37613632211A4999EB51DF65C8943DC33A0FB49BE9F458222EA6E477E4DF39C249D310

Uniqueness

Uniqueness Score: -1.00%

Function 000000014015C604, Relevance: 1.3, APIs: 1, Instructions: 36sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000014015F848: _errno.LIBCMT ref: 000000014015F86B

Sleep.KERNEL32(?,?,?,000000014015AA8B,?,?,00000018,0000000140156059,?,?,?,?,000000014015574A,?,?,00000018), ref: 000000014015C649

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Sleep_errno
String ID:
API String ID: 1068366078-0
Opcode ID: 669d3f650be51ffe023db7de81c585ccbbad970ecfcc73eaf576246cc5daa0b7
Instruction ID: fe1ee07c52b05f70c4f01a697b5973d10eeda96c3b2c3cae9f3998f59bd58797
Opcode Fuzzy Hash: 669d3f650be51ffe023db7de81c585ccbbad970ecfcc73eaf576246cc5daa0b7
Instruction Fuzzy Hash: 3201A232620B8085EA468F17A454799B6A1F38CFE0F491125EF5907BA0CB35D991C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140016AD0, Relevance: 1.3, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000000140016AF5

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 54febd72cfbfdd59f7820d605860781bbd4765f4c9fe6d6af7225d46d2136357
Instruction ID: 407ca4d082a9032a679708d4b2621c5d557bfbcad3a45ec76ac7e25ddb5ae00c
Opcode Fuzzy Hash: 54febd72cfbfdd59f7820d605860781bbd4765f4c9fe6d6af7225d46d2136357
Instruction Fuzzy Hash: 5CE02B7271028082EB05CF17E59036DB6E0FF9C790F9DC424E7054B791DB7AC8808B00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140002D74, Relevance: 1.3, APIs: 1, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000000140002D9B

Part of subcall function 00000001401556AC: _FF_MSGBANNER.LIBCMT ref: 00000001401556DC
Part of subcall function 00000001401556AC: RtlAllocateHeap.NTDLL(?,?,00000018,0000000140002DA0), ref: 0000000140155701
Part of subcall function 00000001401556AC: _callnewh.LIBCMT ref: 000000014015571A
Part of subcall function 00000001401556AC: _errno.LIBCMT ref: 0000000140155725
Part of subcall function 00000001401556AC: _errno.LIBCMT ref: 0000000140155730

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: _errno$AllocateHeap_callnewhmalloc
String ID:
API String ID: 2243056865-0
Opcode ID: b35183051354567e631540f208890e39a1d43a925a4915fc06ea803bc2a49be6
Instruction ID: f78953cbb1a70c77ded885a141c5b27a0ea8e6347eb06b1e281d86bd76d9225d
Opcode Fuzzy Hash: b35183051354567e631540f208890e39a1d43a925a4915fc06ea803bc2a49be6
Instruction Fuzzy Hash: A6E0467032A64580FE97DB17B290BBC52909F8CBC0F4C0026BF0D4B7A5EE38C8918300

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00000001400BE1D0, Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 364COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 00000001400BE2F4

Strings

, xrefs: 00000001400BE611

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-3916222277
Opcode ID: b346069d058eb964a5b54db20d5fd3e9d7c8654d99c1cd66873ddad020267633
Instruction ID: d0644e094aede9f633651fef856ab369cf27c418d6b21ef8fe0940e8cbb314a3
Opcode Fuzzy Hash: b346069d058eb964a5b54db20d5fd3e9d7c8654d99c1cd66873ddad020267633
Instruction Fuzzy Hash: 2AF14C32314A8086EB229F66E8947DE73B1F788BD8F540125EB5A5BBB9DF38C545C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004472C, Relevance: 39.4, APIs: 26, Instructions: 445keyboardCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00000001400447BE
GetParent.USER32 ref: 00000001400447E4
UpdateWindow.USER32 ref: 0000000140044835
SetCursor.USER32 ref: 0000000140044861
GetAsyncKeyState.USER32 ref: 00000001400448CE
UpdateWindow.USER32 ref: 00000001400449DE
InflateRect.USER32 ref: 0000000140044A49
SetCapture.USER32 ref: 0000000140044A53
SetCursor.USER32 ref: 0000000140044A6F
IsWindow.USER32 ref: 0000000140044B26
GetCursorPos.USER32 ref: 0000000140044B64
ScreenToClient.USER32 ref: 0000000140044B72
PtInRect.USER32 ref: 0000000140044B8D
RedrawWindow.USER32 ref: 0000000140044C11
GetParent.USER32 ref: 0000000140044C2B
GetParent.USER32 ref: 0000000140044C48
RedrawWindow.USER32 ref: 0000000140044C65
RedrawWindow.USER32 ref: 0000000140044C8F
GetParent.USER32 ref: 0000000140044C99
GetParent.USER32 ref: 0000000140044CBE
GetParent.USER32 ref: 0000000140044CD0
InvalidateRect.USER32 ref: 0000000140044D17
RedrawWindow.USER32 ref: 0000000140044E71

Part of subcall function 0000000140041458: InvalidateRect.USER32 ref: 00000001400414DA
Part of subcall function 0000000140041458: InflateRect.USER32 ref: 000000014004154F
Part of subcall function 0000000140041458: RedrawWindow.USER32 ref: 0000000140041566

Part of subcall function 00000001400D88EC: CopyRect.USER32 ref: 00000001400D894E

UpdateWindow.USER32 ref: 0000000140044DB2
UpdateWindow.USER32 ref: 0000000140044E23
SetCapture.USER32 ref: 0000000140044E2F

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$Parent$Rect$Redraw$Update$Cursor$CaptureInflateInvalidate$AsyncClientCopyScreenState
String ID:
API String ID: 1086551493-0
Opcode ID: 03817acff036ebf5a0447f1281f62f9558b332fc647314066ceb6ac258c6345d
Instruction ID: 1a3a1ff8a12b82526ca9240c1add46048fc121100268c0ee1121628eaa9d6b23
Opcode Fuzzy Hash: 03817acff036ebf5a0447f1281f62f9558b332fc647314066ceb6ac258c6345d
Instruction Fuzzy Hash: E1222376300A8092EB1ADF27DA947ED23A5F788BD8F018025EB0A577B0DF79D8658744

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140018EA0, Relevance: 38.8, APIs: 21, Strings: 1, Instructions: 296windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32 ref: 0000000140018F34
CreateCompatibleDC.GDI32 ref: 0000000140018F50
CreateCompatibleDC.GDI32 ref: 0000000140018F6C
GetObjectW.GDI32 ref: 0000000140018F92
CreateBitmap.GDI32 ref: 0000000140018FC1
CreateBitmap.GDI32 ref: 0000000140018FF5
CreatePatternBrush.GDI32 ref: 000000014001900D
CreateBitmap.GDI32 ref: 000000014001903C
SelectObject.GDI32 ref: 0000000140019057
SelectObject.GDI32 ref: 0000000140019071
GetPixel.GDI32 ref: 000000014001909D

Part of subcall function 0000000140017608: SetBkColor.GDI32 ref: 0000000140017624
Part of subcall function 0000000140017608: SetBkColor.GDI32 ref: 0000000140017635

BitBlt.GDI32 ref: 00000001400190DF
BitBlt.GDI32 ref: 0000000140019122
SelectObject.GDI32 ref: 0000000140019142
FillRect.USER32 ref: 0000000140019196
BitBlt.GDI32 ref: 00000001400191E2
BitBlt.GDI32 ref: 0000000140019217
BitBlt.GDI32 ref: 0000000140019248
SelectObject.GDI32 ref: 000000014001925A
SelectObject.GDI32 ref: 0000000140019270
SelectObject.GDI32 ref: 0000000140019286

Strings

, xrefs: 00000001400190B0

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CreateObject$Select$BitmapCompatible$Color$BrushFillPatternPixelRect
String ID:
API String ID: 1390051538-3916222277
Opcode ID: 5f6a69f796381dd8c78958af101ab4b8875594870b41dbea76965a05b32b06e9
Instruction ID: 07aea426854482ea078885f17444b3d7934c2db9627fef81821a18a26879973f
Opcode Fuzzy Hash: 5f6a69f796381dd8c78958af101ab4b8875594870b41dbea76965a05b32b06e9
Instruction Fuzzy Hash: DBD11632614B508AEB11DB66E8847DE77B4F788B94F500126EF4997BA9DF38C545CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140076074, Relevance: 36.6, APIs: 24, Instructions: 556windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140076146
SendMessageW.USER32 ref: 000000014007616C
GetCursorPos.USER32 ref: 0000000140076180
ScreenToClient.USER32 ref: 000000014007618E
SendMessageW.USER32 ref: 00000001400763E2
IsWindow.USER32 ref: 0000000140076427
SendMessageW.USER32 ref: 0000000140076452
SendMessageW.USER32 ref: 000000014007654F
IsWindow.USER32 ref: 0000000140076582
MessageBeep.USER32 ref: 00000001400765BE
GetCursorPos.USER32 ref: 00000001400765E9
ScreenToClient.USER32 ref: 00000001400765F7
GetClientRect.USER32 ref: 0000000140076628
MapWindowPoints.USER32 ref: 000000014007664E
PtInRect.USER32 ref: 000000014007665C
MapWindowPoints.USER32 ref: 000000014007668B
HideCaret.USER32 ref: 00000001400766CF
GetClientRect.USER32 ref: 00000001400766E6
MapWindowPoints.USER32 ref: 00000001400766FF
PtInRect.USER32 ref: 000000014007670D
PtInRect.USER32 ref: 0000000140076744
PtInRect.USER32 ref: 0000000140076772
PtInRect.USER32 ref: 00000001400767B0
MapWindowPoints.USER32 ref: 000000014007689E

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$MessageWindow$Send$ClientPoints$CursorScreen$BeepCaretHide
String ID:
API String ID: 1836756369-0
Opcode ID: 603fdb9e8b11f363dd09d1f9fa3aaadeeb5a8b538078f80d3283cde0708b6ae8
Instruction ID: 4f4ce99ce4397889b0f8487635fc6cd3cb056e3405e3c9b9bfaccd0488fb9f02
Opcode Fuzzy Hash: 603fdb9e8b11f363dd09d1f9fa3aaadeeb5a8b538078f80d3283cde0708b6ae8
Instruction Fuzzy Hash: 5C422876701A4086EB66AF76C8947ED23A1F788FD8F548126EB1A877B5CF39C855C300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400BE798, Relevance: 33.6, APIs: 18, Strings: 1, Instructions: 310windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 00000001400BE95D
GetObjectW.GDI32 ref: 00000001400BE970
CreateCompatibleDC.GDI32 ref: 00000001400BE9C5
GetObjectW.GDI32 ref: 00000001400BE9E2
SelectObject.GDI32 ref: 00000001400BEA03
CreateCompatibleBitmap.GDI32 ref: 00000001400BEA39
SelectObject.GDI32 ref: 00000001400BEA53
CreateCompatibleDC.GDI32 ref: 00000001400BEA6E
SelectObject.GDI32 ref: 00000001400BEA87
SelectObject.GDI32 ref: 00000001400BEA9E
DeleteObject.GDI32 ref: 00000001400BEAA7
DeleteObject.GDI32 ref: 00000001400BEBBA

Strings

, xrefs: 00000001400BEABD

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$Delete$BitmapImageLoad
String ID:
API String ID: 3777495891-3916222277
Opcode ID: d971b8f43f82a640c4750da7bfbf08c2af7e25e8386179e4b2a297f3ebbbcbb0
Instruction ID: 18283e4d2a0c4d04f0d8ce7f23afcf4fdeeaba26b4e3dcef3f8d4153485ce781
Opcode Fuzzy Hash: d971b8f43f82a640c4750da7bfbf08c2af7e25e8386179e4b2a297f3ebbbcbb0
Instruction Fuzzy Hash: 61D18C36204A8086EB569F62E8547EE73B1F788BD8F144125EF4A4BBB5DF38D499C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140024BFC, Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 233windowCOMMON

Download Yara Rule

APIs

CreateRectRgnIndirect.GDI32 ref: 0000000140024C66
CopyRect.USER32 ref: 0000000140024C7F
InflateRect.USER32 ref: 0000000140024C94
IntersectRect.USER32 ref: 0000000140024CA5
CreateRectRgnIndirect.GDI32 ref: 0000000140024CAF
CreateRectRgn.GDI32 ref: 0000000140024CCB
CombineRgn.GDI32 ref: 0000000140024CF1
CreateRectRgn.GDI32 ref: 0000000140024D49
SetRectRgn.GDI32 ref: 0000000140024D73
CopyRect.USER32 ref: 0000000140024D80
InflateRect.USER32 ref: 0000000140024D96
IntersectRect.USER32 ref: 0000000140024DA7
SetRectRgn.GDI32 ref: 0000000140024DC5
CombineRgn.GDI32 ref: 0000000140024DDA
CreateRectRgn.GDI32 ref: 0000000140024DF5
CombineRgn.GDI32 ref: 0000000140024E16
PatBlt.GDI32 ref: 0000000140024E7B

Part of subcall function 0000000140024998: CreateBitmap.GDI32 ref: 0000000140024A00
Part of subcall function 0000000140024998: CreatePatternBrush.GDI32 ref: 0000000140024A11
Part of subcall function 0000000140024998: DeleteObject.GDI32 ref: 0000000140024A21

Part of subcall function 00000001400188D4: SelectObject.GDI32(?,?,00000000,0000000140015F78), ref: 0000000140018904
Part of subcall function 00000001400188D4: SelectObject.GDI32(?,?,00000000,0000000140015F78), ref: 000000014001891F

Part of subcall function 0000000140017F94: SelectClipRgn.GDI32 ref: 0000000140017FC4
Part of subcall function 0000000140017F94: SelectClipRgn.GDI32 ref: 0000000140017FDF

PatBlt.GDI32 ref: 0000000140024EE8

Strings

I, xrefs: 0000000140024ED8

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$Create$Select$CombineObject$ClipCopyIndirectInflateIntersect$BitmapBrushDeletePattern
String ID: I
API String ID: 1332805902-3707901625
Opcode ID: 9d40f8ad81eab59ef1a2f9b57ef69a365f2d678882313d300574e05fb59bbe9d
Instruction ID: af9218e76fddc17c5ecbd2e1bc9952f2c71f17b83e63016caf70d464b2b9e365
Opcode Fuzzy Hash: 9d40f8ad81eab59ef1a2f9b57ef69a365f2d678882313d300574e05fb59bbe9d
Instruction Fuzzy Hash: 6DA1FA36B04A548AEB11DBB6E894BDE3371B749BD8F404129EF1D67AA8DF34C50AC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140018AB8, Relevance: 31.8, APIs: 17, Strings: 1, Instructions: 250windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 0000000140018B29

Part of subcall function 0000000140018A6C: CreateSolidBrush.GDI32 ref: 0000000140018A93

GetSysColor.USER32 ref: 0000000140018B3F
CreateCompatibleDC.GDI32 ref: 0000000140018B53
CreateCompatibleDC.GDI32 ref: 0000000140018B6F
GetObjectW.GDI32 ref: 0000000140018B95
CreateBitmap.GDI32 ref: 0000000140018BB8
CreateBitmap.GDI32 ref: 0000000140018BE6
SelectObject.GDI32 ref: 0000000140018C08
SelectObject.GDI32 ref: 0000000140018C21
GetPixel.GDI32 ref: 0000000140018C4D

Part of subcall function 0000000140017608: SetBkColor.GDI32 ref: 0000000140017624
Part of subcall function 0000000140017608: SetBkColor.GDI32 ref: 0000000140017635

BitBlt.GDI32 ref: 0000000140018C90
BitBlt.GDI32 ref: 0000000140018CD3
SelectObject.GDI32 ref: 0000000140018CE9
BitBlt.GDI32 ref: 0000000140018D71
BitBlt.GDI32 ref: 0000000140018DB0
SelectObject.GDI32 ref: 0000000140018DD6
SelectObject.GDI32 ref: 0000000140018DEC

Strings

, xrefs: 0000000140018C61

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Object$CreateSelect$Color$BitmapCompatible$BrushPixelSolid
String ID:
API String ID: 3358463585-3916222277
Opcode ID: 3f0a225bcd2cce91c38cf47d82e3c1326d402f3146e489debe88787c5a9f5846
Instruction ID: 3fe5c8f086f1860e07f390befd51ff5b26c0edacfc84c371c180d4c240e80e93
Opcode Fuzzy Hash: 3f0a225bcd2cce91c38cf47d82e3c1326d402f3146e489debe88787c5a9f5846
Instruction Fuzzy Hash: D6C10632715A408AEB21DF66E8907DD33B1F788B98F500125EF4A6BBA9DF38C955C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007AAC4, Relevance: 30.3, APIs: 20, Instructions: 343keyboardwindowCOMMON

Download Yara Rule

APIs

MessageBeep.USER32 ref: 000000014007AB0D
GetKeyState.USER32 ref: 000000014007AB54

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: BeepMessageState
String ID:
API String ID: 1934685646-0
Opcode ID: 2f3481ce4c0457b5a9ec85409a092679745b2c8961a6b8844b091a37e6a25d2e
Instruction ID: ca87bbaf18077a0b6da564017a970690d429bc3b5db561b2afe09d4dab6a7cf8
Opcode Fuzzy Hash: 2f3481ce4c0457b5a9ec85409a092679745b2c8961a6b8844b091a37e6a25d2e
Instruction Fuzzy Hash: 27F1387AB00A45DAEB21CFA6D4407ED3361F389B9DF504516EF1A63AA8CB3CCA45C741

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007A4D8, Relevance: 28.9, APIs: 19, Instructions: 417windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014007A518
SendMessageW.USER32 ref: 000000014007A52C
MessageBeep.USER32 ref: 000000014007A5B7
SendMessageW.USER32 ref: 000000014007A738
SendMessageW.USER32 ref: 000000014007A74D
SendMessageW.USER32 ref: 000000014007A769
SendMessageW.USER32 ref: 000000014007A77E
SendMessageW.USER32 ref: 000000014007A793
SendMessageW.USER32 ref: 000000014007A7F5
MessageBeep.USER32 ref: 000000014007A8A0
SendMessageW.USER32 ref: 000000014007A97B
SendMessageW.USER32 ref: 000000014007A990
SendMessageW.USER32 ref: 000000014007A9AC
SendMessageW.USER32 ref: 000000014007A9C1
SendMessageW.USER32 ref: 000000014007A9D6
SendMessageW.USER32 ref: 000000014007AA51
MessageBeep.USER32 ref: 000000014007AA6F
SendMessageW.USER32 ref: 000000014007AA86
SendMessageW.USER32 ref: 000000014007AA9B

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Message$Send$Beep
String ID:
API String ID: 877464050-0
Opcode ID: 15fa241d3e518debc259456c3fbb0f105feaf9d3f9da5b49f8f5fd204d02cd82
Instruction ID: 031c61a0a7ad59447539516d7ce692c22b88fb9c1799496e97db95dad6a25a8c
Opcode Fuzzy Hash: 15fa241d3e518debc259456c3fbb0f105feaf9d3f9da5b49f8f5fd204d02cd82
Instruction Fuzzy Hash: 9702EA7A710A5586EB16DF66D840BED3362F789BD8F404102EF1A67AA5CF3CC851C741

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400DE6A4, Relevance: 28.4, APIs: 12, Strings: 4, Instructions: 367COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00000001400DE970
VUUU, xrefs: 00000001400DE99A
, xrefs: 00000001400DEB44
VUUU, xrefs: 00000001400DE943

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID:
String ID: $VUUU$VUUU$VUUU
API String ID: 0-2221618125
Opcode ID: d1dc95a13742be9f1670d80e3d279eef535a809866c66b32f72144c074850e9d
Instruction ID: 7ec858af1e1fbed5d6363de3dd7a034d046b633887641f41ad0466dd23da0b78
Opcode Fuzzy Hash: d1dc95a13742be9f1670d80e3d279eef535a809866c66b32f72144c074850e9d
Instruction Fuzzy Hash: E0E1E5327046908AE716EF76D4507ED33A1FB48B98F10412AEF4A9BBE5DB38D806C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014010E08C, Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 342COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 000000014010E1A0
IsRectEmpty.USER32 ref: 000000014010E1DD
IsRectEmpty.USER32 ref: 000000014010E20E
IsRectEmpty.USER32 ref: 000000014010E22C
GetWindowRect.USER32 ref: 000000014010E259
SetRectEmpty.USER32 ref: 000000014010E313

Part of subcall function 0000000140002D74: malloc.LIBCMT ref: 0000000140002D9B

GetWindowRect.USER32 ref: 000000014010E296
PtInRect.USER32 ref: 000000014010E2DA
OffsetRect.USER32 ref: 000000014010E2F2

Part of subcall function 00000001400AFA6C: SetRectEmpty.USER32 ref: 00000001400AFB7F
Part of subcall function 00000001400AFA6C: SetRectEmpty.USER32 ref: 00000001400AFB8C

Strings

, xrefs: 000000014010E155

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$Empty$Window$CursorOffsetmalloc
String ID:
API String ID: 1075161071-3916222277
Opcode ID: cd69ae7bc9ba47aaecf5c644f8a3bd4eab205a6157be4639655028c609b66849
Instruction ID: 57d741c25ac43249d7173a444e7b830fd9169c1ce9cd883af0bf8e309d4dab53
Opcode Fuzzy Hash: cd69ae7bc9ba47aaecf5c644f8a3bd4eab205a6157be4639655028c609b66849
Instruction Fuzzy Hash: 67F135B2700A408AEB56DF67D9947ED33A4F748B88F044126DF4A97AA4EF38D455C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140002220, Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 133networkwindowCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 000000014000229A
SendMessageW.USER32 ref: 00000001400022B4
_cwprintf_s_l.LIBCMT ref: 0000000140002319
inet_ntoa.WS2_32 ref: 0000000140002370
_cwprintf_s_l.LIBCMT ref: 0000000140002384
inet_ntoa.WS2_32 ref: 00000001400023A5
_cwprintf_s_l.LIBCMT ref: 00000001400023B9
_cwprintf_s_l.LIBCMT ref: 00000001400023E7
_cwprintf_s_l.LIBCMT ref: 0000000140002415
htons.WS2_32 ref: 0000000140002437
_cwprintf_s_l.LIBCMT ref: 000000014000244C

Part of subcall function 0000000140008B38: SendMessageW.USER32 ref: 0000000140008B5A

Strings

%-5d, xrefs: 000000014000240A
%-5d, xrefs: 00000001400023DC
%-15s, xrefs: 0000000140002379, 00000001400023AE
%-4d, xrefs: 0000000140002441

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: _cwprintf_s_l$MessageSendinet_ntoa$htonsrecv
String ID: %-15s$ %-4d$ %-5d$%-5d
API String ID: 1261567995-2643228025
Opcode ID: 2490adc055d128ce1133ad1014c58f75f89045d40cf1a63362e8f23056c60c55
Instruction ID: f436b07506dc80d941037bec47272386ee364610de24237355ede40b81b5b08d
Opcode Fuzzy Hash: 2490adc055d128ce1133ad1014c58f75f89045d40cf1a63362e8f23056c60c55
Instruction Fuzzy Hash: 1851A1B2210A9682EB26DF22E4507DE7761F788BE8F854212FB5E076B6DF34D545C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005A694, Relevance: 25.7, APIs: 17, Instructions: 241windowCOMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 000000014005A70A
InvalidateRect.USER32 ref: 000000014005A71E
UpdateWindow.USER32 ref: 000000014005A728
GetMessageW.USER32 ref: 000000014005A76C
DispatchMessageW.USER32 ref: 000000014005A77A
PeekMessageW.USER32 ref: 000000014005A791
GetCapture.USER32 ref: 000000014005A79B
SetCapture.USER32 ref: 000000014005A7AA
GetCapture.USER32 ref: 000000014005A7B8
GetWindowRect.USER32 ref: 000000014005A7E4
SetCursorPos.USER32 ref: 000000014005A80D
GetCapture.USER32 ref: 000000014005A813
GetMessageW.USER32 ref: 000000014005A836
DispatchMessageW.USER32 ref: 000000014005A85E
ReleaseCapture.USER32 ref: 000000014005A8AF
IsWindow.USER32 ref: 000000014005A8B8
SendMessageW.USER32 ref: 000000014005A8D5

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Message$Capture$RectWindow$Dispatch$CursorInflateInvalidatePeekReleaseSendUpdate
String ID:
API String ID: 4077352625-0
Opcode ID: b89444b77d056b03a076f5600f53369f3be69f1b1dc13914e1e1d0633f6ee5c6
Instruction ID: fc22083c879e2d487ab1c66f4ef0c7e6a13ee360536eb6640979c00043504cf3
Opcode Fuzzy Hash: b89444b77d056b03a076f5600f53369f3be69f1b1dc13914e1e1d0633f6ee5c6
Instruction Fuzzy Hash: 54A15C3570264586FB66DB67E854BE923A1BB8DBC4F084021AF0A57BA5EF3AC546C340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400900A0, Relevance: 18.2, APIs: 12, Instructions: 219windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 00000001400900E7
GetFocus.USER32 ref: 00000001400900F5
IsChild.USER32 ref: 0000000140090133
SendMessageW.USER32 ref: 0000000140090171

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ChildFocusMessageSendWindow
String ID:
API String ID: 1631116926-0
Opcode ID: 029c150686b520dd39bfb05f531aed452f1ea942e259497be7a39df1c28b8b0e
Instruction ID: 808033e187e0dd8b419153e94e0544d0835ee112324060b340c75049e0bf261e
Opcode Fuzzy Hash: 029c150686b520dd39bfb05f531aed452f1ea942e259497be7a39df1c28b8b0e
Instruction Fuzzy Hash: 649137313016518AFF669F23D8547E923A4BB8CFD4F188026AF5A9B7B1EF79C9418350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140021100, Relevance: 18.1, APIs: 12, Instructions: 140windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140020CB4: LoadCursorW.USER32 ref: 0000000140020CCE
Part of subcall function 0000000140020CB4: LoadCursorW.USER32 ref: 0000000140020CEE

PeekMessageW.USER32 ref: 0000000140021149
PostMessageW.USER32 ref: 00000001400211BE
SendMessageW.USER32 ref: 00000001400211DE
GetCursorPos.USER32 ref: 0000000140021204
PeekMessageW.USER32 ref: 0000000140021241
WaitMessage.USER32 ref: 000000014002127C
ReleaseCapture.USER32 ref: 0000000140021298
SetCapture.USER32 ref: 00000001400212A2
ReleaseCapture.USER32 ref: 00000001400212B0
SendMessageW.USER32 ref: 00000001400212C5
SendMessageW.USER32 ref: 00000001400212FD
PostMessageW.USER32 ref: 0000000140021328

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Message$CaptureCursorSend$LoadPeekPostRelease$Wait
String ID:
API String ID: 2899155438-0
Opcode ID: 6792ff458fbe6382b2e6af5ddc3e3f0c0cb4e8d9b880b7e334b282dc47d374f6
Instruction ID: eaf7d7f845e7a47df67f59e7c0042392513fe870e4eca2432aae137a784c7b21
Opcode Fuzzy Hash: 6792ff458fbe6382b2e6af5ddc3e3f0c0cb4e8d9b880b7e334b282dc47d374f6
Instruction Fuzzy Hash: 4C517D36310681C2E766DF63E805BEE26A1FBD8F89F554029EF4947AA8DF39C805C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140090DC0, Relevance: 16.6, APIs: 11, Instructions: 95windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0000000140090DEC
GetSystemMetrics.USER32 ref: 0000000140090DFA
IsIconic.USER32 ref: 0000000140090E0E
GetWindowRect.USER32 ref: 0000000140090E60
IsIconic.USER32 ref: 0000000140090E84
GetSystemMetrics.USER32 ref: 0000000140090E91
OffsetRect.USER32 ref: 0000000140090EA5
GetSystemMetrics.USER32 ref: 0000000140090EB0
IsIconic.USER32 ref: 0000000140090EE7
GetSystemMetrics.USER32 ref: 0000000140090EF6
GetSystemMetrics.USER32 ref: 0000000140090F04

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MetricsSystem$Iconic$Rect$OffsetWindow
String ID:
API String ID: 3418670059-0
Opcode ID: 09c9aa93c110be2ac22ec24663347018b717fb7be780dc10ec238a59554bb2a7
Instruction ID: 16f5b900ca6f3f38491fb82b3323588dad8f09a6bdb985995424992b9d83d71e
Opcode Fuzzy Hash: 09c9aa93c110be2ac22ec24663347018b717fb7be780dc10ec238a59554bb2a7
Instruction Fuzzy Hash: 79411676A10A448AEB058F76D8543ED77B0F348B99F048429DF0A97764EF38C955C790

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140014AD0, Relevance: 15.2, APIs: 10, Instructions: 250filecommemoryCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 0000000140014B68
CopyMetaFileW.GDI32 ref: 0000000140014B77
GlobalUnlock.KERNEL32 ref: 0000000140014B89
GlobalFree.KERNEL32 ref: 0000000140014B92
GlobalUnlock.KERNEL32 ref: 0000000140014B9A
lstrlenW.KERNEL32 ref: 0000000140014C01
CoTaskMemAlloc.OLE32 ref: 0000000140014C1E
memcpy_s.LIBCMT ref: 0000000140014C3E
OleDuplicateData.OLE32 ref: 0000000140014CB7
CopyFileW.KERNEL32 ref: 0000000140014DCA

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Global$CopyFileUnlock$AllocDataDuplicateFreeLockMetaTasklstrlenmemcpy_s
String ID:
API String ID: 3597158810-0
Opcode ID: b339d355f547c120a0ac3eb52d8668421f568afa14e92bebe0838c2e922e8aec
Instruction ID: 12152cb6087ac377b12f1ae3fc52b05160e76055723cedaaa3edcf2e99bfe52f
Opcode Fuzzy Hash: b339d355f547c120a0ac3eb52d8668421f568afa14e92bebe0838c2e922e8aec
Instruction Fuzzy Hash: 17A16D32205A4182EB669F2BD4947AD73A0F78DFE4F048525BB5A4BBB4CF3AC454C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140091184, Relevance: 15.1, APIs: 10, Instructions: 134windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00000001400911C5
ScreenToClient.USER32 ref: 0000000140091267
GetSystemMetrics.USER32 ref: 0000000140091272
GetSystemMetrics.USER32 ref: 000000014009127F
IsIconic.USER32 ref: 0000000140091293
GetSystemMetrics.USER32 ref: 00000001400912A0
PtInRect.USER32 ref: 00000001400912E4
PtInRect.USER32 ref: 0000000140091307
GetSystemMetrics.USER32 ref: 000000014009131F
PtInRect.USER32 ref: 0000000140091337

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MetricsSystem$Rect$ClientIconicScreenVisibleWindow
String ID:
API String ID: 1122842830-0
Opcode ID: 0d62277aaf98e1e3bc2b8ba5dacf9c917d75718b7bfc5a6a32e31e4fa9d790b9
Instruction ID: 4b60ed3752cabc6faebf2688e8475aa4006138fbef26ea1cd1d72cb0bc848893
Opcode Fuzzy Hash: 0d62277aaf98e1e3bc2b8ba5dacf9c917d75718b7bfc5a6a32e31e4fa9d790b9
Instruction Fuzzy Hash: 59512732310A5086EB569B66D8947ED23A4F78CFC8F448126FF5A87AA4EF38C545C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005A1C4, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 202COMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 000000014005A234
GetParent.USER32 ref: 000000014005A25A
GetParent.USER32 ref: 000000014005A26C
SetParent.USER32 ref: 000000014005A299
GetWindowRect.USER32 ref: 000000014005A335
SetParent.USER32 ref: 000000014005A3A4
GetClientRect.USER32 ref: 000000014005A3D1

Strings

7, xrefs: 000000014005A44E

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Parent$RectWindow$Client
String ID: 7
API String ID: 3043635113-1790921346
Opcode ID: e279d00798498cb134c30fe766668d3380d5b9575179136453d05c16733b10d5
Instruction ID: f2c2b328dbb82d146dc5254b2f5b64646e319c68dcba72adff2ea2a7ec4a283e
Opcode Fuzzy Hash: e279d00798498cb134c30fe766668d3380d5b9575179136453d05c16733b10d5
Instruction Fuzzy Hash: DB811276701A4586EB55DF26E858BAE27A4FB8DFC8F049025EF0A47B68DF3AC415C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140074934, Relevance: 13.7, APIs: 9, Instructions: 187windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400184DC: GetDC.USER32 ref: 000000014001851B

Part of subcall function 0000000140071F98: GetStockObject.GDI32 ref: 0000000140071FB6

GetTextMetricsW.GDI32 ref: 00000001400749A4
GetClientRect.USER32 ref: 00000001400749D5
GetStockObject.GDI32 ref: 0000000140074A06
SendMessageW.USER32 ref: 0000000140074A29
SendMessageW.USER32 ref: 0000000140074A9D
SendMessageW.USER32 ref: 0000000140074AD1
SelectObject.GDI32 ref: 0000000140074B09
GetSystemMetrics.USER32 ref: 0000000140074B73
RedrawWindow.USER32 ref: 0000000140074C1C

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MessageObjectSend$MetricsStock$ClientRectRedrawSelectSystemTextWindow
String ID:
API String ID: 1942730005-0
Opcode ID: 67707138812445d9792717b002d93a9c4d2c1380cdac7e36aeb43e13f650ac9a
Instruction ID: 011a15c2e2439beaedf5fd74503d20c21a503fd2c267581f85ec9d54fbd3b5cd
Opcode Fuzzy Hash: 67707138812445d9792717b002d93a9c4d2c1380cdac7e36aeb43e13f650ac9a
Instruction Fuzzy Hash: 21913772711A808BE719CF3AD9847ED77A1F788B99F104125EB1947BA8DF38D865CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400365D8, Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140086F44: GetParent.USER32 ref: 0000000140086F4C
Part of subcall function 0000000140086F44: GetParent.USER32 ref: 0000000140086F55

GetParent.USER32 ref: 000000014003664A
SendMessageW.USER32 ref: 0000000140036665
GetClientRect.USER32 ref: 00000001400366E2
GetClientRect.USER32 ref: 00000001400366F8

Part of subcall function 00000001400180C0: ClientToScreen.USER32 ref: 00000001400180D9
Part of subcall function 00000001400180C0: ClientToScreen.USER32 ref: 00000001400180E7

GetWindowRect.USER32 ref: 000000014003671A

Part of subcall function 0000000140013868: SetWindowPos.USER32 ref: 00000001400138A2

GetParent.USER32 ref: 0000000140036784
SendMessageW.USER32 ref: 00000001400367A1
SendMessageW.USER32 ref: 00000001400367E5
PostMessageW.USER32 ref: 0000000140036812

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ClientMessageParent$RectSend$ScreenWindow$Post
String ID:
API String ID: 1863548712-0
Opcode ID: b341dc84a516e8ec3788b3d152295bb393972f61a4e4333907dc992a1b6159ed
Instruction ID: 79fc7bdf8f3d1e1247a5786f57d875b3805bbe07d5a747f7dd3e0ee160978559
Opcode Fuzzy Hash: b341dc84a516e8ec3788b3d152295bb393972f61a4e4333907dc992a1b6159ed
Instruction Fuzzy Hash: 4B710576B206508AEB15CF7AE894BDD37B0F788B88F045125EF0A97B68DF34D5058B40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400DC700, Relevance: 12.2, APIs: 8, Instructions: 158windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140018580: GetWindowDC.USER32 ref: 00000001400185BF

CreateCompatibleDC.GDI32 ref: 00000001400DC75A
CreateCompatibleBitmap.GDI32 ref: 00000001400DC789
FillRect.USER32 ref: 00000001400DC821
OpenClipboard.USER32 ref: 00000001400DC86D

Part of subcall function 00000001400184B4: DeleteDC.GDI32 ref: 00000001400184D1

Part of subcall function 00000001400185E4: ReleaseDC.USER32 ref: 0000000140018610

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CompatibleCreate$BitmapClipboardDeleteFillOpenRectReleaseWindow
String ID:
API String ID: 458906932-0
Opcode ID: 7d6dfc06b84d7bdc44159752428c13354c754cb9f2c5309785bee35fa84b8073
Instruction ID: 7c7011ed0aa2abadc61e3f504cb25eb3c7a4f3cfddf320e5d7d2fb998d91bca8
Opcode Fuzzy Hash: 7d6dfc06b84d7bdc44159752428c13354c754cb9f2c5309785bee35fa84b8073
Instruction Fuzzy Hash: 7E61733222494192EA62DB27E854BDEA360FBCDB90F405125FB9E876F5DF39C605CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140154B40, Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000014015C44B
RtlLookupFunctionEntry.KERNEL32 ref: 000000014015C46A
RtlVirtualUnwind.KERNEL32 ref: 000000014015C4B6
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,000000014015C8D3), ref: 000000014015C528
SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,000000014015C8D3), ref: 000000014015C540
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,000000014015C8D3), ref: 000000014015C54D
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,000000014015C8D3), ref: 000000014015C566
TerminateProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,000000014015C8D3), ref: 000000014015C574

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: de5fadc12308395c65317237703eb135592410b0b349b04363a68763ee18bc46
Instruction ID: fa6acfef4c6eb2a15a31220fb9e2fe9ebdfccfe5abae3c94d1347bcbf65b2e6e
Opcode Fuzzy Hash: de5fadc12308395c65317237703eb135592410b0b349b04363a68763ee18bc46
Instruction Fuzzy Hash: 1E31F735104B8486EB629B56F8987D9B3A4F78CB64F900016DB8E47BB5EFBCC894C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002C960, Relevance: 11.2, APIs: 7, Instructions: 689COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 000000014002D086
VariantClear.OLEAUT32 ref: 000000014002D0A5

Part of subcall function 0000000140032508: VariantChangeType.OLEAUT32 ref: 000000014003252A

VariantClear.OLEAUT32 ref: 000000014002D2A6
VariantClear.OLEAUT32 ref: 000000014002D2B2

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Variant$Clear$ChangeType
String ID:
API String ID: 3653133554-0
Opcode ID: 6eaacb679a0bcc94fcdb2f54fa998455404707e4b5fe17978495d9736b7c3949
Instruction ID: 4469df8593cca6825286f9dc6438fb37f5879381323215473dc747d998de31ab
Opcode Fuzzy Hash: 6eaacb679a0bcc94fcdb2f54fa998455404707e4b5fe17978495d9736b7c3949
Instruction Fuzzy Hash: 9C628A72610A8486EB62CF26D494BDD37A5F798BC8F61412AEB4D47BA8CF34CD85C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400223C0, Relevance: 10.7, APIs: 7, Instructions: 220filestringCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32 ref: 0000000140022437
PathIsUNCW.SHLWAPI ref: 0000000140022509
GetVolumeInformationW.KERNEL32 ref: 000000014002253F
CharUpperW.USER32 ref: 0000000140022584
FindFirstFileW.KERNEL32 ref: 000000014002259E
FindClose.KERNEL32 ref: 00000001400225B1
lstrlenW.KERNEL32 ref: 00000001400225D1

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: FindPath$CharCloseFileFirstFullInformationNameUpperVolumelstrlen
String ID:
API String ID: 1291283320-0
Opcode ID: d0657d5d2bdd7f3a60a736214990080c5ce23782cfcfa536a1415a863e273ea2
Instruction ID: 7a0f942e3eec21d3e1f9341ea2efae34916521d6a301e4e2b5d743c8ec3a3ed2
Opcode Fuzzy Hash: d0657d5d2bdd7f3a60a736214990080c5ce23782cfcfa536a1415a863e273ea2
Instruction Fuzzy Hash: 7281D532300A0152FA26ABA798587ED6294BB8DBE4F544A19FF69876F5DF38CC458700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006CC48, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 120stringCOMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 000000014006CCCA
GetNumberFormatW.KERNEL32 ref: 000000014006CCF3
GetLocaleInfoW.KERNEL32 ref: 000000014006CD24
lstrlenW.KERNEL32 ref: 000000014006CD2F

Strings

KB, xrefs: 000000014006CDD7, 000000014006CDE6
%I64d, xrefs: 000000014006CCC0

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: FormatInfoLocaleNumber_cwprintf_s_llstrlen
String ID: KB$%I64d
API String ID: 2697667663-1636307857
Opcode ID: 65bfd6845ed01e35739b0e26cb5970c68473c3a4aa67c2c0b3ce6fdf6311928c
Instruction ID: 81a54eb191ed7492c7e1605f64d185959a1a03433fbb6e57f285c9e4568cff92
Opcode Fuzzy Hash: 65bfd6845ed01e35739b0e26cb5970c68473c3a4aa67c2c0b3ce6fdf6311928c
Instruction Fuzzy Hash: F141C172315A4481EB12AB2BE890BE93761E789FE4F505222EB2E477F5DF38C545C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140090C1C, Relevance: 10.6, APIs: 7, Instructions: 113windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0000000140090C5D
IsWindowVisible.USER32 ref: 0000000140090C8C
IsWindowVisible.USER32 ref: 0000000140090CCD
RedrawWindow.USER32 ref: 0000000140090CF5
RedrawWindow.USER32 ref: 0000000140090D11
RedrawWindow.USER32 ref: 0000000140090D3B
RedrawWindow.USER32 ref: 0000000140090D88

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$Redraw$Visible
String ID:
API String ID: 1637130220-0
Opcode ID: 4414306e352575db355f281657eea98b7dd4f9f0169f582cced4c9672310571c
Instruction ID: 265d125d8cac02ecabb0a5487691f60022894b847934b95a1beb9b73f81abc0d
Opcode Fuzzy Hash: 4414306e352575db355f281657eea98b7dd4f9f0169f582cced4c9672310571c
Instruction Fuzzy Hash: 6C416D36311A5086EBA6DB67D4507EA63A4FB8CFC9F148126EF4A4B6B4DF39C4428740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006C8BC, Relevance: 10.6, APIs: 7, Instructions: 98windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014006C91C
SendMessageW.USER32 ref: 000000014006C94D
SendMessageW.USER32 ref: 000000014006C9A0
RedrawWindow.USER32 ref: 000000014006C9B5
GetParent.USER32 ref: 000000014006C9F8
GetParent.USER32 ref: 000000014006CA0F
SendMessageW.USER32 ref: 000000014006CA2D

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MessageSend$Parent$RedrawWindow
String ID:
API String ID: 601679388-0
Opcode ID: 10f0eb6dea3327fd3342417ffef694b1c2db9048f75ba0b59f6ac519b1f64455
Instruction ID: 70bc99f407e93e7ccf13e643f1468458614d2dc3ec3c06d04e33f2183f383fde
Opcode Fuzzy Hash: 10f0eb6dea3327fd3342417ffef694b1c2db9048f75ba0b59f6ac519b1f64455
Instruction Fuzzy Hash: 12413C36220A8082EB16DF67E854BA92362FB8DFD8F184525EF0D477B9DE39C4418701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140040B54, Relevance: 9.6, APIs: 6, Instructions: 565COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0000000140040BE1

Part of subcall function 000000014001F4FC: GetClientRect.USER32 ref: 000000014001F571

GetClientRect.USER32 ref: 0000000140040C9B
SetRectEmpty.USER32 ref: 000000014004103F
IntersectRect.USER32 ref: 0000000140041078
IntersectRect.USER32 ref: 00000001400410BD
InflateRect.USER32 ref: 00000001400413A2

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$Client$Intersect$EmptyInflate
String ID:
API String ID: 2565724523-0
Opcode ID: 3e2b2ae7ccbb8a7244811b94db8c9312e97ecdb2876fb0328b015749b222f87b
Instruction ID: bf78222b62df833ecb992db1267b68b997d6579d34f513e75771c294aa0826ac
Opcode Fuzzy Hash: 3e2b2ae7ccbb8a7244811b94db8c9312e97ecdb2876fb0328b015749b222f87b
Instruction Fuzzy Hash: 4B42BD32710B90C6EB16CB62E540BED73A0FB88BC8F018126EF4A67BA5DB74C955C744

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000A760, Relevance: 9.3, APIs: 6, Instructions: 294memoryCOMMON

Download Yara Rule

APIs

MapDialogRect.USER32 ref: 000000014000A84A
SysAllocStringLen.OLEAUT32 ref: 000000014000A870

Part of subcall function 0000000140002D74: malloc.LIBCMT ref: 0000000140002D9B

CLSIDFromString.OLE32 ref: 000000014000A9D5
CLSIDFromProgID.OLE32 ref: 000000014000A9DD
SetWindowPos.USER32 ref: 000000014000AAC7
SysFreeString.OLEAUT32 ref: 000000014000AB2B

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: String$From$AllocDialogFreeProgRectWindowmalloc
String ID:
API String ID: 1120981667-0
Opcode ID: 691032ca50baaa47a8d86d342bacb1b658bff73fdd5d9fe6997f1bdef61356a1
Instruction ID: 58405641e73d9caeb7d2368e2ffaedff52a0707cfc9c3f9257335c0c1765294f
Opcode Fuzzy Hash: 691032ca50baaa47a8d86d342bacb1b658bff73fdd5d9fe6997f1bdef61356a1
Instruction Fuzzy Hash: 80D17E76604B908AE715CF6AE4407AE77F1F788B98F104116EF5A87BA8EB38D445CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003C644, Relevance: 9.2, APIs: 6, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 000000014003C6D7
GetMenuItemID.USER32 ref: 000000014003C6EE
GetMenuItemCount.USER32 ref: 000000014003C72E
GetMenuItemID.USER32 ref: 000000014003C752
SendMessageW.USER32 ref: 000000014003C7B3
GetMenuState.USER32 ref: 000000014003C825

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Menu$Item$Count$MessageSendState
String ID:
API String ID: 1967460588-0
Opcode ID: 41d86fe7f54d3252d8738b246c1117ed89bb23f4d04a181943eae4223287cbcb
Instruction ID: 8a061c0c79c68ebdd250dd7eef4819ebbb099818c0133da1706e10290853a7fd
Opcode Fuzzy Hash: 41d86fe7f54d3252d8738b246c1117ed89bb23f4d04a181943eae4223287cbcb
Instruction Fuzzy Hash: 0771E632221A8182EB679B27D854BEE6390FB8DBE4F141225EF1A977F5CF34C9518740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014015C7A0, Relevance: 9.1, APIs: 6, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000014015C80D
RtlLookupFunctionEntry.KERNEL32 ref: 000000014015C825
RtlVirtualUnwind.KERNEL32 ref: 000000014015C85F
IsDebuggerPresent.KERNEL32 ref: 000000014015C895
SetUnhandledExceptionFilter.KERNEL32 ref: 000000014015C89F
UnhandledExceptionFilter.KERNEL32 ref: 000000014015C8AA

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 8f360ba3e0e1a3023d794bfdc25d8e406b4aa35c4960f596d1bc53af1efa52dc
Instruction ID: f86b1ef95985370c9b132e6f1eda42c029e2767094bb05384772ba6644bdf1a3
Opcode Fuzzy Hash: 8f360ba3e0e1a3023d794bfdc25d8e406b4aa35c4960f596d1bc53af1efa52dc
Instruction Fuzzy Hash: BD318D32214B808AEB61CF26E8847DE73A4F788B58F540116EB9D47BA9DF38C585CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003910C, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 262libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014001E7FC: CoInitialize.OLE32 ref: 000000014001E834
Part of subcall function 000000014001E7FC: CoCreateInstance.OLE32 ref: 000000014001E861

GetModuleHandleW.KERNEL32 ref: 00000001400393AF
GetProcAddress.KERNEL32 ref: 00000001400393C4

Strings

AFX_SUPERBAR_TAB, xrefs: 00000001400391A8
DWMAPI, xrefs: 00000001400393A8
DwmSetWindowAttribute, xrefs: 00000001400393BA

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AddressCreateHandleInitializeInstanceModuleProc
String ID: AFX_SUPERBAR_TAB$DWMAPI$DwmSetWindowAttribute
API String ID: 3544014753-136793874
Opcode ID: a366edae3fa05eb61f74dc7c665224f5a6b16ab7ac2b41ef08969907bdafbbbf
Instruction ID: 3603b3010496ce36de678ec70b5051e5f27c58998c2c84a9a00741cbeb4072ec
Opcode Fuzzy Hash: a366edae3fa05eb61f74dc7c665224f5a6b16ab7ac2b41ef08969907bdafbbbf
Instruction Fuzzy Hash: C0B15B72301A4186EB569F26C4907DA23A0FB49BE8F049225EB2E47BE9DF38C955C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000014015892C, Relevance: 7.6, APIs: 5, Instructions: 80memorythreadCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 000000014015897E
GetSystemInfo.KERNEL32 ref: 0000000140158995
SetThreadStackGuarantee.KERNEL32 ref: 00000001401589A7
VirtualAlloc.KERNEL32 ref: 00000001401589FA
VirtualProtect.KERNEL32 ref: 0000000140158A14

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Virtual$AllocGuaranteeInfoProtectQueryStackSystemThread
String ID:
API String ID: 513674450-0
Opcode ID: f51826e5b3c2b67e3d34fb6dabb49d7077bd84c9cb6993543db56bb348979f64
Instruction ID: e35993bdde3c22ea8bf18f322eb688a3db882136b952ea2849ab48cd11fba7b4
Opcode Fuzzy Hash: f51826e5b3c2b67e3d34fb6dabb49d7077bd84c9cb6993543db56bb348979f64
Instruction Fuzzy Hash: 42315C32310A958AEB65CF32E8947D933A4F74CB88F485426AF0E8BB58DF39D645C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005AD18, Relevance: 7.6, APIs: 5, Instructions: 78windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014005AD65
SendMessageW.USER32 ref: 000000014005AD8F
SendMessageW.USER32 ref: 000000014005ADC3
SendMessageW.USER32 ref: 000000014005ADE3
SetRectEmpty.USER32 ref: 000000014005AE15

Part of subcall function 00000001400D9464: SendMessageW.USER32 ref: 00000001400D94A0

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MessageSend$EmptyRect
String ID:
API String ID: 4004678023-0
Opcode ID: 15c3de08b345170973a13407e9f52af163bb5c730fd04fa8e4e961f861f0e0d9
Instruction ID: fb56e143332ce5409e1fad8b4fc40d774160b12b04d6a98f94a861e668444fe8
Opcode Fuzzy Hash: 15c3de08b345170973a13407e9f52af163bb5c730fd04fa8e4e961f861f0e0d9
Instruction Fuzzy Hash: 3F31B072311A8087FF55CF66E995BEAA3A0FB8DBD5F401111AF5A47AA4CF39C0168700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400768F8, Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 431keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32 ref: 000000014007696B

Part of subcall function 00000001400722D0: IsRectEmpty.USER32 ref: 000000014007231A
Part of subcall function 00000001400722D0: InvertRect.USER32 ref: 0000000140072339
Part of subcall function 00000001400722D0: SetRectEmpty.USER32 ref: 000000014007234B

GetAsyncKeyState.USER32 ref: 0000000140076DC3
GetAsyncKeyState.USER32 ref: 0000000140076E41

Strings

(, xrefs: 0000000140076E50

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AsyncRectState$Empty$Invert
String ID: (
API String ID: 3412082714-3887548279
Opcode ID: e91edcdff9ccf23becdba9ec804003742f2a380e0d172c0927b245c270772beb
Instruction ID: 4487b9a79423101ac4961401e6923aecf507cd435446fcaecc94344054772881
Opcode Fuzzy Hash: e91edcdff9ccf23becdba9ec804003742f2a380e0d172c0927b245c270772beb
Instruction Fuzzy Hash: AF026272701A4186EB6AAF3AC5947ED63A1F74CBD4F144126EB1A47BB5CF39C861CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005EAE4, Relevance: 4.8, APIs: 3, Instructions: 267keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32 ref: 000000014005EB14
GetWindowRect.USER32 ref: 000000014005EB79
GetCursorPos.USER32 ref: 000000014005EBD9

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CursorRectStateWindow
String ID:
API String ID: 3412758350-0
Opcode ID: bd46d10739a8afb3bf3f38cc69873ef8307af45e04373baac8fed676a23729fb
Instruction ID: 11f521b3f5ddb2870d6dfaf849c68152ea229bd8867307014647d8c4957afc8c
Opcode Fuzzy Hash: bd46d10739a8afb3bf3f38cc69873ef8307af45e04373baac8fed676a23729fb
Instruction Fuzzy Hash: 9FB1A872310B8186EB5ADF2794887ED27A0BB4CBC8F044425EF59573A5EF36C895C310

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005C3D4, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 314COMMON

Download Yara Rule

APIs

ClientToScreen.USER32 ref: 000000014005C7A5

Strings

DUMMY, xrefs: 000000014005C588

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ClientScreen
String ID: DUMMY
API String ID: 3917795285-3097505935
Opcode ID: 6851958fa95e78564fd732046996a8ad4dfeca168b0d2b196b493a456cca121f
Instruction ID: f0f36c5314db7d97ddc0d18ad439377c318a44a81a500ecb1208022b4f532ab7
Opcode Fuzzy Hash: 6851958fa95e78564fd732046996a8ad4dfeca168b0d2b196b493a456cca121f
Instruction Fuzzy Hash: 33D1AE32311A8086EB25EB27D4507EE63A0FB89BE4F444225EB5E47BE5EF39C944C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400F0FA4, Relevance: 3.3, APIs: 2, Instructions: 255COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 00000001400F1108

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: 6214fe33e4b44640c4c1801a8b9c85dec5ad0b228751a82b7fa06c2d58e60962
Instruction ID: 32e953d0c8f1bec27451689ee466596d6842724385be6f4391926d3a61628ca4
Opcode Fuzzy Hash: 6214fe33e4b44640c4c1801a8b9c85dec5ad0b228751a82b7fa06c2d58e60962
Instruction Fuzzy Hash: 83A1EF32B10A848AE7199F6AD8503ED77B0F388BD9F044125EF2953BA4DF74D591CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140162354, Relevance: 3.2, APIs: 2, Instructions: 235COMMONLIBRARYCODE

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00000001401625C6

Part of subcall function 0000000140161E54: _errno.LIBCMT ref: 0000000140161E5D
Part of subcall function 0000000140161E54: _invalid_parameter_noinfo.LIBCMT ref: 0000000140161E68

_get_daylight.LIBCMT ref: 000000014016264C

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: _get_daylight$_errno_invalid_parameter_noinfo
String ID:
API String ID: 3559991230-0
Opcode ID: 60f4f27b565b5e3f257567224cfe6705b79ed811ce1a34dbb63c72a742cf4982
Instruction ID: 45f3f4b56f52016cd0a07df8b55b908a1ea3c8fbc2551ebafde47813afebd97e
Opcode Fuzzy Hash: 60f4f27b565b5e3f257567224cfe6705b79ed811ce1a34dbb63c72a742cf4982
Instruction Fuzzy Hash: 18912972B106414BD72ECB2AED51BD86696F3EC740F588535EF0A8BBE4EB78D9008740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140042E18, Relevance: 3.1, APIs: 2, Instructions: 103COMMON

Download Yara Rule

APIs

RedrawWindow.USER32 ref: 0000000140042F80

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: RedrawWindow
String ID:
API String ID: 2219533335-0
Opcode ID: d420327b0c2e20710e13aeef425d74be4de90289ab916096f6ea3c22917c98ea
Instruction ID: d3b57072ed72b95ecf2322e046e034a057a150d35f9d6b1148a2e964420c7ba5
Opcode Fuzzy Hash: d420327b0c2e20710e13aeef425d74be4de90289ab916096f6ea3c22917c98ea
Instruction Fuzzy Hash: E6417977B10A408BEB54CB66D198BAE33B1F388BD9F554125EF0A07B58CF39C5558B40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400926C4, Relevance: 3.1, APIs: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32 ref: 0000000140092744
PostMessageW.USER32 ref: 000000014009279B

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: IconicMessagePost
String ID:
API String ID: 288454118-0
Opcode ID: 8ceb3f6354dcbd444a72c1de9b9807b97369e3d7a95ebe2b63d590884671f146
Instruction ID: 196f76cc7b0560501830781cfb8d3bff0ec02929c6b28b7d39540bf8189cc0b3
Opcode Fuzzy Hash: 8ceb3f6354dcbd444a72c1de9b9807b97369e3d7a95ebe2b63d590884671f146
Instruction Fuzzy Hash: 4C21B076614A4586FB769AA6E4843EEA361F38CBC4F144135EF8653BA2DE38C8418340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400668D4, Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00000001400668EC
IsIconic.USER32 ref: 00000001400668FF

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: IconicVisibleWindow
String ID:
API String ID: 1797901696-0
Opcode ID: d0b243073ec024a855e4704771b3bb3fb9d2ff7626a74cc2401f70e3fc5f614e
Instruction ID: caee6ac879ea5f59b406638ea7ce97ca4a4d2bd6ed3ee10825bc099781813ccd
Opcode Fuzzy Hash: d0b243073ec024a855e4704771b3bb3fb9d2ff7626a74cc2401f70e3fc5f614e
Instruction Fuzzy Hash: 7DF0623031854082E7159B3BAAD03BD6293BBCDBD4F608624FB6D472F5DF34C8464200

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001E7FC, Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 000000014001E834
CoCreateInstance.OLE32 ref: 000000014001E861

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CreateInitializeInstance
String ID:
API String ID: 3519745914-0
Opcode ID: 8ff62f1d93a1f39a369d70547c26b74f26a85472c81fb6d8d60bd986325842fd
Instruction ID: 7cc6f62a34a8725eb9cab78b97b24a6a17e6e7e9d0818e4cff19bb185b9ba2b1
Opcode Fuzzy Hash: 8ff62f1d93a1f39a369d70547c26b74f26a85472c81fb6d8d60bd986325842fd
Instruction Fuzzy Hash: D601FB326156C182EB568B26E5443DD73A0F74CB88F58413AEB084B6B4DF3AD65AC704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140092B98, Relevance: 1.8, APIs: 1, Instructions: 288COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0000000140092C1B

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Parent
String ID:
API String ID: 975332729-0
Opcode ID: 3ba6b99948d1c7e67f4518cd5ec6184a019736f4dc0edf478c562aa585bf2c22
Instruction ID: 26a39e9e06644ce6c961481a101ad76d14e644a975b1cfd4bb466e4ea8e69d18
Opcode Fuzzy Hash: 3ba6b99948d1c7e67f4518cd5ec6184a019736f4dc0edf478c562aa585bf2c22
Instruction Fuzzy Hash: C8C16D32311A8182EA66EB27E4547EE63A1FB8DBD4F484125BF5A4B7E5DF38C941C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140084BF4, Relevance: 1.7, APIs: 1, Instructions: 218COMMON

Download Yara Rule

APIs

GetBkColor.GDI32 ref: 0000000140084D4B

Part of subcall function 0000000140024A70: SetBkColor.GDI32 ref: 0000000140024AA1
Part of subcall function 0000000140024A70: ExtTextOutW.GDI32 ref: 0000000140024AED

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Color$Text
String ID:
API String ID: 657580467-0
Opcode ID: 341b28d51d463f965b40c4560f645e553d5bf83941e33f815aae2ec0976b49fc
Instruction ID: 6dea8fc57dd88a4bf5bced41691eb4e5f649b63920105b23916b98e3f115e95b
Opcode Fuzzy Hash: 341b28d51d463f965b40c4560f645e553d5bf83941e33f815aae2ec0976b49fc
Instruction Fuzzy Hash: DEA16C73B006508AE762CF7AD8447DD7BA0F78CB98F144219AF4957BA9DB38D980CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140038030, Relevance: 1.5, APIs: 1, Instructions: 29windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32 ref: 0000000140038064

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: fb3e903d3760d5398c728c9c8ced5774ae5dd0a55c4aba1ec78d0be3ee1bd993
Instruction ID: 50e268aeed68b0f4f39061ace09dff08a314a3b6b3d1ab73fdfb3b2456ff275d
Opcode Fuzzy Hash: fb3e903d3760d5398c728c9c8ced5774ae5dd0a55c4aba1ec78d0be3ee1bd993
Instruction Fuzzy Hash: C7F01D22714A8181EA95DB67E8443AA6760B78CBC0F548075BB5E87765DF34C5568700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140154D44, Relevance: 1.5, APIs: 1, Instructions: 14timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000000140154D4D

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: 84a6c3c29a033bafdea42f0a39ab49030484466b38c60d531c1ee808d3b969de
Instruction ID: 7e15b92b972413aef35f253b0370aeaa00be2005e9261fd750947beeccac3d87
Opcode Fuzzy Hash: 84a6c3c29a033bafdea42f0a39ab49030484466b38c60d531c1ee808d3b969de
Instruction Fuzzy Hash: A9D05E75776584C3DA858F2AEC86A896322F38CB95F901001FA4F43F28CA2CCC17CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140078D58, Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ca51d4ffef845e7af39127faf1f431dbd7f4dab75556b0c061a503c11a6935
Instruction ID: 6873a219d354d8eb1c7a931844eaee67f6db159661d82c27c55d51013597ec85
Opcode Fuzzy Hash: 45ca51d4ffef845e7af39127faf1f431dbd7f4dab75556b0c061a503c11a6935
Instruction Fuzzy Hash: E3C1F372340A4586EB6ADB2BC4047ED23A2F788BE4F644615EF2A436F5DB7DC881C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140046614, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45cb6806c4054104b1560998267f4c41ade1c2e8cbe6e381abbdfbcdff6e5487
Instruction ID: 645ac642489f842f7336a1a5c4983c4aa870af64408fd8b3b69afb4c8dea107d
Opcode Fuzzy Hash: 45cb6806c4054104b1560998267f4c41ade1c2e8cbe6e381abbdfbcdff6e5487
Instruction Fuzzy Hash: 8A715A35300651A6FB62DF3BE950FE62361FBA8798F558025AF09839F5FB31C8458B81

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401660E0, Relevance: 107.7, APIs: 86, Instructions: 180COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00000001401660F5

Part of subcall function 0000000140155564: RtlDeleteBoundaryDescriptor.NTDLL(?,?,00000000,000000014015AAC4,?,?,00000018,0000000140156059,?,?,?,?,000000014015574A,?,?,00000018), ref: 000000014015557A
Part of subcall function 0000000140155564: _errno.LIBCMT ref: 0000000140155584
Part of subcall function 0000000140155564: GetLastError.KERNEL32(?,?,00000000,000000014015AAC4,?,?,00000018,0000000140156059,?,?,?,?,000000014015574A,?,?,00000018), ref: 000000014015558C

free.LIBCMT ref: 00000001401660FE
free.LIBCMT ref: 0000000140166107
free.LIBCMT ref: 0000000140166110
free.LIBCMT ref: 0000000140166119
free.LIBCMT ref: 0000000140166122
free.LIBCMT ref: 000000014016612A
free.LIBCMT ref: 0000000140166133
free.LIBCMT ref: 000000014016613C
free.LIBCMT ref: 0000000140166145
free.LIBCMT ref: 000000014016614E
free.LIBCMT ref: 0000000140166157
free.LIBCMT ref: 0000000140166160
free.LIBCMT ref: 0000000140166169
free.LIBCMT ref: 0000000140166172
free.LIBCMT ref: 000000014016617B
free.LIBCMT ref: 0000000140166187
free.LIBCMT ref: 0000000140166193
free.LIBCMT ref: 000000014016619F
free.LIBCMT ref: 00000001401661AB
free.LIBCMT ref: 00000001401661B7
free.LIBCMT ref: 00000001401661C3
free.LIBCMT ref: 00000001401661CF
free.LIBCMT ref: 00000001401661DB
free.LIBCMT ref: 00000001401661E7
free.LIBCMT ref: 00000001401661F3
free.LIBCMT ref: 00000001401661FF
free.LIBCMT ref: 000000014016620B
free.LIBCMT ref: 0000000140166217
free.LIBCMT ref: 0000000140166223
free.LIBCMT ref: 000000014016622F
free.LIBCMT ref: 000000014016623B
free.LIBCMT ref: 0000000140166247
free.LIBCMT ref: 0000000140166253
free.LIBCMT ref: 000000014016625F
free.LIBCMT ref: 000000014016626B
free.LIBCMT ref: 0000000140166277
free.LIBCMT ref: 0000000140166283
free.LIBCMT ref: 000000014016628F
free.LIBCMT ref: 000000014016629B
free.LIBCMT ref: 00000001401662A7
free.LIBCMT ref: 00000001401662B3
free.LIBCMT ref: 00000001401662BF
free.LIBCMT ref: 00000001401662CB
free.LIBCMT ref: 00000001401662D7
free.LIBCMT ref: 00000001401662E3
free.LIBCMT ref: 00000001401662EF
free.LIBCMT ref: 00000001401662FB
free.LIBCMT ref: 0000000140166307
free.LIBCMT ref: 0000000140166313
free.LIBCMT ref: 000000014016631F
free.LIBCMT ref: 000000014016632B
free.LIBCMT ref: 0000000140166337
free.LIBCMT ref: 0000000140166343
free.LIBCMT ref: 000000014016634F
free.LIBCMT ref: 000000014016635B
free.LIBCMT ref: 0000000140166367
free.LIBCMT ref: 0000000140166373
free.LIBCMT ref: 000000014016637F
free.LIBCMT ref: 000000014016638B
free.LIBCMT ref: 0000000140166397
free.LIBCMT ref: 00000001401663A3
free.LIBCMT ref: 00000001401663AF
free.LIBCMT ref: 00000001401663BB
free.LIBCMT ref: 00000001401663C7
free.LIBCMT ref: 00000001401663D3
free.LIBCMT ref: 00000001401663DF
free.LIBCMT ref: 00000001401663EB
free.LIBCMT ref: 00000001401663F7
free.LIBCMT ref: 0000000140166403
free.LIBCMT ref: 000000014016640F
free.LIBCMT ref: 000000014016641B
free.LIBCMT ref: 0000000140166427
free.LIBCMT ref: 0000000140166433
free.LIBCMT ref: 000000014016643F
free.LIBCMT ref: 000000014016644B
free.LIBCMT ref: 0000000140166457
free.LIBCMT ref: 0000000140166463
free.LIBCMT ref: 000000014016646F
free.LIBCMT ref: 000000014016647B
free.LIBCMT ref: 0000000140166487
free.LIBCMT ref: 0000000140166493
free.LIBCMT ref: 000000014016649F
free.LIBCMT ref: 00000001401664AB
free.LIBCMT ref: 00000001401664B7
free.LIBCMT ref: 00000001401664C3

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: free$BoundaryDeleteDescriptorErrorLast_errno
String ID:
API String ID: 2077213501-0
Opcode ID: 7ab6f9aacd4369846c505c836686dfbbf9e437f04a08eab20c60e52b2112374c
Instruction ID: 45e2bf27de56a914cbbf44de08f080a39a4312a2838b0eb4e4e2ed62011ec355
Opcode Fuzzy Hash: 7ab6f9aacd4369846c505c836686dfbbf9e437f04a08eab20c60e52b2112374c
Instruction Fuzzy Hash: 9AA142322616C4C5EB47FA32D8E53EC1322AB88F44F0C8132AB4F5E5B6DE22C845C760

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400586B4, Relevance: 49.9, APIs: 33, Instructions: 356COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 000000014005870C
PtInRect.USER32 ref: 000000014005871A
GetClientRect.USER32 ref: 0000000140058734
PtInRect.USER32 ref: 000000014005874E

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$ClientWindow
String ID:
API String ID: 23228050-0
Opcode ID: 756f69503740cf9dbbb9334788055bbc16e4f4b65aea04822d6a8cdae31b1561
Instruction ID: 7ddd6b0ee597b23fae15ea2c0de2b4cc712e4c0180e8b281088b6bd9ed5e32b1
Opcode Fuzzy Hash: 756f69503740cf9dbbb9334788055bbc16e4f4b65aea04822d6a8cdae31b1561
Instruction Fuzzy Hash: FBF11436714A418BFB21CF76E884BED33B1A748B88F140616AF5A63BA8DF39D505C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400161FC, Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 423windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 000000014001629A
GetMenuItemInfoW.USER32 ref: 00000001400162FF
wcsnlen.LIBCMT ref: 0000000140016314
CopyRect.USER32 ref: 0000000140016357
GetObjectW.GDI32 ref: 000000014001638A
GetSystemMetrics.USER32 ref: 00000001400163A3
GetSystemMetrics.USER32 ref: 00000001400163B1
GetSysColor.USER32 ref: 00000001400163F6
CreateCompatibleDC.GDI32 ref: 000000014001640B
GetTextExtentPoint32W.GDI32 ref: 0000000140016444
CopyRect.USER32 ref: 000000014001645D
GetSysColor.USER32 ref: 0000000140016474
GetSysColor.USER32 ref: 00000001400164A5
GetSysColor.USER32 ref: 00000001400164B2
GetSysColor.USER32 ref: 00000001400164F2
GetSysColor.USER32 ref: 0000000140016511

Part of subcall function 00000001400247A4: SetBkColor.GDI32 ref: 00000001400247DC
Part of subcall function 00000001400247A4: ExtTextOutW.GDI32 ref: 0000000140024807

GetSysColor.USER32 ref: 0000000140016556

Part of subcall function 0000000140017648: SetBkMode.GDI32 ref: 0000000140017663
Part of subcall function 0000000140017648: SetBkMode.GDI32 ref: 0000000140017674

ExtTextOutW.GDI32 ref: 00000001400165C8
GetSysColor.USER32 ref: 00000001400165D7
GetSysColor.USER32 ref: 000000014001661A
GetSysColor.USER32 ref: 0000000140016627
GetSysColor.USER32 ref: 0000000140016670
ExtTextOutW.GDI32 ref: 00000001400166CA
CreateCompatibleDC.GDI32 ref: 0000000140016734
InflateRect.USER32 ref: 0000000140016765
BitBlt.GDI32 ref: 000000014001679D

Strings

, xrefs: 000000014001676B

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Color$Text$Rect$CompatibleCopyCreateInfoItemMenuMetricsModeSystem$ExtentInflateObjectPoint32wcsnlen
String ID:
API String ID: 2475881999-3916222277
Opcode ID: efdb90a3a5a0d14400ab1d373772124aa4e02a72cc88e5b9db461b2992ff4fae
Instruction ID: 4b68ff7bcad76b05a3b3231e4a898e6b49498b6191608d0f68be6e424ef088be
Opcode Fuzzy Hash: efdb90a3a5a0d14400ab1d373772124aa4e02a72cc88e5b9db461b2992ff4fae
Instruction Fuzzy Hash: 2E126A76214A408BE715DF3AD848BDD77A1F788B98F144215EF4A8BBA8CF79D844CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400BEEE4, Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 268windowCOMMON

Download Yara Rule

APIs

CopyImage.USER32 ref: 00000001400BEF63
GetObjectW.GDI32 ref: 00000001400BEFA4
DeleteObject.GDI32 ref: 00000001400BEFF8
CreateCompatibleDC.GDI32 ref: 00000001400BF01B
GetObjectW.GDI32 ref: 00000001400BF038
GetObjectW.GDI32 ref: 00000001400BF07C
SelectObject.GDI32 ref: 00000001400BF099
SelectObject.GDI32 ref: 00000001400BF0C8
CreateCompatibleBitmap.GDI32 ref: 00000001400BF0ED
SelectObject.GDI32 ref: 00000001400BF108
CreateCompatibleDC.GDI32 ref: 00000001400BF123
SelectObject.GDI32 ref: 00000001400BF13C
SelectObject.GDI32 ref: 00000001400BF157
DeleteObject.GDI32 ref: 00000001400BF160
BitBlt.GDI32 ref: 00000001400BF1AD
SelectObject.GDI32 ref: 00000001400BF1C0
SelectObject.GDI32 ref: 00000001400BF1D6
SelectObject.GDI32 ref: 00000001400BF1E9
DeleteObject.GDI32 ref: 00000001400BF1F2
BitBlt.GDI32 ref: 00000001400BF237
SelectObject.GDI32 ref: 00000001400BF244
SelectObject.GDI32 ref: 00000001400BF257
DeleteObject.GDI32 ref: 00000001400BF269
DeleteObject.GDI32 ref: 00000001400BF2B7

Strings

, xrefs: 00000001400BF20B

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Object$Select$Delete$CompatibleCreate$BitmapCopyImage
String ID:
API String ID: 3904437521-3916222277
Opcode ID: 55458a599a797832ed1a4a444be1e70348ddbf05391a4511bed99d0a1b10e3ce
Instruction ID: 68af51f32060cf68003aec57808cb52f02dce2a09bdf10722cf2b53e173b1291
Opcode Fuzzy Hash: 55458a599a797832ed1a4a444be1e70348ddbf05391a4511bed99d0a1b10e3ce
Instruction Fuzzy Hash: FFC14932215A808AEB169FA6D8847EE73B0F788BD8F444521EF0A5BAB5DF38D545C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001E9C8, Relevance: 28.1, APIs: 7, Strings: 9, Instructions: 66libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140003484: ActivateActCtx.KERNEL32 ref: 00000001400034AD

GetProcAddress.KERNEL32 ref: 000000014001E9F7
GetProcAddress.KERNEL32 ref: 000000014001EA12
GetProcAddress.KERNEL32 ref: 000000014001EA2D
GetProcAddress.KERNEL32 ref: 000000014001EA48
GetProcAddress.KERNEL32 ref: 000000014001EAA9
GetProcAddress.KERNEL32 ref: 000000014001EAC4
GetProcAddress.KERNEL32 ref: 000000014001EADF

Strings

DwmIsCompositionEnabled, xrefs: 000000014001EAD1
UxTheme.dll, xrefs: 000000014001E9D5
EndBufferedPaint, xrefs: 000000014001EA3A
DrawThemeParentBackground, xrefs: 000000014001E9ED
DwmExtendFrameIntoClientArea, xrefs: 000000014001EA9F
DrawThemeTextEx, xrefs: 000000014001EA04
dwmapi.dll, xrefs: 000000014001EA81
DwmDefWindowProc, xrefs: 000000014001EAB6
BeginBufferedPaint, xrefs: 000000014001EA1F

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AddressProc$Activate
String ID: BeginBufferedPaint$DrawThemeParentBackground$DrawThemeTextEx$DwmDefWindowProc$DwmExtendFrameIntoClientArea$DwmIsCompositionEnabled$EndBufferedPaint$UxTheme.dll$dwmapi.dll
API String ID: 2388279185-3875329446
Opcode ID: 40f32ea0b0cb1037f7fb039ec9fd6e12348789b417c1e510a83348f68cd74b89
Instruction ID: 10fc8ae7a63e359c28f02ad023ba3009484680be3c57539a6c588be402937d47
Opcode Fuzzy Hash: 40f32ea0b0cb1037f7fb039ec9fd6e12348789b417c1e510a83348f68cd74b89
Instruction Fuzzy Hash: FF31C336601B85D1EB46DF62E8987D823A4FB4CF88F485235EE190B279DF78C699C310

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003B03C, Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 256keyboardwindowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 000000014003B169
IsWindow.USER32 ref: 000000014003B1F1
SendMessageW.USER32 ref: 000000014003B218
GetKeyState.USER32 ref: 000000014003B28A
GetKeyState.USER32 ref: 000000014003B2A1
ImmGetContext.IMM32 ref: 000000014003B2B7
ImmGetOpenStatus.IMM32 ref: 000000014003B2C7
ImmReleaseContext.IMM32 ref: 000000014003B2E5
GetFocus.USER32 ref: 000000014003B310
IsWindow.USER32 ref: 000000014003B35B
IsWindow.USER32 ref: 000000014003B3EA
ClientToScreen.USER32 ref: 000000014003B3FD
IsWindow.USER32 ref: 000000014003B425
ClientToScreen.USER32 ref: 000000014003B45E

Part of subcall function 00000001400A21D8: GetWindowRect.USER32 ref: 00000001400A221D
Part of subcall function 00000001400A21D8: KillTimer.USER32(?,?,?,?,?,?,?,?,?,?,?,0000000140090C73), ref: 00000001400A225A

Strings

y, xrefs: 000000014003B2FB

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$ClientContextScreenState$CaptureFocusKillMessageOpenRectReleaseSendStatusTimer
String ID: y
API String ID: 3335632768-4225443349
Opcode ID: 4106064bf8585fa22f5df84f889a1780f33b746706802813b38fec0131cbe041
Instruction ID: 65cabf6e3a5a9194e2385c2b3d415d2f35614891bcacb71feb66ca118ccc4bc9
Opcode Fuzzy Hash: 4106064bf8585fa22f5df84f889a1780f33b746706802813b38fec0131cbe041
Instruction Fuzzy Hash: AFB14675600A0082FB6B9B27D5643EF67A0F78DBC8F104126EB29476F9DF39C8918741

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140020E68, Relevance: 24.2, APIs: 16, Instructions: 168windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 0000000140020F25
SendMessageW.USER32 ref: 0000000140020F48
ReleaseCapture.USER32 ref: 0000000140020F8F
GetMessageW.USER32 ref: 0000000140020FA3
PeekMessageW.USER32 ref: 0000000140020FC2
DispatchMessageW.USER32 ref: 0000000140020FCB
PeekMessageW.USER32 ref: 0000000140020FFD
GetCapture.USER32 ref: 000000014002100D
ReleaseCapture.USER32 ref: 0000000140021018
PeekMessageW.USER32 ref: 0000000140021037
PeekMessageW.USER32 ref: 0000000140021052
GetMessageW.USER32 ref: 0000000140021068
TranslateMessage.USER32 ref: 0000000140021086
DispatchMessageW.USER32 ref: 00000001400210A6
GetCursorPos.USER32 ref: 00000001400210B4
PeekMessageW.USER32 ref: 00000001400210E5

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Message$Peek$Capture$DispatchRelease$CursorSendTranslate
String ID:
API String ID: 605349011-0
Opcode ID: 7cb8c0b11b6e568815ffc8ef306ee75b02231b3ad691da3bbca3ce3ef4463d8e
Instruction ID: b5e2a2abed85c38bf0e3c35d7db9809b6f69f942891fe5dfeb100c3a5b1dd342
Opcode Fuzzy Hash: 7cb8c0b11b6e568815ffc8ef306ee75b02231b3ad691da3bbca3ce3ef4463d8e
Instruction Fuzzy Hash: 7261713131068086FB768F27D8487ED62A1F79CFC5F598029EB4A87AA5DF79C8848740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140012AF0, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000140012B4F
_errno.LIBCMT ref: 0000000140012B56
_snwprintf_s.LIBCMT ref: 0000000140012B78
_errno.LIBCMT ref: 0000000140012B7D
_errno.LIBCMT ref: 0000000140012B8A
_errno.LIBCMT ref: 0000000140012BD0
_errno.LIBCMT ref: 0000000140012BD7
_snwprintf_s.LIBCMT ref: 0000000140012C0B
_errno.LIBCMT ref: 0000000140012C10
_errno.LIBCMT ref: 0000000140012C1A
_errno.LIBCMT ref: 0000000140012C59

Strings

Afx:%p:%x:%p:%p:%p, xrefs: 0000000140012BF3
Afx:%p:%x, xrefs: 0000000140012B5B

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: _errno$_snwprintf_s
String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
API String ID: 3671385064-2801496823
Opcode ID: 728ae87532b5cb506a71af699a030f4b28887c4405e801282e00d74c5d6bb2e0
Instruction ID: b9b7af6a53155cf693547258a769ca208c76c4f7cdd9f3a37e629fce892a0104
Opcode Fuzzy Hash: 728ae87532b5cb506a71af699a030f4b28887c4405e801282e00d74c5d6bb2e0
Instruction Fuzzy Hash: F9516E32200744CAE76AAF6294113DD33A5F78CBC4F894426FB491B7B5CB3AC965C791

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140066268, Relevance: 22.7, APIs: 15, Instructions: 204windowCOMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32 ref: 0000000140066301
GetDlgItem.USER32 ref: 00000001400663A7
ShowWindow.USER32(?,?,?,0000000140037025), ref: 00000001400663B5
GetMenu.USER32 ref: 00000001400663C8
InvalidateRect.USER32(?,?,?,0000000140037025), ref: 00000001400663F6
GetDlgItem.USER32 ref: 0000000140066440
SetWindowLongW.USER32 ref: 0000000140066460
GetDlgItem.USER32 ref: 000000014006647B
GetDlgItem.USER32 ref: 0000000140066494
SetWindowLongW.USER32 ref: 00000001400664AD
SetWindowLongW.USER32 ref: 00000001400664BE
InvalidateRect.USER32(?,?,?,0000000140037025), ref: 00000001400664D9
SetMenu.USER32(?,?,?,0000000140037025), ref: 00000001400664F3
GetDlgItem.USER32 ref: 0000000140066543
ShowWindow.USER32(?,?,?,0000000140037025), ref: 0000000140066554

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ItemWindow$Long$InvalidateMenuRectShow$Ctrl
String ID:
API String ID: 599340499-0
Opcode ID: b7b436c71b10eecb9f0f326abb0277be2efa4de5ac8f4cf26e87c568c18ccbba
Instruction ID: 0d59f04ab6783d9b8f118bf96fff9081c204c9266b4d480e778efdf175f3912c
Opcode Fuzzy Hash: b7b436c71b10eecb9f0f326abb0277be2efa4de5ac8f4cf26e87c568c18ccbba
Instruction Fuzzy Hash: 65914936201A9486EB569F27D85479933A2FB8DFD4F288925EF1E077A8DF35C8958300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400C4FEC, Relevance: 21.2, APIs: 3, Strings: 9, Instructions: 178COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 00000001400C508A
_cwprintf_s_l.LIBCMT ref: 00000001400C509D

Part of subcall function 00000001400C4414: GetWindowRect.USER32 ref: 00000001400C442C

GetWindowRect.USER32 ref: 00000001400C5107

Strings

%sPane-%d, xrefs: 00000001400C5083
RectRecentDocked, xrefs: 00000001400C5184
IsFloating, xrefs: 00000001400C51CB
RecentRowIndex, xrefs: 00000001400C51B6
MRUWidth, xrefs: 00000001400C51E4
RecentFrameAlignment, xrefs: 00000001400C519D
RectRecentFloat, xrefs: 00000001400C516B
%sPane-%d%x, xrefs: 00000001400C5096
PinState, xrefs: 00000001400C51FD

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: RectWindow_cwprintf_s_l
String ID: %sPane-%d$%sPane-%d%x$IsFloating$MRUWidth$PinState$RecentFrameAlignment$RecentRowIndex$RectRecentDocked$RectRecentFloat
API String ID: 3874920457-1120251949
Opcode ID: 278ee478880029487aeb6e20192dfed6801563efc00b80b8e4563f05fdfda930
Instruction ID: e737a41b44530619c22297d9d24d5c51611ba07f61d8c8e8394cf12605cbd54f
Opcode Fuzzy Hash: 278ee478880029487aeb6e20192dfed6801563efc00b80b8e4563f05fdfda930
Instruction Fuzzy Hash: 7071567A701B4592EB49DB2AC8487DD27A4FB89FE5F448212EF2A437A4DF34C895C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007E950, Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 201windowCOMMON

Download Yara Rule

APIs

RealizePalette.GDI32 ref: 000000014007E9AB
InflateRect.USER32 ref: 000000014007EA9D
InflateRect.USER32 ref: 000000014007EAC5
InflateRect.USER32 ref: 000000014007EAEB
GetNearestPaletteIndex.GDI32 ref: 000000014007EB12

Part of subcall function 000000014007E7AC: GetSystemPaletteEntries.GDI32 ref: 000000014007E83F
Part of subcall function 000000014007E7AC: CreatePalette.GDI32 ref: 000000014007E8A0

Part of subcall function 0000000140018A6C: CreateSolidBrush.GDI32 ref: 0000000140018A93

FillRect.USER32 ref: 000000014007EB36
InflateRect.USER32 ref: 000000014007EB63
FillRect.USER32 ref: 000000014007EBC6
InflateRect.USER32 ref: 000000014007EC1F

Strings

iii, xrefs: 000000014007EACB, 000000014007EBF9
, xrefs: 000000014007EC00

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$Inflate$Palette$CreateFill$BrushEntriesIndexNearestRealizeSolidSystem
String ID: iii$
API String ID: 2867256457-462628325
Opcode ID: def1cd46bd3d76d30f5fba5ea1a21a485dfc5eead4d17c7765a6d7d5f4962af3
Instruction ID: 3604e3753e5ce24d57017ed0c0ad34c585eb5bfb1529ea0cc33fdf4404d56c91
Opcode Fuzzy Hash: def1cd46bd3d76d30f5fba5ea1a21a485dfc5eead4d17c7765a6d7d5f4962af3
Instruction Fuzzy Hash: 89914736B00A408AEB12DB66D598BED7361F749BDCF404625EF1917BA8DF388946C780

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400C4D3C, Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 184COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 00000001400C4DDC
_cwprintf_s_l.LIBCMT ref: 00000001400C4DEF

Part of subcall function 00000001400A07A8: _cwprintf_s_l.LIBCMT ref: 00000001400A0842

Strings

%sPane-%d, xrefs: 00000001400C4DD5
RectRecentDocked, xrefs: 00000001400C4EBB
IsFloating, xrefs: 00000001400C4F1E
RecentRowIndex, xrefs: 00000001400C4F02
MRUWidth, xrefs: 00000001400C4F3A
RecentFrameAlignment, xrefs: 00000001400C4EE7
RectRecentFloat, xrefs: 00000001400C4E9F
%sPane-%d%x, xrefs: 00000001400C4DE8
PinState, xrefs: 00000001400C4F56

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: %sPane-%d$%sPane-%d%x$IsFloating$MRUWidth$PinState$RecentFrameAlignment$RecentRowIndex$RectRecentDocked$RectRecentFloat
API String ID: 2941638530-1120251949
Opcode ID: 30c8d58875fcbee4f9307f85005a08f97b5b564f0bae113da113d3e6a57f04e4
Instruction ID: 0dc90cbae24b2532efb6d20a30168e264134e0a139232b5c01d624250d1f19a1
Opcode Fuzzy Hash: 30c8d58875fcbee4f9307f85005a08f97b5b564f0bae113da113d3e6a57f04e4
Instruction Fuzzy Hash: D38159B6701B4186EB45DB6AD8487DC23A0F749FE8F459212DE2E577A4DF74C885C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140070A50, Relevance: 18.2, APIs: 12, Instructions: 220windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140070ACD
ClientToScreen.USER32 ref: 0000000140070B0B
SendMessageW.USER32 ref: 0000000140070B6F
SHGetDesktopFolder.SHELL32 ref: 0000000140070B9A
GetParent.USER32 ref: 0000000140070BC6
CreatePopupMenu.USER32 ref: 0000000140070C1D

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MessageSend$ClientCreateDesktopFolderMenuParentPopupScreen
String ID:
API String ID: 2994660099-0
Opcode ID: 2c8d0aa70a1d03f0d045baa57d9b429c7708ff5550f2eeb5baaf0972d883519c
Instruction ID: 6673552ca4909417d11dc15da8475683d633e3bf6fbceed879fa31b1c626884b
Opcode Fuzzy Hash: 2c8d0aa70a1d03f0d045baa57d9b429c7708ff5550f2eeb5baaf0972d883519c
Instruction Fuzzy Hash: E7A10376701B0086EB26DFA6E8507DD33A1FB88B98F044225EF0957BA8DF39D859C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007C080, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 207stringwindowCOMMON

Download Yara Rule

APIs

CopyRect.USER32 ref: 000000014007C0FE
DrawFocusRect.USER32 ref: 000000014007C112
CreateSolidBrush.GDI32 ref: 000000014007C140
GetBkColor.GDI32 ref: 000000014007C169
CreateSolidBrush.GDI32 ref: 000000014007C171
FillRect.USER32 ref: 000000014007C19D
GetObjectW.GDI32 ref: 000000014007C234
lstrcpyW.KERNEL32 ref: 000000014007C242
CreateFontIndirectW.GDI32 ref: 000000014007C272

Strings

$, xrefs: 000000014007C2DE

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CreateRect$BrushSolid$ColorCopyDrawFillFocusFontIndirectObjectlstrcpy
String ID: $
API String ID: 841727867-3993045852
Opcode ID: db99583564949187b9319dd106d4b99a718e0e583d8faffd4e806b12b2f2ffed
Instruction ID: d60c02f383bce62fecd88bc4a0cab7d1b7ce1907f1bf6e15f6c5a3eee40bdda6
Opcode Fuzzy Hash: db99583564949187b9319dd106d4b99a718e0e583d8faffd4e806b12b2f2ffed
Instruction Fuzzy Hash: 1391AC32310A4086EB12DF66D854BDD3371FB88BA8F444126EF1A57BA8DF38C959C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014016AA3C, Relevance: 16.8, APIs: 11, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014016AA64
_invalid_parameter_noinfo.LIBCMT ref: 000000014016AA6F
__wtomb_environ.LIBCMT ref: 000000014016AB51
_errno.LIBCMT ref: 000000014016AB5A
free.LIBCMT ref: 000000014016AC4B
SetEnvironmentVariableA.KERNEL32 ref: 000000014016AD7C
_errno.LIBCMT ref: 000000014016AD89
free.LIBCMT ref: 000000014016AD97
free.LIBCMT ref: 000000014016ADA4
free.LIBCMT ref: 000000014016ADCB

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: free$_errno$EnvironmentVariable__wtomb_environ_invalid_parameter_noinfo
String ID:
API String ID: 101574016-0
Opcode ID: b29249a283d2891ea17a14ea78d76c6fbb984d3bb27a5b1db12c95115a78bf82
Instruction ID: 631446a8cf12c37cf44a61eecd3a2664da807abad7f2603f4578f14bc92ecb15
Opcode Fuzzy Hash: b29249a283d2891ea17a14ea78d76c6fbb984d3bb27a5b1db12c95115a78bf82
Instruction Fuzzy Hash: 6EA1D33121174047FA17AB57AD103EA2695BB4CFA4F988A269F5E4B7F5DF3DC8218B00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007325C, Relevance: 16.6, APIs: 11, Instructions: 129windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00000001400732B6
ReleaseCapture.USER32 ref: 00000001400732C1
GetClientRect.USER32 ref: 00000001400732D7
GetSystemMetrics.USER32 ref: 00000001400732F6
GetSystemMetrics.USER32 ref: 0000000140073320
SendMessageW.USER32 ref: 000000014007335D
SendMessageW.USER32 ref: 000000014007338C
GetCapture.USER32 ref: 00000001400733B7
ReleaseCapture.USER32 ref: 00000001400733C2
GetClientRect.USER32 ref: 00000001400733D8
RedrawWindow.USER32 ref: 000000014007342C

Part of subcall function 00000001400722D0: IsRectEmpty.USER32 ref: 000000014007231A
Part of subcall function 00000001400722D0: InvertRect.USER32 ref: 0000000140072339
Part of subcall function 00000001400722D0: SetRectEmpty.USER32 ref: 000000014007234B

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$Capture$ClientEmptyMessageMetricsReleaseSendSystem$InvertRedrawWindow
String ID:
API String ID: 1941718639-0
Opcode ID: dd84e7ac3c97d3ba8efe919b3517654a5311a42713cf9e01754b60231d6dc4e9
Instruction ID: e7d2199b1de3808fcda1ca808bc9a859208d4748ce4b207675130c03cc15b3ce
Opcode Fuzzy Hash: dd84e7ac3c97d3ba8efe919b3517654a5311a42713cf9e01754b60231d6dc4e9
Instruction Fuzzy Hash: 3351F136210A44CAE725DF3AE88479E77A1F78CB89F455225EF4A43B68CF39D841CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140074718, Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 155COMMON

Download Yara Rule

APIs

RedrawWindow.USER32 ref: 00000001400748AC

Part of subcall function 00000001400731EC: RedrawWindow.USER32 ref: 000000014007320A

Strings

MFCPropertyGrid_ModifiedProperties, xrefs: 000000014007487B
MFCPropertyGrid_DescriptionArea, xrefs: 0000000140074792
Property, xrefs: 000000014007483B
MFCPropertyGrid_VSDotNetLook, xrefs: 00000001400748B9
MFCPropertyGrid_AlphabeticMode, xrefs: 0000000140074855
Value, xrefs: 0000000140074834
MFCPropertyGrid_DescriptionRows, xrefs: 00000001400747E8
MFCPropertyGrid_HeaderCtrl, xrefs: 0000000140074820

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: RedrawWindow
String ID: MFCPropertyGrid_AlphabeticMode$MFCPropertyGrid_DescriptionArea$MFCPropertyGrid_DescriptionRows$MFCPropertyGrid_HeaderCtrl$MFCPropertyGrid_ModifiedProperties$MFCPropertyGrid_VSDotNetLook$Property$Value
API String ID: 2219533335-2695045869
Opcode ID: 1739f536e81f9766bd094036aaf26d1998f05c4c9c2938f9be68fc889b3743fd
Instruction ID: 6da66f977703b521301d13311a5a3f31ce193895d8e17b955b35ae7b219f6fa3
Opcode Fuzzy Hash: 1739f536e81f9766bd094036aaf26d1998f05c4c9c2938f9be68fc889b3743fd
Instruction Fuzzy Hash: D9518172B00A4596FB01EF7AD8407DD23A1BB897E8F445226EF2A576E9DF38C845C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400DE140, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,?,?,?,?,?,00000000,000000014001335F,?,?,?,0000000140008154), ref: 00000001400DE184

Strings

, xrefs: 00000001400DE255

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Object
String ID:
API String ID: 2936123098-3916222277
Opcode ID: 50f25406d6000e54a53536f177f600985c5a6548ffaf36ff70181feb47b730a4
Instruction ID: d243b626481a253976a66f4cba7e936815e066a77f0c4e4019342b6946c79963
Opcode Fuzzy Hash: 50f25406d6000e54a53536f177f600985c5a6548ffaf36ff70181feb47b730a4
Instruction Fuzzy Hash: 26515E72701A408AFB21EF66D8947ED73A0FB48B98F404525EF195B7A9DF34C905C350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140052EE8, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 117windowCOMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 0000000140052F2D

Part of subcall function 00000001400E155C: CreateCompatibleDC.GDI32 ref: 00000001400E1616

DrawFocusRect.USER32 ref: 0000000140052F9D
InflateRect.USER32 ref: 0000000140052FAE
InflateRect.USER32 ref: 0000000140052FF3
InflateRect.USER32 ref: 000000014005304A
CreateHatchBrush.GDI32 ref: 000000014005306B
FillRect.USER32 ref: 0000000140053088

Strings

iii, xrefs: 0000000140052FD9
, xrefs: 0000000140052FF9

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$Inflate$Create$BrushCompatibleDrawFillFocusHatch
String ID: iii$
API String ID: 1827052314-462628325
Opcode ID: a1c84c689e1a6aed45395366514775e6798c8e4c9f1e8c8891c6c80769142bbc
Instruction ID: f2445e5f08dcdc5ff099eb4aa084456abdb134f8726f58e8febe4e2ab6e1acaf
Opcode Fuzzy Hash: a1c84c689e1a6aed45395366514775e6798c8e4c9f1e8c8891c6c80769142bbc
Instruction Fuzzy Hash: 585149327206608AE712DB67E948BDC7365F34DBE8F404226EF1A13BA4CB79C945CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140132140, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

EqualRect.USER32 ref: 000000014013216F
EqualRect.USER32 ref: 0000000140132183
CreateRectRgn.GDI32 ref: 00000001401321D6
CreateRectRgn.GDI32 ref: 000000014013220D
CreateRectRgnIndirect.GDI32 ref: 0000000140132218
CombineRgn.GDI32 ref: 000000014013223B
SetWindowRgn.USER32 ref: 000000014013224C
RedrawWindow.USER32 ref: 00000001401322DB

Strings

X, xrefs: 000000014013227B

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$Create$EqualWindow$CombineIndirectRedraw
String ID: X
API String ID: 1400420921-3081909835
Opcode ID: 0de9bcd5db356a5841b8971ca76c0b54e03f7c8ee6bee98acac6de56935c9ed0
Instruction ID: cbd9ae6d8f7796cc3cc42fa539bc4efc0af9ba1316ebfeb33be6a29014d1f98d
Opcode Fuzzy Hash: 0de9bcd5db356a5841b8971ca76c0b54e03f7c8ee6bee98acac6de56935c9ed0
Instruction Fuzzy Hash: 6B515A767106908AF715DF66E948BEE7760F74CB98F048224DF5917AA8DF38E494CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006A3E0, Relevance: 15.4, APIs: 10, Instructions: 424COMMON

Download Yara Rule

APIs

PathRemoveFileSpecW.SHLWAPI ref: 000000014006A4D3
wcsnlen.LIBCMT ref: 000000014006A4E1
CoTaskMemFree.OLE32 ref: 000000014006A575
PathRemoveFileSpecW.SHLWAPI ref: 000000014006A69A
CoTaskMemFree.OLE32 ref: 000000014006A6CE
PathRemoveFileSpecW.SHLWAPI ref: 000000014006A735
wcsnlen.LIBCMT ref: 000000014006A742
CoTaskMemFree.OLE32 ref: 000000014006A7B4
PathFindFileNameW.SHLWAPI ref: 000000014006A8CC
PathFindExtensionW.SHLWAPI ref: 000000014006A92A

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Path$File$FreeRemoveSpecTask$Findwcsnlen$ExtensionName
String ID:
API String ID: 1633840222-0
Opcode ID: 203828cef36641f4b9a3a2094d02f4f1777f7050d31689e4018c1f39df920277
Instruction ID: 870b0453b46a32a6cd2bf88187d94c00e8a2eee05fd07763d02dc2b0ddf19673
Opcode Fuzzy Hash: 203828cef36641f4b9a3a2094d02f4f1777f7050d31689e4018c1f39df920277
Instruction Fuzzy Hash: 7D122376701A058AEB05EF2AD8903ED23A1FB89F98F244512EF1E577A8DF38C855C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140042FAC, Relevance: 15.3, APIs: 10, Instructions: 284windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32 ref: 0000000140043020
EnableMenuItem.USER32 ref: 000000014004303E
CheckMenuItem.USER32 ref: 0000000140043075
EnableMenuItem.USER32 ref: 0000000140043091
EnableMenuItem.USER32 ref: 00000001400430B7
EnableMenuItem.USER32 ref: 00000001400430C9
EnableMenuItem.USER32 ref: 00000001400430DB
EnableMenuItem.USER32 ref: 0000000140043139
CheckMenuItem.USER32 ref: 0000000140043156
UpdateWindow.USER32 ref: 0000000140043398

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ItemMenu$Enable$Check$UpdateWindow
String ID:
API String ID: 2733832559-0
Opcode ID: 8714fc4b496b7fb7fbfad6f209ae1ea7c7afd6051f1558758ae806c838106282
Instruction ID: c231bd1814412e9da5982cc605ca2cdb6bcee4bbc2daf34c8bf173d1ee0a820a
Opcode Fuzzy Hash: 8714fc4b496b7fb7fbfad6f209ae1ea7c7afd6051f1558758ae806c838106282
Instruction Fuzzy Hash: 3CC1563630068086EB2A9F27C5847EA63A1F78CFD4F15A135EF19077B4CB79D8668748

Uniqueness

Uniqueness Score: -1.00%

Function 000000014009A448, Relevance: 15.2, APIs: 10, Instructions: 238COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000000014009A49D
GetWindowRect.USER32 ref: 000000014009A501
CopyRect.USER32 ref: 000000014009A519
PtInRect.USER32 ref: 000000014009A5EB
PtInRect.USER32 ref: 000000014009A615
PtInRect.USER32 ref: 000000014009A64A
PtInRect.USER32 ref: 000000014009A674
PtInRect.USER32 ref: 000000014009A6E7
PtInRect.USER32 ref: 000000014009A718
PtInRect.USER32 ref: 000000014009A758

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$CopyParentWindow
String ID:
API String ID: 642869531-0
Opcode ID: f4b99205baa2157d043a506a127d10d146891247f2de2665d9611672f6bba5e6
Instruction ID: 05a2e5b23c2e4046ba52521713c9760659f8d545cbdfe3a28ec81119516ef074
Opcode Fuzzy Hash: f4b99205baa2157d043a506a127d10d146891247f2de2665d9611672f6bba5e6
Instruction Fuzzy Hash: 66B1E572B10A118EEB56CF6AD8847DD37B0F749788F55411AEF0A93B68DB38D845CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014011ED1C, Relevance: 15.2, APIs: 10, Instructions: 235COMMON

Download Yara Rule

APIs

EqualRect.USER32 ref: 000000014011ED6C
GetTextExtentPoint32W.GDI32 ref: 000000014011EEA0
MonitorFromPoint.USER32 ref: 000000014011EF30
GetMonitorInfoW.USER32 ref: 000000014011EF3D
CopyRect.USER32 ref: 000000014011EF4F
SystemParametersInfoW.USER32 ref: 000000014011EF63
InvalidateRect.USER32 ref: 000000014011F021
UpdateWindow.USER32 ref: 000000014011F02B
LoadCursorW.USER32 ref: 000000014011F03D
SetCursor.USER32 ref: 000000014011F046

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$CursorInfoMonitor$CopyEqualExtentFromInvalidateLoadParametersPointPoint32SystemTextUpdateWindow
String ID:
API String ID: 321205079-0
Opcode ID: a24fea1ae43aefb815c0465a16cfca4d278852ae171f51bd85c4b94086aabfda
Instruction ID: b2e85528f3c787adf9936372c6194d9ad56a07712c16c0c830ecce1ddbee5c1e
Opcode Fuzzy Hash: a24fea1ae43aefb815c0465a16cfca4d278852ae171f51bd85c4b94086aabfda
Instruction Fuzzy Hash: 7DB18872B006418BEB1ACFBAD5847EC77A1F74CB98F048125DB095B6A9EF38D855CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140090948, Relevance: 15.1, APIs: 10, Instructions: 126windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 000000014009098D
IsWindowVisible.USER32 ref: 00000001400909A2
GetSystemMetrics.USER32 ref: 00000001400909D2
GetSystemMetrics.USER32 ref: 00000001400909E0
GetSystemMetrics.USER32 ref: 00000001400909ED
IsWindowVisible.USER32 ref: 0000000140090A1A
IsWindowVisible.USER32 ref: 0000000140090A2F
IsZoomed.USER32 ref: 0000000140090A71
GetSystemMetrics.USER32 ref: 0000000140090A8D
GetSystemMetrics.USER32 ref: 0000000140090AE3

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MetricsSystem$VisibleWindow$Zoomed
String ID:
API String ID: 331015031-0
Opcode ID: a0cde800b29f3990bfb8abdeecc300f6d74fd8db95b3a0c0a0ffa2e4d1ff5a5a
Instruction ID: 0f557c792f48cc14f681f5fcd19b0006c472fd2b4db25870d2e0be5932c00eb3
Opcode Fuzzy Hash: a0cde800b29f3990bfb8abdeecc300f6d74fd8db95b3a0c0a0ffa2e4d1ff5a5a
Instruction Fuzzy Hash: 4C51FC36210B848AEB969F27D4543ED73A4F788FC8F548039EB4A872B5EF34C8818351

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140020D24, Relevance: 15.1, APIs: 10, Instructions: 98threadCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0000000140020D53
WindowFromPoint.USER32 ref: 0000000140020D61
GetActiveWindow.USER32 ref: 0000000140020D89
GetCurrentThreadId.KERNEL32 ref: 0000000140020DA5
GetWindowThreadProcessId.USER32 ref: 0000000140020DB8
GetDesktopWindow.USER32 ref: 0000000140020DC9

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$Thread$ActiveCaptureCurrentDesktopFromPointProcess
String ID:
API String ID: 1298419125-0
Opcode ID: 300c48814a5ed2d3c0e3c3f5167d966ebfca743e6d387502f53e607a9311c126
Instruction ID: 90fa10f691dac64a6f3197af1c7c4ab3eb72548e9eb6d7d4c5fe58fea1994db8
Opcode Fuzzy Hash: 300c48814a5ed2d3c0e3c3f5167d966ebfca743e6d387502f53e607a9311c126
Instruction Fuzzy Hash: 2F31433120175585FE67AB63A8587E962A0BB8DFD4F090829EF0A037B6DF78DC91C201

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140084588, Relevance: 15.1, APIs: 10, Instructions: 95COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32 ref: 00000001400845BD
GetWindowRect.USER32 ref: 00000001400845DF
SetRect.USER32 ref: 0000000140084622
InvalidateRect.USER32 ref: 0000000140084636
SetRect.USER32 ref: 0000000140084653
InvalidateRect.USER32 ref: 0000000140084667
SetRect.USER32 ref: 0000000140084694
InvalidateRect.USER32 ref: 00000001400846A8
SetRect.USER32 ref: 00000001400846C5
InvalidateRect.USER32 ref: 00000001400846D9

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$Invalidate$Window$Proc
String ID:
API String ID: 570070710-0
Opcode ID: 621e5bd63ea12edcd1fad511d68109cecfaba83a77baf59a27c5be1f0f5ed7d5
Instruction ID: 3d8a9e9ba62f9f6cf5b0fdccbedefbec3759bfe9cf6e8cdbeb5f23a84001ba7f
Opcode Fuzzy Hash: 621e5bd63ea12edcd1fad511d68109cecfaba83a77baf59a27c5be1f0f5ed7d5
Instruction Fuzzy Hash: 48413436710A248AFB228B66E988BDD37B1F78CB88F444101DF0917A68DF79D655CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400485A0, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 207COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 000000014004864B
_cwprintf_s_l.LIBCMT ref: 000000014004865E
IsWindow.USER32 ref: 000000014004871C
free.LIBCMT ref: 00000001400487F8

Strings

Name, xrefs: 000000014004876C
%sMFCToolBar-%d, xrefs: 0000000140048644
%sMFCToolBar-%d%x, xrefs: 0000000140048657
Buttons, xrefs: 00000001400487A3

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: _cwprintf_s_l$Windowfree
String ID: %sMFCToolBar-%d$%sMFCToolBar-%d%x$Buttons$Name
API String ID: 1266699259-3132478384
Opcode ID: e825c563f0c1f9d67111bb7fe540b15cde5a1086fa6c1727f4f7c48790c4fe40
Instruction ID: 679fd13db3dc9e3e7543d44d530fe959eaf7445556e3bffdd913e36cf23d4e10
Opcode Fuzzy Hash: e825c563f0c1f9d67111bb7fe540b15cde5a1086fa6c1727f4f7c48790c4fe40
Instruction Fuzzy Hash: 7381A272201A4182EB16AB2AE4503DE6760FB89FE4F459626EF5E477F5DF38C445C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140066D3C, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72windowthreadCOMMON

Download Yara Rule

APIs

SetFocus.USER32 ref: 0000000140066D66
GetParent.USER32 ref: 0000000140066D75
GetWindowThreadProcessId.USER32 ref: 0000000140066D96
GetCurrentProcessId.KERNEL32 ref: 0000000140066D9C
GetActiveWindow.USER32 ref: 0000000140066DF2
SendMessageW.USER32 ref: 0000000140066E0B
SendMessageW.USER32 ref: 0000000140066E2A

Strings

, xrefs: 0000000140066E11

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MessageProcessSendWindow$ActiveCurrentFocusParentThread
String ID:
API String ID: 4099184364-3916222277
Opcode ID: 8188678389c932b744aad178a7f20dea6a01c79d06244ac488b5d24346ab1f74
Instruction ID: c9576e1e6346dde1fdfee2705cccc488544e3329bbf44d1fed4c9126d86366d3
Opcode Fuzzy Hash: 8188678389c932b744aad178a7f20dea6a01c79d06244ac488b5d24346ab1f74
Instruction Fuzzy Hash: B5318D36710A8486EB56CF37E8447D937A2FB89F88F684524EB4A476B4CF3AC845C701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140022DCC, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetStockObject.GDI32 ref: 0000000140022E0E
GetStockObject.GDI32 ref: 0000000140022E1C
GetObjectW.GDI32 ref: 0000000140022E34
GetDC.USER32 ref: 0000000140022E45
GetDeviceCaps.GDI32 ref: 0000000140022E64
MulDiv.KERNEL32 ref: 0000000140022E76
ReleaseDC.USER32 ref: 0000000140022E84

Strings

System, xrefs: 0000000140022E07

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: d306a73af0cf83b75a05bc0b3be5f7bd22a43fcaadf8b72a3b4787169c3224a1
Instruction ID: e0e26129c3f602026b34bc035f8b1bd9754756c0f12a23f70040f8742f075c26
Opcode Fuzzy Hash: d306a73af0cf83b75a05bc0b3be5f7bd22a43fcaadf8b72a3b4787169c3224a1
Instruction Fuzzy Hash: 02213931304B4496EB669B22F858B9A73A1F74CF84F444529EE9A47BA8DF3CD945CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140042350, Relevance: 13.7, APIs: 9, Instructions: 192windowCOMMON

Download Yara Rule

APIs

MessageBeep.USER32 ref: 000000014004239A
ScreenToClient.USER32 ref: 0000000140042408
UpdateWindow.USER32 ref: 000000014004247B
UpdateWindow.USER32 ref: 00000001400424C8

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: UpdateWindow$BeepClientMessageScreen
String ID:
API String ID: 1712693409-0
Opcode ID: f58da98ef6ae06a60e2436be4e73b00f9b7007941ae3e4d9fe19e1f733730342
Instruction ID: 7281d45bee94c51e7cad4e12acb5b13ea28cb6e878d26a94a5616cb72a0ac4f1
Opcode Fuzzy Hash: f58da98ef6ae06a60e2436be4e73b00f9b7007941ae3e4d9fe19e1f733730342
Instruction Fuzzy Hash: 6C814836700A4086EB16DF63E8547ED23A1F789BD8F554135EF0A4BBA8DF38C8558744

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400BA30C, Relevance: 13.7, APIs: 9, Instructions: 188COMMON

Download Yara Rule

APIs

GetObjectW.GDI32 ref: 00000001400BA367

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Object
String ID:
API String ID: 2936123098-0
Opcode ID: ee0a9c45f23a533de5ae17e12e61c1336b0051b82d4bae1bd7fa6358fec4fa27
Instruction ID: 11a0f36c691e3205b78ab3bf900d5cd773b9b890ff61657e2d218c91239777a0
Opcode Fuzzy Hash: ee0a9c45f23a533de5ae17e12e61c1336b0051b82d4bae1bd7fa6358fec4fa27
Instruction Fuzzy Hash: C4616032314A8086E7229F5BE44479AA7B0F78DBD4F544125FF4A977B4DB3DC9458B00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140014858, Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 00000001400148AF
GetSubMenu.USER32 ref: 00000001400148DA
GetMenuState.USER32 ref: 00000001400148F1
GetSubMenu.USER32 ref: 0000000140014948
GetMenuStringW.USER32 ref: 000000014001496D
AppendMenuW.USER32 ref: 00000001400149EF
GetMenuItemCount.USER32 ref: 0000000140014A30
GetMenuItemID.USER32 ref: 0000000140014A59
InsertMenuW.USER32 ref: 0000000140014A7A

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Menu$Item$Count$AppendInsertStateString
String ID:
API String ID: 420201382-0
Opcode ID: 2168daf55ab128776337c7c5f1d19977117434ef8df0735fdc9d38185cb8695d
Instruction ID: 005ca6a1c972cca4da3538d492dadd42fed747a9a858133f4d08096823ac554d
Opcode Fuzzy Hash: 2168daf55ab128776337c7c5f1d19977117434ef8df0735fdc9d38185cb8695d
Instruction Fuzzy Hash: AB61BF32614A8086E722CF16E84479BB7A0F789BD9F100111FF9A4BBB8CF79C445CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140072690, Relevance: 13.7, APIs: 9, Instructions: 160COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 000000014007272B
InvalidateRect.USER32 ref: 0000000140072786
InvalidateRect.USER32 ref: 0000000140072797
InvalidateRect.USER32 ref: 000000014007282B
InvalidateRect.USER32 ref: 000000014007283C

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$Invalidate$Empty
String ID:
API String ID: 1126320529-0
Opcode ID: c8853c6a5d58490479b13141c2eba7f4bd6b85b1a11f62bbcf9f39745dead602
Instruction ID: 528ed229029bb9fa0450e8aa8b1ef25244967332e46b2fc6b4e9e3b2eec29de9
Opcode Fuzzy Hash: c8853c6a5d58490479b13141c2eba7f4bd6b85b1a11f62bbcf9f39745dead602
Instruction Fuzzy Hash: 23714836B10A548AEB568F66C9847EC33B0F788F99F148125DF0A67B68DF39C485C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006E474, Relevance: 13.6, APIs: 9, Instructions: 138windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014006E4BB
GetFocus.USER32 ref: 000000014006E4E6
ScreenToClient.USER32 ref: 000000014006E531
SendMessageW.USER32 ref: 000000014006E574
SetCapture.USER32 ref: 000000014006E594
ReleaseCapture.USER32 ref: 000000014006E5DE
ScreenToClient.USER32 ref: 000000014006E5FB
GetSystemMetrics.USER32 ref: 000000014006E630
GetSystemMetrics.USER32 ref: 000000014006E64F

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CaptureClientMessageMetricsScreenSendSystem$FocusRelease
String ID:
API String ID: 3871486171-0
Opcode ID: e3313711170ec6e88c5753584dc6fc68a2a834c42e4e0f41d1eadc27a8ca286f
Instruction ID: 5acb5cbb5e9497cfd8df5076e1a8d34a6c1c5b0fa2302872d372f2c7b9c1b670
Opcode Fuzzy Hash: e3313711170ec6e88c5753584dc6fc68a2a834c42e4e0f41d1eadc27a8ca286f
Instruction Fuzzy Hash: 48513732211B8086EB668F2AD9807EC67A1F78CBD8F250526FF1E477A5DF35C8918740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140084340, Relevance: 13.6, APIs: 9, Instructions: 134timekeyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32 ref: 0000000140084367
GetCursorPos.USER32 ref: 000000014008438B
ScreenToClient.USER32 ref: 000000014008439A
GetCapture.USER32 ref: 000000014008440F
ClientToScreen.USER32 ref: 000000014008445F
WindowFromPoint.USER32 ref: 000000014008446A
IsChild.USER32 ref: 0000000140084484
KillTimer.USER32 ref: 00000001400844C9
KillTimer.USER32 ref: 00000001400844EC

Part of subcall function 000000014001237C: GetForegroundWindow.USER32 ref: 00000001400123A0
Part of subcall function 000000014001237C: GetLastActivePopup.USER32 ref: 00000001400123B5

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ClientKillScreenTimerWindow$ActiveCaptureChildCursorForegroundFromLastPointPopupState
String ID:
API String ID: 3566347107-0
Opcode ID: af16cb61ef9677b338bd15afe49513efe74ceef247cdc94d2348ec10fab62a6d
Instruction ID: afdac9210b5123e9565ff34a2f3efee621f099c55fa44b3e15ba6806e72aa7fa
Opcode Fuzzy Hash: af16cb61ef9677b338bd15afe49513efe74ceef247cdc94d2348ec10fab62a6d
Instruction Fuzzy Hash: F8512736201A6482EF16DB23E8547A96691FB88FE4F055621EF2E0BBE9DF39D5458300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140060350, Relevance: 13.6, APIs: 9, Instructions: 127COMMON

Download Yara Rule

APIs

LockWindowUpdate.USER32(?,?,?,?,?,?,?,0000000140035FAF), ref: 000000014006039F
ValidateRect.USER32(?,?,?,?,?,?,?,0000000140035FAF), ref: 00000001400603D2
UpdateWindow.USER32 ref: 00000001400603DC
LockWindowUpdate.USER32(?,?,?,?,?,?,?,0000000140035FAF), ref: 00000001400603EE
ValidateRect.USER32(?,?,?,?,?,?,?,0000000140035FAF), ref: 000000014006041A
UpdateWindow.USER32 ref: 0000000140060424
LockWindowUpdate.USER32(?,?,?,?,?,?,?,0000000140035FAF), ref: 0000000140060436
IsWindow.USER32 ref: 00000001400604CD
ShowWindow.USER32 ref: 00000001400604E3

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$Update$Lock$RectValidate$Show
String ID:
API String ID: 3683107044-0
Opcode ID: 6fedc6c34b7b2726f3e567b4e01c4679ac9400cbf5f5d85e3615daf22c1d59f0
Instruction ID: 484ce94ac611cf3b2522f0a1ad4813e0b5a04306b8bf24b511bde86285cb6ae3
Opcode Fuzzy Hash: 6fedc6c34b7b2726f3e567b4e01c4679ac9400cbf5f5d85e3615daf22c1d59f0
Instruction Fuzzy Hash: 19514D71240A9186EB6A9B17D9543EA6362FB8CFC4F288825EF1D477B9DF39C551C300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400722D0, Relevance: 13.6, APIs: 9, Instructions: 112windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400184DC: GetDC.USER32 ref: 000000014001851B

IsRectEmpty.USER32 ref: 000000014007231A
InvertRect.USER32 ref: 0000000140072339
SetRectEmpty.USER32 ref: 000000014007234B
GetClientRect.USER32 ref: 0000000140072396
GetSystemMetrics.USER32 ref: 00000001400723B6
GetSystemMetrics.USER32 ref: 00000001400723E1
SendMessageW.USER32 ref: 0000000140072423
SendMessageW.USER32 ref: 0000000140072452
InvertRect.USER32 ref: 0000000140072465

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$EmptyInvertMessageMetricsSendSystem$Client
String ID:
API String ID: 3620722296-0
Opcode ID: 8123c73eef85e21c324699e6a3dd7a59e9e4b5bede921260e2acc41e60911ead
Instruction ID: 577d817ec5f8a71af152ff765630c05c301b9fa7496dfd9c7f031e8f713da769
Opcode Fuzzy Hash: 8123c73eef85e21c324699e6a3dd7a59e9e4b5bede921260e2acc41e60911ead
Instruction Fuzzy Hash: 39513A32610A80CAE725CF76E8847DE73A0F78CB99F415225EF5A836A4EF38D405CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014015500C, Relevance: 13.6, APIs: 9, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014015506D
_errno.LIBCMT ref: 00000001401550A3
_errno.LIBCMT ref: 00000001401550B1
_errno.LIBCMT ref: 00000001401550BD
_errno.LIBCMT ref: 00000001401550FF
_errno.LIBCMT ref: 0000000140155109
_errno.LIBCMT ref: 000000014015512D
_invalid_parameter_noinfo.LIBCMT ref: 0000000140155138

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: a3e37573e1f87a9b521d3896c1b3318f2d53cd3f9b7653475e4b1230597c3534
Instruction ID: 9b8a16b034ffc8f44c43a6426637c71aa92dbfcb9b472b1c9678d4ed7646cdb4
Opcode Fuzzy Hash: a3e37573e1f87a9b521d3896c1b3318f2d53cd3f9b7653475e4b1230597c3534
Instruction Fuzzy Hash: 4831A171500B4085EB22AF63D5A03DE76A0AB5CFE8F584211EF6A0B7F6DB3AC4408751

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001469C, Relevance: 13.6, APIs: 9, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

GlobalSize.KERNEL32 ref: 00000001400146BE
GlobalAlloc.KERNEL32 ref: 00000001400146D4
GlobalSize.KERNEL32 ref: 00000001400146E9
GlobalLock.KERNEL32 ref: 00000001400146F7
GlobalLock.KERNEL32 ref: 0000000140014703
GlobalSize.KERNEL32 ref: 000000014001470F
memcpy_s.LIBCMT ref: 0000000140014720
GlobalUnlock.KERNEL32 ref: 0000000140014752
GlobalUnlock.KERNEL32 ref: 000000014001475B

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Global$Size$LockUnlock$Allocmemcpy_s
String ID:
API String ID: 2627076235-0
Opcode ID: 1f91fb0e81f23c917aa2552c6b63a909cf01b1278318c3275aee6a1ef6c4f1c8
Instruction ID: 45797eda34b2dbbba1c9815c5a50adb32fbe37c77c6a9e48ee732dddccb05a9b
Opcode Fuzzy Hash: 1f91fb0e81f23c917aa2552c6b63a909cf01b1278318c3275aee6a1ef6c4f1c8
Instruction Fuzzy Hash: 0A215934205B5586FB5AAF5368987A862E5BB8EFC0F580425FF4A8BBB5DF39C4418301

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140080CB8, Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 401COMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 0000000140080E3C
SetRectEmpty.USER32 ref: 0000000140080E48
InflateRect.USER32 ref: 0000000140080EF3
OffsetRect.USER32 ref: 0000000140080F8D
GetTextExtentPoint32W.GDI32 ref: 0000000140080FE5
IsRectEmpty.USER32 ref: 0000000140081052

Strings

mmm, xrefs: 0000000140080FB8

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$EmptyInflate$ExtentOffsetPoint32Text
String ID: mmm
API String ID: 3048652965-1545505134
Opcode ID: 18d984b26ea760f3407292905b27f4e48255401e2158999fb1d3011f1ce32fe8
Instruction ID: 780233ebb9d0685ba387a3ef8e1b31319faa0b883eea6ff17dda03a02a63fcec
Opcode Fuzzy Hash: 18d984b26ea760f3407292905b27f4e48255401e2158999fb1d3011f1ce32fe8
Instruction Fuzzy Hash: 5302AD73600B858AEB65CF3AD4447DD37A5F788B98F084625EF4A57AA8CF38D581CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140004404, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 279memoryCOMMON

Download Yara Rule

APIs

CoCreateGuid.OLE32 ref: 00000001400044CF
_cwprintf_s_l.LIBCMT ref: 0000000140004569

Part of subcall function 0000000140003F54: memcpy_s.LIBCMT ref: 0000000140004017

SysAllocString.OLEAUT32 ref: 0000000140004698
SysAllocString.OLEAUT32 ref: 000000014000471B
SysFreeString.OLEAUT32 ref: 000000014000476C

Strings

%08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X, xrefs: 000000014000455E
RestartByRestartManager, xrefs: 00000001400045B1, 00000001400045C0

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: String$Alloc$CreateFreeGuid_cwprintf_s_lmemcpy_s
String ID: %08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X$RestartByRestartManager
API String ID: 2811436864-5890034
Opcode ID: 3ed39084595278ba7e0d3f18d422813546c5a66ee7f65fb9010b453d0cfb18fc
Instruction ID: fb83c43bc4e28b71882c420608d5fe02d8c7318f38a15c980b2f7762212ee737
Opcode Fuzzy Hash: 3ed39084595278ba7e0d3f18d422813546c5a66ee7f65fb9010b453d0cfb18fc
Instruction Fuzzy Hash: 3FC19DB2701A4186EB15DF26E8503ED77A0FB49BA8F454225EF1E47BA6EF38C844C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400DEF9C, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 262COMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32 ref: 00000001400DF029

Strings

, xrefs: 00000001400DF2A1

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CompatibleCreate
String ID:
API String ID: 3111197059-3916222277
Opcode ID: 59cf212ac7441860e131e8db5188ad40edb8737d0632140132c3e4fe129e5a95
Instruction ID: 6d1d7bd4ebf8212b90acbc7432a673478b4a4a238ebf3bf08163339981b6f9bc
Opcode Fuzzy Hash: 59cf212ac7441860e131e8db5188ad40edb8737d0632140132c3e4fe129e5a95
Instruction Fuzzy Hash: 77B19E72705A508AE712DF76D4503ED37A2FB88BD8F408126EF499BBA9DB34C906D740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007C8E8, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 000000014007C954

Part of subcall function 0000000140018068: ScreenToClient.USER32 ref: 0000000140018081
Part of subcall function 0000000140018068: ScreenToClient.USER32 ref: 000000014001808F

SetRectEmpty.USER32 ref: 000000014007C98D
ScreenToClient.USER32 ref: 000000014007C9BC
PtInRect.USER32 ref: 000000014007C9CE
SetCapture.USER32 ref: 000000014007C9DC
RedrawWindow.USER32 ref: 000000014007CA03

Part of subcall function 0000000140013868: SetWindowPos.USER32 ref: 00000001400138A2

Strings

', xrefs: 000000014007C913

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ClientRectScreenWindow$CaptureEmptyRedraw
String ID: '
API String ID: 1696171173-1997036262
Opcode ID: ebc59a1167ba7d8edff8540cd21ad9bff83d012cbf9883fc92a188adbbdbc42a
Instruction ID: f6b40e856ed67753d1f3bbfffe14b4d14d82c3a5dc142f0b9bd1a4ef477995b3
Opcode Fuzzy Hash: ebc59a1167ba7d8edff8540cd21ad9bff83d012cbf9883fc92a188adbbdbc42a
Instruction Fuzzy Hash: BF31AB72210681D7EB19DF76E598BDDB360F788B88F148129EB0A47664EF39C065CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140044EA0, Relevance: 12.3, APIs: 8, Instructions: 312timewindowCOMMON

Download Yara Rule

APIs

SetCursor.USER32 ref: 0000000140044F8F

Part of subcall function 00000001400184DC: GetDC.USER32 ref: 000000014001851B

Part of subcall function 0000000140024BFC: CreateRectRgnIndirect.GDI32 ref: 0000000140024C66
Part of subcall function 0000000140024BFC: CopyRect.USER32 ref: 0000000140024C7F
Part of subcall function 0000000140024BFC: InflateRect.USER32 ref: 0000000140024C94
Part of subcall function 0000000140024BFC: IntersectRect.USER32 ref: 0000000140024CA5
Part of subcall function 0000000140024BFC: CreateRectRgnIndirect.GDI32 ref: 0000000140024CAF
Part of subcall function 0000000140024BFC: CreateRectRgn.GDI32 ref: 0000000140024CCB
Part of subcall function 0000000140024BFC: CombineRgn.GDI32 ref: 0000000140024CF1
Part of subcall function 0000000140024BFC: CreateRectRgn.GDI32 ref: 0000000140024D49
Part of subcall function 0000000140024BFC: SetRectRgn.GDI32 ref: 0000000140024D73

Part of subcall function 0000000140018540: ReleaseDC.USER32 ref: 000000014001856C

GetFocus.USER32 ref: 000000014004502E
SetTimer.USER32 ref: 0000000140045101
GetParent.USER32 ref: 00000001400451AA
SendMessageW.USER32 ref: 00000001400451CA
KillTimer.USER32 ref: 000000014004530A
SetTimer.USER32 ref: 000000014004532A
UpdateWindow.USER32 ref: 000000014004534A

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$Create$Timer$Indirect$CombineCopyCursorFocusInflateIntersectKillMessageParentReleaseSendUpdateWindow
String ID:
API String ID: 1486959152-0
Opcode ID: 1c78602588aae895dcecf81131eb193ceecce5f51a5c3f19b41d648a45c3866e
Instruction ID: d88fd48ac49751da522126159d23be18717c14a5328b0ddab1e48612cca584ec
Opcode Fuzzy Hash: 1c78602588aae895dcecf81131eb193ceecce5f51a5c3f19b41d648a45c3866e
Instruction Fuzzy Hash: 1CE17B322006818AEB66AF26D4803EC33E1F349FD9F194136EF0A5B7B6DA74C895C754

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400347EC, Relevance: 12.3, APIs: 8, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7117f623f8de2277ff3ef181a0b36043e08fff7f49fda5344cc8b9d016c82e4
Instruction ID: 012b3f8ba39038e786fadebdba5bfb43b6b67d068d9155a3de70a35183a3347c
Opcode Fuzzy Hash: d7117f623f8de2277ff3ef181a0b36043e08fff7f49fda5344cc8b9d016c82e4
Instruction Fuzzy Hash: 3EB19132600A5582EB579FABD4143EE67A0F788FC8F558522EF161BBB8CF78D8458341

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400387DC, Relevance: 12.3, APIs: 8, Instructions: 265COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 0000000140038865
OffsetRect.USER32 ref: 000000014003887B

Part of subcall function 0000000140035B30: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000001400BC3C3,?,00000020,00000001400BE90F), ref: 0000000140035B73
Part of subcall function 0000000140035B30: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000001400BC3C3,?,00000020,00000001400BE90F), ref: 0000000140035B86

Part of subcall function 0000000140038280: malloc.LIBCMT ref: 00000001400382AB
Part of subcall function 0000000140038280: CreateDIBSection.GDI32 ref: 000000014003832B

Part of subcall function 00000001400184DC: GetDC.USER32 ref: 000000014001851B

CreateCompatibleDC.GDI32 ref: 00000001400388F2
SelectObject.GDI32 ref: 0000000140038911

Part of subcall function 0000000140038280: free.LIBCMT ref: 0000000140038367

SelectObject.GDI32 ref: 000000014003896C
CreateCompatibleDC.GDI32 ref: 0000000140038AF6
SelectObject.GDI32 ref: 0000000140038B18
SelectObject.GDI32 ref: 0000000140038B56

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ObjectSelect$CreateSection$CompatibleCriticalRect$EnterLeaveOffsetWindowfreemalloc
String ID:
API String ID: 4129283992-0
Opcode ID: c8f949fdd636239690f01b9ec7daa6bece24544e18a57dd16f4c8162c5e5e4ea
Instruction ID: de3e3a21cfc2feab22073569751725b0de19ae24f3864073b15ce8a40efa60cb
Opcode Fuzzy Hash: c8f949fdd636239690f01b9ec7daa6bece24544e18a57dd16f4c8162c5e5e4ea
Instruction Fuzzy Hash: 01C149326146808AEB22DF7AD8507DEB7A0F798BD8F144216FF5957AB9DB34C941CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006A09C, Relevance: 12.2, APIs: 8, Instructions: 235windowCOMMON

Download Yara Rule

APIs

wcsnlen.LIBCMT ref: 000000014006A19F
CoTaskMemFree.OLE32 ref: 000000014006A1BB
GetParent.USER32 ref: 000000014006A292
SendMessageW.USER32 ref: 000000014006A2AF
wcsnlen.LIBCMT ref: 000000014006A2D0
GetParent.USER32 ref: 000000014006A31D
SendMessageW.USER32 ref: 000000014006A33A
wcsnlen.LIBCMT ref: 000000014006A35B

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: wcsnlen$MessageParentSend$FreeTask
String ID:
API String ID: 656347825-0
Opcode ID: c289686658484abbb867155f782eb1502dc1c463b6953d3513adc29c23ae8279
Instruction ID: 0a979c0cf749e10137557447ec49781ed97d8b5d53bc1e0ba0a75ea38170915a
Opcode Fuzzy Hash: c289686658484abbb867155f782eb1502dc1c463b6953d3513adc29c23ae8279
Instruction Fuzzy Hash: FDA18A72700A4186EB06EF66C8443EC2762FB8ABD8F244515EF1E973A9DF39C955C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000F078, Relevance: 12.1, APIs: 8, Instructions: 139windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 000000014000F0E8
BeginDeferWindowPos.USER32 ref: 000000014000F102
GetTopWindow.USER32 ref: 000000014000F116
GetDlgCtrlID.USER32 ref: 000000014000F12D
SendMessageW.USER32 ref: 000000014000F166
GetWindow.USER32 ref: 000000014000F174
CopyRect.USER32 ref: 000000014000F19A
EndDeferWindowPos.USER32 ref: 000000014000F220

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
String ID:
API String ID: 1228040700-0
Opcode ID: 913b3f66cf97b12bebfaf40245b2ff5e2d46b33f1fd8225c90d06645bb4d5431
Instruction ID: 7ae4d60b9f7a9b8c3a49624ba1f1a60aaad9594884c949e3534a14a977e300a5
Opcode Fuzzy Hash: 913b3f66cf97b12bebfaf40245b2ff5e2d46b33f1fd8225c90d06645bb4d5431
Instruction Fuzzy Hash: DD512976B106508AFB56CFA6E8407ED33B1B74CB98F148415EF0A27B68DB34C842E740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140038490, Relevance: 12.1, APIs: 8, Instructions: 136windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00000001400384EC
GetParent.USER32 ref: 000000014003851F
SetParent.USER32 ref: 000000014003857D
GetTopWindow.USER32 ref: 000000014003862E
GetWindow.USER32 ref: 000000014003864D
IsWindow.USER32 ref: 0000000140038674
GetParent.USER32 ref: 0000000140038681
DestroyWindow.USER32 ref: 0000000140038690

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$Parent$DestroyMessageSend
String ID:
API String ID: 2635554982-0
Opcode ID: 023c990ecd6356101d1f8c4092e24c585cd08113c6b97c1cfa8caf4ed2933a73
Instruction ID: 882c437b23a1e123c176d6a394ca7a51cd9be9d987321a0a5e62df4a739bd141
Opcode Fuzzy Hash: 023c990ecd6356101d1f8c4092e24c585cd08113c6b97c1cfa8caf4ed2933a73
Instruction Fuzzy Hash: EB615532605B8082EB66DF23D5947AA23A0FB98FD4F184625EF1E0B7B9DF39C4418740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140090758, Relevance: 12.1, APIs: 8, Instructions: 136COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00000001400907D6
MonitorFromPoint.USER32 ref: 0000000140090818
GetMonitorInfoW.USER32 ref: 0000000140090825
CopyRect.USER32 ref: 0000000140090837
CopyRect.USER32 ref: 0000000140090845
SystemParametersInfoW.USER32 ref: 0000000140090881
GetSystemMetrics.USER32 ref: 0000000140090910
GetSystemMetrics.USER32 ref: 000000014009091E

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: RectSystem$CopyInfoMetricsMonitor$FromParametersPointWindow
String ID:
API String ID: 1563237627-0
Opcode ID: 9650f0cc369068b94f8285af703433f6253af8bdb5e73b27170d1ab8a0ae76f4
Instruction ID: faa99096855647ea24341fc1bda6ffca171c1d1adc881d948110d5aec8a22eb0
Opcode Fuzzy Hash: 9650f0cc369068b94f8285af703433f6253af8bdb5e73b27170d1ab8a0ae76f4
Instruction Fuzzy Hash: 1C611572A10640DEEB19CF7AC8597ED77B1F74878DF048425EB0897AA8DB34D654CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400C30F0, Relevance: 12.1, APIs: 8, Instructions: 136windowCOMMON

Download Yara Rule

APIs

ReleaseCapture.USER32 ref: 00000001400C3132
IsWindow.USER32 ref: 00000001400C3153
DestroyWindow.USER32 ref: 00000001400C3164
GetParent.USER32 ref: 00000001400C3184
IsRectEmpty.USER32 ref: 00000001400C3244
IsWindowVisible.USER32 ref: 00000001400C3291
MapWindowPoints.USER32 ref: 00000001400C32AD
SendMessageW.USER32 ref: 00000001400C32CF

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$CaptureDestroyEmptyMessageParentPointsRectReleaseSendVisible
String ID:
API String ID: 3509494761-0
Opcode ID: 2215e8138798c27f1a432551d078fe0dad6849549f7d55408fcab0aca2c83251
Instruction ID: 221a9eb68353e394afbd383c1101a0657aa31a314b091333a97e216dd7f1fa00
Opcode Fuzzy Hash: 2215e8138798c27f1a432551d078fe0dad6849549f7d55408fcab0aca2c83251
Instruction Fuzzy Hash: 51515732315B9485FB6A9F66D8597E923A0FB88FC8F084135EF4A476A9DF38C445C350

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400808BC, Relevance: 12.1, APIs: 8, Instructions: 96windowtimeCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000000014008096F
SendMessageW.USER32 ref: 00000001400809A1
IsWindow.USER32 ref: 00000001400809AA
RedrawWindow.USER32 ref: 00000001400809C3
IsWindow.USER32 ref: 00000001400809D4
ReleaseCapture.USER32 ref: 00000001400809E7
KillTimer.USER32 ref: 0000000140080A06
SendMessageW.USER32 ref: 0000000140080A2D

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$MessageSend$CaptureKillParentRedrawReleaseTimer
String ID:
API String ID: 3014619129-0
Opcode ID: cf3942302110c3a5c99bc117241b9d2975e42948e8a1a7e4df2b9ffc3fc51bf0
Instruction ID: 8006debe16f77e1ace78ae4890985e8573e29cc1b2a989bbc1eb8c8d2de584db
Opcode Fuzzy Hash: cf3942302110c3a5c99bc117241b9d2975e42948e8a1a7e4df2b9ffc3fc51bf0
Instruction Fuzzy Hash: FE417837201781C6EBAA8B23D9557E932A5F78CFC4F284125EB8507B61CF35C6A2CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400170D4, Relevance: 12.1, APIs: 8, Instructions: 86COMMON

Download Yara Rule

APIs

GetWindowTextW.USER32 ref: 000000014001712A
_snwscanf.LIBCMT ref: 0000000140017140

Part of subcall function 0000000140156D08: vscan_fn.LIBCMT ref: 0000000140156D34

Part of subcall function 0000000140016F88: SetFocus.USER32 ref: 0000000140016FB5
Part of subcall function 0000000140016F88: SendMessageW.USER32 ref: 0000000140016FD2

_errno.LIBCMT ref: 000000014001716D
_errno.LIBCMT ref: 0000000140017174
_wcsftime_l.LIBCMT ref: 0000000140017192
_errno.LIBCMT ref: 0000000140017197
_errno.LIBCMT ref: 00000001400171A1
_errno.LIBCMT ref: 00000001400171E0

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: _errno$FocusMessageSendTextWindow_snwscanf_wcsftime_lvscan_fn
String ID:
API String ID: 642130051-0
Opcode ID: 3788094aa3d03fb3c9fdaf071a37c376cead2ec43f7ab3eeb626562483b4d6c1
Instruction ID: d2d2cc61f318abc07b5958f35fae14d8618c2e2e7d60e73d04d7a4340c51815a
Opcode Fuzzy Hash: 3788094aa3d03fb3c9fdaf071a37c376cead2ec43f7ab3eeb626562483b4d6c1
Instruction Fuzzy Hash: CC319E3221124096FB67AF67E815BDE3260A78DBC4F484121FB590B7E6CF3AC985CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400E29F0, Relevance: 12.1, APIs: 8, Instructions: 85COMMON

Download Yara Rule

APIs

ScreenToClient.USER32 ref: 00000001400E2A1D
GetParent.USER32 ref: 00000001400E2A37
GetClientRect.USER32 ref: 00000001400E2A7C
MapWindowPoints.USER32 ref: 00000001400E2A94
PtInRect.USER32 ref: 00000001400E2AA2
GetClientRect.USER32 ref: 00000001400E2AD7
MapWindowPoints.USER32 ref: 00000001400E2AEF
PtInRect.USER32 ref: 00000001400E2AFD

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$Client$PointsWindow$ParentScreen
String ID:
API String ID: 1944725958-0
Opcode ID: b7436ac9e9607255edaef33c35541d0b17286ed5a0a7da14b6215fd3389bf361
Instruction ID: 95cc6cf0fcbbfcfcc33a7dba0f54aad7b1923369e4cf3aea18afb31d08f894f5
Opcode Fuzzy Hash: b7436ac9e9607255edaef33c35541d0b17286ed5a0a7da14b6215fd3389bf361
Instruction Fuzzy Hash: C7310472711A0586EF129B66E8543ED23A0FB8CFD9F080425EF0E57B69EF38C5058380

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140014450, Relevance: 12.1, APIs: 8, Instructions: 76windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 0000000140014478
GetMenuItemCount.USER32 ref: 0000000140014484
GetSubMenu.USER32 ref: 0000000140014496
GetMenuItemCount.USER32 ref: 00000001400144AC
GetSubMenu.USER32 ref: 00000001400144BF

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Menu$CountItem
String ID:
API String ID: 3435231853-0
Opcode ID: dbb7245e59f68b48379254d5f56623765e2b2a0d6a4fa26e8da4bc9b54366c47
Instruction ID: 3cd607bf038f7b67848a1ecd878e651acfe601dd0ef319e595bf931e229d047d
Opcode Fuzzy Hash: dbb7245e59f68b48379254d5f56623765e2b2a0d6a4fa26e8da4bc9b54366c47
Instruction Fuzzy Hash: 74218E34304A1587FB179FA7B8907AA52A2B78CFD8F644425BF064B775DE7AC856C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000014015E3F8, Relevance: 12.1, APIs: 8, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 000000014015E41F

Part of subcall function 0000000140159F5C: _set_error_mode.LIBCMT ref: 0000000140159F65
Part of subcall function 0000000140159F5C: _set_error_mode.LIBCMT ref: 0000000140159F74

Part of subcall function 0000000140159CFC: _set_error_mode.LIBCMT ref: 0000000140159D41
Part of subcall function 0000000140159CFC: _set_error_mode.LIBCMT ref: 0000000140159D52
Part of subcall function 0000000140159CFC: GetModuleFileNameW.KERNEL32 ref: 0000000140159DB4

Part of subcall function 00000001401558F8: ExitProcess.KERNEL32 ref: 0000000140155907

Part of subcall function 000000014015C584: malloc.LIBCMT ref: 000000014015C5AF
Part of subcall function 000000014015C584: Sleep.KERNEL32(?,?,?,000000014015E459,?,?,00000000,000000014015E503,?,?,00000000,000000014015A9F9,?,?,00000000,000000014015AAB0), ref: 000000014015C5C2

_errno.LIBCMT ref: 000000014015E461
_lock.LIBCMT ref: 000000014015E475
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00000000,000000014015E503,?,?,00000000,000000014015A9F9,?,?,00000000,000000014015AAB0,?,?,00000018,0000000140156059), ref: 000000014015E48B
free.LIBCMT ref: 000000014015E498
_errno.LIBCMT ref: 000000014015E49D
LeaveCriticalSection.KERNEL32(?,?,00000000,000000014015E503,?,?,00000000,000000014015A9F9,?,?,00000000,000000014015AAB0,?,?,00000018,0000000140156059), ref: 000000014015E4C0

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockfreemalloc
String ID:
API String ID: 113790786-0
Opcode ID: b5d6b5fb549fee16f5460b080848d2d4ba3f68f4d2b6330bf83364b9fc4a52b8
Instruction ID: 5d5a96fed3c1ebfac2292d10fd1d2795d2d73bf3692a58e8241d238a53045681
Opcode Fuzzy Hash: b5d6b5fb549fee16f5460b080848d2d4ba3f68f4d2b6330bf83364b9fc4a52b8
Instruction Fuzzy Hash: DD218431A5164081F76BAB23E4947EE62D5E78CF94F4C4424A74A8F6F2CF7DC8408751

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001E1E4, Relevance: 12.1, APIs: 8, Instructions: 57COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 000000014001E202
GetSystemMetrics.USER32 ref: 000000014001E213
SetRectEmpty.USER32 ref: 000000014001E226
EnumDisplayMonitors.USER32 ref: 000000014001E23E
SystemParametersInfoW.USER32 ref: 000000014001E257
SystemParametersInfoW.USER32 ref: 000000014001E285
SystemParametersInfoW.USER32 ref: 000000014001E2A5
SystemParametersInfoW.USER32 ref: 000000014001E2CD

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: System$InfoParameters$Metrics$DisplayEmptyEnumMonitorsRect
String ID:
API String ID: 2614369430-0
Opcode ID: 49ccd609a4ffd96ab8f54e4b0ee883f6608fdf69b43f4e9097255c2c25349996
Instruction ID: 68550a79694932581bb3c1d4ff8d87e2623c55c808519eadf8d506b2d89c8506
Opcode Fuzzy Hash: 49ccd609a4ffd96ab8f54e4b0ee883f6608fdf69b43f4e9097255c2c25349996
Instruction Fuzzy Hash: B9213B326106C1E7F70E8F72EA587D9B7A1F788749F408019D75A076A0CF79907ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005099C, Relevance: 10.7, APIs: 7, Instructions: 232windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00000001400509D2
GetTextExtentPoint32W.GDI32 ref: 0000000140050BBE

Part of subcall function 000000014009A8A8: SendMessageW.USER32 ref: 000000014009A8DF
Part of subcall function 000000014009A8A8: SendMessageW.USER32 ref: 000000014009A8FF
Part of subcall function 000000014009A8A8: GetClassLongPtrW.USER32 ref: 000000014009A9B7
Part of subcall function 000000014009A8A8: GetClassLongPtrW.USER32 ref: 000000014009A9CC

GetSystemMetrics.USER32 ref: 0000000140050A35
GetSystemMetrics.USER32 ref: 0000000140050A43
GetSystemMetrics.USER32 ref: 0000000140050A5B
GetSystemMetrics.USER32 ref: 0000000140050A6A
DrawIconEx.USER32 ref: 0000000140050B13

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MetricsSystem$ClassLongMessageSend$DrawExtentIconParentPoint32Text
String ID:
API String ID: 928954478-0
Opcode ID: 1aa1d5571cb23486355a365294de46c71005d604385011ec10c4f151eb02f09a
Instruction ID: c19a0a1c0a9d0a677418b162b5fd142c49a2f2e44909df353cad40acc97da41c
Opcode Fuzzy Hash: 1aa1d5571cb23486355a365294de46c71005d604385011ec10c4f151eb02f09a
Instruction Fuzzy Hash: 1E917B76710A418AEB05DF7AD4947AD33A1F788BD8F408229EF5A93BA4DF38C845C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000EC68, Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 178libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 000000014000ECF0
GetProcAddress.KERNEL32 ref: 000000014000ED1E
ScreenToClient.USER32 ref: 000000014000EDC2

Part of subcall function 0000000140003484: ActivateActCtx.KERNEL32 ref: 00000001400034AD

Strings

GetGestureInfo, xrefs: 000000014000ECE9
CloseGestureInfoHandle, xrefs: 000000014000ED17
user32.dll, xrefs: 000000014000ECAA

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AddressProc$ActivateClientScreen
String ID: CloseGestureInfoHandle$GetGestureInfo$user32.dll
API String ID: 2781704992-2905070798
Opcode ID: db3c86669cde7c6a3b6e5feed30116c2b0e0d2b7393cae35b3be7e6939e19c81
Instruction ID: 5f465e7d75fb43c67b765eb27429842ebc406e842babc2d0c37685d347f07839
Opcode Fuzzy Hash: db3c86669cde7c6a3b6e5feed30116c2b0e0d2b7393cae35b3be7e6939e19c81
Instruction Fuzzy Hash: E78102B6212B8485EB56DF27E8447A937A4F748FE8F084226EE1A577B4DF34C9418740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140022C18, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 143stringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 0000000140022C50
lstrlenW.KERNEL32 ref: 0000000140022C98
memmove_s.LIBCMT ref: 0000000140022D20
memmove_s.LIBCMT ref: 0000000140022D6C

Strings

System, xrefs: 0000000140022C2A

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: memmove_s$GlobalLocklstrlen
String ID: System
API String ID: 2064771451-3470857405
Opcode ID: c385fdda561922424afa88111352050d55bff8198f006e60d9eab1b2380f9eea
Instruction ID: a7c3179ae56de31e51e9c4f03522cf1338ec8e00af3fe2413f5d9b8cb6137dd6
Opcode Fuzzy Hash: c385fdda561922424afa88111352050d55bff8198f006e60d9eab1b2380f9eea
Instruction Fuzzy Hash: 3C51F93220025166FB2AAFA795953FE62A0FB4C7D4F648A19FF258B5F5DB34CC95C200

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006EDD4, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 133windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140018624: BeginPaint.USER32(?,?,?,?,?,0000000140007B6C), ref: 000000014001865E

FillRect.USER32 ref: 000000014006EE23
InflateRect.USER32 ref: 000000014006EE5E

Part of subcall function 0000000140017648: SetBkMode.GDI32 ref: 0000000140017663
Part of subcall function 0000000140017648: SetBkMode.GDI32 ref: 0000000140017674

Part of subcall function 0000000140017708: SetTextColor.GDI32 ref: 0000000140017724
Part of subcall function 0000000140017708: SetTextColor.GDI32 ref: 0000000140017735

GetParent.USER32 ref: 000000014006EEB8
SendMessageW.USER32 ref: 000000014006EED4

Part of subcall function 00000001400188D4: SelectObject.GDI32(?,?,00000000,0000000140015F78), ref: 0000000140018904
Part of subcall function 00000001400188D4: SelectObject.GDI32(?,?,00000000,0000000140015F78), ref: 000000014001891F

Strings

$, xrefs: 000000014006EF63
mmm, xrefs: 000000014006EE7A

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ColorModeObjectRectSelectText$BeginFillInflateMessagePaintParentSend
String ID: $$mmm
API String ID: 2831168041-2121012940
Opcode ID: 72d469fca32c71b60844e5d59afe3351aceb042936d5bcc8a753e7db9d08057f
Instruction ID: 7fe27c53826e8c32a37ab61d6107eaea9ca91f83995ddb382b2c8246072d0a9b
Opcode Fuzzy Hash: 72d469fca32c71b60844e5d59afe3351aceb042936d5bcc8a753e7db9d08057f
Instruction Fuzzy Hash: 79518632701A848AFB16EB66D8547DC2371FB88B98F504626AF1D57AE6EF34C904C380

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140066B7C, Relevance: 10.6, APIs: 7, Instructions: 119windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0000000140066BE8
GetWindow.USER32 ref: 0000000140066BF4
IsWindowEnabled.USER32 ref: 0000000140066C09
SendMessageW.USER32 ref: 0000000140066C3E
EnableWindow.USER32 ref: 0000000140066C4E
GetWindow.USER32 ref: 0000000140066C71
memcpy_s.LIBCMT ref: 0000000140066CEB

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$DesktopEnableEnabledMessageSendmemcpy_s
String ID:
API String ID: 687856882-0
Opcode ID: 407e3bd7411df60969c77e0d4df8c062b81db0894d575f2fa61cbd5ad2df9603
Instruction ID: 1deffcfa45060d2ed8a2fb5ed5ea67dbbe9d805e8df10cc716a45811eb84c706
Opcode Fuzzy Hash: 407e3bd7411df60969c77e0d4df8c062b81db0894d575f2fa61cbd5ad2df9603
Instruction Fuzzy Hash: C7418131204B4182FB56AB37E8443E962A5EB8DBE4F684A25FB5D877F6DF39C4418600

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007F208, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 000000014007F2ED
InflateRect.USER32 ref: 000000014007F359
InflateRect.USER32 ref: 000000014007F393
InflateRect.USER32 ref: 000000014007F3C9

Strings

iii, xrefs: 000000014007F2C9, 000000014007F33C
, xrefs: 000000014007F315, 000000014007F368

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: InflateRect
String ID: iii$
API String ID: 2073123975-462628325
Opcode ID: e6a65b328b4297dd1fa313fe0faf6926d6c8c121229e0223a7a974990ece3ab2
Instruction ID: 23586ee7b147a5ad77279d14e30852efa9c8897553a692452351f66f50c682cd
Opcode Fuzzy Hash: e6a65b328b4297dd1fa313fe0faf6926d6c8c121229e0223a7a974990ece3ab2
Instruction Fuzzy Hash: 63517B327406508BE66B9F279508BE9B7A0F74DFE4F148226AF15137F4CB789991CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400268A8, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 107comCOMMON

Download Yara Rule

APIs

GetStockObject.GDI32 ref: 00000001400268FD
GetStockObject.GDI32 ref: 0000000140026910
GetObjectW.GDI32 ref: 000000014002693E
GetDeviceCaps.GDI32 ref: 00000001400269A9
OleCreateFontIndirect.OLEAUT32 ref: 00000001400269E4

Strings

(, xrefs: 0000000140026944

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Object$Stock$CapsCreateDeviceFontIndirect
String ID: (
API String ID: 545130359-3887548279
Opcode ID: 381b608d399f0e728f1578eb51373fa737216e857f982d182afa165211322f59
Instruction ID: 7c0ed80226887d3c107d1852a561ab8058160844c448844168c92e2ccdc0620b
Opcode Fuzzy Hash: 381b608d399f0e728f1578eb51373fa737216e857f982d182afa165211322f59
Instruction Fuzzy Hash: FD518A72711A408AE711CB76D8907ED77B0F7487A8F004229EF6D57AA9DF38C959C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400708C4, Relevance: 10.6, APIs: 7, Instructions: 105windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140070920
SendMessageW.USER32 ref: 0000000140070948
SHGetDesktopFolder.SHELL32 ref: 0000000140070975
SendMessageW.USER32 ref: 00000001400709AD
SendMessageW.USER32 ref: 00000001400709F4
SendMessageW.USER32 ref: 0000000140070A09
RedrawWindow.USER32 ref: 0000000140070A1E

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MessageSend$DesktopFolderRedrawWindow
String ID:
API String ID: 898402146-0
Opcode ID: 22cfd3b5b5461815e261cb8675fab1147b95fad7b9ef202f6527c71f09af5211
Instruction ID: 3cfd3ab144fde8e63288132ba337194efbe9448585c784cfc3c690c915258562
Opcode Fuzzy Hash: 22cfd3b5b5461815e261cb8675fab1147b95fad7b9ef202f6527c71f09af5211
Instruction Fuzzy Hash: AF410877310A84DAEB11DF62E850BDD23A1F788B88F448122EF0D4BAA9DF39D519C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140006224, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000000140006296
RegCreateKeyExW.ADVAPI32 ref: 000000014000631B
RegCreateKeyExW.ADVAPI32 ref: 000000014000639C
RegCloseKey.ADVAPI32 ref: 00000001400063AB
RegCloseKey.ADVAPI32 ref: 00000001400063BA

Part of subcall function 0000000140006038: GetModuleHandleW.KERNEL32 ref: 0000000140006065
Part of subcall function 0000000140006038: GetProcAddress.KERNEL32 ref: 000000014000607A

Strings

software, xrefs: 0000000140006257, 000000014000627A

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CloseCreate$AddressHandleModuleOpenProc
String ID: software
API String ID: 550756860-2010147023
Opcode ID: 02b5cdb7630e6b99934bc5a97975d27bebf3f5b7bdca450e1e8ee1913dd1310a
Instruction ID: a25326a6d54623c165420ffe713b4ef1aaa010eb6678dd9381aa8ce6c5dc8c24
Opcode Fuzzy Hash: 02b5cdb7630e6b99934bc5a97975d27bebf3f5b7bdca450e1e8ee1913dd1310a
Instruction Fuzzy Hash: B4414C72205B9086EB61CF22F480B9A77A5F7887D8F541225FF9E03B28DB38C194C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400040E0, Relevance: 10.6, APIs: 7, Instructions: 100COMMONLIBRARYCODE

Download Yara Rule

APIs

GlobalDeleteAtom.KERNEL32 ref: 00000001400041D6
GlobalDeleteAtom.KERNEL32 ref: 00000001400041E8
free.LIBCMT ref: 0000000140004233
free.LIBCMT ref: 000000014000423F
free.LIBCMT ref: 000000014000424B
free.LIBCMT ref: 0000000140004257
free.LIBCMT ref: 0000000140004263

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: free$AtomDeleteGlobal
String ID:
API String ID: 622211665-0
Opcode ID: 894070186622278d75e318e4722547bf3177b7de71bd4debdd02e496e6a18b6d
Instruction ID: 478349a539330067a1c58cf9d622b13cf14b173c1b7e0e97b05abd1c32af397c
Opcode Fuzzy Hash: 894070186622278d75e318e4722547bf3177b7de71bd4debdd02e496e6a18b6d
Instruction Fuzzy Hash: 1C412276201A8481EF56EF66E4903ED3361EB88F94F188125DB4E4B7B6CF75C885C354

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140080530, Relevance: 10.6, APIs: 7, Instructions: 95windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000000014008055F
GetNextDlgGroupItem.USER32 ref: 0000000140080584
GetNextDlgGroupItem.USER32 ref: 00000001400805E4
SendMessageW.USER32(?,?,00000000,0000000140080B63), ref: 000000014008061F
GetParent.USER32 ref: 0000000140080631
GetWindowLongW.USER32 ref: 0000000140080654
SendMessageW.USER32(?,?,00000000,0000000140080B63), ref: 0000000140080669

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: GroupItemMessageNextParentSend$LongWindow
String ID:
API String ID: 789784501-0
Opcode ID: 8582a9e8c68535ae5689a13deddee10dfeb1b8500e04885741e04c08a507a410
Instruction ID: 8ba5053038a69ad3a0f26696d5d2509ec5da14da9d84095ae13117c42d425b8c
Opcode Fuzzy Hash: 8582a9e8c68535ae5689a13deddee10dfeb1b8500e04885741e04c08a507a410
Instruction Fuzzy Hash: 4531BC76301A9082EE96DB27A8007EA63A0F78CFC4F084136EF0A47779EE39C541C710

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003A54C, Relevance: 10.6, APIs: 7, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014003A587
DestroyAcceleratorTable.USER32 ref: 000000014003A5D0
GetTopWindow.USER32 ref: 000000014003A61C
GetWindow.USER32 ref: 000000014003A63B
IsWindow.USER32 ref: 000000014003A662
GetParent.USER32 ref: 000000014003A66F
DestroyWindow.USER32 ref: 000000014003A67E

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$Destroy$AcceleratorMessageParentSendTable
String ID:
API String ID: 1621014984-0
Opcode ID: 3d1e2453f8fb919a8eb5c8ee091e1ef8d8cd01b67544898a93ab98355ef10e8d
Instruction ID: 1678bbe4c0783537c992edb69aa07a2a9be7e7c81465e90e3204924b5f4dd457
Opcode Fuzzy Hash: 3d1e2453f8fb919a8eb5c8ee091e1ef8d8cd01b67544898a93ab98355ef10e8d
Instruction Fuzzy Hash: D9416C72211A8482EB52DF22E4887ED73A0F799FE4F580625EB5A07AB5CF3DC545C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400904F0, Relevance: 10.6, APIs: 7, Instructions: 79windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 0000000140090523
SendMessageW.USER32(?,?,?,000000014003B3C2), ref: 000000014009054F
GetFocus.USER32(?,?,?,000000014003B3C2), ref: 0000000140090569
IsChild.USER32 ref: 0000000140090593
SendMessageW.USER32(?,?,?,000000014003B3C2), ref: 00000001400905CA
IsWindowVisible.USER32 ref: 00000001400905E7
SendMessageW.USER32(?,?,?,000000014003B3C2), ref: 0000000140090607

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MessageSend$Window$ChildFocusVisible
String ID:
API String ID: 1252167185-0
Opcode ID: ac870da89e0a5bdd787c58c4825d08df9d2b584a85ac4b87637969c80270c8f0
Instruction ID: 423eba69d09e0463866ebce1385ce1f5160a81c73c4f1ca925afd4f1e62cbf87
Opcode Fuzzy Hash: ac870da89e0a5bdd787c58c4825d08df9d2b584a85ac4b87637969c80270c8f0
Instruction Fuzzy Hash: 29310875311A818AEA56CF17E8547EA67A0FB8CFD4F144026EF1A8B7B0EF75C8528740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140038CB0, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140038030: IsIconic.USER32 ref: 0000000140038064

GetWindowRect.USER32 ref: 0000000140038D57

Part of subcall function 0000000140018068: ScreenToClient.USER32 ref: 0000000140018081
Part of subcall function 0000000140018068: ScreenToClient.USER32 ref: 000000014001808F

Part of subcall function 00000001400387DC: GetWindowRect.USER32 ref: 0000000140038865
Part of subcall function 00000001400387DC: OffsetRect.USER32 ref: 000000014003887B
Part of subcall function 00000001400387DC: CreateCompatibleDC.GDI32 ref: 00000001400388F2
Part of subcall function 00000001400387DC: SelectObject.GDI32 ref: 0000000140038911
Part of subcall function 00000001400387DC: SelectObject.GDI32 ref: 000000014003896C

GetModuleHandleW.KERNEL32 ref: 0000000140038D99
GetProcAddress.KERNEL32 ref: 0000000140038DAE
DeleteObject.GDI32 ref: 0000000140038DCC

Strings

DWMAPI, xrefs: 0000000140038D92
DwmSetIconicLivePreviewBitmap, xrefs: 0000000140038DA4

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ObjectRect$ClientScreenSelectWindow$AddressCompatibleCreateDeleteHandleIconicModuleOffsetProc
String ID: DWMAPI$DwmSetIconicLivePreviewBitmap
API String ID: 361077708-239049650
Opcode ID: 54bf5b911c1f502e29f13bb6c4df9d8110602cf2921d02a0d26f6ad59d0bcd86
Instruction ID: ae858d3bfdad252cc618ee3bf8e184814468d25aebab3c45041fd95248d03955
Opcode Fuzzy Hash: 54bf5b911c1f502e29f13bb6c4df9d8110602cf2921d02a0d26f6ad59d0bcd86
Instruction Fuzzy Hash: D2311772B11A409AEB02DBB2D4587ED37B0B788B89F444416DF091BB69DF38C659C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140070DB0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140070E0B
SendMessageW.USER32 ref: 0000000140070E56
SendMessageW.USER32 ref: 0000000140070E70
SendMessageW.USER32 ref: 0000000140070E94
SendMessageW.USER32 ref: 0000000140070EAC

Strings

@, xrefs: 0000000140070E2F

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MessageSend
String ID: @
API String ID: 3850602802-2766056989
Opcode ID: 0fb2c85cbcae3d65d34872790468d2d9457f021c7d900df039d8a1acb32a84d3
Instruction ID: b810609f0af43424fc1f21ae270ac4e0f52046748329727b7b8c72bfe3cb8867
Opcode Fuzzy Hash: 0fb2c85cbcae3d65d34872790468d2d9457f021c7d900df039d8a1acb32a84d3
Instruction Fuzzy Hash: 58218D71710680C2FB669F52D850BD92261FB8CBC8F548525FB494BBA4DF3DC9558701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140010BB4, Relevance: 10.6, APIs: 7, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0000000140010C28
SetActiveWindow.USER32 ref: 0000000140010C35
SendMessageW.USER32 ref: 0000000140010C52
IsWindow.USER32 ref: 0000000140010C5B
SetActiveWindow.USER32 ref: 0000000140010C68
IsWindow.USER32 ref: 0000000140010C71
SetFocus.USER32 ref: 0000000140010C7E

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$ActiveFocus$MessageSend
String ID:
API String ID: 1556911595-0
Opcode ID: 6a25c30fab17df08bed1aad8e680586b7063283a4c9126e0da50c2f8ee4232ac
Instruction ID: e7bc5f50c9e6db1aec0ffe25f866a764fad589b4f70aa19142cc326793d21bf0
Opcode Fuzzy Hash: 6a25c30fab17df08bed1aad8e680586b7063283a4c9126e0da50c2f8ee4232ac
Instruction Fuzzy Hash: 94214F31310A95C5FB6A9B27A8447E966A0EB8DFC4F180121FF854BBB5DF7AC5418B40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400547B0, Relevance: 10.6, APIs: 7, Instructions: 68keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32 ref: 00000001400547EA
GetAsyncKeyState.USER32 ref: 0000000140054808
GetKeyboardState.USER32 ref: 0000000140054838
GetKeyboardLayout.USER32 ref: 0000000140054850
MapVirtualKeyW.USER32 ref: 000000014005485D
ToUnicodeEx.USER32 ref: 0000000140054886
CharUpperW.USER32 ref: 0000000140054891

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: State$AsyncKeyboard$CharLayoutUnicodeUpperVirtual
String ID:
API String ID: 298839909-0
Opcode ID: 9e51aef277dbfef9e7e354ff82e1daf09ed74842b3a38cc40be82d987d0bf7c0
Instruction ID: 3581ec4034648379c9c7298072d70713c97294545cbb00cfaad1efd8cdfd1347
Opcode Fuzzy Hash: 9e51aef277dbfef9e7e354ff82e1daf09ed74842b3a38cc40be82d987d0bf7c0
Instruction Fuzzy Hash: A8318231604A8483FB22DF22E8947EE73A1F78CB84F544025EB4A47AB9DF79C845CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140164FA4, Relevance: 10.6, APIs: 7, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000140164FC7
_errno.LIBCMT ref: 0000000140164FCF

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 1eb9c7ce253c479792460a28c5571d756ac43cbb374699178b94623942866f05
Instruction ID: 59ef7774d25f3de8cc01ecc46976be2544ff0edcb936f99d18ce5ca634dc87eb
Opcode Fuzzy Hash: 1eb9c7ce253c479792460a28c5571d756ac43cbb374699178b94623942866f05
Instruction Fuzzy Hash: 1421AE3221064046F7176F279D517EE6661A798FA1F094604BB2A0B2F3CAB9C84187A1

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140158DD8, Relevance: 10.6, APIs: 7, Instructions: 63threadCOMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000140158E01
_invalid_parameter_noinfo.LIBCMT ref: 0000000140158E0C
_getptd.LIBCMT ref: 0000000140158E32
CreateThread.KERNEL32 ref: 0000000140158E70
GetLastError.KERNEL32(?,?,?,?,?,00000001400D8E07), ref: 0000000140158E82
free.LIBCMT ref: 0000000140158E8D
ResumeThread.KERNEL32(?,?,?,?,?,00000001400D8E07), ref: 0000000140158EBF

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Thread$CreateErrorLastResume_errno_getptd_invalid_parameter_noinfofree
String ID:
API String ID: 3220277038-0
Opcode ID: eb1ca011717da64d4cc5adc57dd058ed9d9cdce191acf08cd26f740bf4d1d608
Instruction ID: 402d8050fe05c79427aef14c70f22155923b980e15e81157fa0e632e295fa50f
Opcode Fuzzy Hash: eb1ca011717da64d4cc5adc57dd058ed9d9cdce191acf08cd26f740bf4d1d608
Instruction Fuzzy Hash: AE217F31211B4085EB16ABA7A9413ED72A0FB4CFA0F5C0A25EF6D1B7E2DF79D4108300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140020B88, Relevance: 10.6, APIs: 7, Instructions: 62windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0000000140020B95
SendMessageW.USER32(?,?,?,0000000140020CAB,?,?,00000000,0000000140004873), ref: 0000000140020BAB
GetFocus.USER32(?,?,?,0000000140020CAB,?,?,00000000,0000000140004873), ref: 0000000140020BCA
SendMessageW.USER32(?,?,?,0000000140020CAB,?,?,00000000,0000000140004873), ref: 0000000140020BE0

Part of subcall function 0000000140010AF8: GetParent.USER32 ref: 0000000140010B21

GetLastActivePopup.USER32 ref: 0000000140020C12
SendMessageW.USER32(?,?,?,0000000140020CAB,?,?,00000000,0000000140004873), ref: 0000000140020C28

Part of subcall function 0000000140010AF8: GetWindowLongW.USER32 ref: 0000000140010B45
Part of subcall function 0000000140010AF8: GetParent.USER32 ref: 0000000140010B54

SendMessageW.USER32(?,?,?,0000000140020CAB,?,?,00000000,0000000140004873), ref: 0000000140020C55

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MessageSend$Parent$ActiveCaptureFocusLastLongPopupWindow
String ID:
API String ID: 3194460488-0
Opcode ID: a46d3eb06fc8195e76aaa728e1fe26556ae3be6685ba75dea8eca6521639fa88
Instruction ID: bbe7acb3120ccfe6340864dfc3874b2b9d5eaba264fd1e0a092328274d287cc0
Opcode Fuzzy Hash: a46d3eb06fc8195e76aaa728e1fe26556ae3be6685ba75dea8eca6521639fa88
Instruction Fuzzy Hash: 5021307431179182FE6B5F27A965BE91550AB9DFC8F545029BF0A0BBA2EE3DD8404700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000307C, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000001400030A5
GetProcAddress.KERNEL32 ref: 00000001400030C3
GetProcAddress.KERNEL32 ref: 00000001400030D6

Strings

RegisterApplicationRecoveryCallback, xrefs: 00000001400030C9
RegisterApplicationRestart, xrefs: 00000001400030B9
KERNEL32.DLL, xrefs: 0000000140003095

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: KERNEL32.DLL$RegisterApplicationRecoveryCallback$RegisterApplicationRestart
API String ID: 667068680-723216104
Opcode ID: 39558250b50fac553253a50e1706a050ce4c12adb14490ccbf6994dc6ca481de
Instruction ID: 8b2ae9ab864da245f68b61cb4192c8723ecfe7ab86e32f6effd79102f21bfa29
Opcode Fuzzy Hash: 39558250b50fac553253a50e1706a050ce4c12adb14490ccbf6994dc6ca481de
Instruction Fuzzy Hash: 29114875311B5981EA56DB13B9407D9B7A8FB9CFC0F480421EF4907B68EF38D4418700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140003130, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014000314E
GetProcAddress.KERNEL32 ref: 000000014000316C
GetProcAddress.KERNEL32 ref: 000000014000317F

Strings

ApplicationRecoveryFinished, xrefs: 0000000140003172
KERNEL32.DLL, xrefs: 0000000140003147
ApplicationRecoveryInProgress, xrefs: 0000000140003162

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ApplicationRecoveryFinished$ApplicationRecoveryInProgress$KERNEL32.DLL
API String ID: 667068680-4287352451
Opcode ID: f07f91f5c75b53938aa2e259b8796ad6f4e499a9683c2803fa245b8498c749f2
Instruction ID: 8e6781c3c5aa00a8e712289ea843b764013ec287799bdf629ef2fd69c1f707b2
Opcode Fuzzy Hash: f07f91f5c75b53938aa2e259b8796ad6f4e499a9683c2803fa245b8498c749f2
Instruction Fuzzy Hash: 40112531626B4486EB16DB66F8443E963A4FB8CFC0F485525EB4A077A8EF38C8458700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401069EC, Relevance: 9.4, APIs: 6, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f882662bbc87573f42169722f9dcd365b795edc70ece9972cd5a0830b4ab9d
Instruction ID: 3b75f64a65f3190b5fb09f8ca3f77381687e61bff500c0583f16005caa997489
Opcode Fuzzy Hash: d1f882662bbc87573f42169722f9dcd365b795edc70ece9972cd5a0830b4ab9d
Instruction Fuzzy Hash: D2126C72710A458AEB11CF7AE4507AE77B0F788B98F044216EF9A63BA4DF38D545CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005E488, Relevance: 9.2, APIs: 6, Instructions: 215COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 000000014005E4CC
GetWindowRect.USER32 ref: 000000014005E5D7
GetParent.USER32 ref: 000000014005E5E1
GetParent.USER32 ref: 000000014005E5FF
OffsetRect.USER32 ref: 000000014005E6E6
OffsetRect.USER32 ref: 000000014005E6F5

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$OffsetParentWindow
String ID:
API String ID: 4200989157-0
Opcode ID: 5b8b0da08413322dd3e872e64bd6f9f2c9d2271d2fa3929be0054d1e2e6e2cec
Instruction ID: ee74cad985495dbaa2460279c72bfbb33375283925ed8ec4f87ddf357d4e688d
Opcode Fuzzy Hash: 5b8b0da08413322dd3e872e64bd6f9f2c9d2271d2fa3929be0054d1e2e6e2cec
Instruction Fuzzy Hash: CAA12476B106908AEB59CFA6E484BDD7BB1B348BD8F504019EF4A63B58DF39C945CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140074C54, Relevance: 9.2, APIs: 6, Instructions: 204COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400138E0: GetParent.USER32 ref: 00000001400138F7
Part of subcall function 00000001400138E0: GetParent.USER32 ref: 000000014001390E
Part of subcall function 00000001400138E0: GetParent.USER32 ref: 000000014001392D
Part of subcall function 00000001400138E0: SetFocus.USER32 ref: 000000014001394F

GetClientRect.USER32 ref: 0000000140074CA7
SetCapture.USER32 ref: 0000000140074CD4

Part of subcall function 000000014007249C: IsRectEmpty.USER32 ref: 00000001400724D9
Part of subcall function 000000014007249C: InvertRect.USER32 ref: 00000001400724EE
Part of subcall function 000000014007249C: SetRectEmpty.USER32 ref: 0000000140072503

SetCapture.USER32 ref: 0000000140074D31
PtInRect.USER32 ref: 0000000140074E2A
GetCapture.USER32 ref: 0000000140074E4B
ReleaseCapture.USER32 ref: 0000000140074E56

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$Capture$Parent$Empty$ClientFocusInvertRelease
String ID:
API String ID: 54144319-0
Opcode ID: 0a4838b14d800187ae70e9b1aa87c118c652ae1f24b583ca52fd0cfd4e84f1c6
Instruction ID: 7ba75bd49235687bef3a1d4c06c779d10a46af9ccc6281c6f2064b68dd781327
Opcode Fuzzy Hash: 0a4838b14d800187ae70e9b1aa87c118c652ae1f24b583ca52fd0cfd4e84f1c6
Instruction Fuzzy Hash: 0B918F32311A9086EB55DB2BD998BEE2365F788FD5F054226EF1A477A9CF38C481C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140072C28, Relevance: 9.1, APIs: 6, Instructions: 121windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0000000140072C99
SendMessageW.USER32 ref: 0000000140072CDB
SendMessageW.USER32 ref: 0000000140072D0D
SendMessageW.USER32 ref: 0000000140072D9C
SendMessageW.USER32 ref: 0000000140072DBF
PtInRect.USER32 ref: 0000000140072DDD

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MessageSend$Rect$Client
String ID:
API String ID: 4194289498-0
Opcode ID: aba7eb0dc827aabf785ad2fabe13fcc7c2a6e47fc7faeb0d4f73faae7d938c70
Instruction ID: d327b169ea3f2a58e2ddf26cc493e9f14a16d85ac64677327efb857612f97239
Opcode Fuzzy Hash: aba7eb0dc827aabf785ad2fabe13fcc7c2a6e47fc7faeb0d4f73faae7d938c70
Instruction Fuzzy Hash: CA510636611A40CAE761CF3AD8947ED37A1F788F88F595126EF0A47768DE35C842C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140038280, Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00000001400382AB

Part of subcall function 00000001401556AC: _FF_MSGBANNER.LIBCMT ref: 00000001401556DC
Part of subcall function 00000001401556AC: RtlAllocateHeap.NTDLL(?,?,00000018,0000000140002DA0), ref: 0000000140155701
Part of subcall function 00000001401556AC: _callnewh.LIBCMT ref: 000000014015571A
Part of subcall function 00000001401556AC: _errno.LIBCMT ref: 0000000140155725
Part of subcall function 00000001401556AC: _errno.LIBCMT ref: 0000000140155730

CreateDIBSection.GDI32 ref: 000000014003832B
free.LIBCMT ref: 0000000140038367

Part of subcall function 0000000140155564: RtlDeleteBoundaryDescriptor.NTDLL(?,?,00000000,000000014015AAC4,?,?,00000018,0000000140156059,?,?,?,?,000000014015574A,?,?,00000018), ref: 000000014015557A
Part of subcall function 0000000140155564: _errno.LIBCMT ref: 0000000140155584
Part of subcall function 0000000140155564: GetLastError.KERNEL32(?,?,00000000,000000014015AAC4,?,?,00000018,0000000140156059,?,?,?,?,000000014015574A,?,?,00000018), ref: 000000014015558C

memcpy_s.LIBCMT ref: 000000014003838B
free.LIBCMT ref: 00000001400383C3
free.LIBCMT ref: 00000001400383D5

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: _errnofree$AllocateBoundaryCreateDeleteDescriptorErrorHeapLastSection_callnewhmallocmemcpy_s
String ID:
API String ID: 1573770261-0
Opcode ID: 65476563a6ca0706b5eef82f7335e03d93b5cf7fbc6c80436aadac606f138df8
Instruction ID: b93af07f18dff378f1c01a2c50557e3c0f8380557273f9c9531050505c1e28fb
Opcode Fuzzy Hash: 65476563a6ca0706b5eef82f7335e03d93b5cf7fbc6c80436aadac606f138df8
Instruction Fuzzy Hash: 6A418C7220074086EB77AA27A5503DEA3A1FB8CFC4F588425AF464BBB6EB78D5548700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A21D8, Relevance: 9.1, APIs: 6, Instructions: 109keyboardtimewindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00000001400A221D

Part of subcall function 00000001400A1958: GetParent.USER32 ref: 00000001400A1971
Part of subcall function 00000001400A1958: GetSystemMenu.USER32(?,?,?,?,?,?,?,00000001400A2249), ref: 00000001400A1997
Part of subcall function 00000001400A1958: SetMenuDefaultItem.USER32(?,?,?,?,?,?,?,00000001400A2249), ref: 00000001400A19C6
Part of subcall function 00000001400A1958: GetParent.USER32 ref: 00000001400A19D0
Part of subcall function 00000001400A1958: IsZoomed.USER32 ref: 00000001400A19E2
Part of subcall function 00000001400A1958: EnableMenuItem.USER32 ref: 00000001400A19FB
Part of subcall function 00000001400A1958: EnableMenuItem.USER32 ref: 00000001400A1A10
Part of subcall function 00000001400A1958: EnableMenuItem.USER32 ref: 00000001400A1A25
Part of subcall function 00000001400A1958: EnableMenuItem.USER32 ref: 00000001400A1A6D
Part of subcall function 00000001400A1958: GetParent.USER32 ref: 00000001400A1A77
Part of subcall function 00000001400A1958: DeleteMenu.USER32(?,?,?,?,?,?,?,00000001400A2249), ref: 00000001400A1A9F
Part of subcall function 00000001400A1958: DeleteMenu.USER32(?,?,?,?,?,?,?,00000001400A2249), ref: 00000001400A1AB1
Part of subcall function 00000001400A1958: GetParent.USER32 ref: 00000001400A1ABB
Part of subcall function 00000001400A1958: DeleteMenu.USER32(?,?,?,?,?,?,?,00000001400A2249), ref: 00000001400A1AE3
Part of subcall function 00000001400A1958: GetParent.USER32 ref: 00000001400A1AF7

KillTimer.USER32(?,?,?,?,?,?,?,?,?,?,?,0000000140090C73), ref: 00000001400A225A
GetKeyState.USER32 ref: 00000001400A22A5
GetKeyState.USER32 ref: 00000001400A22BC
GetFocus.USER32 ref: 00000001400A231A
SetTimer.USER32 ref: 00000001400A2368

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Menu$ItemParent$Enable$Delete$StateTimer$DefaultFocusKillRectSystemWindowZoomed
String ID:
API String ID: 3553910245-0
Opcode ID: 23392c6d9903c2ef316028558e09c9d1bb555c03d7486aa53c3ff59838b8600f
Instruction ID: f9c82055d4b6edda534df0256347a7eb3f2ebe9eaee57e148cdf3536daf8ea96
Opcode Fuzzy Hash: 23392c6d9903c2ef316028558e09c9d1bb555c03d7486aa53c3ff59838b8600f
Instruction Fuzzy Hash: A841EC7271464092FA669B2BD5443E96290F7AEBD5F100235FF0A0BBB1DE78C9D18B01

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400D88EC, Relevance: 9.1, APIs: 6, Instructions: 102COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400D87FC: GetProfileIntW.KERNEL32 ref: 00000001400D8870
Part of subcall function 00000001400D87FC: GetProfileIntW.KERNEL32 ref: 00000001400D8890

CopyRect.USER32 ref: 00000001400D894E
GetCursorPos.USER32 ref: 00000001400D8960
SetRect.USER32 ref: 00000001400D897E
IsRectEmpty.USER32 ref: 00000001400D89A3
InflateRect.USER32 ref: 00000001400D89B9
DoDragDrop.OLE32 ref: 00000001400D8A22

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$Profile$CopyCursorDragDropEmptyInflate
String ID:
API String ID: 1351899944-0
Opcode ID: 37fd7b38f54034a48517b91bb17490bd5671b884b27fac27099ea77e5c7446a5
Instruction ID: 5c6829040a9a78c6d59697faa5f4ec490ddbbd6243c19538f29407c8959d5c1c
Opcode Fuzzy Hash: 37fd7b38f54034a48517b91bb17490bd5671b884b27fac27099ea77e5c7446a5
Instruction Fuzzy Hash: 6F416E3221464486EA62DB17E8547EEB3A0FB8DBD4F485126AF8A077B8DF38C446C711

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140080130, Relevance: 9.1, APIs: 6, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014008017F
GetClientRect.USER32 ref: 0000000140080247
GetCursorPos.USER32 ref: 000000014008025C
ScreenToClient.USER32 ref: 000000014008026B
PtInRect.USER32 ref: 000000014008027B
SetCursor.USER32 ref: 000000014008028C

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ClientCursorRect$MessageScreenSend
String ID:
API String ID: 277080217-0
Opcode ID: 16a9636e03e8c131787ed867fe90dee4a01aa4a55560df4787a53117d6aaaf30
Instruction ID: 72980ad98c27474a6f8902822a989ba80de790b6070d894d3e6afbf6bc8c6fcd
Opcode Fuzzy Hash: 16a9636e03e8c131787ed867fe90dee4a01aa4a55560df4787a53117d6aaaf30
Instruction Fuzzy Hash: FC419E73215A4082FFA2CB52E4587EE6760FB89BD9F040121EB4A0BAB5CF7DC646C710

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003C0F8, Relevance: 9.1, APIs: 6, Instructions: 88COMMON

Download Yara Rule

APIs

DestroyAcceleratorTable.USER32 ref: 000000014003C129
GetTopWindow.USER32 ref: 000000014003C17A
GetWindow.USER32 ref: 000000014003C1C8
IsWindow.USER32 ref: 000000014003C1F7
GetParent.USER32 ref: 000000014003C204
DestroyWindow.USER32 ref: 000000014003C213

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$Destroy$AcceleratorParentTable
String ID:
API String ID: 3451810566-0
Opcode ID: fb4f4d52c2347312c4092d6f6c8d420f7be4ef6f573927edf16ef144af17acb5
Instruction ID: 3bec0293c10d9481d71401684771e9345197f67de0dab630550ae5c0cb4c910b
Opcode Fuzzy Hash: fb4f4d52c2347312c4092d6f6c8d420f7be4ef6f573927edf16ef144af17acb5
Instruction Fuzzy Hash: 4E418036214B4482EB62DB23E5447AA63B0F78DFE4F140225EF5A477A5CF38C955C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003E4F8, Relevance: 9.1, APIs: 6, Instructions: 87COMMON

Download Yara Rule

APIs

DestroyAcceleratorTable.USER32 ref: 000000014003E528
GetTopWindow.USER32 ref: 000000014003E57A
GetWindow.USER32 ref: 000000014003E5BB
IsWindow.USER32 ref: 000000014003E5E2
GetParent.USER32 ref: 000000014003E5EF
DestroyWindow.USER32 ref: 000000014003E5FE

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$Destroy$AcceleratorParentTable
String ID:
API String ID: 3451810566-0
Opcode ID: c0225f60cd744e04aed0c3e4d9106d4d8afd96d913450a9fd5f71e97700cefa4
Instruction ID: 3fd6f6492ec0856c3b7acf50747c7ae7c8c3c1f4b8ded5780b2d396a0a3f2cd1
Opcode Fuzzy Hash: c0225f60cd744e04aed0c3e4d9106d4d8afd96d913450a9fd5f71e97700cefa4
Instruction Fuzzy Hash: 36415A72214E8486EB66DB23E5487AA63A0F798FE4F140221EF5A077F9DF78C945C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400C6344, Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00000001400C641A
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00000001400C6434
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00000001400C6441
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00000001400C644E
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00000001400C645B
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00000001400C6468

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ContextExternal$BaseBase::~Concurrency::details::
String ID:
API String ID: 1690591649-0
Opcode ID: 7265d63791e1b19f3edd3c9d1adee766319ce7340f2380735de2642b944ba268
Instruction ID: 99b9961afc6abedf13ca1eb9bb9c24108acf04c5c7f3430aff4debae6fe9a9a9
Opcode Fuzzy Hash: 7265d63791e1b19f3edd3c9d1adee766319ce7340f2380735de2642b944ba268
Instruction Fuzzy Hash: C8316F72306A8092EB15AF3AC8453DD23A0F789F94F588235EB5D872B9DF78C985C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140073FFC, Relevance: 9.1, APIs: 6, Instructions: 79windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014007405F
GetClientRect.USER32 ref: 000000014007407D
GetSystemMetrics.USER32 ref: 000000014007409F
GetSystemMetrics.USER32 ref: 00000001400740CC
InvalidateRect.USER32 ref: 00000001400740F6
UpdateWindow.USER32 ref: 0000000140074100

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MetricsRectSystem$ClientInvalidateMessageSendUpdateWindow
String ID:
API String ID: 896808119-0
Opcode ID: 4b7c59d9901c761af2ac5a43911552561a69eaef4112513fb012891d44a7edfa
Instruction ID: c511e9b6e8c6c489efcd9010a4903a2f87ddf7203634dd44ddbceb59dcad66b6
Opcode Fuzzy Hash: 4b7c59d9901c761af2ac5a43911552561a69eaef4112513fb012891d44a7edfa
Instruction Fuzzy Hash: F8312336210A40CBE721CF76E88879D37B0F78CB99F510225EB1A47AA9CF79D485CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140006604, Relevance: 9.1, APIs: 6, Instructions: 72registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyW.ADVAPI32 ref: 0000000140006656
RegDeleteValueW.ADVAPI32 ref: 000000014000667C
RegCloseKey.ADVAPI32 ref: 00000001400066C4

Part of subcall function 0000000140006224: RegCloseKey.ADVAPI32 ref: 00000001400063AB
Part of subcall function 0000000140006224: RegCloseKey.ADVAPI32 ref: 00000001400063BA

WritePrivateProfileStringW.KERNEL32 ref: 00000001400066E3

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Close$Delete$PrivateProfileStringValueWrite
String ID:
API String ID: 1330817964-0
Opcode ID: 44a2976962da78c0a832bfa79483ee09d33acffca5ec7cfea44c7209f9fe1fd7
Instruction ID: 537dda439eeb5f03a88ee389a3fa5b97e8a10f44cf71c122bd5539dad39cbbdb
Opcode Fuzzy Hash: 44a2976962da78c0a832bfa79483ee09d33acffca5ec7cfea44c7209f9fe1fd7
Instruction Fuzzy Hash: 2E21B075701B9485EA56DB63B554BEAA7E2BB8DFC0F084025AF0927BB4DF39C1048700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140156778, Relevance: 9.1, APIs: 6, Instructions: 63threadCOMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001401567A3
_invalid_parameter_noinfo.LIBCMT ref: 00000001401567AE
_getptd.LIBCMT ref: 00000001401567D4
CreateThread.KERNEL32 ref: 0000000140156829
GetLastError.KERNEL32(?,?,?,00000000,?,0000000140005EB8), ref: 0000000140156834
free.LIBCMT ref: 000000014015683F

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CreateErrorLastThread_errno_getptd_invalid_parameter_noinfofree
String ID:
API String ID: 3283625137-0
Opcode ID: df38925a348bd2b5cef53c7e3f1fbe881b7ec94f13802559ab9e3553c712a9d1
Instruction ID: 27d33cde8538c7ee84a0898a2f8eaee99f0f82add6669be813608c9ac33fc7ef
Opcode Fuzzy Hash: df38925a348bd2b5cef53c7e3f1fbe881b7ec94f13802559ab9e3553c712a9d1
Instruction Fuzzy Hash: 6921653120478086EB56AF77A5517DAB390F788FD4F484225AF69077E6DF39D4508740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014008004C, Relevance: 9.1, APIs: 6, Instructions: 54windowtimeCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000000014008006B
SendMessageW.USER32 ref: 00000001400800A1
SetCapture.USER32 ref: 00000001400800CD
InvalidateRect.USER32 ref: 00000001400800EA
UpdateWindow.USER32 ref: 00000001400800F4
SetTimer.USER32 ref: 0000000140080110

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CaptureInvalidateMessageParentRectSendTimerUpdateWindow
String ID:
API String ID: 3683363781-0
Opcode ID: d9501b2148e72c87e423a6e35ef3d6862d53828d44fdc670acd20950e9183e12
Instruction ID: 3046aed26e39f53a59711a381aa38105ec6eeca35f6517791089655d39714984
Opcode Fuzzy Hash: d9501b2148e72c87e423a6e35ef3d6862d53828d44fdc670acd20950e9183e12
Instruction Fuzzy Hash: 0021387671168082EB5ADF27E6897E96360F78CFC4F144025EB4A07B61DF3AC4928B00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140072A08, Relevance: 9.0, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0000000140072A31
ReleaseCapture.USER32 ref: 0000000140072A3C
GetCapture.USER32 ref: 0000000140072A63
ReleaseCapture.USER32 ref: 0000000140072A6E
GetCapture.USER32 ref: 0000000140072A78
ReleaseCapture.USER32 ref: 0000000140072A83

Part of subcall function 00000001400722D0: IsRectEmpty.USER32 ref: 000000014007231A
Part of subcall function 00000001400722D0: InvertRect.USER32 ref: 0000000140072339
Part of subcall function 00000001400722D0: SetRectEmpty.USER32 ref: 000000014007234B

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Capture$RectRelease$Empty$Invert
String ID:
API String ID: 2029503137-0
Opcode ID: ff33a0fc6bc42e9343731b95b399f4fb06cbdf0036a646a452c1775f035566df
Instruction ID: 4fd3ce45d47c7a89952fec79054d08e5fba55cac33941b69a2c0c8a5eb27e548
Opcode Fuzzy Hash: ff33a0fc6bc42e9343731b95b399f4fb06cbdf0036a646a452c1775f035566df
Instruction Fuzzy Hash: 37118E32301940D7EB1AAB63CA483ED2361FB0CBD6F080120DB15076B5CF78D8A5C701

Uniqueness

Uniqueness Score: -1.00%

Function 000000014015AA58, Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000018,0000000140156059,?,?,?,?,000000014015574A,?,?,00000018,0000000140002DA0), ref: 000000014015AA62
FlsGetValue.KERNEL32(?,?,00000018,0000000140156059,?,?,?,?,000000014015574A,?,?,00000018,0000000140002DA0), ref: 000000014015AA70
SetLastError.KERNEL32(?,?,00000018,0000000140156059,?,?,?,?,000000014015574A,?,?,00000018,0000000140002DA0), ref: 000000014015AAC8

Part of subcall function 000000014015C604: Sleep.KERNEL32(?,?,?,000000014015AA8B,?,?,00000018,0000000140156059,?,?,?,?,000000014015574A,?,?,00000018), ref: 000000014015C649

FlsSetValue.KERNEL32(?,?,00000018,0000000140156059,?,?,?,?,000000014015574A,?,?,00000018,0000000140002DA0), ref: 000000014015AA9C
free.LIBCMT ref: 000000014015AABF

Part of subcall function 000000014015A9A0: _lock.LIBCMT ref: 000000014015A9F4
Part of subcall function 000000014015A9A0: _lock.LIBCMT ref: 000000014015AA13

GetCurrentThreadId.KERNEL32 ref: 000000014015AAB0

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: 2775d209e400eda27944a5320f1e50e4524e97c8205c13b984e5cebb49d40e08
Instruction ID: 87e360d6d360ea8625b257b7bc954d49d371b694b0d3af9534913383273a74c4
Opcode Fuzzy Hash: 2775d209e400eda27944a5320f1e50e4524e97c8205c13b984e5cebb49d40e08
Instruction Fuzzy Hash: 4601FF3520274586FB57AB67E4987A862A1AB8CF60F5C8624DB260B3F5EF3DC844C611

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400489E8, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 238COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 0000000140048A9A
_cwprintf_s_l.LIBCMT ref: 0000000140048AAC

Strings

%sMFCToolBar-%d, xrefs: 0000000140048A93
%sMFCToolBar-%d%x, xrefs: 0000000140048AA5
Buttons, xrefs: 0000000140048B58

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: %sMFCToolBar-%d$%sMFCToolBar-%d%x$Buttons
API String ID: 2941638530-3567013142
Opcode ID: 60df1e717ca1852404fc0458e854bafac5689d32999c9bf971f11ed7f65f6499
Instruction ID: 94210f64a3bafa48af3efe05c0b832c55d37723ab81a59c1ff32b4044bcef12e
Opcode Fuzzy Hash: 60df1e717ca1852404fc0458e854bafac5689d32999c9bf971f11ed7f65f6499
Instruction Fuzzy Hash: FFA1AB72301A8486EB65DB2AD4447DE73A0FB89FE4F458522EF5A43BA5DF78C884C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140032C58, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 235stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,0000000140032F6D), ref: 0000000140032CF6
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,0000000140032F6D), ref: 0000000140032DB2
wcsnlen.LIBCMT ref: 0000000140032E39

Strings

1, xrefs: 0000000140032DF2
1, xrefs: 0000000140032C9F

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: lstrlen$wcsnlen
String ID: 1$1
API String ID: 1105126865-2061416233
Opcode ID: 9f7edd7af31941af7152ecf0617050a6c2be9eeba637065dd9fb6bb1979617a6
Instruction ID: ec3b765fa6ef037e4a084725f3645a9e6470001c3bed8436cf81308337638a61
Opcode Fuzzy Hash: 9f7edd7af31941af7152ecf0617050a6c2be9eeba637065dd9fb6bb1979617a6
Instruction Fuzzy Hash: C081C23660064185EB2BAF27D4543EE63A0FB8CBD4F998126FF5A477F5DB38C8918205

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140032FF0, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 184COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 0000000140033059
PathFindExtensionW.SHLWAPI ref: 0000000140033075

Strings

.HLP, xrefs: 00000001400331D2
.INI, xrefs: 0000000140033231
.CHM, xrefs: 000000014003319C

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ExtensionFileFindModuleNamePath
String ID: .CHM$.HLP$.INI
API String ID: 2295281026-4017452060
Opcode ID: cb30247b98fc6cacfd23767955c3d5127c5ea0d53f394c22075bb63f4cbdb987
Instruction ID: 970e52f3ef37784c53ccdd130a0d1f32ed96442d747adb6cc8767238dbf29b0f
Opcode Fuzzy Hash: cb30247b98fc6cacfd23767955c3d5127c5ea0d53f394c22075bb63f4cbdb987
Instruction Fuzzy Hash: AD718D31200B8144FB67AB6794953EA23A4FB4DBC4F980925FB5D8B6BADF36C584C341

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140134BC4, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140134B04: OleGetClipboard.OLE32 ref: 0000000140134B1E

ReleaseStgMedium.OLE32 ref: 0000000140134C6C
ReleaseStgMedium.OLE32 ref: 0000000140134D04

Strings

', xrefs: 0000000140134C1B

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MediumRelease$Clipboard
String ID: '
API String ID: 3486090133-1997036262
Opcode ID: c79cbf419181aded3865ae1dec49eaf20464169994fe7c78aede3ea28a72f049
Instruction ID: 2eb17a94d7490a5da16115170a460fac995d29f05b84946502303243f7f789b7
Opcode Fuzzy Hash: c79cbf419181aded3865ae1dec49eaf20464169994fe7c78aede3ea28a72f049
Instruction Fuzzy Hash: 82714B32209B9082FA669B97E4503D9A3A0F79DFD0F144125AB8E47BB9DF39D945C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400070C4, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000000140007259
RegEnumKeyW.ADVAPI32 ref: 0000000140007275
RegCloseKey.ADVAPI32 ref: 0000000140007297
RegQueryValueW.ADVAPI32 ref: 00000001400072AF

Strings

Software\, xrefs: 000000014000719F

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CloseEnumOpenQueryValue
String ID: Software\
API String ID: 3984146545-964853688
Opcode ID: f434e4ebecd1ef56b2dd0a849bddd222edba9841bfc0388fdd3aa0e70b54f24f
Instruction ID: 59378e19bcca218128962f92db72a5a70c4c89ae09c35a725c6ac5426f299419
Opcode Fuzzy Hash: f434e4ebecd1ef56b2dd0a849bddd222edba9841bfc0388fdd3aa0e70b54f24f
Instruction Fuzzy Hash: EA616072714A8582EB51DB2AE844BDA63A1F788BE4F445221FB6E877E4DF7CC445C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140077154, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

Part of subcall function 000000014011E928: SetRectEmpty.USER32 ref: 000000014011E97F

SetRectEmpty.USER32 ref: 000000014007732B
SetRectEmpty.USER32 ref: 000000014007733F
SetRectEmpty.USER32 ref: 000000014007734C

Strings

True, xrefs: 000000014007738D, 000000014007739C
False, xrefs: 00000001400773AF, 00000001400773BE

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: EmptyRect
String ID: False$True
API String ID: 2270935405-1895882422
Opcode ID: baa85324531feb0efb808be9a73876913023b6bb826a068f50957ed89deb279f
Instruction ID: 362087e7eab3487d89eff12def403dfb92a637b5663eeaa862d68862669e8145
Opcode Fuzzy Hash: baa85324531feb0efb808be9a73876913023b6bb826a068f50957ed89deb279f
Instruction Fuzzy Hash: B271F332101F8087D7699F35F8803DAB7A8FB48741F404219DBAAA37A1DF39E5A5DB04

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140006EA0, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000000140006F97
RegEnumKeyW.ADVAPI32 ref: 0000000140006FBC
RegCloseKey.ADVAPI32 ref: 0000000140007082

Strings

Software\Classes\, xrefs: 0000000140006F08

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CloseEnumOpen
String ID: Software\Classes\
API String ID: 1332880857-1121929649
Opcode ID: d96067ca82a7f3b35bd6257b5fed1c2b30b382d3654c4956bced0b3c1b823701
Instruction ID: 7905b7a3487c1e7f12c83fbb8e667edcec03195a8bbe037c5e130833f5e3dccb
Opcode Fuzzy Hash: d96067ca82a7f3b35bd6257b5fed1c2b30b382d3654c4956bced0b3c1b823701
Instruction Fuzzy Hash: E25184B2715A8582EB51DB2AF48479AA361F788BE0F544221FB6D43BF9DF38C845C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A07A8, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 137COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 00000001400A0842
_cwprintf_s_l.LIBCMT ref: 00000001400A0854

Strings

IsVisible, xrefs: 00000001400A08EC
%sBasePane-%d, xrefs: 00000001400A083B
%sBasePane-%d%x, xrefs: 00000001400A084D

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: %sBasePane-%d$%sBasePane-%d%x$IsVisible
API String ID: 2941638530-4027084908
Opcode ID: 2ed565ade2f46cb39522dffa4e0502c5fc546e76b23099195cfc6f0aad69244c
Instruction ID: e7c625e714261373b8aed93786a7afb54f3d68130d6fb02f256b88cdadd0df69
Opcode Fuzzy Hash: 2ed565ade2f46cb39522dffa4e0502c5fc546e76b23099195cfc6f0aad69244c
Instruction Fuzzy Hash: 25518C72B01B4986EB01DB2AD84079D23A0FB89FE4F448212EF6E577A5DF78C885C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A0970, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 106COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 00000001400A0A02
_cwprintf_s_l.LIBCMT ref: 00000001400A0A14

Strings

IsVisible, xrefs: 00000001400A0A5A
%sBasePane-%d, xrefs: 00000001400A09FB
%sBasePane-%d%x, xrefs: 00000001400A0A0D

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: %sBasePane-%d$%sBasePane-%d%x$IsVisible
API String ID: 2941638530-4027084908
Opcode ID: 25c32583c9f9b44c86600d6976cd34d0a9ce1383b3c3b1e2b039fb694ef9b463
Instruction ID: ed73349a996ac099a558a85a018c6cd75da4006dd15cb1016f8460c14037f662
Opcode Fuzzy Hash: 25c32583c9f9b44c86600d6976cd34d0a9ce1383b3c3b1e2b039fb694ef9b463
Instruction Fuzzy Hash: 96416772701B0482EB059B6AD8807EC23A0B799FE4F448326EF2A577E5CF34C885C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000E870, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 100windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014000E978
GetWindowLongPtrW.USER32 ref: 000000014000E987
GetWindowLongPtrW.USER32 ref: 000000014000E9A1
SetWindowLongPtrW.USER32 ref: 000000014000E9C9

Strings

@, xrefs: 000000014000E968

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: @
API String ID: 2178440468-2766056989
Opcode ID: 4b1b86d55bee0aa894044c17785638ec56d257edd1ec0c5beac24e11a43c3172
Instruction ID: fff19269396c9da64ab6f1f7bfd1c25fd71bf25ff61b50a5d5ff5cdc5c9f2f5d
Opcode Fuzzy Hash: 4b1b86d55bee0aa894044c17785638ec56d257edd1ec0c5beac24e11a43c3172
Instruction Fuzzy Hash: 5E417972301B8082EBA6EB62E59039D73A1FB88FC4F584215EB4D07BA5CF39C851C341

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000EAF4, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 000000014000EB80
GetProcAddress.KERNEL32 ref: 000000014000EBAE

Part of subcall function 0000000140003484: ActivateActCtx.KERNEL32 ref: 00000001400034AD

Strings

CloseTouchInputHandle, xrefs: 000000014000EBA7
user32.dll, xrefs: 000000014000EB3C
GetTouchInputInfo, xrefs: 000000014000EB79

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AddressProc$Activate
String ID: CloseTouchInputHandle$GetTouchInputInfo$user32.dll
API String ID: 2388279185-1853737257
Opcode ID: 7bcd6e18c89b5a0ee52cb894df96b975e5f4c5824d84d89d9cb44b8ab43d2f0b
Instruction ID: 674a03b7be5368f96fd3ebee21f70eb9bf67c97f23cb6d0d31ffe2903fc52381
Opcode Fuzzy Hash: 7bcd6e18c89b5a0ee52cb894df96b975e5f4c5824d84d89d9cb44b8ab43d2f0b
Instruction Fuzzy Hash: 57416CB1240B8081FA56DB23A8587E573A4B79DFE0F080225FB6A577F0DF79CA018340

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004ABB0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 000000014004AC5E
ScreenToClient.USER32 ref: 000000014004AC6D
free.LIBCMT ref: 000000014004ACD5
SendMessageW.USER32 ref: 000000014004ACFE

Strings

@, xrefs: 000000014004AC93

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ClientCursorMessageScreenSendfree
String ID: @
API String ID: 1997331945-2766056989
Opcode ID: d0f0373757ebc08ed2594c5f6ff89a870126492b9b8f82b2dc71e29569976964
Instruction ID: 964366eea80c9c1a97caf0b4c4563dbffc6a0e0ab6583960b4dceba896ba3d29
Opcode Fuzzy Hash: d0f0373757ebc08ed2594c5f6ff89a870126492b9b8f82b2dc71e29569976964
Instruction Fuzzy Hash: 15418D32614A8082EB62DB13E4947D973A0FB9DBA8F454225EB5E47BB5DF3CC845CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400060F0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 66registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000140006121
GetProcAddress.KERNEL32 ref: 000000014000613A
RegCreateKeyExW.ADVAPI32 ref: 0000000140006201

Strings

RegCreateKeyTransactedW, xrefs: 0000000140006130
Advapi32.dll, xrefs: 000000014000611A

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AddressCreateHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1964897782-2994018265
Opcode ID: d0bef51350e641903b93814aada60ecbd3475644e0119cde3df2de94724071ea
Instruction ID: e5eb9f8341e7a536efec92736299cbac4e97a217b2f66a6f081ef37457842352
Opcode Fuzzy Hash: d0bef51350e641903b93814aada60ecbd3475644e0119cde3df2de94724071ea
Instruction Fuzzy Hash: AA31E376608B8486EB61CF56F48479AB3A5F78CBC4F144126EB9D83B69DF38C485CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140038BE4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000140038C23
GetProcAddress.KERNEL32 ref: 0000000140038C38
DeleteObject.GDI32 ref: 0000000140038C87

Part of subcall function 00000001400387DC: GetWindowRect.USER32 ref: 0000000140038865
Part of subcall function 00000001400387DC: OffsetRect.USER32 ref: 000000014003887B
Part of subcall function 00000001400387DC: CreateCompatibleDC.GDI32 ref: 00000001400388F2
Part of subcall function 00000001400387DC: SelectObject.GDI32 ref: 0000000140038911
Part of subcall function 00000001400387DC: SelectObject.GDI32 ref: 000000014003896C

Strings

DwmSetIconicThumbnail, xrefs: 0000000140038C2E
DWMAPI, xrefs: 0000000140038C11

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Object$RectSelect$AddressCompatibleCreateDeleteHandleModuleOffsetProcWindow
String ID: DWMAPI$DwmSetIconicThumbnail
API String ID: 1122452334-3761315311
Opcode ID: f1b225342cebea5cf88aee0c5757d368529468c2e0a817117dd3fe00f5bab149
Instruction ID: 9cde2bd7b4dfa7e7a816b07cbae715f79fbff8247e62265668201bb9920dcb61
Opcode Fuzzy Hash: f1b225342cebea5cf88aee0c5757d368529468c2e0a817117dd3fe00f5bab149
Instruction Fuzzy Hash: BD117636312B8881EA629B17A4447AA77A0EB8CFC0F485026EF4D03B64DF38D445C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140006038, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 48registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000140006065
GetProcAddress.KERNEL32 ref: 000000014000607A
RegOpenKeyExW.ADVAPI32 ref: 00000001400060CD

Strings

RegOpenKeyTransactedW, xrefs: 0000000140006070
Advapi32.dll, xrefs: 000000014000605E

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AddressHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 1337834000-3913318428
Opcode ID: 823e50985d2f76f5f683f0cbe0175e25aa830953b4a2309a9750c6d2d76f2305
Instruction ID: c343ee73282695ab5fa9b71c693c41e4e2ac164b5d9e47239ab62c00bc3414ed
Opcode Fuzzy Hash: 823e50985d2f76f5f683f0cbe0175e25aa830953b4a2309a9750c6d2d76f2305
Instruction Fuzzy Hash: A6112372208B54C2EA22CB66F84479AB3A1F788FD4F184225EB8917B78CF38C4418B01

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140064E18, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140064E81
SendMessageW.USER32 ref: 0000000140064E9E

Strings

F, xrefs: 0000000140064E56
G, xrefs: 0000000140064E5E
E, xrefs: 0000000140064E66

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MessageSend
String ID: E$F$G
API String ID: 3850602802-2285628837
Opcode ID: 256c5c326a83ae47373976dd64b2d1c66c7c5fcaabf4a31c02ec2c52d56b052d
Instruction ID: e953018724f22510b84fb92976922089004aa49496d65506a20dc8b619a2d175
Opcode Fuzzy Hash: 256c5c326a83ae47373976dd64b2d1c66c7c5fcaabf4a31c02ec2c52d56b052d
Instruction Fuzzy Hash: A411A57171069086FB769B13E9847E92691F78CBC4F284836FF4807BE5CB3AC4818740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001A3D0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014001A406
GetProcAddress.KERNEL32 ref: 000000014001A41B

Part of subcall function 0000000140006C80: GetModuleHandleW.KERNEL32 ref: 0000000140006CA5
Part of subcall function 0000000140006C80: GetProcAddress.KERNEL32 ref: 0000000140006CBA

Strings

RegDeleteKeyExW, xrefs: 000000014001A411
Advapi32.dll, xrefs: 000000014001A3FF

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyExW
API String ID: 1646373207-2191092095
Opcode ID: a36724835cba7b98259a117d0ed0601340068d9adb1bb18ce3b283179fd6372e
Instruction ID: 0ebe8cc1a51a708eb955468f1629185fccb3446b7ed8e0dd2fcb0b123509c151
Opcode Fuzzy Hash: a36724835cba7b98259a117d0ed0601340068d9adb1bb18ce3b283179fd6372e
Instruction Fuzzy Hash: AC113C7161668482FF168B27F44CBA923A0AB8DFD4F044525EF1A0B7B4DB7DC5858311

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400351F8, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,00000001400354D8), ref: 0000000140035225
GetProcAddress.KERNEL32(?,?,?,00000001400354D8), ref: 000000014003523A
GetFileAttributesExW.KERNEL32(?,?,?,00000001400354D8), ref: 0000000140035262

Strings

kernel32.dll, xrefs: 000000014003521E
GetFileAttributesTransactedW, xrefs: 0000000140035230

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AddressAttributesFileHandleModuleProc
String ID: GetFileAttributesTransactedW$kernel32.dll
API String ID: 3217448241-1378992308
Opcode ID: 6d622c70eca75d6dcfac8f8d13177a171f88a5508061f5548fd5a45da1248b1f
Instruction ID: df182c38b14bbacb1a256de50fdde66d1938c2cabd4163e7d9effaf662feb20d
Opcode Fuzzy Hash: 6d622c70eca75d6dcfac8f8d13177a171f88a5508061f5548fd5a45da1248b1f
Instruction Fuzzy Hash: CF015A3170AA84C5EB56AB53E84439A63A0EB9EFC1F1C8425EF4A43774CF78C982C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140006C80, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000140006CA5
GetProcAddress.KERNEL32 ref: 0000000140006CBA
RegDeleteKeyW.ADVAPI32 ref: 0000000140006CEF

Strings

RegDeleteKeyTransactedW, xrefs: 0000000140006CB0
Advapi32.dll, xrefs: 0000000140006C9E

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AddressDeleteHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyTransactedW
API String ID: 588496660-2168864297
Opcode ID: 9d0775ef054e7ce680c8af6e2d36b4ef15af5a098728733e74f9baa5b0acc9ff
Instruction ID: 8f87bf3c9f7aca5af542ca3de47ff3605ba25311c13374d79ca07895ba93b482
Opcode Fuzzy Hash: 9d0775ef054e7ce680c8af6e2d36b4ef15af5a098728733e74f9baa5b0acc9ff
Instruction Fuzzy Hash: BD010C7121568082FB66CB26F854BAAA3A2E74DFC8F188425EF8917BB4CF3DC551C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400826D8, Relevance: 7.8, APIs: 5, Instructions: 310stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140015AC0: ActivateActCtx.KERNEL32(?,?,?,000000014008273B), ref: 0000000140015AEE

lstrlenA.KERNEL32 ref: 0000000140082755
memcpy_s.LIBCMT ref: 00000001400827C6
VariantClear.OLEAUT32 ref: 000000014008299D

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ActivateClearVariantlstrlenmemcpy_s
String ID:
API String ID: 347659384-0
Opcode ID: 092183c94ebb1259ca5ae34fdd76da0adac0ad05cf225a17b6f1ca6c905e07ab
Instruction ID: a96c5a90bf376fbd2677b7d16ce25f0d922fe7330391fdaa04a0b3ee6d2c5118
Opcode Fuzzy Hash: 092183c94ebb1259ca5ae34fdd76da0adac0ad05cf225a17b6f1ca6c905e07ab
Instruction Fuzzy Hash: DAD18D37100A808AEB7A9F2698843ED23A4FB0D7E8F544616FB6A47BF5DB34C655C341

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400CB264, Relevance: 7.7, APIs: 5, Instructions: 166COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00000001400CB2EC
EqualRect.USER32 ref: 00000001400CB31B
BeginDeferWindowPos.USER32 ref: 00000001400CB32A
EndDeferWindowPos.USER32 ref: 00000001400CB352

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$DeferRect$BeginEqual
String ID:
API String ID: 2366145349-0
Opcode ID: 74e592846ae260f0249528be17d933f1d1e4f93d768b25a60fca9e94d6c0bfdb
Instruction ID: bf4f56e661ff66141fb1396a5e04d513a323ac483283cea008c48bbc1b42234d
Opcode Fuzzy Hash: 74e592846ae260f0249528be17d933f1d1e4f93d768b25a60fca9e94d6c0bfdb
Instruction Fuzzy Hash: 7D715A33B24B508AFB19CBA2E9487ED73B0B708BD9F544415EF1927AA9CB78C545C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140006A50, Relevance: 7.7, APIs: 5, Instructions: 155registryCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32 ref: 0000000140006C47

Part of subcall function 00000001400063D8: RegCloseKey.ADVAPI32 ref: 0000000140006486

RegQueryValueExW.ADVAPI32 ref: 0000000140006B25
RegQueryValueExW.ADVAPI32 ref: 0000000140006B86
wcsnlen.LIBCMT ref: 0000000140006B96
RegCloseKey.ADVAPI32 ref: 0000000140006BBE

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CloseQueryValue$PrivateProfileStringwcsnlen
String ID:
API String ID: 206682969-0
Opcode ID: 6b696c37e2fb120164b9bc334ccf9aae7cee82e0b0df4c01cc1a19b5745bb7d5
Instruction ID: bbc0bec00f37091b64fee0470bf907058df80d0b3238fc1b2943cfcab8d6f8d8
Opcode Fuzzy Hash: 6b696c37e2fb120164b9bc334ccf9aae7cee82e0b0df4c01cc1a19b5745bb7d5
Instruction Fuzzy Hash: 97519CB2301A4086EB56DB36A8547EE73A1FB88BD8F405125BB5E47BA9DF38C4858700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140082C58, Relevance: 7.6, APIs: 5, Instructions: 147memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0000000140082CE6
SysAllocString.OLEAUT32 ref: 0000000140082D2B
SysAllocString.OLEAUT32 ref: 0000000140082D95
SysAllocString.OLEAUT32 ref: 0000000140082DDD
SysAllocString.OLEAUT32 ref: 0000000140082E32

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 6dfe34a89cbd03ff48b417104f494aec6a3e6bccfc87c6811beee0c28ddb72ee
Instruction ID: 8f46e67792505aed1edaddb4bc7853d40e01bbde44993b1225f58af3f5c2d111
Opcode Fuzzy Hash: 6dfe34a89cbd03ff48b417104f494aec6a3e6bccfc87c6811beee0c28ddb72ee
Instruction Fuzzy Hash: 50613BB7210F4487E751DB26D88039D77A0F788BA4F444221EB6987BE5DF78C995C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140042634, Relevance: 7.6, APIs: 5, Instructions: 140COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 0000000140042721
ScreenToClient.USER32 ref: 0000000140042750
ScreenToClient.USER32 ref: 00000001400427AA
PtInRect.USER32 ref: 00000001400427DE
SetCursor.USER32 ref: 000000014004280C

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ClientCursorScreen$Rect
String ID:
API String ID: 1082406499-0
Opcode ID: 5965edc7fa4b71b5f716fe4e88a97c8f3a948f4a30608b07317e41d5fbd023e1
Instruction ID: 542b7dea1a2545df3d4aabf95b32061a3f5ee91a2d5bc97c0be10e1ed695524f
Opcode Fuzzy Hash: 5965edc7fa4b71b5f716fe4e88a97c8f3a948f4a30608b07317e41d5fbd023e1
Instruction Fuzzy Hash: C8514532B10A408AEB16DB27E9847ED73A0F748BD9F494026EF0907AA9DF78C4958744

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002ED18, Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 000000014002EEC8

Part of subcall function 000000014002E36C: VariantClear.OLEAUT32 ref: 000000014002ECF6

Part of subcall function 000000014003253C: VariantCopy.OLEAUT32 ref: 000000014003254A

VariantClear.OLEAUT32 ref: 000000014002EDD0
SysFreeString.OLEAUT32 ref: 000000014002EE9D
SysFreeString.OLEAUT32 ref: 000000014002EEAC
SysFreeString.OLEAUT32 ref: 000000014002EEBB

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Variant$ClearFreeString$Copy
String ID:
API String ID: 3003973349-0
Opcode ID: ac0bf1f4f88068e8b2086974bf3895e5c8fec2b3f34a3e3dbcab522a3d3bc2b1
Instruction ID: d2f97f4e73016f8f1d2d308f7a1fd20e9f6974eafdf23f7920d4d28bc01e14a7
Opcode Fuzzy Hash: ac0bf1f4f88068e8b2086974bf3895e5c8fec2b3f34a3e3dbcab522a3d3bc2b1
Instruction Fuzzy Hash: EF518B32341A848AEB62CF66D4547ED3374FB48B98F51522AEF1E57AA8DF34C949C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140070230, Relevance: 7.6, APIs: 5, Instructions: 122windowmemoryCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32 ref: 0000000140070269
SHGetDesktopFolder.SHELL32 ref: 000000014007027E
GlobalAlloc.KERNEL32 ref: 0000000140070297
SendMessageW.USER32 ref: 000000014007039B
SendMessageW.USER32 ref: 00000001400703B3

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: FolderMessageSend$AllocDesktopGlobalLocationSpecial
String ID:
API String ID: 1965538066-0
Opcode ID: be09044015a97ba25ed2217a471ee53e8bf0eee9bfa5f60d33d11f7803452fb5
Instruction ID: b01502da8970acb43c3404f7df9b181b1c04f80f540aef1098e4154845a576c5
Opcode Fuzzy Hash: be09044015a97ba25ed2217a471ee53e8bf0eee9bfa5f60d33d11f7803452fb5
Instruction Fuzzy Hash: 66517776701A408AE7058F7AD8547ED23B1FB88BA8F048329EF2947BE9DF39C1558340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140002948, Relevance: 7.6, APIs: 5, Instructions: 93libraryloaderCOMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32 ref: 0000000140002990
LoadLibraryA.KERNEL32 ref: 00000001400029B2
realloc.LIBCMT ref: 00000001400029D7

Part of subcall function 00000001401557E8: malloc.LIBCMT ref: 0000000140155805

GetProcAddress.KERNEL32 ref: 0000000140002A38
IsBadReadPtr.KERNEL32 ref: 0000000140002A68

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Read$AddressLibraryLoadProcmallocrealloc
String ID:
API String ID: 127335102-0
Opcode ID: cea8f199c73d725b9cacc388d34ad4c689cbf5dc99f4c2acf68b09e3d2ab8b8f
Instruction ID: 757a31ffa88d09af759843ea5e4baaba9dee7cc2598208a66f41e3edcc531505
Opcode Fuzzy Hash: cea8f199c73d725b9cacc388d34ad4c689cbf5dc99f4c2acf68b09e3d2ab8b8f
Instruction Fuzzy Hash: D3316872704B048BEB26CB1AE8947AA77A4FB89BC4F494425EF5D073A5DF38C852C705

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004A3A0, Relevance: 7.6, APIs: 5, Instructions: 90COMMON

Download Yara Rule

APIs

LoadCursorW.USER32 ref: 000000014004A3D7
LoadCursorW.USER32 ref: 000000014004A401
LoadCursorW.USER32 ref: 000000014004A424
CreatePen.GDI32 ref: 000000014004A4A7

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CursorLoad$Create
String ID:
API String ID: 1516763891-0
Opcode ID: 0716edf7723a662f6e95fae5aa3720ab706e560126b25971971d2598b9a8084f
Instruction ID: 50e3199cb46c78ee1206782df08e9e66485910907aafa93db230cb75d5890883
Opcode Fuzzy Hash: 0716edf7723a662f6e95fae5aa3720ab706e560126b25971971d2598b9a8084f
Instruction Fuzzy Hash: 11416B70640A4581FE17BB73A85D7ED2290AB8EBD5F480035AB0A4B3F2DEBDC4848355

Uniqueness

Uniqueness Score: -1.00%

Function 000000014009A190, Relevance: 7.6, APIs: 5, Instructions: 89windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 000000014009A1EB
SendMessageW.USER32(?,?,?,?,?,?,?,?,?,?,?,0000000140036C6C), ref: 000000014009A21A
GetWindowRect.USER32 ref: 000000014009A22F
SendMessageW.USER32(?,?,?,?,?,?,?,?,?,?,?,0000000140036C6C), ref: 000000014009A2B5
RedrawWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,0000000140036C6C), ref: 000000014009A2D1

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$MessageSend$RectRedrawVisible
String ID:
API String ID: 1695962874-0
Opcode ID: 8bd51dd6573c540f3aa7aa2d87f4430b7ab59fa242f2e5d4fc187b8633519e77
Instruction ID: 8cb16b94ad4a088e157b199f1df5fe3ec693aa0bfee399c9cefdcb17342b36c4
Opcode Fuzzy Hash: 8bd51dd6573c540f3aa7aa2d87f4430b7ab59fa242f2e5d4fc187b8633519e77
Instruction Fuzzy Hash: 184148367206948AEB11CF6AD454BAE77A5F78DFC8F144126EF4957B68CF39C4028B80

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140036148, Relevance: 7.6, APIs: 5, Instructions: 82COMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32 ref: 00000001400361BA
SelectObject.GDI32(?), ref: 00000001400361CB
AlphaBlend.MSIMG32(?), ref: 0000000140036230
SelectObject.GDI32 ref: 0000000140036245
DeleteDC.GDI32 ref: 0000000140036268

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ObjectSelect$AlphaBlendCompatibleCreateDelete
String ID:
API String ID: 3820319696-0
Opcode ID: 910c69f0a213be2e03e38b52362cceb47004988f00e9327a780fa460beda4051
Instruction ID: 8d18bc7fbb51ba4bedcb027bb40fd6baad443849b9caed77020fb38a94a73ee7
Opcode Fuzzy Hash: 910c69f0a213be2e03e38b52362cceb47004988f00e9327a780fa460beda4051
Instruction Fuzzy Hash: CD419276205790CAD7A1CF26E484B4E77A9F74DB94F254125DB8983B29CB35C881CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400BC1F8, Relevance: 7.6, APIs: 5, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?,?,?,00000001400BC3C3,?,00000020,00000001400BE90F), ref: 00000001400BC21D
GlobalLock.KERNEL32 ref: 00000001400BC23B
CreateStreamOnHGlobal.OLE32 ref: 00000001400BC259
EnterCriticalSection.KERNEL32 ref: 00000001400BC272
LeaveCriticalSection.KERNEL32 ref: 00000001400BC317

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Global$CriticalSection$AllocCreateEnterLeaveLockStream
String ID:
API String ID: 983187867-0
Opcode ID: 8cc6a40d446647607aa0aa75cffb6bc96b8b97dcff5a60276eed7c17ddbf868c
Instruction ID: 35c033032e564f5df16d8460d75279d209ae87ad3b2ce7aa08347285675972bb
Opcode Fuzzy Hash: 8cc6a40d446647607aa0aa75cffb6bc96b8b97dcff5a60276eed7c17ddbf868c
Instruction Fuzzy Hash: DF316D72620B0086EB16EB57E848B9923B0F78CBE1F654129EB29073F6DF79C944C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400847F4, Relevance: 7.6, APIs: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140018580: GetWindowDC.USER32 ref: 00000001400185BF

GetClientRect.USER32 ref: 0000000140084844
GetWindowRect.USER32 ref: 0000000140084862

Part of subcall function 0000000140018068: ScreenToClient.USER32 ref: 0000000140018081
Part of subcall function 0000000140018068: ScreenToClient.USER32 ref: 000000014001808F

OffsetRect.USER32 ref: 0000000140084884

Part of subcall function 0000000140017794: ExcludeClipRect.GDI32 ref: 00000001400177C1
Part of subcall function 0000000140017794: ExcludeClipRect.GDI32 ref: 00000001400177E1

OffsetRect.USER32 ref: 00000001400848A7

Part of subcall function 00000001400177F4: IntersectClipRect.GDI32 ref: 0000000140017821
Part of subcall function 00000001400177F4: IntersectClipRect.GDI32 ref: 0000000140017841

SendMessageW.USER32 ref: 00000001400848DE

Part of subcall function 00000001400185E4: ReleaseDC.USER32 ref: 0000000140018610

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$Clip$Client$ExcludeIntersectOffsetScreenWindow$MessageReleaseSend
String ID:
API String ID: 890540625-0
Opcode ID: 41a36498bb93cbd0b5eeaa83f6ed179d9daaea727ccc3eb4977c627f6aeed1c2
Instruction ID: 952c7f3cfbbaffb1520779df4faa4fb0abd9889f5f4c820f07c3ae24c112d0b8
Opcode Fuzzy Hash: 41a36498bb93cbd0b5eeaa83f6ed179d9daaea727ccc3eb4977c627f6aeed1c2
Instruction Fuzzy Hash: D531F272B20A658AEB00DBA2D8557DC3331F349BAEF404512DE1E6BAA9DF74C509C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004AA10, Relevance: 7.6, APIs: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014004A218: GetWindowRect.USER32 ref: 000000014004A283
Part of subcall function 000000014004A218: CreateRoundRectRgn.GDI32 ref: 000000014004A2BF
Part of subcall function 000000014004A218: SetWindowRgn.USER32 ref: 000000014004A2DC

GetSystemMenu.USER32 ref: 000000014004AAAA
DeleteMenu.USER32 ref: 000000014004AACC
DeleteMenu.USER32 ref: 000000014004AADE
DeleteMenu.USER32 ref: 000000014004AAF0
EnableMenuItem.USER32 ref: 000000014004AB15

Part of subcall function 0000000140041590: SetRectEmpty.USER32 ref: 00000001400415C1
Part of subcall function 0000000140041590: ReleaseCapture.USER32 ref: 00000001400415C7
Part of subcall function 0000000140041590: SetCapture.USER32 ref: 00000001400415DD
Part of subcall function 0000000140041590: GetCapture.USER32 ref: 0000000140041622
Part of subcall function 0000000140041590: ReleaseCapture.USER32 ref: 0000000140041635
Part of subcall function 0000000140041590: SetCapture.USER32 ref: 000000014004164B

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CaptureMenu$DeleteRect$ReleaseWindow$CreateEmptyEnableItemRoundSystem
String ID:
API String ID: 2896308491-0
Opcode ID: a797873e470b573e0b9e3f6a77403e1bd92ba72d16aaba9a0817fbab62a825bb
Instruction ID: 44394a5a453c3096879ee702a1531938104353aff692c68d37a1148caa6407c9
Opcode Fuzzy Hash: a797873e470b573e0b9e3f6a77403e1bd92ba72d16aaba9a0817fbab62a825bb
Instruction Fuzzy Hash: 34315E35710A8086EBA29F23D4947E963A0EBCDFC4F598035EF0A4BB65DF38C8418740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140078440, Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014007846E
SendMessageW.USER32 ref: 00000001400784A7
SendMessageW.USER32 ref: 00000001400784D7
SendMessageW.USER32 ref: 0000000140078526
SendMessageW.USER32 ref: 000000014007853B

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: fe1bd1a6cb5663938efb86590901f3154fda278a4323ce29691b24869b633573
Instruction ID: 8acddad1c99585f482b59ace4a5df4bd41f7633c84fa748c7f915a1e0d2e5fe9
Opcode Fuzzy Hash: fe1bd1a6cb5663938efb86590901f3154fda278a4323ce29691b24869b633573
Instruction Fuzzy Hash: 993178B6250B81CAEB21CF62D800BDC3720F788B8DF504912FF1917A58CB38C946C791

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140064ED0, Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140064F47
SendMessageW.USER32(?,?,?,?,?,?,?,0000000140039EC1), ref: 0000000140064F66
GetDesktopWindow.USER32 ref: 0000000140064F6C
SendMessageW.USER32(?,?,?,?,?,?,?,0000000140039EC1), ref: 0000000140064F9A
GetWindow.USER32 ref: 0000000140064FA8

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MessageSend$Window$Desktop
String ID:
API String ID: 697626773-0
Opcode ID: aba7e8f5ab57dd410674b4a4a2ad36cb4c8460fbf2d2ea4b15367790a030d02d
Instruction ID: 660098950733858a21d644e0dd3fe009b804d7de18244d4a7cebd35cbbad9e08
Opcode Fuzzy Hash: aba7e8f5ab57dd410674b4a4a2ad36cb4c8460fbf2d2ea4b15367790a030d02d
Instruction Fuzzy Hash: 0121A43031068082FB1A9B63E9157EE5292BB8DFC4F254425FF5A4BFA5EF39C4408301

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000CFB0, Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ActivateActCtx.KERNEL32 ref: 000000014000CFE7
CreateWindowExW.USER32 ref: 000000014000D06A
GetLastError.KERNEL32 ref: 000000014000D084
DeactivateActCtx.KERNEL32 ref: 000000014000D097
SetLastError.KERNEL32 ref: 000000014000D0A3

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ErrorLast$ActivateCreateDeactivateWindow
String ID:
API String ID: 3635781065-0
Opcode ID: a28a4dc8c3d6dc384266da3b34db15ba54cc034e5152bc5c2f3917e4dd5d78a4
Instruction ID: 478b844f315a397512abf4a4c8b708f1b2d67725f5f43492ec7aacb4c3a2c283
Opcode Fuzzy Hash: a28a4dc8c3d6dc384266da3b34db15ba54cc034e5152bc5c2f3917e4dd5d78a4
Instruction Fuzzy Hash: 7A31D776214B8486E7619B56F88479AB7E5F78CBC0F14402AEF8D83B68DF78C445CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400903E4, Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 0000000140090436
GetWindowRect.USER32 ref: 000000014009045B
PtInRect.USER32 ref: 0000000140090468
GetWindowRect.USER32 ref: 0000000140090491
PtInRect.USER32 ref: 000000014009049E

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$Window
String ID:
API String ID: 924285169-0
Opcode ID: 983b8341effc2ccf395289f78b04a4cda4b0446c41e85f63695d1f902a406dbd
Instruction ID: 3c2f25826f0250aaf2588a12e6cd9c1915c8ed8849c88a10f0a0a34914a9fd20
Opcode Fuzzy Hash: 983b8341effc2ccf395289f78b04a4cda4b0446c41e85f63695d1f902a406dbd
Instruction Fuzzy Hash: E6310972712A118AFB02DB62D8587ED33B0B748BAAF084425DB49576B9DF78C5498740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007249C, Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400184DC: GetDC.USER32 ref: 000000014001851B

IsRectEmpty.USER32 ref: 00000001400724D9
InvertRect.USER32 ref: 00000001400724EE
SetRectEmpty.USER32 ref: 0000000140072503
GetClientRect.USER32 ref: 0000000140072523
InvertRect.USER32 ref: 0000000140072575

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$EmptyInvert$Client
String ID:
API String ID: 2328105127-0
Opcode ID: f0a20f0060fa47b0f96d2c103e4a05ff0566470ba0808994430d002666eaecb8
Instruction ID: 7009a2335fc3ea584c1694582a69ce49f88553e251422c10ac46b918df58cfee
Opcode Fuzzy Hash: f0a20f0060fa47b0f96d2c103e4a05ff0566470ba0808994430d002666eaecb8
Instruction Fuzzy Hash: CD318932B10A40DAE714DB72D8847ED73B1F348B9AF404521EF1DA3A69DB38D965CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400B8858, Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32 ref: 00000001400B88A7
SelectObject.GDI32 ref: 00000001400B88BB
SetDIBColorTable.GDI32 ref: 00000001400B88D1
SelectObject.GDI32 ref: 00000001400B88E4
DeleteDC.GDI32 ref: 00000001400B8903

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ObjectSelect$ColorCompatibleCreateDeleteTable
String ID:
API String ID: 3899591553-0
Opcode ID: 7e5eb09d72c8d99abfe0ed8a658b08655f927f601875ce6dea40a1fd15ceace1
Instruction ID: 2b5e7e0b8b3a58b88e39a0a35d7d85f31e7454ab01538693bb3598d2a2bc0c2b
Opcode Fuzzy Hash: 7e5eb09d72c8d99abfe0ed8a658b08655f927f601875ce6dea40a1fd15ceace1
Instruction Fuzzy Hash: D2214932210B508AEB5A8F66D4947693374FB88FD8F545026EF4A57B79CF35C891C780

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140064458, Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0000000140064471
GetWindowLongW.USER32 ref: 00000001400644B1
ShowWindow.USER32(?,?,?,0000000140066570,?,?,?,0000000140037025), ref: 00000001400644CC
GetWindow.USER32 ref: 0000000140064512

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$DesktopLongShow
String ID:
API String ID: 1948769292-0
Opcode ID: bc688d230990344f864994a62ff24e94a7ea155533921de2fb092f1c79a52e15
Instruction ID: 2c2d1ed236d53e5ad9b1738a1e059dc33088e959ce69eb5275fa39aa202ee49a
Opcode Fuzzy Hash: bc688d230990344f864994a62ff24e94a7ea155533921de2fb092f1c79a52e15
Instruction Fuzzy Hash: B6219631200B8447FB6ACB17AC143AA6392EB59FD0F285924EB5B073A6DF38C8418300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400BC334, Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,?,00000020,00000001400BE90F), ref: 00000001400BC372
LoadResource.KERNEL32(?,00000020,00000001400BE90F), ref: 00000001400BC38A
LockResource.KERNEL32(?,00000020,00000001400BE90F), ref: 00000001400BC39B
SizeofResource.KERNEL32(?,00000020,00000001400BE90F), ref: 00000001400BC3AF
FreeResource.KERNEL32(?,00000020,00000001400BE90F), ref: 00000001400BC3C8

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Resource$FindFreeLoadLockSizeof
String ID:
API String ID: 4159136517-0
Opcode ID: 01ac08799de8958622d7e2121a36748273dfc775b8f317e4b3a970e4c0d6433d
Instruction ID: b612e2aada4b2bc02d3d723650263713334d063394674a956c6fa84c840c2b10
Opcode Fuzzy Hash: 01ac08799de8958622d7e2121a36748273dfc775b8f317e4b3a970e4c0d6433d
Instruction Fuzzy Hash: 63118E31315B8085EA46DFA76988BAA62E0BB4EFD0F484435EF1A07B65EF38C5418340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140024818, Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

GetMapMode.GDI32 ref: 0000000140024836
GetDeviceCaps.GDI32 ref: 0000000140024879
GetDeviceCaps.GDI32 ref: 000000014002488A

Part of subcall function 0000000140018210: GetWindowExtEx.GDI32 ref: 0000000140018229
Part of subcall function 0000000140018210: GetViewportExtEx.GDI32 ref: 0000000140018238
Part of subcall function 0000000140018210: MulDiv.KERNEL32 ref: 0000000140018259
Part of subcall function 0000000140018210: MulDiv.KERNEL32 ref: 000000014001827D

MulDiv.KERNEL32 ref: 00000001400248AC
MulDiv.KERNEL32 ref: 00000001400248BC

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CapsDevice$ModeViewportWindow
String ID:
API String ID: 2598972148-0
Opcode ID: c1e2679814eadaa2858d014a204ed85270a1feb217b462a3a9371724a8d840fe
Instruction ID: eac657af63fd1e49242d006de7a43dc9ce252686840de1d3378b159406823696
Opcode Fuzzy Hash: c1e2679814eadaa2858d014a204ed85270a1feb217b462a3a9371724a8d840fe
Instruction Fuzzy Hash: 7B11F939710A4083EB159F26E4987AEA361EB8DFD0F288426DB5A47768CF39CC468740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400248D8, Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

GetMapMode.GDI32 ref: 00000001400248F6
GetDeviceCaps.GDI32 ref: 0000000140024939
GetDeviceCaps.GDI32 ref: 000000014002494A

Part of subcall function 000000014001818C: GetWindowExtEx.GDI32 ref: 00000001400181A5
Part of subcall function 000000014001818C: GetViewportExtEx.GDI32 ref: 00000001400181B4
Part of subcall function 000000014001818C: MulDiv.KERNEL32 ref: 00000001400181D5
Part of subcall function 000000014001818C: MulDiv.KERNEL32 ref: 00000001400181F9

MulDiv.KERNEL32 ref: 000000014002496A
MulDiv.KERNEL32 ref: 000000014002497D

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CapsDevice$ModeViewportWindow
String ID:
API String ID: 2598972148-0
Opcode ID: ba34fd6ca90d10131df7445e7b8588eec108d5e815461460d56463e755e871a9
Instruction ID: f0227bdef8c72b284ed9f56c4fc5a1e85bd2be9cf670ca2afa0b269fc0505d7e
Opcode Fuzzy Hash: ba34fd6ca90d10131df7445e7b8588eec108d5e815461460d56463e755e871a9
Instruction Fuzzy Hash: 5C110A75700A4083EB159F22E8987AA7361F78DFD0F248425DF9A477A8CF39CC868740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004EC04, Relevance: 7.6, APIs: 5, Instructions: 52COMMON

Download Yara Rule

APIs

FillRect.USER32 ref: 000000014004EC40
GetParent.USER32 ref: 000000014004EC56
GetClientRect.USER32 ref: 000000014004EC6D
GetParent.USER32 ref: 000000014004EC77
MapWindowPoints.USER32 ref: 000000014004EC98

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ParentRect$ClientFillPointsWindow
String ID:
API String ID: 3058756167-0
Opcode ID: a5b49e3d3974a3cf206968cec4ff9d40599d862dd49fdff779b7d35563bd9ad2
Instruction ID: 1ac46ebd2c3a5f2809956df8e127f456660349fe7a12ea54e1367eaa38f4b29a
Opcode Fuzzy Hash: a5b49e3d3974a3cf206968cec4ff9d40599d862dd49fdff779b7d35563bd9ad2
Instruction Fuzzy Hash: 1C114776214A8082EA159B66F4987AAB361FB8CFD9F004126EF8E43B64CF38C545C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007CF1C, Relevance: 7.6, APIs: 5, Instructions: 51windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000000014007CF3E
GetParent.USER32 ref: 000000014007CF68
PostMessageW.USER32 ref: 000000014007CF90
GetParent.USER32 ref: 000000014007CFA9
PostMessageW.USER32 ref: 000000014007CFD1

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Parent$MessagePost
String ID:
API String ID: 2076725448-0
Opcode ID: cdcc6fdc22c9e9894efecfdc7685069448ddcafab9f5c644d1a2f82fc61c839a
Instruction ID: 2daf5f725b8f655aad1858a13454cd2bfdf331331cfad70c2d74af51f78d3c25
Opcode Fuzzy Hash: cdcc6fdc22c9e9894efecfdc7685069448ddcafab9f5c644d1a2f82fc61c839a
Instruction Fuzzy Hash: CB11163571168082EE0ADB63B5643AA6360A78DFC8F044135FF0E5BB6ADE39C5458340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400570E4, Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

SetCapture.USER32 ref: 0000000140057105
GetCursorPos.USER32 ref: 0000000140057143
LoadCursorW.USER32 ref: 0000000140057176
SetCursor.USER32 ref: 000000014005717F
GetCursorPos.USER32 ref: 000000014005718C

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Cursor$CaptureLoad
String ID:
API String ID: 1460996051-0
Opcode ID: e9376b93a6e77239ec606478ffd40dca929dcd85cc0831bacdfcc524a41bb4d6
Instruction ID: 1569ba4b989bc218a4b82c433eda5ec8bd3729d221f4cbb124fd9be12d7c5717
Opcode Fuzzy Hash: e9376b93a6e77239ec606478ffd40dca929dcd85cc0831bacdfcc524a41bb4d6
Instruction Fuzzy Hash: A821F931601A8581EF56DF67E8587E92360EB99FC9F084035EB0E4B3B5DE3AC4899315

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140002B4C, Relevance: 7.6, APIs: 5, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,0000000140002D3F,?,?,?,00000001400012C0), ref: 0000000140002BA6
free.LIBCMT ref: 0000000140002BBB
VirtualFree.KERNEL32(?,?,?,0000000140002D3F,?,?,?,00000001400012C0), ref: 0000000140002BD1
GetProcessHeap.KERNEL32(?,?,?,0000000140002D3F,?,?,?,00000001400012C0), ref: 0000000140002BD7
HeapFree.KERNEL32(?,?,?,0000000140002D3F,?,?,?,00000001400012C0), ref: 0000000140002BE5

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Free$Heap$LibraryProcessVirtualfree
String ID:
API String ID: 831075735-0
Opcode ID: 6ac62a77bbb3a6cce43fadfa29995754d2ab38eb1740dbf7484921f4acface18
Instruction ID: 65c5f84c1fb216ab80269f78d6d1410d0a1d3d94f351e0c7876cbae6784f0df7
Opcode Fuzzy Hash: 6ac62a77bbb3a6cce43fadfa29995754d2ab38eb1740dbf7484921f4acface18
Instruction Fuzzy Hash: 2A118972610A4082EB55DF67E49479973A0FB88F98F144625DB6A476F8CF34C492C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000CDDC, Relevance: 7.5, APIs: 5, Instructions: 45registryCOMMON

Download Yara Rule

APIs

ActivateActCtx.KERNEL32 ref: 000000014000CE0C
RegisterClassW.USER32 ref: 000000014000CE25
GetLastError.KERNEL32 ref: 000000014000CE41
DeactivateActCtx.KERNEL32 ref: 000000014000CE55
SetLastError.KERNEL32 ref: 000000014000CE61

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ErrorLast$ActivateClassDeactivateRegister
String ID:
API String ID: 402371002-0
Opcode ID: 0ebbfd8d1a880ab05df4d7138127200cd154379e2aa22e1735fe77e0dc3a7ef1
Instruction ID: 72293ebe108c3628bf3388a874c06c1adbaa260d71b6d0a2239dddbf418427db
Opcode Fuzzy Hash: 0ebbfd8d1a880ab05df4d7138127200cd154379e2aa22e1735fe77e0dc3a7ef1
Instruction Fuzzy Hash: E6116976214B9482E7219B26E4447AAB3A4FB8CFD1F595115EF8A477B4DF38C441C704

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000CE80, Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

ActivateActCtx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140012A68), ref: 000000014000CEAF
GetClassInfoW.USER32 ref: 000000014000CEC7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140012A68), ref: 000000014000CEDE
DeactivateActCtx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140012A68), ref: 000000014000CEF1
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140012A68), ref: 000000014000CEFD

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ErrorLast$ActivateClassDeactivateInfo
String ID:
API String ID: 1248994726-0
Opcode ID: a27387b88edce1088706fc2d9686ddbc99585a1f6c33a59d807a35db240a0caa
Instruction ID: ac00bceb0d6c0a97b3f64c9f20a6a176df96c101060f1198d6ed8a68e365859a
Opcode Fuzzy Hash: a27387b88edce1088706fc2d9686ddbc99585a1f6c33a59d807a35db240a0caa
Instruction Fuzzy Hash: 82018C72204B8182E7119BA7E8847AAA7A5FB8CFD1F184135EF4987778CFB8C4498701

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000CF18, Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

ActivateActCtx.KERNEL32 ref: 000000014000CF47
GetClassInfoExW.USER32 ref: 000000014000CF5F
GetLastError.KERNEL32 ref: 000000014000CF76
DeactivateActCtx.KERNEL32 ref: 000000014000CF89
SetLastError.KERNEL32 ref: 000000014000CF95

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ErrorLast$ActivateClassDeactivateInfo
String ID:
API String ID: 1248994726-0
Opcode ID: c9a960cdc5b98aa9eff6260b36fce243f72d58575e37609e00be588f57a6565e
Instruction ID: dbdd3642dc0c8267ba176efcc86c547241461e2a602915aaf9a3105d5e2e6f0c
Opcode Fuzzy Hash: c9a960cdc5b98aa9eff6260b36fce243f72d58575e37609e00be588f57a6565e
Instruction Fuzzy Hash: ED018C72204B8182EB119FA3B8847AAA7A5FB8CFD1F184135EF4987778CF78C4498701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140020AF0, Relevance: 7.5, APIs: 5, Instructions: 41windowCOMMON

Download Yara Rule

APIs

ScreenToClient.USER32 ref: 0000000140020B0A
SendMessageW.USER32 ref: 0000000140020B30
ClientToScreen.USER32 ref: 0000000140020B41
GetWindowLongW.USER32 ref: 0000000140020B4F
GetParent.USER32 ref: 0000000140020B5E

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ClientScreen$LongMessageParentSendWindow
String ID:
API String ID: 4240056119-0
Opcode ID: 1b98adafd262570aa75c733690eb0c5a3c3c9109bc8c20341a784f62ab307b32
Instruction ID: 24506f09f76eecc60dd5ebeb33aca21dd082c0dfa10eb9e48d63405520a44274
Opcode Fuzzy Hash: 1b98adafd262570aa75c733690eb0c5a3c3c9109bc8c20341a784f62ab307b32
Instruction Fuzzy Hash: FD01B12132478082EB528F1BA6853BAA261FB88BD1F405125FE5643BB9DF7CC9498700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014014EAFC, Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 000000014014EB1A
GlobalLock.KERNEL32 ref: 000000014014EB2B
CreateDCW.GDI32 ref: 000000014014EB55
GlobalUnlock.KERNEL32(?,?,?,000000014014ED39), ref: 000000014014EB61
GlobalUnlock.KERNEL32(?,?,?,000000014014ED39), ref: 000000014014EB6F

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Global$LockUnlock$Create
String ID:
API String ID: 2536725124-0
Opcode ID: ec7e6ef878dd4056c21a6e244599bd42cc85fea0260fd2882768301ccfc14b17
Instruction ID: 83728f8bf46cd744069c8bb9420f488bd5b648063b95676f24377cb305c4e38d
Opcode Fuzzy Hash: ec7e6ef878dd4056c21a6e244599bd42cc85fea0260fd2882768301ccfc14b17
Instruction Fuzzy Hash: F7012D3160565582EE669B17B5847B9A2E0EB5CFD4F485531EF8747B74EF3CC4418300

Uniqueness

Uniqueness Score: -1.00%

Function 000000014015AD50, Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000000014015AD87
GetCurrentProcessId.KERNEL32 ref: 000000014015AD92
GetCurrentThreadId.KERNEL32 ref: 000000014015AD9E
GetTickCount.KERNEL32 ref: 000000014015ADAA
QueryPerformanceCounter.KERNEL32 ref: 000000014015ADBB

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 1176603d26c24d338d3f1b1ea677ddd4f27970e01bc1473c738b397ff2e20285
Instruction ID: 778f561e591a7860c1dc15af84e9c352da9d81d0a7793e41745227f6fb31dc80
Opcode Fuzzy Hash: 1176603d26c24d338d3f1b1ea677ddd4f27970e01bc1473c738b397ff2e20285
Instruction Fuzzy Hash: 45015B31255A4482E7A28F22E8847996360F74DF91F446521EF6E47BB4DB7CCD968340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140064CBC, Relevance: 7.5, APIs: 5, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 0000000140064CEC
PostMessageW.USER32 ref: 0000000140064D05
GetCapture.USER32 ref: 0000000140064D0B
ReleaseCapture.USER32 ref: 0000000140064D17
PostMessageW.USER32 ref: 0000000140064D4D

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Message$CapturePost$PeekRelease
String ID:
API String ID: 1125932295-0
Opcode ID: f1c124cc8df63aa99e76f69a26a1133db932f6764dc4429472c5ce5f3ae79f16
Instruction ID: 4b8cf2c2bd4e145d56cb21f6d00d4caf4e30d50bcca516ac4fafe5134ccf9b71
Opcode Fuzzy Hash: f1c124cc8df63aa99e76f69a26a1133db932f6764dc4429472c5ce5f3ae79f16
Instruction Fuzzy Hash: 21018F32721541C3FB269F62E858BAA2660FB98F8DF505424EF1907EA4EF3AC0458B00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007C7CC, Relevance: 7.5, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

PtInRect.USER32 ref: 000000014007C7E8
RedrawWindow.USER32 ref: 000000014007C80B
PtInRect.USER32 ref: 000000014007C826
ReleaseCapture.USER32 ref: 000000014007C836
RedrawWindow.USER32 ref: 000000014007C84B

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: RectRedrawWindow$CaptureRelease
String ID:
API String ID: 1080614547-0
Opcode ID: 849b7dac542a7e402fbdac539d57e3460c254b35b4b7ed504405d3cc39793a74
Instruction ID: ce71c991147fc1e75852e9e858246db124b6d96f635e8c8489a030707b10b9e5
Opcode Fuzzy Hash: 849b7dac542a7e402fbdac539d57e3460c254b35b4b7ed504405d3cc39793a74
Instruction Fuzzy Hash: 8B012C76A10690C2FB658B73E458FE82260E758F89F084439DF02572B4DF7DC4468710

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400381DC, Relevance: 7.5, APIs: 5, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 000000014003821E
EnterCriticalSection.KERNEL32 ref: 000000014003822B
EnterCriticalSection.KERNEL32 ref: 0000000140038240
GdiplusShutdown.GDIPLUS ref: 0000000140038252
LeaveCriticalSection.KERNEL32 ref: 0000000140038266

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CriticalSection$Enter$DeleteGdiplusLeaveObjectShutdown
String ID:
API String ID: 1513102227-0
Opcode ID: 53eca0f12ffb6928e98bebb7d66d37f06a38996b1d967d9d94a287263610c603
Instruction ID: 38739bd9191d0e7b069c82094bf5e22cc2fffe90788eeb1a2ccaa3b6f6ad3b14
Opcode Fuzzy Hash: 53eca0f12ffb6928e98bebb7d66d37f06a38996b1d967d9d94a287263610c603
Instruction Fuzzy Hash: 38112A72512A008AEB56DB16E888BE93370F71CF2AF200A04D71A061F0CBB9C65BC784

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140159088, Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000140159091
_errno.LIBCMT ref: 0000000140159099

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: c9ca9f45759c5bceeabb886aa84ffaf01f5978fb8e526404072b7bcb145e9ed3
Instruction ID: 190db75476c07390cadd81c9caeded92d33b9d2f887192085e3914a1a17b536c
Opcode Fuzzy Hash: c9ca9f45759c5bceeabb886aa84ffaf01f5978fb8e526404072b7bcb145e9ed3
Instruction Fuzzy Hash: 64018CB2210A0484EA072B27C8913ED6264AB98F71F594700E73A0B3F6C77EC4418252

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140050614, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetBkColor.GDI32 ref: 000000014005066F
GetTextColor.GDI32 ref: 000000014005070D

Part of subcall function 0000000140017648: SetBkMode.GDI32 ref: 0000000140017663
Part of subcall function 0000000140017648: SetBkMode.GDI32 ref: 0000000140017674

Part of subcall function 00000001400188D4: SelectObject.GDI32(?,?,00000000,0000000140015F78), ref: 0000000140018904
Part of subcall function 00000001400188D4: SelectObject.GDI32(?,?,00000000,0000000140015F78), ref: 000000014001891F

GetBkColor.GDI32 ref: 0000000140050917

Strings

$, xrefs: 0000000140050809

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Color$ModeObjectSelect$Text
String ID: $
API String ID: 1460252324-3993045852
Opcode ID: c6df075b774ab249cca92e9bb85c0783471b0d7e61a82234b945257f027579c1
Instruction ID: 64fe14ab558e0b5ca25990a53cb860f949174546d1486a9e3fb9d51d15b5eef6
Opcode Fuzzy Hash: c6df075b774ab249cca92e9bb85c0783471b0d7e61a82234b945257f027579c1
Instruction Fuzzy Hash: 45B15636B14A548BE715CF7AD488BAD37A1F74CBC8F004615EF0A63BA8CB35D9458B40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400622F0, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 220COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 0000000140062386
free.LIBCMT ref: 0000000140062599

Strings

%sDockingManager-%d, xrefs: 000000014006237A
DockingPaneAndPaneDividers, xrefs: 000000014006257F

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: _cwprintf_s_lfree
String ID: %sDockingManager-%d$DockingPaneAndPaneDividers
API String ID: 52267941-4068244756
Opcode ID: b88ce1b3326419acbae801e108e8c930e8cd2a0e7f347a62d409c828f28afbdc
Instruction ID: 4f91799b38b84f01a5539dc4346fb95b19903c4f87e5c1e6a9ed9f232dbc51fd
Opcode Fuzzy Hash: b88ce1b3326419acbae801e108e8c930e8cd2a0e7f347a62d409c828f28afbdc
Instruction Fuzzy Hash: B391AF72201E8082EA169B27D9147DA6362FB89BE0F544612FF6E47BF5DF38C945C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007D1D0, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 165COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140017648: SetBkMode.GDI32 ref: 0000000140017663
Part of subcall function 0000000140017648: SetBkMode.GDI32 ref: 0000000140017674

InflateRect.USER32 ref: 000000014007D37C
OffsetRect.USER32 ref: 000000014007D38B
OffsetRect.USER32 ref: 000000014007D3A3

Strings

%, xrefs: 000000014007D3BE

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$ModeOffset$Inflate
String ID: %
API String ID: 3790764107-2567322570
Opcode ID: 2932ba7e76a200afd0ec4e26e241c8e1f48179c1a5f04efade05387944efaee5
Instruction ID: 6a1ee29f5fa1a134d0dd6141be3c6f6601ea2db9118195a04d6f65d7720ef8b2
Opcode Fuzzy Hash: 2932ba7e76a200afd0ec4e26e241c8e1f48179c1a5f04efade05387944efaee5
Instruction Fuzzy Hash: 50516936B10A548AEB51DF7A8904BEE37A5F74CBC8F088226EF09577A8DB38D5558700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140052CAC, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

FillRect.USER32 ref: 0000000140052D31
_cwprintf_s_l.LIBCMT ref: 0000000140052DDF
CreateRectRgnIndirect.GDI32 ref: 0000000140052E30

Part of subcall function 0000000140018A6C: CreateSolidBrush.GDI32 ref: 0000000140018A93

Strings

%d%%, xrefs: 0000000140052DD4

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CreateRect$BrushFillIndirectSolid_cwprintf_s_l
String ID: %d%%
API String ID: 1336714879-1518462796
Opcode ID: 56cffcb080434deabbfd52f9122d224ee7f36bb9e0efdefab55d503b9d4ce7ac
Instruction ID: 5335cbe596ff4f7d349c31f461f002360ff958c3e2549a8367f95b1842414535
Opcode Fuzzy Hash: 56cffcb080434deabbfd52f9122d224ee7f36bb9e0efdefab55d503b9d4ce7ac
Instruction Fuzzy Hash: 95616A36B00A408AEB11DF66D4547DD3371FB89BA8F504126EF5967BA8DF34C94AC780

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400671FC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32 ref: 00000001400672A9
WideCharToMultiByte.KERNEL32 ref: 0000000140067345
SetWindowPos.USER32 ref: 00000001400673A9

Strings

P, xrefs: 000000014006732F

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ByteCharCtrlMultiWideWindow
String ID: P
API String ID: 102189203-3110715001
Opcode ID: 77d987076da70331d391eab5be5e3ad91acf6ccb9d18d4fdbff4d2d25a1cfb72
Instruction ID: a8e74071d9d680fc8e14df082a422697dbdb314c9ed12116fcb9b9624c90c57c
Opcode Fuzzy Hash: 77d987076da70331d391eab5be5e3ad91acf6ccb9d18d4fdbff4d2d25a1cfb72
Instruction Fuzzy Hash: 2051D132200A4282FB259B2AD854BDE63A1FB89BB4F644715FB7D876F5DF78C9448700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003ADC8, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 0000000140096F35
free.LIBCMT ref: 0000000140097007

Strings

%sMDIClientArea-%d, xrefs: 0000000140096F29
MDITabsState, xrefs: 0000000140096FF0

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: _cwprintf_s_lfree
String ID: %sMDIClientArea-%d$MDITabsState
API String ID: 52267941-353449602
Opcode ID: 217c3805714e2e18d4027b94fe7daded5eee36936aa22062f9d3276600f27826
Instruction ID: 7d6c5f14f7ad958176fd4f0ca6ecf05048cd2c7bc0fbeff9492ba679eac4a5bd
Opcode Fuzzy Hash: 217c3805714e2e18d4027b94fe7daded5eee36936aa22062f9d3276600f27826
Instruction Fuzzy Hash: 11518172315A8182EB11DB2AE4507DE6360FBC9BE4F545222AB6D437F9DF38C845CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140068650, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 00000001400686FD

Part of subcall function 0000000140003F54: memcpy_s.LIBCMT ref: 0000000140004017

Part of subcall function 0000000140003F54: wcsnlen.LIBCMT ref: 0000000140003FAA

swprintf.LIBCMT ref: 00000001400687B5

Part of subcall function 0000000140155FC0: _vswprintf_s_l.LIBCMT ref: 0000000140155FDA

Strings

:%d, xrefs: 00000001400686ED, 00000001400687A5
- , xrefs: 000000014006871B, 000000014006872A, 0000000140068763, 0000000140068772

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: swprintf$_vswprintf_s_lmemcpy_swcsnlen
String ID: - $:%d
API String ID: 621187927-2359489159
Opcode ID: 96329ec361aab98062c44452823d8a933b620af602a0e409f329cd425a714d04
Instruction ID: 83abbdcdc462e836fe36ed5d3af5bfa9cd03ae28798c0d1c4c90c7cfe130cce4
Opcode Fuzzy Hash: 96329ec361aab98062c44452823d8a933b620af602a0e409f329cd425a714d04
Instruction Fuzzy Hash: E4518D32710E4195EB26EB27D8517DC2365BB48BC8F944126AF1E5BAB6EF34C905C340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400488A8, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 000000014004893A
_cwprintf_s_l.LIBCMT ref: 000000014004894C

Strings

%sMFCToolBar-%d, xrefs: 0000000140048933
%sMFCToolBar-%d%x, xrefs: 0000000140048945

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: %sMFCToolBar-%d$%sMFCToolBar-%d%x
API String ID: 2941638530-3776508225
Opcode ID: ff4e562cb4188f61d32fbdd9f6e162dce1232b2653e763be2e0818ecafac7409
Instruction ID: e2d0918110da44b0f2d174ca505ef89fbc2945dbffee0ec91369aeef1d6830df
Opcode Fuzzy Hash: ff4e562cb4188f61d32fbdd9f6e162dce1232b2653e763be2e0818ecafac7409
Instruction Fuzzy Hash: B7415772B00E4086EB159B6AD8457EC23A1FB89BF4F498726EF29577E5DF38C9418340

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001087C, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 55libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400213E4: EnterCriticalSection.KERNEL32 ref: 0000000140021422
Part of subcall function 00000001400213E4: InitializeCriticalSection.KERNEL32 ref: 000000014002143E
Part of subcall function 00000001400213E4: LeaveCriticalSection.KERNEL32 ref: 0000000140021452

GetProcAddress.KERNEL32 ref: 00000001400108F6
FreeLibrary.KERNEL32 ref: 0000000140010909

Strings

HtmlHelpW, xrefs: 00000001400108EC
hhctrl.ocx, xrefs: 00000001400108D3

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CriticalSection$AddressEnterFreeInitializeLeaveLibraryProc
String ID: HtmlHelpW$hhctrl.ocx
API String ID: 3379933665-3773518134
Opcode ID: 5cb877f24cf8501eb751f3a952355459559ae3c23f98bff53abaa6a23cde43eb
Instruction ID: 92e78cfa6aeaaa24a56306f4f419b489d392b40eebede4d56af339010b33d7a7
Opcode Fuzzy Hash: 5cb877f24cf8501eb751f3a952355459559ae3c23f98bff53abaa6a23cde43eb
Instruction Fuzzy Hash: 24214432211B5581EB06EB63E8543A963A4FB9CFC4F484429EB890B7A6DF79C950C380

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400368D4, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014003696E
GetProcAddress.KERNEL32 ref: 0000000140036983

Strings

DwmInvalidateIconicBitmaps, xrefs: 0000000140036979
DWMAPI, xrefs: 0000000140036967

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DWMAPI$DwmInvalidateIconicBitmaps
API String ID: 1646373207-1098356003
Opcode ID: 9e6473f88fbdd94caa62b6264b4351e1c74cea8a0133e843eeac7d8446ddd219
Instruction ID: cd5cda062f0e62b02c58d3249c2046ce7c324a71c68bf5713755053b59dc382f
Opcode Fuzzy Hash: 9e6473f88fbdd94caa62b6264b4351e1c74cea8a0133e843eeac7d8446ddd219
Instruction Fuzzy Hash: 5A215072214B4586EB638B27E4443AA63E4F78CB99F489125EB8D476A8DF7CD584CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140034D1C, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000140034D48
GetProcAddress.KERNEL32 ref: 0000000140034D63

Strings

COMCTL32.DLL, xrefs: 0000000140034D41
TaskDialogIndirect, xrefs: 0000000140034D59

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: COMCTL32.DLL$TaskDialogIndirect
API String ID: 1646373207-244319309
Opcode ID: 27b8847f9e1eb3e254eb3ae13684cad62beac6ff6810a3e443e30c8775e2ab03
Instruction ID: 300f7e3524f0e8f06c0f5f0ba034ac73b1b42df1cfcd8708db9ca738c3b70e27
Opcode Fuzzy Hash: 27b8847f9e1eb3e254eb3ae13684cad62beac6ff6810a3e443e30c8775e2ab03
Instruction Fuzzy Hash: EF218E31301B8091EB26DB62E5443DDA3A0FB4CB94F848621EB6D07AF5EF38D659C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140132084, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

EqualRect.USER32 ref: 00000001401320A4
SetWindowRgn.USER32 ref: 00000001401320CC
RedrawWindow.USER32 ref: 000000014013212E

Strings

X, xrefs: 00000001401320EB

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$EqualRectRedraw
String ID: X
API String ID: 960909151-3081909835
Opcode ID: 270480f439d970108798cd0524f9fe08fee5bc362280411ff1c2489bb1dbebc9
Instruction ID: d6e7f257a25a52d3299581ab6f0c66514018eab14de9e07d83fce2b90aac711b
Opcode Fuzzy Hash: 270480f439d970108798cd0524f9fe08fee5bc362280411ff1c2489bb1dbebc9
Instruction Fuzzy Hash: 54116A72A1068087E715DF2AE588B9D7761F798B88F58C124EF890B668DF79D498CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004EB50, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FillRect.USER32 ref: 000000014004EB7D
InflateRect.USER32 ref: 000000014004EBBF
DrawEdge.USER32 ref: 000000014004EBE1

Strings

iii, xrefs: 000000014004EB83

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$DrawEdgeFillInflate
String ID: iii
API String ID: 785442924-940974255
Opcode ID: e4a354a6cab911887cd82985d571a0d524c850a87b9a27dddb39948ecb03a11d
Instruction ID: 56c3f05d69f54d20d863cbea8cd92cb8d886884e5003955f5841e96fd4424179
Opcode Fuzzy Hash: e4a354a6cab911887cd82985d571a0d524c850a87b9a27dddb39948ecb03a11d
Instruction Fuzzy Hash: 6D111C32614A8587D7218F26E594799B360F78CBA8F449219EB8907A69CF3CD945CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004C8A4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 000000014004C8EA
InflateRect.USER32 ref: 000000014004C922

Strings

iii, xrefs: 000000014004C8CF, 000000014004C900
, xrefs: 000000014004C8C8, 000000014004C907

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: InflateRect
String ID: iii$
API String ID: 2073123975-462628325
Opcode ID: b93c8a059e8944fd940ed4d70d6b2701b15e4a27f72f678c994700c37965c78b
Instruction ID: 016e9aa797f82d2af14bb96562134dfd5f112c54f661e7a59eb3ba14fb045451
Opcode Fuzzy Hash: b93c8a059e8944fd940ed4d70d6b2701b15e4a27f72f678c994700c37965c78b
Instruction Fuzzy Hash: C201E93435024086E6269B37AA8CFA8B661E75DBE9F048224AE1507BF4CB7D9D818B40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000E1EC, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00000000,000000014000F5E8,?,?,00000400,0000000140013249), ref: 000000014000E20E
LoadLibraryW.KERNEL32(?,?,?,?,?,?,00000000,000000014000F5E8,?,?,00000400,0000000140013249), ref: 000000014000E221
GetProcAddress.KERNEL32(?,?,?,?,?,?,00000000,000000014000F5E8,?,?,00000400,0000000140013249), ref: 000000014000E23F

Strings

InitCommonControls, xrefs: 000000014000E238

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: InitCommonControls
API String ID: 310444273-2489084829
Opcode ID: 5cef7fb9cfc0bb480069c907a9343fc8e485c2c089f55d1743d8792fb9a5ad09
Instruction ID: ad52bee693ae37bbf217a8531540adda567d403cb3c4e63fe35b62e88a6b1b85
Opcode Fuzzy Hash: 5cef7fb9cfc0bb480069c907a9343fc8e485c2c089f55d1743d8792fb9a5ad09
Instruction Fuzzy Hash: 5801E472202B85C5EF568F26E88435863A4E79CF88F188125DB9C47368DF38C9A6C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000E2C4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,00080000,000000014000F5A3,?,?,00000400,0000000140013249), ref: 000000014000E2E6
LoadLibraryW.KERNEL32(?,?,00080000,000000014000F5A3,?,?,00000400,0000000140013249), ref: 000000014000E2F9
GetProcAddress.KERNEL32(?,?,00080000,000000014000F5A3,?,?,00000400,0000000140013249), ref: 000000014000E317

Strings

InitCommonControlsEx, xrefs: 000000014000E310

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: InitCommonControlsEx
API String ID: 310444273-2357626986
Opcode ID: 2464da50fd0023d02a947890cf1cce47538acf8dbfe7abe7b1c62496a6e77bab
Instruction ID: 3c48cbfd99e516a3953ed209923cf3604f4260014e4656f7eabe1c313022ab6d
Opcode Fuzzy Hash: 2464da50fd0023d02a947890cf1cce47538acf8dbfe7abe7b1c62496a6e77bab
Instruction Fuzzy Hash: C201F672202F84C5EB568F26E89835873A4E79CF98F289125DB4C47378DF38C9A6C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000014009A2FC, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014009A321
LoadLibraryW.KERNEL32 ref: 000000014009A334
GetProcAddress.KERNEL32 ref: 000000014009A352

Strings

ImageList_GetIcon, xrefs: 000000014009A34B

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: ImageList_GetIcon
API String ID: 310444273-3623868649
Opcode ID: b82c362d3cdaaed20f76486c9ab55f4ec157866222b885b6d12a8261e1309d9d
Instruction ID: 1afc043fa3a32d2f4745f137ac931e11b06ba225519a56190a641513b4daeb4a
Opcode Fuzzy Hash: b82c362d3cdaaed20f76486c9ab55f4ec157866222b885b6d12a8261e1309d9d
Instruction Fuzzy Hash: 2F01F632202B85C9EF458F26E88479873A4E75CF88F188025DB4C47378EF38C9AAC341

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000E3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014000E406
LoadLibraryW.KERNEL32 ref: 000000014000E419
GetProcAddress.KERNEL32 ref: 000000014000E437

Strings

InitNetworkAddressControl, xrefs: 000000014000E430

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: InitNetworkAddressControl
API String ID: 310444273-1573002242
Opcode ID: 8c17545d40a02c0a3d0541f07b7a17ed477b3f8c665927cb126fde10207ccf64
Instruction ID: 83282d0babe854050122a94296e3d5be1af6fa0602bc649b5bacd95b11cb6375
Opcode Fuzzy Hash: 8c17545d40a02c0a3d0541f07b7a17ed477b3f8c665927cb126fde10207ccf64
Instruction Fuzzy Hash: 4E01A472202B85C5EB568F26E88475873A4E75CF88F189125DB5D47368DF38C9A6C344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140066A3C, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000140066A61
LoadLibraryW.KERNEL32 ref: 0000000140066A74
GetProcAddress.KERNEL32 ref: 0000000140066A92

Strings

ImageList_GetImageInfo, xrefs: 0000000140066A8B

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: ImageList_GetImageInfo
API String ID: 310444273-158344479
Opcode ID: 02b43920265ec0d5fc302f9d1c54084f19c9bc365fa1594a1eba101c055afbb6
Instruction ID: 819750bdecd9c332a1743048879b64667d0183303b1621e89f0b4369246aea0b
Opcode Fuzzy Hash: 02b43920265ec0d5fc302f9d1c54084f19c9bc365fa1594a1eba101c055afbb6
Instruction Fuzzy Hash: 3601F632202F85C5EB458F66E88479C73A5E758F98F288029DB4C47378EF38C9A6C341

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007CB18, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014007CB3A
LoadLibraryW.KERNEL32 ref: 000000014007CB4D
GetProcAddress.KERNEL32 ref: 000000014007CB6B

Strings

ImageList_ReplaceIcon, xrefs: 000000014007CB64

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: ImageList_ReplaceIcon
API String ID: 310444273-3264144174
Opcode ID: 8472b7689dcb78066942f037ac0502f7787479bef48d9d24bd1e072af3f9b894
Instruction ID: 731c7f6610a579c34efdd3a6cde969e33f10aacd61c8ac5cfd057158e3f8df43
Opcode Fuzzy Hash: 8472b7689dcb78066942f037ac0502f7787479bef48d9d24bd1e072af3f9b894
Instruction Fuzzy Hash: 1201B632212F85C5EB558F26E89575C73A5E758F88F188029DB5D47378DF38C8A6C344

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007CC54, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014007CC79
LoadLibraryW.KERNEL32 ref: 000000014007CC8C
GetProcAddress.KERNEL32 ref: 000000014007CCAA

Strings

ImageList_AddMasked, xrefs: 000000014007CCA3

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: ImageList_AddMasked
API String ID: 310444273-822293376
Opcode ID: 7ea77dba61df6d013134bded1ee7b3fbf90e717aa718607b050de2ea0045abb9
Instruction ID: 5e70c24120ae2c2c6515db2624f7a9599ef060d4e759f9bff8b05e54d3ec3e65
Opcode Fuzzy Hash: 7ea77dba61df6d013134bded1ee7b3fbf90e717aa718607b050de2ea0045abb9
Instruction Fuzzy Hash: C401BB32212B85C5DB569F26E88479873A5E758F88F188035DB4D47378DF38C8D6D350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140069034, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000140069056
LoadLibraryW.KERNEL32 ref: 0000000140069069
GetProcAddress.KERNEL32 ref: 0000000140069087

Strings

GetOpenFileNameW, xrefs: 0000000140069080

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: GetOpenFileNameW
API String ID: 310444273-1384924626
Opcode ID: 05ca5829b7c74792ce3569bdb4717f8a5d4cdf214f8cc1eaea7dc0b2e467423d
Instruction ID: 55efa486bb266c4982af30de83fc39c5aafaefa1b4f1682a8cbe0630c43c39e2
Opcode Fuzzy Hash: 05ca5829b7c74792ce3569bdb4717f8a5d4cdf214f8cc1eaea7dc0b2e467423d
Instruction Fuzzy Hash: 2E01E432202B45C9EF558F66E88475873A9E75CF98F289025DB4D47778DF38C8A6C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140069154, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000140069176
LoadLibraryW.KERNEL32 ref: 0000000140069189
GetProcAddress.KERNEL32 ref: 00000001400691A7

Strings

GetSaveFileNameW, xrefs: 00000001400691A0

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: GetSaveFileNameW
API String ID: 310444273-611885661
Opcode ID: 77526b237bb6f16eab962d79d8836eee063a4455a670587652b256413fb38bcd
Instruction ID: a280bac567392f4669dbdfd5145c0a300b5b1a356a60c9051d8f05cea39b92fe
Opcode Fuzzy Hash: 77526b237bb6f16eab962d79d8836eee063a4455a670587652b256413fb38bcd
Instruction Fuzzy Hash: BA01E432202B45C9EF458F26E88439873A9E758F98F289425DB4D47768DF38C8E6C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140009168, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014000918A
LoadLibraryW.KERNEL32 ref: 000000014000919D
GetProcAddress.KERNEL32 ref: 00000001400091BB

Strings

ImageList_Create, xrefs: 00000001400091B4

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: ImageList_Create
API String ID: 310444273-2409378823
Opcode ID: a97fec5ba0b37b803da6770632de293d744ad88c6a3474bd50e97142596b0e4b
Instruction ID: 24dc1a4f09648e0cac7cc0494bb65fc22657b5dbd9683be487207d4aa374c17b
Opcode Fuzzy Hash: a97fec5ba0b37b803da6770632de293d744ad88c6a3474bd50e97142596b0e4b
Instruction Fuzzy Hash: 8901A432212B45C5EB558F26E88479963A5E75CF88F189025DB5D47378DF38C8A6C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140096718, Relevance: 6.4, APIs: 4, Instructions: 413windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32 ref: 0000000140096759
GetWindow.USER32 ref: 0000000140096797
IsWindowVisible.USER32 ref: 00000001400968A5
GetWindow.USER32 ref: 0000000140096BF9

Part of subcall function 0000000140095E04: GetWindowRect.USER32 ref: 0000000140095EE9
Part of subcall function 0000000140095E04: GetWindowRect.USER32 ref: 0000000140095F08
Part of subcall function 0000000140095E04: UnionRect.USER32 ref: 0000000140095F1A

Part of subcall function 0000000140093A48: ActivateActCtx.KERNEL32 ref: 0000000140093A74
Part of subcall function 0000000140093A48: GetLastError.KERNEL32 ref: 0000000140093ABC
Part of subcall function 0000000140093A48: DeactivateActCtx.KERNEL32 ref: 0000000140093ACF
Part of subcall function 0000000140093A48: SetLastError.KERNEL32 ref: 0000000140093ADB

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$Rect$ErrorLast$ActivateDeactivateUnionVisible
String ID:
API String ID: 1581547046-0
Opcode ID: 078f944b1e312db265c20bd56b828524ce67d0572fe35cecbd369e23e9dbc4e5
Instruction ID: dc19da286d3d9615509094a4f7c44b8340da0735ac3e1297288acd83d42f0c1e
Opcode Fuzzy Hash: 078f944b1e312db265c20bd56b828524ce67d0572fe35cecbd369e23e9dbc4e5
Instruction Fuzzy Hash: 57F14472301A8182EB56EB37D5543EE23A5BB88FD4F448226EF1A4B7A5EF39C445C300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400E049C, Relevance: 6.3, APIs: 4, Instructions: 273windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32 ref: 00000001400E05AD
CreateCompatibleBitmap.GDI32 ref: 00000001400E05E8
SelectObject.GDI32 ref: 00000001400E0666

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CompatibleCreate$BitmapObjectSelect
String ID:
API String ID: 4217721833-0
Opcode ID: 573d5333800de022044d62600d0c6420edb898773ddd7ee88788eb2c3d006aae
Instruction ID: 1ec0e95bfff6fb8092e2d6e5a6d9965a47f27cc5b909980f8c67f64e61f66584
Opcode Fuzzy Hash: 573d5333800de022044d62600d0c6420edb898773ddd7ee88788eb2c3d006aae
Instruction Fuzzy Hash: DBB16272B05A508AEB15CFB6D4503ED37B1F748798F51412AEF0DA7BA8DA34D845C780

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005E7A0, Relevance: 6.2, APIs: 4, Instructions: 218keyboardCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 000000014005E7DA
GetKeyState.USER32 ref: 000000014005E7E5
IsRectEmpty.USER32 ref: 000000014005E84C
GetWindowRect.USER32 ref: 000000014005EA06

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$Empty$StateWindow
String ID:
API String ID: 2684165152-0
Opcode ID: 61823af8c96e78e4c0469ea68bed5abe0c59dbc715510929a21b8bfb7051a7bb
Instruction ID: c8e2be4fc5aa9c5ac0b6bb00bf330a0655bfbfb14e56c68bf75530deed0d18f0
Opcode Fuzzy Hash: 61823af8c96e78e4c0469ea68bed5abe0c59dbc715510929a21b8bfb7051a7bb
Instruction Fuzzy Hash: A59178722006818AEB66DB63D944BED33A5FB8CBC4F048116EF49477A9DF39C586C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140058C6C, Relevance: 6.2, APIs: 4, Instructions: 188COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 0000000140058CC3
CopyRect.USER32 ref: 0000000140058CD0
GetClientRect.USER32 ref: 0000000140058CE6
SystemParametersInfoW.USER32 ref: 0000000140058E82

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$ClientCopyInfoParametersSystemWindow
String ID:
API String ID: 1264264222-0
Opcode ID: 4e92aa03f0dc65738e7b944351ddbf3cdc80218c137b71844a5c1f725f93b54e
Instruction ID: fe463c96152250ed2edf36fc867da26f60c8fed702f2cc3bb632dbe2c93c9d15
Opcode Fuzzy Hash: 4e92aa03f0dc65738e7b944351ddbf3cdc80218c137b71844a5c1f725f93b54e
Instruction Fuzzy Hash: CA813333B006418EEB26CFAAE485BED33B1F748788F004915EF4A67A68DA75D945CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014014F0A4, Relevance: 6.2, APIs: 4, Instructions: 187stringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 000000014014F0E8
lstrcmpW.KERNEL32 ref: 000000014014F1AC
lstrcmpW.KERNEL32 ref: 000000014014F1DF
lstrcmpW.KERNEL32 ref: 000000014014F212

Part of subcall function 00000001400195C8: GlobalFlags.KERNEL32 ref: 00000001400195DA
Part of subcall function 00000001400195C8: GlobalUnlock.KERNEL32 ref: 00000001400195EA
Part of subcall function 00000001400195C8: GlobalFree.KERNEL32 ref: 00000001400195F7

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Global$lstrcmp$FlagsFreeLockUnlock
String ID:
API String ID: 3158084856-0
Opcode ID: 479b9b7176ec6153c4796c773e28a5adbae128ee971789357ce5e1bf3fb211ed
Instruction ID: 918fe8502ec3fce41ceefed1bcef9443fc909589691a959159e971bf7bd856f9
Opcode Fuzzy Hash: 479b9b7176ec6153c4796c773e28a5adbae128ee971789357ce5e1bf3fb211ed
Instruction Fuzzy Hash: CA916C36201A8185EB669F2AD4947EC23A4FB88FA8F554226EB2E4B7F5DF34C544D340

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004830C, Relevance: 6.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32 ref: 000000014004835C
LoadResource.KERNEL32 ref: 0000000140048374
LockResource.KERNEL32 ref: 000000014004838A
FreeResource.KERNEL32 ref: 000000014004857F

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: d80ca1d5c8e92a13695bff74e55d463e30a15e6496dc39ff1804bee5460c434f
Instruction ID: b70ce8a7fd3249db4389933f1d2ff9559ebec5549d5bdca2eeb7575747564809
Opcode Fuzzy Hash: d80ca1d5c8e92a13695bff74e55d463e30a15e6496dc39ff1804bee5460c434f
Instruction Fuzzy Hash: 1371C472604A818AE7669F27A4507EEA7A0FB8CFD4F058635BF4A577B4EB38C4408704

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006C528, Relevance: 6.2, APIs: 4, Instructions: 167windowmemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32 ref: 000000014006C5D8
SendMessageW.USER32 ref: 000000014006C621
SendMessageW.USER32 ref: 000000014006C6A9
SendMessageW.USER32 ref: 000000014006C6C8

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MessageSend$AllocGlobal
String ID:
API String ID: 1652254935-0
Opcode ID: 016e47ac5d006dd341e9cbb9d984803cdd8247b662b06398390c588ab957f4ae
Instruction ID: 4d51812aa033dd854bebb536c52803b87e26ccf25cfb77c897f2ce99905ab9ec
Opcode Fuzzy Hash: 016e47ac5d006dd341e9cbb9d984803cdd8247b662b06398390c588ab957f4ae
Instruction Fuzzy Hash: 41617776711A548AE711CFAAC840BDD37A2F788B98F504126EF1D57BA8CF38D456C780

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140090F30, Relevance: 6.2, APIs: 4, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(?,?,00000001,00000000), ref: 0000000140090F9D
IsMenu.USER32 ref: 0000000140090FBB
IsMenu.USER32 ref: 0000000140090FD0
RedrawWindow.USER32(?,?,00000001,00000000), ref: 000000014009116A

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Menu$RedrawSystemWindow
String ID:
API String ID: 3438490404-0
Opcode ID: 6a15be9ae025efcd51fd30fc7c3c607b80d03a9fa8771276d7431ad1e30c8ff2
Instruction ID: 3c12b01ed0f4d643e913ef244f40ffe688becf8e9422a2f8901cc9ca285a151d
Opcode Fuzzy Hash: 6a15be9ae025efcd51fd30fc7c3c607b80d03a9fa8771276d7431ad1e30c8ff2
Instruction Fuzzy Hash: 99618E72701A808AEB1ADF67D4547ED27A1FB88BC4F144525EF1A5BBA9EF35C480C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140088540, Relevance: 6.2, APIs: 4, Instructions: 152windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140088615
SendMessageW.USER32 ref: 000000014008866A
RedrawWindow.USER32 ref: 000000014008867F
IsWindowVisible.USER32 ref: 0000000140088758

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MessageSendWindow$RedrawVisible
String ID:
API String ID: 2376333906-0
Opcode ID: 7df965896fdfca4c366d78e089b699b8fb7916de9f537f63a44d477b5c7582d4
Instruction ID: 58bc0a5ff7c2e65848f1606e11de1751c5288edaa5738109c1e44da7721ce27d
Opcode Fuzzy Hash: 7df965896fdfca4c366d78e089b699b8fb7916de9f537f63a44d477b5c7582d4
Instruction Fuzzy Hash: 24615737201A8087EB66DF27D4547A963A1FB88FC4F588125EF0A0BBA5DF39D652C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001C50C, Relevance: 6.1, APIs: 4, Instructions: 142registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140006224: RegCloseKey.ADVAPI32 ref: 00000001400063AB
Part of subcall function 0000000140006224: RegCloseKey.ADVAPI32 ref: 00000001400063BA

Part of subcall function 000000014001A55C: RegCloseKey.ADVAPI32 ref: 000000014001A5C3

RegEnumValueW.ADVAPI32 ref: 000000014001C6A0
RegCloseKey.ADVAPI32 ref: 000000014001C6BA
RegCloseKey.ADVAPI32 ref: 000000014001C711
RegCloseKey.ADVAPI32 ref: 000000014001C722

Part of subcall function 000000014001A5F0: RegQueryValueExW.ADVAPI32 ref: 000000014001A62A

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Close$Value$EnumQuery
String ID:
API String ID: 4149552890-0
Opcode ID: 6ad8df28d454851027005662d5b6419c0b619f327f5fc7bc8d5284796b485318
Instruction ID: 5f0c7d9c46e3164bb81cd81b810238ffe28d1a58d4104084023bd5c2f58c4329
Opcode Fuzzy Hash: 6ad8df28d454851027005662d5b6419c0b619f327f5fc7bc8d5284796b485318
Instruction Fuzzy Hash: D8518F32215B8086EB11DF26E8447CE77A0F789BE8F544216EB595BBB8DF39C545CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001ECD8, Relevance: 6.1, APIs: 4, Instructions: 141memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 000000014001ED47
SysStringLen.OLEAUT32 ref: 000000014001ED67
SysStringLen.OLEAUT32 ref: 000000014001ED92
SysFreeString.OLEAUT32 ref: 000000014001EE41

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: f88b7342ab1ca2ca498b45dcd9ff8184317367a6c7d4d09b4d440e40f68ec9ed
Instruction ID: 59109d8955bdb065399a114772bf6712e264042b41a4a266bc32650cb236c890
Opcode Fuzzy Hash: f88b7342ab1ca2ca498b45dcd9ff8184317367a6c7d4d09b4d440e40f68ec9ed
Instruction Fuzzy Hash: 1251A072701A808AE765CF6AE8447DD33A1F748BA8F144229EF295BBE8DF39C445C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014008898C, Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 0000000140088A7B
SetRectEmpty.USER32 ref: 0000000140088A88
SetRectEmpty.USER32 ref: 0000000140088B4C
SetRectEmpty.USER32 ref: 0000000140088BB0

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: 5a760c8a9ac0bf64e092222e332b33587a21e91909cad0c9a2c24401219509b9
Instruction ID: ad664635fd270bcf4fd163b37198920a45d3a4c2be6e7ae724b819740219514f
Opcode Fuzzy Hash: 5a760c8a9ac0bf64e092222e332b33587a21e91909cad0c9a2c24401219509b9
Instruction Fuzzy Hash: 27610972611B91DBE72ACF26D9447DC77A8F308B94F14022AF765837A0CB759572CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003E650, Relevance: 6.1, APIs: 4, Instructions: 128windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 000000014003E680
IsWindowVisible.USER32 ref: 000000014003E68E
IsWindowVisible.USER32 ref: 000000014003E6D7
SendMessageW.USER32 ref: 000000014003E7B4

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: VisibleWindow$MessageSend
String ID:
API String ID: 1727553256-0
Opcode ID: 4eba12b57759a921ccba5e2fb9463630bc09e94120260adb4475451f2abcac6d
Instruction ID: 73486a81a77f246dd9c6a113e2b3c7efe4bfee044dfd3c3b4b47442ebbf66931
Opcode Fuzzy Hash: 4eba12b57759a921ccba5e2fb9463630bc09e94120260adb4475451f2abcac6d
Instruction Fuzzy Hash: 13517336701A8182EB1A9F27D85139E63A1FB89FE4F148225FB6A477F5DF78C8418740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140004F68, Relevance: 6.1, APIs: 4, Instructions: 125windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 0000000140004F96
CreateBitmap.GDI32 ref: 0000000140005060
LoadBitmapW.USER32 ref: 0000000140005079
SetMenuItemBitmaps.USER32 ref: 0000000140005127

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: BitmapMenu$BitmapsCheckCreateDimensionsItemLoadMark
String ID:
API String ID: 527726921-0
Opcode ID: ff60ce47035d1d6ada0cdc0df5b12ce4529c820c23e6626b4f25455a11ad2c57
Instruction ID: 7b950b4d300ef0c55dc20ab886cbff109510df46459207605fbea25862bbf4db
Opcode Fuzzy Hash: ff60ce47035d1d6ada0cdc0df5b12ce4529c820c23e6626b4f25455a11ad2c57
Instruction Fuzzy Hash: 7F512072710B88C6EB11EF22E848BDD73A1F74CB85F844126EB4947B60EB38D954C780

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003C9B0, Relevance: 6.1, APIs: 4, Instructions: 123windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 000000014003CA01
AppendMenuW.USER32 ref: 000000014003CA89
CheckMenuItem.USER32 ref: 000000014003CA9B
IsWindow.USER32 ref: 000000014003CAD7

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Menu$AppendCheckCreateItemPopupWindow
String ID:
API String ID: 2012662573-0
Opcode ID: cdd2ecd8bca10fd0afb0a733ce60067f13e55651646356c7753148d3d830303b
Instruction ID: 96a44a7f04c6d161235733b107f0da1404b48462437c360d151f4f557c30ad72
Opcode Fuzzy Hash: cdd2ecd8bca10fd0afb0a733ce60067f13e55651646356c7753148d3d830303b
Instruction Fuzzy Hash: 2D516736720A1486EB169B27D8157ED23A0BB8DBE4F44422AEF1997BE4DF38C955C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140076F84, Relevance: 6.1, APIs: 4, Instructions: 118windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 0000000140077024
ScreenToClient.USER32 ref: 0000000140077033
SendMessageW.USER32 ref: 000000014007710D
SendMessageW.USER32 ref: 0000000140077135

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MessageSend$ClientCursorScreen
String ID:
API String ID: 41388912-0
Opcode ID: 6855740f3edd6283d022cfc83e01f12eb853fcaa6ed29f6a028b211394718d67
Instruction ID: 96f7d8397e8a14c0577eb94fef6de7b146588272fec2880d629e74b9cfcb368a
Opcode Fuzzy Hash: 6855740f3edd6283d022cfc83e01f12eb853fcaa6ed29f6a028b211394718d67
Instruction Fuzzy Hash: 1A516E72201A8182EB65DB2AE880BD973A1FB88BD4F445226EB5D477B5DF78C854C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007E1FC, Relevance: 6.1, APIs: 4, Instructions: 114windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014007E246
GetWindowRect.USER32 ref: 000000014007E30B
ReleaseCapture.USER32 ref: 000000014007E3DB

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CaptureMessageRectReleaseSendWindow
String ID:
API String ID: 2919155594-0
Opcode ID: 9bc112919f0731c7ac691f658041dfc7ebf7d07059597ac51f1d9d2a57da9f8b
Instruction ID: 1a88a3601d88ceac9f7ddb421c8275abd2cbf99b11be141409a9c461ee3def86
Opcode Fuzzy Hash: 9bc112919f0731c7ac691f658041dfc7ebf7d07059597ac51f1d9d2a57da9f8b
Instruction Fuzzy Hash: D6513F36601B8086EB51DF62E4947DC73A8F788B98F484236EF494BBA8DF78C541C720

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007C388, Relevance: 6.1, APIs: 4, Instructions: 112windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 000000014007C3BE

Part of subcall function 000000014007BD8C: IsWindow.USER32 ref: 000000014007BD9D
Part of subcall function 000000014007BD8C: SendMessageW.USER32 ref: 000000014007BDC7
Part of subcall function 000000014007BD8C: SendMessageW.USER32 ref: 000000014007BDE0
Part of subcall function 000000014007BD8C: SendMessageW.USER32 ref: 000000014007BE0B
Part of subcall function 000000014007BD8C: SendMessageW.USER32 ref: 000000014007BE24

Part of subcall function 000000014011FE1C: SendMessageW.USER32 ref: 000000014011FE4E

Part of subcall function 000000014011FE84: SendMessageW.USER32 ref: 000000014011FEB6

SendMessageW.USER32 ref: 000000014007C46A

Part of subcall function 0000000140002D74: malloc.LIBCMT ref: 0000000140002D9B

SendMessageW.USER32 ref: 000000014007C4AB
SendMessageW.USER32 ref: 000000014007C4C0

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MessageSend$Window$malloc
String ID:
API String ID: 986012140-0
Opcode ID: deb3bf461786bda4edee9d504e99374551c393b250ca9585d7e4b909f1338e3d
Instruction ID: e2faaf6c29d9f2e0ca764f698be88f3f8d58738dd606224842e70a1d963748ac
Opcode Fuzzy Hash: deb3bf461786bda4edee9d504e99374551c393b250ca9585d7e4b909f1338e3d
Instruction Fuzzy Hash: 27419872315A8483EB169B67E8547EE6361F789BE4F444229BB6E47BF5DE3CC8048700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002A194, Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140015AC0: ActivateActCtx.KERNEL32(?,?,?,000000014008273B), ref: 0000000140015AEE

VariantClear.OLEAUT32 ref: 000000014002A226
SysFreeString.OLEAUT32 ref: 000000014002A2CA
SysFreeString.OLEAUT32 ref: 000000014002A2D9
SysFreeString.OLEAUT32 ref: 000000014002A2E8

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: FreeString$ActivateClearVariant
String ID:
API String ID: 245964860-0
Opcode ID: 1d5ef34de28767fc696c93533414c9cb2b0889aec59e06e7f67c9bb162d722b5
Instruction ID: 3be149b94f5995c72db4cea8a874ee0869afcf883e4c5785e1e517b515b67cf8
Opcode Fuzzy Hash: 1d5ef34de28767fc696c93533414c9cb2b0889aec59e06e7f67c9bb162d722b5
Instruction Fuzzy Hash: F8513832700A45DAEB66DFA6D4503DD33B0FB48B88F44402AEF1A57A69DF39D958C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140074400, Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 00000001400744A4
RedrawWindow.USER32 ref: 00000001400744BC
IsRectEmpty.USER32 ref: 0000000140074523
RedrawWindow.USER32 ref: 000000014007454A

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: EmptyRectRedrawWindow
String ID:
API String ID: 1437620686-0
Opcode ID: 5f5e89573fd780a642c6d276b1bf324720922cd74476abe9211442db3e68846d
Instruction ID: 61f68cba2fdef5ba1187f50a0a2e50e33c76dd32c6d76cd6924ec53948bd142b
Opcode Fuzzy Hash: 5f5e89573fd780a642c6d276b1bf324720922cd74476abe9211442db3e68846d
Instruction Fuzzy Hash: CE418C32614A8083EB26CB2AE550BEE73A1F78CFC8F544121EF8947A69DB3CD4418F00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004E1FC, Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

GetTextColor.GDI32 ref: 000000014004E21D
OffsetRect.USER32 ref: 000000014004E26B
FillRect.USER32 ref: 000000014004E2AF
OffsetRect.USER32 ref: 000000014004E2DE

Part of subcall function 00000001400E155C: CreateCompatibleDC.GDI32 ref: 00000001400E1616

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$Offset$ColorCompatibleCreateFillText
String ID:
API String ID: 1625284823-0
Opcode ID: d1aef7633a82f826ddf70642cf96eb65b8585e30c6ee00cf321394a3ae65abe8
Instruction ID: 2f828814aed5b53e158201fd82166791adde8e8b0c0d3c94339a0821b4c10f98
Opcode Fuzzy Hash: d1aef7633a82f826ddf70642cf96eb65b8585e30c6ee00cf321394a3ae65abe8
Instruction Fuzzy Hash: 8031503131468086EB229B53AA48BDAB761F78DFE5F004225AF5907BF4DB78C901CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400ED110, Relevance: 6.1, APIs: 4, Instructions: 88windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(00000000,?,?,000000014007E26F), ref: 00000001400ED13E
GetStockObject.GDI32 ref: 00000001400ED163
GetPaletteEntries.GDI32 ref: 00000001400ED18F
GetParent.USER32 ref: 00000001400ED20C

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Object$EntriesPaletteParentStock
String ID:
API String ID: 4188070286-0
Opcode ID: 1a0d59185c63ef169eac0c7a70781ed32b4e59d11be5f66697425b5950b6daa8
Instruction ID: b0372cc994c18d30d38cba0aeae4de1fe3bf471c7abecb1a640c26b6c9389a4d
Opcode Fuzzy Hash: 1a0d59185c63ef169eac0c7a70781ed32b4e59d11be5f66697425b5950b6daa8
Instruction Fuzzy Hash: 5231043220168096EB169B67E4407EAB760F78DFE8F140126FF69577F6DB38C8468700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014009C56C, Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 000000014009C5AB
GetWindowRect.USER32 ref: 000000014009C5EE
GetClientRect.USER32 ref: 000000014009C615

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Rect$ClientEmptyWindow
String ID:
API String ID: 742297903-0
Opcode ID: beb5cae759a8d69099b2093ecbdbf96782d98a1d38125124acc0d44c8aa93de6
Instruction ID: d1c19c334ab1bb071714c12d7f869e0afc9b01fe7549ef276c5f7186da2337f2
Opcode Fuzzy Hash: beb5cae759a8d69099b2093ecbdbf96782d98a1d38125124acc0d44c8aa93de6
Instruction Fuzzy Hash: 92314876214A848BEB25DB27E19476AB3A0F78CBD9F108121EF9E47B64DF38D551CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014009A8A8, Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014009A8DF
SendMessageW.USER32 ref: 000000014009A8FF
GetClassLongPtrW.USER32 ref: 000000014009A9B7
GetClassLongPtrW.USER32 ref: 000000014009A9CC

Part of subcall function 000000014007CB8C: ActivateActCtx.KERNEL32 ref: 000000014007CBC3

Part of subcall function 0000000140093A48: ActivateActCtx.KERNEL32 ref: 0000000140093A74
Part of subcall function 0000000140093A48: GetLastError.KERNEL32 ref: 0000000140093ABC
Part of subcall function 0000000140093A48: DeactivateActCtx.KERNEL32 ref: 0000000140093ACF
Part of subcall function 0000000140093A48: SetLastError.KERNEL32 ref: 0000000140093ADB

Part of subcall function 000000014009A378: ActivateActCtx.KERNEL32 ref: 000000014009A3AF

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Activate$ClassErrorLastLongMessageSend$Deactivate
String ID:
API String ID: 348901367-0
Opcode ID: 1cc79a1cecf66d2841748679676a32714c760c96eb9e7788eb96c3ce52e25026
Instruction ID: 4a4cc9aa4dd03f82f535d4a1057877c534e4376ed868d5af3958679a219e8640
Opcode Fuzzy Hash: 1cc79a1cecf66d2841748679676a32714c760c96eb9e7788eb96c3ce52e25026
Instruction Fuzzy Hash: FE313C76311A8082EF62DB26E490BD963A1FBC9BE4F444221FB5D4BBE5DF39C4448741

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007E7AC, Relevance: 6.1, APIs: 4, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetSystemPaletteEntries.GDI32 ref: 000000014007E83F
GetObjectW.GDI32 ref: 000000014007E85B

Part of subcall function 0000000140002D74: malloc.LIBCMT ref: 0000000140002D9B

GetPaletteEntries.GDI32 ref: 000000014007E882
CreatePalette.GDI32 ref: 000000014007E8A0

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Palette$Entries$CreateObjectSystemmalloc
String ID:
API String ID: 3480014781-0
Opcode ID: 1204c6bbee314c6bc55367e2cb91cde81f0008b5b89b362f4134647dd0b1ad2b
Instruction ID: 816ada887ff9c2cb779ec99d855012dae29cba31d117e727d860353266c3266c
Opcode Fuzzy Hash: 1204c6bbee314c6bc55367e2cb91cde81f0008b5b89b362f4134647dd0b1ad2b
Instruction Fuzzy Hash: F0312B36215A8082EB16DF22E4543EAB7A1FB8CBD0F588225EB9D47BB5DF38C541C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001294C, Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 0000000140012997
GetWindowTextLengthW.USER32 ref: 00000001400129A8
GetWindowTextW.USER32 ref: 00000001400129C4
wcsnlen.LIBCMT ref: 00000001400129DA

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: TextWindow$ItemLengthwcsnlen
String ID:
API String ID: 2196709654-0
Opcode ID: a5ac910acf556d330ead6681900faef29f2b58b66d1456dc7a82513b87287207
Instruction ID: 57f3ca399286f11ee64f33fc9311dc500e832543ab777ccbe54d73720a1dc1ad
Opcode Fuzzy Hash: a5ac910acf556d330ead6681900faef29f2b58b66d1456dc7a82513b87287207
Instruction Fuzzy Hash: E3215E35702A4082EB56EB1BE5943AD67A1BB8CFC0F144125EF5E4B7A9DF39C4618780

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007217C, Relevance: 6.1, APIs: 4, Instructions: 67stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00000001400721DD
SendMessageW.USER32 ref: 0000000140072208
lstrlenW.KERNEL32 ref: 0000000140072216
SendMessageW.USER32 ref: 000000014007223F

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MessageSendlstrlen
String ID:
API String ID: 1933689666-0
Opcode ID: 7fa9105e47298506a423ade23c0b93766cdc0294a98b0b3964ff5addc2cc7086
Instruction ID: 644ea9a0efcba1e1918e52a777b0a58605fd37e0fb82968df2a339ee1313b243
Opcode Fuzzy Hash: 7fa9105e47298506a423ade23c0b93766cdc0294a98b0b3964ff5addc2cc7086
Instruction Fuzzy Hash: 1921483A600A8486EB51DF26D494B9D77A0F7CCFC4F694125EF9A43B68CF39C5468B00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004A218, Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 000000014004A283
CreateRoundRectRgn.GDI32 ref: 000000014004A2BF
SetWindowRgn.USER32 ref: 000000014004A2DC
SetWindowRgn.USER32 ref: 000000014004A2FB

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$Rect$CreateRound
String ID:
API String ID: 4208751637-0
Opcode ID: 3160bb2272c68159466e99bacdcc0318d80dac75c5c7edc592cb9839dba434fc
Instruction ID: 0f713d2500470e497af3c03b70e7008698ad20239ac20fba8ea9ca0a24c5689c
Opcode Fuzzy Hash: 3160bb2272c68159466e99bacdcc0318d80dac75c5c7edc592cb9839dba434fc
Instruction Fuzzy Hash: C8312832B10B508AE721CB66E885BDD37B4F749B98F150225AF5957BA8DF39C5418700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140072E1C, Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 0000000140072E41
ScreenToClient.USER32 ref: 0000000140072E50
SetCursor.USER32 ref: 0000000140072E7D
PtInRect.USER32 ref: 0000000140072EF2

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Cursor$ClientRectScreen
String ID:
API String ID: 2390797981-0
Opcode ID: 69479461b0493033759f7bd7f637dd5acda53cd06e1bec4f9806efbe753b66f9
Instruction ID: e69440535f669f458aca84c3e92d5729cc3f2cb872dd82815460d4180383a7e9
Opcode Fuzzy Hash: 69479461b0493033759f7bd7f637dd5acda53cd06e1bec4f9806efbe753b66f9
Instruction Fuzzy Hash: 1D316B32204945C6EB229F26E9897EE73B0F788BD9F540435EB49472A8DF38C944CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000A110, Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32 ref: 000000014000A157
LoadResource.KERNEL32 ref: 000000014000A168
LockResource.KERNEL32 ref: 000000014000A179
FreeResource.KERNEL32 ref: 000000014000A1A9

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 327b983b83447a5e0ef21f26b3fb1d8c10e96ed776aef055ae3468024f2a9950
Instruction ID: 8f31a042630d2e0f319ec35f4b608e95fb5906735535a3275fb55d43a906d7ba
Opcode Fuzzy Hash: 327b983b83447a5e0ef21f26b3fb1d8c10e96ed776aef055ae3468024f2a9950
Instruction Fuzzy Hash: 48212676301B9081EA16EB57A848BD9A7A5FB8EFD4F494029EF094BB65DF38C945C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000014008521C, Relevance: 6.1, APIs: 4, Instructions: 64windowtimeCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0000000140085264
SendMessageW.USER32 ref: 00000001400852A3
KillTimer.USER32 ref: 00000001400852BB

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: KillMessageParentSendTimer
String ID:
API String ID: 2710755332-0
Opcode ID: 8e7861c84e35063d668d676bb1bdeb246f3f855a78247ca470c63ce6aa49c848
Instruction ID: c6af386f585a42b20a12284c11071271bfa2fca30757cc873f1ab1092e763a95
Opcode Fuzzy Hash: 8e7861c84e35063d668d676bb1bdeb246f3f855a78247ca470c63ce6aa49c848
Instruction Fuzzy Hash: 3D217132604A8482EB56AF22E4457D937A0F78AFE9F144635EF69077E5CF74C6548300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140056A0C, Relevance: 6.1, APIs: 4, Instructions: 63keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32 ref: 0000000140056A39
GetCursorPos.USER32 ref: 0000000140056A84
SetRectEmpty.USER32 ref: 0000000140056A96
IsRectEmpty.USER32 ref: 0000000140056ACC

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: EmptyRect$CursorState
String ID:
API String ID: 2369637639-0
Opcode ID: 2507f412434602ad867a3c54f6f855884f40b04f4bc144c43aeea1748a0201fb
Instruction ID: 762b10e611ab2f440d20bc35d170b798e4586236b7a136e4a74b246c9b01fbdd
Opcode Fuzzy Hash: 2507f412434602ad867a3c54f6f855884f40b04f4bc144c43aeea1748a0201fb
Instruction Fuzzy Hash: D6212432610A5089FB11CB62A8447DD73B8F74CBD8F840126AF4967B68DF39C5918750

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400091DC, Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

ActivateActCtx.KERNEL32 ref: 0000000140009213
GetLastError.KERNEL32 ref: 000000014000927B
DeactivateActCtx.KERNEL32 ref: 000000014000928E
SetLastError.KERNEL32 ref: 000000014000929A

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivate
String ID:
API String ID: 2261068335-0
Opcode ID: 3f8354b81729116b2bb8154540c6985c61a87962521920cec33804e53421579f
Instruction ID: b861f16bfec65c2b5c99347523160ff735e53e8f5243931d690a8cb84a602fad
Opcode Fuzzy Hash: 3f8354b81729116b2bb8154540c6985c61a87962521920cec33804e53421579f
Instruction Fuzzy Hash: 00218C32314B8192E7919B67A88179EB2E9FBCCFC0F584025EF4A87B64DF78C8458700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014012A658, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,00000000,000000014012AAC1), ref: 000000014012A68F
LoadResource.KERNEL32(?,?,00000000,000000014012AAC1), ref: 000000014012A6A9
LockResource.KERNEL32(?,?,00000000,000000014012AAC1), ref: 000000014012A6BF
GlobalFree.KERNEL32 ref: 000000014012A705

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Resource$FindFreeGlobalLoadLock
String ID:
API String ID: 3898064442-0
Opcode ID: 36a671701df03b1eff74ffc63777d89676a0ca3cf23794d83bd475b41a6559d4
Instruction ID: 35ed3562b111b86dd37399760da080693b5d66925a797d0b3ca35ec0a754e942
Opcode Fuzzy Hash: 36a671701df03b1eff74ffc63777d89676a0ca3cf23794d83bd475b41a6559d4
Instruction Fuzzy Hash: E4218075201B8086FB5A9B2395443DDB2A5EB4CFC4F488419DF4D1BBA9DF38C8958740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140022B54, Relevance: 6.1, APIs: 4, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?,?,0000000140022F12), ref: 0000000140022B85
GlobalLock.KERNEL32 ref: 0000000140022B96
memcpy_s.LIBCMT ref: 0000000140022BAB
GlobalUnlock.KERNEL32(?,?,?,0000000140022F12), ref: 0000000140022BFA

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Global$AllocLockUnlockmemcpy_s
String ID:
API String ID: 2323231100-0
Opcode ID: 858feefc28c33c49f6aaa5ffd462fd7ab53161935ba50899021217727ace764c
Instruction ID: 44acfd20d9ca8c2c727867f827ca879f3664f7b50a280fe08791e912e25c6aa1
Opcode Fuzzy Hash: 858feefc28c33c49f6aaa5ffd462fd7ab53161935ba50899021217727ace764c
Instruction Fuzzy Hash: F511B23520164196FB6B9F97E4857EC63A0EB4CBC0F18882AFB19877B5DF38C8908700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014009A378, Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

ActivateActCtx.KERNEL32 ref: 000000014009A3AF
GetLastError.KERNEL32(?,?,?,?,?,?,000000014009A99C), ref: 000000014009A407
DeactivateActCtx.KERNEL32(?,?,?,?,?,?,000000014009A99C), ref: 000000014009A41A
SetLastError.KERNEL32(?,?,?,?,?,?,000000014009A99C), ref: 000000014009A426

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivate
String ID:
API String ID: 2261068335-0
Opcode ID: 6bf56cacf05402e3ff8829ae9d934b1f8dbd3e28322b75b7fa0ddd7f7c4fcfb4
Instruction ID: 83dd82d4350079794ced799b6cca64c1439ea0508064b259ddc804ea5df4eed6
Opcode Fuzzy Hash: 6bf56cacf05402e3ff8829ae9d934b1f8dbd3e28322b75b7fa0ddd7f7c4fcfb4
Instruction Fuzzy Hash: D0218E32310B9582EB529B67A88539AA2A4FBCDFD4F494035EF498B764DFBCC8458740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007CB8C, Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

ActivateActCtx.KERNEL32 ref: 000000014007CBC3
GetLastError.KERNEL32 ref: 000000014007CC16
DeactivateActCtx.KERNEL32 ref: 000000014007CC29
SetLastError.KERNEL32 ref: 000000014007CC35

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivate
String ID:
API String ID: 2261068335-0
Opcode ID: 6ee816c23a1fc399d81abdf6909574f037947a1ab8983fef82944c7557a843b2
Instruction ID: 5b60bb146dacc5006875f7f7a84d9d39fac7f5933fb290a91ea5ec6fb359ea91
Opcode Fuzzy Hash: 6ee816c23a1fc399d81abdf6909574f037947a1ab8983fef82944c7557a843b2
Instruction Fuzzy Hash: 7021A232310B8582E7129F67A88179D6795FB8CFE0F484629EB59877A4CF78C8458301

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007CCD0, Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

ActivateActCtx.KERNEL32 ref: 000000014007CD07
GetLastError.KERNEL32(?,?,?,?,?,?,000000014007CEDD), ref: 000000014007CD5E
DeactivateActCtx.KERNEL32(?,?,?,?,?,?,000000014007CEDD), ref: 000000014007CD71
SetLastError.KERNEL32(?,?,?,?,?,?,000000014007CEDD), ref: 000000014007CD7D

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivate
String ID:
API String ID: 2261068335-0
Opcode ID: 86778ab83963495feb20d09f389ea80c24f4aa4075bdf6f36f20cd351333f891
Instruction ID: 6f64cab471d8d9c9406d1ef187a0bab3bd9451c1aebf36a5fb73609363a0e568
Opcode Fuzzy Hash: 86778ab83963495feb20d09f389ea80c24f4aa4075bdf6f36f20cd351333f891
Instruction Fuzzy Hash: 4621A232210B4182E7219F67A88179967A4FB8CFE0F584229EF59877A4CF78C8458700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140066AB8, Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

ActivateActCtx.KERNEL32 ref: 0000000140066AEF

Part of subcall function 0000000140066A3C: GetModuleHandleW.KERNEL32 ref: 0000000140066A61
Part of subcall function 0000000140066A3C: LoadLibraryW.KERNEL32 ref: 0000000140066A74
Part of subcall function 0000000140066A3C: GetProcAddress.KERNEL32 ref: 0000000140066A92

GetLastError.KERNEL32 ref: 0000000140066B3F
DeactivateActCtx.KERNEL32 ref: 0000000140066B52
SetLastError.KERNEL32 ref: 0000000140066B5E

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ErrorLast$ActivateAddressDeactivateHandleLibraryLoadModuleProc
String ID:
API String ID: 1520649096-0
Opcode ID: fbdd546538bdf94e83e705ca05b90b497fc2896d3a1e082d416da813b2e3cc11
Instruction ID: 2b14851de44b0208fe39882d09dcce88c2b9e3e7da3f41d0a2d081f4ae9f3d64
Opcode Fuzzy Hash: fbdd546538bdf94e83e705ca05b90b497fc2896d3a1e082d416da813b2e3cc11
Instruction Fuzzy Hash: 36118B32300B8182EB519F77A88139AA3E6FB8CFD0F584525EF098B764CF78C8858700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140036CD0, Relevance: 6.1, APIs: 4, Instructions: 55windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0000000140036CE8
SendMessageW.USER32 ref: 0000000140036D39
RedrawWindow.USER32 ref: 0000000140036D4E
SendMessageW.USER32 ref: 0000000140036D1A

Part of subcall function 0000000140087CCC: SendMessageW.USER32(?,?,?,0000000140036D8F), ref: 0000000140087D5A
Part of subcall function 0000000140087CCC: SendMessageW.USER32(?,?,?,0000000140036D8F), ref: 0000000140087D8E
Part of subcall function 0000000140087CCC: SendMessageW.USER32(?,?,?,0000000140036D8F), ref: 0000000140087DAA
Part of subcall function 0000000140087CCC: SendMessageW.USER32(?,?,?,0000000140036D8F), ref: 0000000140087DBF
Part of subcall function 0000000140087CCC: SendMessageW.USER32(?,?,?,0000000140036D8F), ref: 0000000140087DDB

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MessageSend$ParentRedrawWindow
String ID:
API String ID: 2139789815-0
Opcode ID: 28ca2fac884ce83bb51a2465fd4433591020349f8db504929621570f91c2b948
Instruction ID: 1756492762ff014d37d76c9c393f0ea66be077feb02d5ea2c033f60711b6c76f
Opcode Fuzzy Hash: 28ca2fac884ce83bb51a2465fd4433591020349f8db504929621570f91c2b948
Instruction Fuzzy Hash: E3117C3671468083FB669B27E590BAA63A1F78DBC4F448424EF0E47BA4DF39C5458B00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140006544, Relevance: 6.1, APIs: 4, Instructions: 53registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32 ref: 00000001400065A3
RegCloseKey.ADVAPI32 ref: 00000001400065AE
swprintf.LIBCMT ref: 00000001400065CF
WritePrivateProfileStringW.KERNEL32 ref: 00000001400065E6

Part of subcall function 00000001400063D8: RegCloseKey.ADVAPI32 ref: 0000000140006486

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Close$PrivateProfileStringValueWriteswprintf
String ID:
API String ID: 581541481-0
Opcode ID: 5207dd9e152ad493f13b01abc862abbec95636334e3ea8a785f08f75ce7eab33
Instruction ID: fc688cab9c78bcbd9aad5169f75602ce6c09a284e1772bdb1ca5d3fee44e8537
Opcode Fuzzy Hash: 5207dd9e152ad493f13b01abc862abbec95636334e3ea8a785f08f75ce7eab33
Instruction Fuzzy Hash: 8011A372315B9442EB529B63B855BDA6364E78DFD9F884031BF0E17B64DF38C5468B00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002206C, Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140002D74: malloc.LIBCMT ref: 0000000140002D9B

GetCurrentProcess.KERNEL32 ref: 00000001400220AB
GetCurrentProcess.KERNEL32 ref: 00000001400220B4
DuplicateHandle.KERNEL32 ref: 00000001400220DB
GetLastError.KERNEL32 ref: 00000001400220FC

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLastmalloc
String ID:
API String ID: 1283020281-0
Opcode ID: 4feb2ed86f5a111a4e96f0ff319d5ec4de1c1529d0d56765822672051d86fa6f
Instruction ID: c07cbf2101ee197e89f1e7c3f9b7a8c17547f15550a4ce0017898ad7b5222ad2
Opcode Fuzzy Hash: 4feb2ed86f5a111a4e96f0ff319d5ec4de1c1529d0d56765822672051d86fa6f
Instruction Fuzzy Hash: 29212C36605B4487EB619B27E58439AB3A1F78CBD0F144229EBAD43BA9DF3CD451CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140004D80, Relevance: 6.1, APIs: 4, Instructions: 52windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32 ref: 0000000140004DCB
GetFocus.USER32 ref: 0000000140004DE8
GetParent.USER32 ref: 0000000140004DF8
SendMessageW.USER32 ref: 0000000140004E14

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: EnableFocusItemMenuMessageParentSend
String ID:
API String ID: 2297321873-0
Opcode ID: 7f032abf3cab5b262fad2dc5b3863c65a2f07b2dd77ac9c40b81fe7bbdad5e76
Instruction ID: a7adc0c8e989bf99d2c7632d6d06c5ccc53ccc2177d72c3b4f93e0aef10ac57f
Opcode Fuzzy Hash: 7f032abf3cab5b262fad2dc5b3863c65a2f07b2dd77ac9c40b81fe7bbdad5e76
Instruction Fuzzy Hash: 54118BB6620590C2EB66DF23F4507A96370F788F88F204211FB5A47A69CF79C8818744

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000EFCC, Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000014000EFE8
GetTopWindow.USER32 ref: 000000014000EFF9

Part of subcall function 000000014000EFCC: GetWindow.USER32 ref: 000000014000F051

GetTopWindow.USER32 ref: 000000014000F031

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: e636cce0b887eead359fe3789852b5aa3d8db69ee4c6132a36baf01287e95e64
Instruction ID: 4b6a66930765b0b32a21ab87150bb62e52c9a9cde51b09a38a1941f6515904e4
Opcode Fuzzy Hash: e636cce0b887eead359fe3789852b5aa3d8db69ee4c6132a36baf01287e95e64
Instruction Fuzzy Hash: 1E112E7030578141EE66DB1774447B9A2909F9CFC0F189438BF4943B77EF39D451A640

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000CC88, Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

GetObjectW.GDI32 ref: 000000014000CCE8
SetBkColor.GDI32 ref: 000000014000CCF5
GetSysColor.USER32 ref: 000000014000CD09
SetTextColor.GDI32 ref: 000000014000CD14

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Color$ObjectText
String ID:
API String ID: 829078354-0
Opcode ID: e321e311f1532cdca9fb0ae761378fd264ced305db27d4657a141e8b49dece4a
Instruction ID: f7dea7a8ff3b2db4c033361b52b366ae4e97154a765a5bc1c26c7789598cd7bb
Opcode Fuzzy Hash: e321e311f1532cdca9fb0ae761378fd264ced305db27d4657a141e8b49dece4a
Instruction Fuzzy Hash: E111A07072560846FE66C767B554BE962D1AB9CBD4F244132EF4A47BB4CE3CCC414A00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000E338, Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

ActivateActCtx.KERNEL32 ref: 000000014000E364

Part of subcall function 000000014000E2C4: GetModuleHandleW.KERNEL32(?,?,00080000,000000014000F5A3,?,?,00000400,0000000140013249), ref: 000000014000E2E6
Part of subcall function 000000014000E2C4: LoadLibraryW.KERNEL32(?,?,00080000,000000014000F5A3,?,?,00000400,0000000140013249), ref: 000000014000E2F9
Part of subcall function 000000014000E2C4: GetProcAddress.KERNEL32(?,?,00080000,000000014000F5A3,?,?,00000400,0000000140013249), ref: 000000014000E317

GetLastError.KERNEL32 ref: 000000014000E3AC
DeactivateActCtx.KERNEL32 ref: 000000014000E3BF
SetLastError.KERNEL32 ref: 000000014000E3CB

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ErrorLast$ActivateAddressDeactivateHandleLibraryLoadModuleProc
String ID:
API String ID: 1520649096-0
Opcode ID: 4c26f83d958abce418434e30609bc5026db76866080aa55d1ae837455ac7dd3c
Instruction ID: 43fa863c25c286084b3f815209fde8b4beaaca76caffc54606b6603626d21ace
Opcode Fuzzy Hash: 4c26f83d958abce418434e30609bc5026db76866080aa55d1ae837455ac7dd3c
Instruction Fuzzy Hash: 2A11737220479182E712DBA7B44539EA7A4FB8CBD4F484125EF4997664DFB8C9458700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140086E3C, Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 0000000140086E60
GetSubMenu.USER32 ref: 0000000140086E73
GetMenuItemCount.USER32 ref: 0000000140086E84
GetMenuItemID.USER32 ref: 0000000140086E98

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Menu$Item$Count
String ID:
API String ID: 879546783-0
Opcode ID: 5beaeb01dacd2240d03e88f0f1c95005c4227e4e2fcc02d18c8290d5b19dcc27
Instruction ID: 5b3018e1b4b9a16d0f51196cc63d842e1276d69d7b72f9deef97d0fc84d164f1
Opcode Fuzzy Hash: 5beaeb01dacd2240d03e88f0f1c95005c4227e4e2fcc02d18c8290d5b19dcc27
Instruction Fuzzy Hash: 5B116D3A714B4581FA568B77E5843A972A2FB8CFC0F254824EF1A93765DF39C5418340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400690A8, Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

ActivateActCtx.KERNEL32 ref: 00000001400690D4

Part of subcall function 0000000140069034: GetModuleHandleW.KERNEL32 ref: 0000000140069056
Part of subcall function 0000000140069034: LoadLibraryW.KERNEL32 ref: 0000000140069069
Part of subcall function 0000000140069034: GetProcAddress.KERNEL32 ref: 0000000140069087

GetLastError.KERNEL32 ref: 000000014006911C
DeactivateActCtx.KERNEL32 ref: 000000014006912F
SetLastError.KERNEL32 ref: 000000014006913B

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ErrorLast$ActivateAddressDeactivateHandleLibraryLoadModuleProc
String ID:
API String ID: 1520649096-0
Opcode ID: eacc750954b9a7f696da4a4c0df30f4cbef966f32fc28b690133b70535c4f3e2
Instruction ID: 159ab3ac156c802c825a0038e683629474d16579b78487cc69911bdd68156508
Opcode Fuzzy Hash: eacc750954b9a7f696da4a4c0df30f4cbef966f32fc28b690133b70535c4f3e2
Instruction Fuzzy Hash: 0D11863230478282EB119F67E84439EA3E5FB8CBD4F694525EF498BA64DFB8C8458700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400691C8, Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

ActivateActCtx.KERNEL32 ref: 00000001400691F4

Part of subcall function 0000000140069154: GetModuleHandleW.KERNEL32 ref: 0000000140069176
Part of subcall function 0000000140069154: LoadLibraryW.KERNEL32 ref: 0000000140069189
Part of subcall function 0000000140069154: GetProcAddress.KERNEL32 ref: 00000001400691A7

GetLastError.KERNEL32 ref: 000000014006923C
DeactivateActCtx.KERNEL32 ref: 000000014006924F
SetLastError.KERNEL32 ref: 000000014006925B

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ErrorLast$ActivateAddressDeactivateHandleLibraryLoadModuleProc
String ID:
API String ID: 1520649096-0
Opcode ID: f5ffe8ce361d20a3dac4056a3087b073c3883657739f52f3dcbcb1a80262fc88
Instruction ID: ec6cbe2cca4572e270682b380dfa7ef1be61121eddabaac167614057a3cdf4c6
Opcode Fuzzy Hash: f5ffe8ce361d20a3dac4056a3087b073c3883657739f52f3dcbcb1a80262fc88
Instruction Fuzzy Hash: B211A33220478282E7119BA7E88039EA3E9FB8CBD4F594524EF4987A64DFB8C8458700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000E458, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

ActivateActCtx.KERNEL32(?,?,?,?,?,?,?,?,?,?,000000014000F67E), ref: 000000014000E481

Part of subcall function 000000014000E3E4: GetModuleHandleW.KERNEL32 ref: 000000014000E406
Part of subcall function 000000014000E3E4: LoadLibraryW.KERNEL32 ref: 000000014000E419
Part of subcall function 000000014000E3E4: GetProcAddress.KERNEL32 ref: 000000014000E437

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,000000014000F67E), ref: 000000014000E4C7
DeactivateActCtx.KERNEL32(?,?,?,?,?,?,?,?,?,?,000000014000F67E), ref: 000000014000E4DA
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,000000014000F67E), ref: 000000014000E4E6

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ErrorLast$ActivateAddressDeactivateHandleLibraryLoadModuleProc
String ID:
API String ID: 1520649096-0
Opcode ID: 518a2360267f0a33aacf9225b4928b05be3f914bff47035cfba15546081971e2
Instruction ID: 3a844b7ed865a9efa37f5f45d1437b58b220f014e619b77fc48a66e7692e078b
Opcode Fuzzy Hash: 518a2360267f0a33aacf9225b4928b05be3f914bff47035cfba15546081971e2
Instruction Fuzzy Hash: C6118E72204A8182E7229F26F84039EA3B0FB8CBC4F554125FF59977A9DF7CC8458704

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400546F4, Relevance: 6.0, APIs: 4, Instructions: 46keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32 ref: 000000014005471F
GetKeyboardLayout.USER32 ref: 0000000140054749
MapVirtualKeyW.USER32 ref: 0000000140054756
ToUnicodeEx.USER32 ref: 000000014005477B

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Keyboard$LayoutStateUnicodeVirtual
String ID:
API String ID: 961187839-0
Opcode ID: 8bd2d8649b9c5449fed3ef95baed46a2f8a3ce4b9ed12af5f952f4b8f4ba507d
Instruction ID: b9fe27098bcd61d36b32acd2a8910d1dfeca60529b9c01e97095eff08c734710
Opcode Fuzzy Hash: 8bd2d8649b9c5449fed3ef95baed46a2f8a3ce4b9ed12af5f952f4b8f4ba507d
Instruction Fuzzy Hash: A5119132204A8483E721EB22F8557CEB3A5FBCCB84F454126EB4947B69DF78C905CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140056754, Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 00000001400567A1
DestroyWindow.USER32 ref: 00000001400567B6
IsWindow.USER32 ref: 00000001400567DA
DestroyWindow.USER32 ref: 00000001400567EB

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$Destroy
String ID:
API String ID: 3707531092-0
Opcode ID: 7e3fccc88713cf03c25499a5e80ee2794260d7a0d8f71c220c66f8c78f652980
Instruction ID: c8ad90ed63ba0b4df14b5bd0519060aa2e2fed85cb328e23cbaa0eb99cb1ea1b
Opcode Fuzzy Hash: 7e3fccc88713cf03c25499a5e80ee2794260d7a0d8f71c220c66f8c78f652980
Instruction Fuzzy Hash: 39115132605A9882FB96DB33E4943E963A0E78CFD4F184125EF494B3B4DF35C8958740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400582E8, Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 0000000140058314
GetWindowRect.USER32 ref: 000000014005832D
WindowFromPoint.USER32 ref: 0000000140058338
PtInRect.USER32 ref: 0000000140058353

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: RectWindow$CursorFromPoint
String ID:
API String ID: 3445796726-0
Opcode ID: 10153566e4fc346b72a37bed28b6bb0d608666cb4fead96d89931db1d567ec85
Instruction ID: ede703bdce7187f548d9b000ee13a91aaa00aaa03ea6d24defc984ea8f2d32cd
Opcode Fuzzy Hash: 10153566e4fc346b72a37bed28b6bb0d608666cb4fead96d89931db1d567ec85
Instruction Fuzzy Hash: 6711E372714B4182EB218B16F49439AA3A0F78CBE4F890125EF9E47B68CE79C9958740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140008858, Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32 ref: 000000014000888E
LoadResource.KERNEL32 ref: 000000014000889A
LockResource.KERNEL32 ref: 00000001400088AB
FreeResource.KERNEL32 ref: 00000001400088CA

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: cf4f7b5bff23c6c0a29bbf147086021159a35d0cd25b135f94f0c99038b9e39c
Instruction ID: 764a702cc22084be9f6a1ab4f367d170437043bb7e3533d8be13a29d0baccd1a
Opcode Fuzzy Hash: cf4f7b5bff23c6c0a29bbf147086021159a35d0cd25b135f94f0c99038b9e39c
Instruction Fuzzy Hash: 67012875701A8086EA15EB53B888B9AA2A4FB8DFD0F884024EF5907725DF38D4858704

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006E3A0, Relevance: 6.0, APIs: 4, Instructions: 42windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 000000014006E3E7
GetSystemMetrics.USER32 ref: 000000014006E3FA
GetSystemMetrics.USER32 ref: 000000014006E409
SendMessageW.USER32 ref: 000000014006E428

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: MetricsSystem$ClientMessageRectSend
String ID:
API String ID: 2251314529-0
Opcode ID: d215b50d166d05b074f6fe2c685dede19b75f7c6749f3706df48cb33f954c0db
Instruction ID: 35de632cf7cf693fc7487639788797f27e2fd394660016ad2790a5f4bb9c49dc
Opcode Fuzzy Hash: d215b50d166d05b074f6fe2c685dede19b75f7c6749f3706df48cb33f954c0db
Instruction Fuzzy Hash: 6D113C36321B8086EB55CF76E8987AD63E1F78CB94F540525EB4D87B64DF39C8518700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000874F, Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

EnableWindow.USER32 ref: 0000000140008798
GetActiveWindow.USER32 ref: 00000001400087A3
SetActiveWindow.USER32 ref: 00000001400087B2
FreeResource.KERNEL32 ref: 00000001400087D9

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$Active$EnableFreeResource
String ID:
API String ID: 3751187028-0
Opcode ID: 1c36c1af632904f5bf6f9d058f196377e9808f11323857d2219f93a020807413
Instruction ID: 376830780768e43b0ee19afb4bca16b7013c0b5e4558e967d95fc6d5acc670b6
Opcode Fuzzy Hash: 1c36c1af632904f5bf6f9d058f196377e9808f11323857d2219f93a020807413
Instruction Fuzzy Hash: 3D015E76309690C2E66ADB13F5443EE6361F788FE5F144011DF4A17BA8CF78C4968701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140030127, Relevance: 6.0, APIs: 4, Instructions: 35windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 000000014003018C
GetFocus.USER32 ref: 0000000140030196

Part of subcall function 000000014002F51C: IsWindow.USER32 ref: 000000014002F53E
Part of subcall function 000000014002F51C: GetParent.USER32 ref: 000000014002F561

IsWindow.USER32 ref: 00000001400301B4
GetFocus.USER32 ref: 00000001400301BE

Part of subcall function 000000014002F7A4: IsChild.USER32 ref: 000000014002F7D4
Part of subcall function 000000014002F7A4: GetWindowLongW.USER32 ref: 000000014002F7F0

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$Focus$ChildLongParent
String ID:
API String ID: 1766597969-0
Opcode ID: 8ec277104b861f6336c8545de777ac1cd94ed74cdb2bd657804e936d1be81290
Instruction ID: 68d62abb1cd8adddd61b500fdad37869b0110380687c8b814730f58501cfbdb4
Opcode Fuzzy Hash: 8ec277104b861f6336c8545de777ac1cd94ed74cdb2bd657804e936d1be81290
Instruction Fuzzy Hash: F9F0677630159081EA43EB27B8143EF53A0AB89FD8F000025FF0AAB7B5DF39C8868700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001818C, Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

GetWindowExtEx.GDI32 ref: 00000001400181A5
GetViewportExtEx.GDI32 ref: 00000001400181B4
MulDiv.KERNEL32 ref: 00000001400181D5
MulDiv.KERNEL32 ref: 00000001400181F9

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ViewportWindow
String ID:
API String ID: 1589084482-0
Opcode ID: f1a6376054522a90fad5e1642366a1c6d638f88539e2980b53b1c68b7cbae6a5
Instruction ID: c0f50f9f7747a5546a1342e21d05db9b0749f491389eed6adc8809ec63942758
Opcode Fuzzy Hash: f1a6376054522a90fad5e1642366a1c6d638f88539e2980b53b1c68b7cbae6a5
Instruction Fuzzy Hash: 8901563671464087D7499F22F585B9D73A1F78CF80F04A425EB564B76ADF78E850CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140018210, Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

GetWindowExtEx.GDI32 ref: 0000000140018229
GetViewportExtEx.GDI32 ref: 0000000140018238
MulDiv.KERNEL32 ref: 0000000140018259
MulDiv.KERNEL32 ref: 000000014001827D

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ViewportWindow
String ID:
API String ID: 1589084482-0
Opcode ID: 4233740e7a229c712e9de7a8e5ae3100e6dfee7f8262d3d8249565cd6602f505
Instruction ID: 8b43417006aa83a30a308e0695605c519ade9b74f46d1f506a707a172f1a79ce
Opcode Fuzzy Hash: 4233740e7a229c712e9de7a8e5ae3100e6dfee7f8262d3d8249565cd6602f505
Instruction Fuzzy Hash: DD01563671464087D7499F22F585B9D73A1F78CF80F04A425EB564B76ADF78E850CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140010AF8, Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0000000140010B21
GetWindowLongW.USER32 ref: 0000000140010B45
GetParent.USER32 ref: 0000000140010B54
GetWindow.USER32 ref: 0000000140010B61

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ParentWindow$Long
String ID:
API String ID: 941798831-0
Opcode ID: f95b1e39dab2fb8baa1bcbe7e8049c4e91195b78cc1c559ee1eff881f24b87d8
Instruction ID: c4302c74b9bb1671d59a62dbc30655a14a42426cec277c3e3aad306b4e6bac5a
Opcode Fuzzy Hash: f95b1e39dab2fb8baa1bcbe7e8049c4e91195b78cc1c559ee1eff881f24b87d8
Instruction Fuzzy Hash: 39F04F3021568082FE569B67B5943F91261BB8DFC8F584524FF5A0B7B1DF7AC4458300

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001A248, Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32 ref: 000000014001A27C
GlobalHandle.KERNEL32 ref: 000000014001A28B
GlobalUnlock.KERNEL32 ref: 000000014001A297
GlobalFree.KERNEL32 ref: 000000014001A2A0

Part of subcall function 0000000140019FC0: EnterCriticalSection.KERNEL32(?,?,?,000000014001A114), ref: 000000014001A051
Part of subcall function 0000000140019FC0: LeaveCriticalSection.KERNEL32(?,?,?,000000014001A114), ref: 000000014001A069
Part of subcall function 0000000140019FC0: LocalFree.KERNEL32(?,?,?,000000014001A114), ref: 000000014001A073
Part of subcall function 0000000140019FC0: TlsSetValue.KERNEL32(?,?,?,000000014001A114), ref: 000000014001A08D

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: FreeGlobal$CriticalSection$EnterHandleLeaveLocalUnlockValue
String ID:
API String ID: 1402163063-0
Opcode ID: dd6e1ec4871820f50bd11fd4a3c7611ef3bea5384fd6bec459db80401bb41f5e
Instruction ID: 276c8925a9c1ca5ecccfc33257f7d2adadf0ed83952fc752731aef1c639f0003
Opcode Fuzzy Hash: dd6e1ec4871820f50bd11fd4a3c7611ef3bea5384fd6bec459db80401bb41f5e
Instruction Fuzzy Hash: EBF03175301A41C2EE5A9F67D5947A86360FB4EFE4F189220EF190BAB4DF3AC4A5C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140062630, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 00000001400626BF

Strings

%sDockingManager-%d, xrefs: 00000001400626B3
DockingPaneAndPaneDividers, xrefs: 000000014006289C

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: %sDockingManager-%d$DockingPaneAndPaneDividers
API String ID: 2941638530-4068244756
Opcode ID: a887b6f1ec2b6ba9bbce977d3b293f2084c4cab05d13cd9a71a6769cab208267
Instruction ID: 78d5bc1c6fecc97af53dad2c265614951b0f194c4270ce5bbe8daa04abb8a786
Opcode Fuzzy Hash: a887b6f1ec2b6ba9bbce977d3b293f2084c4cab05d13cd9a71a6769cab208267
Instruction Fuzzy Hash: 91B18972305E8582EB529B27D840BDE63A1FB88FE4F588612EB5E477A5DF78C845C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003ADB4, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 180COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 0000000140097111

Strings

%sMDIClientArea-%d, xrefs: 0000000140097105
MDITabsState, xrefs: 00000001400971B7

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: %sMDIClientArea-%d$MDITabsState
API String ID: 2941638530-353449602
Opcode ID: 9f81c94cdbdc1cddb183256aa76af593ac41d2ae5150b198774a464ce62df1f3
Instruction ID: 951e0782919e065530def80e6d515ea5f87c7d052f100eaecbb0789b04f9cdf6
Opcode Fuzzy Hash: 9f81c94cdbdc1cddb183256aa76af593ac41d2ae5150b198774a464ce62df1f3
Instruction Fuzzy Hash: EC718E73305A8582EB51DF6AD8407DE63A0FB89BE4F448226EB6E437A5DF78C845C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140032970, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

Invalid DateTime, xrefs: 0000000140032A47, 0000000140032B17

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID:
String ID: Invalid DateTime
API String ID: 0-2190634649
Opcode ID: 3c46746fe081b0d7ec18927fb0276fe3bd7aca99264ca6547aefb728f5741523
Instruction ID: 108bcf822f121695faf7da809e5d8cdeee6103e6412d0e836bac40c3be00cfac
Opcode Fuzzy Hash: 3c46746fe081b0d7ec18927fb0276fe3bd7aca99264ca6547aefb728f5741523
Instruction Fuzzy Hash: 9F617C72701A4582EB069F3AC8553ED63A4EB89BE4F444616EB2D877F5DF34C845C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006E19C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014006E283
GetClientRect.USER32 ref: 000000014006E307

Strings

..., xrefs: 000000014006E2B3

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ClientMessageRectSend
String ID: ...
API String ID: 166717107-440645147
Opcode ID: d4bdce2c576edad744f89eee4f6425c6bdf1ea4c5b1792d02d804f2119c7f4b7
Instruction ID: 4eb366190c89ed588adf0fa9326515aff52a3ba1acae57ccf844b02b09be6f84
Opcode Fuzzy Hash: d4bdce2c576edad744f89eee4f6425c6bdf1ea4c5b1792d02d804f2119c7f4b7
Instruction Fuzzy Hash: EC519C72B10A808AFB16DF62D8447EC33B1F748BD9F284921EF091BAA9CF79C5418740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140036DD8, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400368D4: GetModuleHandleW.KERNEL32 ref: 000000014003696E
Part of subcall function 00000001400368D4: GetProcAddress.KERNEL32 ref: 0000000140036983

GetWindowRect.USER32 ref: 0000000140036E5B
SetWindowRgn.USER32 ref: 0000000140036EAE

Strings

, xrefs: 0000000140036E7F

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Window$AddressHandleModuleProcRect
String ID:
API String ID: 171783891-3916222277
Opcode ID: 4224f591b619f5522c02b2ada9777c58b73b6798dbad2b092dc2b7ce6f7e7411
Instruction ID: 3388f79e16974cb93c2fb808fcf7a9b4cf5be1a33a2d4f03a13bed05aeb0d6a3
Opcode Fuzzy Hash: 4224f591b619f5522c02b2ada9777c58b73b6798dbad2b092dc2b7ce6f7e7411
Instruction Fuzzy Hash: 70518B77B006509AEB6ADF76D6857EE77A0B748BC8F04803AEF19437A4DB308961C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140048E6C, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 0000000140048EDA

Strings

LargeIcons, xrefs: 0000000140048F6E
%sMFCToolBarParameters, xrefs: 0000000140048ECF

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: %sMFCToolBarParameters$LargeIcons
API String ID: 2941638530-2076908790
Opcode ID: 9281a9f877f833decaaba8650c6533cdb6bad99ab1982595b487b906859da0cc
Instruction ID: 43067373c04678a4e8ffd53e4523f98308d98c0e037da1a7e603470c5cdfa008
Opcode Fuzzy Hash: 9281a9f877f833decaaba8650c6533cdb6bad99ab1982595b487b906859da0cc
Instruction Fuzzy Hash: 58413F72701B4586EB109F6AC84139D23A1FB89FE4F458626EB2D477E4DF78C859C380

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007CD9C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 000000014007CE2F
GetObjectW.GDI32 ref: 000000014007CE4E

Strings

..., xrefs: 000000014007CDA7

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ImageLoadObject
String ID: ...
API String ID: 2222342736-440645147
Opcode ID: d2b9bd03d4a6b1cc750da8bb2915e9f4b749280383c30a05838e29d0ff184b3a
Instruction ID: b2a03226115ff42bfd9d1e2c4f75c54bde34a7805842650ba1122f69e8cf37c8
Opcode Fuzzy Hash: d2b9bd03d4a6b1cc750da8bb2915e9f4b749280383c30a05838e29d0ff184b3a
Instruction Fuzzy Hash: F2417E316216408AF7629F17E458BE977A0E78CBD0F58412ABF4907BA6CB7DC981CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140058FEC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 000000014005902C
RedrawWindow.USER32 ref: 0000000140059106

Strings

4, xrefs: 00000001400590D8

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ClientRectRedrawWindow
String ID: 4
API String ID: 804678526-4088798008
Opcode ID: 8d8c82c884f6fd6e8bf8ee87f9ddb636cc5a3782340417cc018095684ce0d862
Instruction ID: c5ba25a6e5e48e425a5f8283f5e68a144551032364a3a10d7f43cea7d130cc56
Opcode Fuzzy Hash: 8d8c82c884f6fd6e8bf8ee87f9ddb636cc5a3782340417cc018095684ce0d862
Instruction Fuzzy Hash: 9D415877B20A508BEB15CFA2D4447AD77B0F348B99F044519EF0927B68CB39DA41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140154E5C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000140154E9D
_invalid_parameter_noinfo.LIBCMT ref: 0000000140154EA8

Strings

B, xrefs: 0000000140154EBF

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: 78fccfdf3987baf5ddf8a193f0c0de328958b8306ad374332a593ca43157bee0
Instruction ID: ac3d1466f36f06a72cb67af36c5efc75dda74a52d98cf7aa8f991f15a7da8ea4
Opcode Fuzzy Hash: 78fccfdf3987baf5ddf8a193f0c0de328958b8306ad374332a593ca43157bee0
Instruction Fuzzy Hash: 81314C326206608AE712DF7AA4417DD37B4B70CBACF584216EF295BBA8DB36C441C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003C48C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 000000014003C575

Strings

USER32.DLL, xrefs: 000000014003C55A
ChangeWindowMessageFilter, xrefs: 000000014003C56B

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: AddressProc
String ID: ChangeWindowMessageFilter$USER32.DLL
API String ID: 190572456-4180284649
Opcode ID: caadbce5c8d138f9b031c56de317b961b5cdf90db199e332c6ea5091d339f98c
Instruction ID: 4e939c7e9f3b149310225624c38fd79018fd9301bbadb258e33577de10baabfb
Opcode Fuzzy Hash: caadbce5c8d138f9b031c56de317b961b5cdf90db199e332c6ea5091d339f98c
Instruction Fuzzy Hash: 6C215C32611B4182EB029B26E8443DD63A8FB89FD8F484135EF584B7F9DF78D5518710

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004E91C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140018580: GetWindowDC.USER32 ref: 00000001400185BF

GetWindowRect.USER32 ref: 000000014004E966
InflateRect.USER32 ref: 000000014004E9BF

Strings

iii, xrefs: 000000014004E9A9

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: RectWindow$Inflate
String ID: iii
API String ID: 1974394720-940974255
Opcode ID: 96105a936e80882ab6a0782b12329dcbe2b81ea0b0b26020159e19943890d067
Instruction ID: 65a283b63c8b73a494c8e7250a4ba8725c97c6b3fd327865c920f2f1c6175f4e
Opcode Fuzzy Hash: 96105a936e80882ab6a0782b12329dcbe2b81ea0b0b26020159e19943890d067
Instruction Fuzzy Hash: 05211932B20A108EFB11DBB6D8457EC3370F748BA9F444615DF1967AE9DB788A45CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007E008, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 000000014007E09C

Strings

iii, xrefs: 000000014007E081
, xrefs: 000000014007E0B4

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: InflateRect
String ID: iii$
API String ID: 2073123975-462628325
Opcode ID: ffbbacdef9e2007305f611a8569b8fe673a6724e6825943937723462f1d9d177
Instruction ID: d1406657105f7a920805b8a102d1da97ccba27b09cfdd750d1d258459b78df59
Opcode Fuzzy Hash: ffbbacdef9e2007305f611a8569b8fe673a6724e6825943937723462f1d9d177
Instruction Fuzzy Hash: C0214D3265079086E7269B23A808BD9B7A1F78DFD4F084115AF4407BA5CBBCD984CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400C0440, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52registryclipboardCOMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 00000001400C04AB
RegisterClipboardFormatW.USER32 ref: 00000001400C04B8

Strings

ToolbarButton%p, xrefs: 00000001400C049F

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ClipboardFormatRegister_cwprintf_s_l
String ID: ToolbarButton%p
API String ID: 1862559383-899657487
Opcode ID: c2f9855a5087b680bee059b4147f1ceacf934613c7a925915be9a5d84af85b89
Instruction ID: 2ee2c786afe8733bf58ff97afa03b2e4717f0a6e9336f261c9877c69b0763537
Opcode Fuzzy Hash: c2f9855a5087b680bee059b4147f1ceacf934613c7a925915be9a5d84af85b89
Instruction Fuzzy Hash: 5C1160B5244B4182EA1ADB2AE4047AA7360F789BF1F584716EB69436F5DF78C841C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007AFDC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyState.USER32 ref: 000000014007B00C

Part of subcall function 00000001400798A4: SendMessageW.USER32 ref: 0000000140079904
Part of subcall function 00000001400798A4: MessageBeep.USER32 ref: 00000001400799B2

SendMessageW.USER32 ref: 000000014007B052

Strings

., xrefs: 000000014007B028

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: Message$Send$BeepState
String ID: .
API String ID: 4005977132-248832578
Opcode ID: 47d589e7002637ad271a30cb3b833af3de7fc1feb1c344688effc0efc51bab2a
Instruction ID: b5b43ef87fca550ccf51365e88df5427313b2c18efa9e611dd1bfa748613b494
Opcode Fuzzy Hash: 47d589e7002637ad271a30cb3b833af3de7fc1feb1c344688effc0efc51bab2a
Instruction Fuzzy Hash: E1115E3530469082EA219B13A5447EEA761F789BC4F544415FF8417BA6CF3ED4858B81

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004C208, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 000000014004C247
InflateRect.USER32 ref: 000000014004C287

Strings

iii, xrefs: 000000014004C22B, 000000014004C264

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: InflateRect
String ID: iii
API String ID: 2073123975-940974255
Opcode ID: 69e2fbceedbdefc726a71d4b685647f81a83be0ce8473e5eae13d9c2e53dbddd
Instruction ID: 16c1fe7495fc4071c9708b119cff16cbb90ccb0d34aac02819ab19261da9e8c3
Opcode Fuzzy Hash: 69e2fbceedbdefc726a71d4b685647f81a83be0ce8473e5eae13d9c2e53dbddd
Instruction Fuzzy Hash: 6A11183136065086E7269B2BAB4CF98B721E74AFF4F008310AE1517FF5CBBC99428B40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140154E44, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000140154DED
_invalid_parameter_noinfo.LIBCMT ref: 0000000140154DF8

Strings

B, xrefs: 0000000140154E24

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: 5ee74ecee0c85cfc562377a45ab9270d097f475a80928ad70fdd4bf629d26977
Instruction ID: fb3500b40b852f48f0804901936c24314aa7a72bf73ee0480f3e810eb2782f8c
Opcode Fuzzy Hash: 5ee74ecee0c85cfc562377a45ab9270d097f475a80928ad70fdd4bf629d26977
Instruction Fuzzy Hash: 46118B72624A5086EB11DF12E4413DAB6A1F798FE8F584320AF680BBA5DF39C140CA00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014009D010, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400673F8: SetRectEmpty.USER32 ref: 00000001400674E5

SetRectEmpty.USER32 ref: 000000014009D09A
SetRectEmpty.USER32 ref: 000000014009D0A7

Strings

, xrefs: 000000014009D074

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-3916222277
Opcode ID: 0dbf5ffb0a476053056d58d485493f77be2fb5fadf171f8168b9a4b3c10e185d
Instruction ID: f3be50a078f7ed53aeea1469e1a2339a8aa2315aba04f1b75b7f629806412791
Opcode Fuzzy Hash: 0dbf5ffb0a476053056d58d485493f77be2fb5fadf171f8168b9a4b3c10e185d
Instruction Fuzzy Hash: C8216A3A110BC589D7719F22BD887CA37A8F348B4CF544219DE991BB29CF35D2A9E704

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001EB28, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 000000014001EB8E

Part of subcall function 0000000140003484: ActivateActCtx.KERNEL32 ref: 00000001400034AD

Strings

SHCreateItemFromParsingName, xrefs: 000000014001EB84
Shell32.dll, xrefs: 000000014001EB5D

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: ActivateAddressProc
String ID: SHCreateItemFromParsingName$Shell32.dll
API String ID: 557703559-214508289
Opcode ID: bfbd695a7d2dc2981de186b415aa0603c33800aa99841ef43f63d490a7a9a05c
Instruction ID: b425089b0913de602d021447131537bc00d14d89ef3db6b65e3cc31c7eb7a23d
Opcode Fuzzy Hash: bfbd695a7d2dc2981de186b415aa0603c33800aa99841ef43f63d490a7a9a05c
Instruction Fuzzy Hash: 04017131A0478081EA12CB17B8847DA63A4B79DBE4F544625EF6A5BBF4DF39C5418740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001E158, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetMonitorInfoW.USER32 ref: 000000014001E17D
CopyRect.USER32 ref: 000000014001E191

Strings

(, xrefs: 000000014001E175

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: CopyInfoMonitorRect
String ID: (
API String ID: 2119610155-3887548279
Opcode ID: 029c27c7e513445eed0adac94b604619e5c50e873f80d25da9d86fba1a5c35c8
Instruction ID: bd8afc6862c5834f01f4aebfcc438d9c85e1ccbc7d723e21edb15653615bee46
Opcode Fuzzy Hash: 029c27c7e513445eed0adac94b604619e5c50e873f80d25da9d86fba1a5c35c8
Instruction Fuzzy Hash: 8211CE72604684CBD760DF35E484749B7E0FB8CB59F448025EA498B628DB38D984CF10

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004C0C4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 000000014004C0F7
InflateRect.USER32 ref: 000000014004C120

Strings

iii, xrefs: 000000014004C0D8

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: InflateRect
String ID: iii
API String ID: 2073123975-940974255
Opcode ID: 2f8c4151ac21f4292d0dd1577f05b9012d8246df6b7596e37b4c93be2892bf07
Instruction ID: 219a6b7fa8ee2ad49d2264cec3d63c9fcae4b1e234ed401648fe45beca048a1d
Opcode Fuzzy Hash: 2f8c4151ac21f4292d0dd1577f05b9012d8246df6b7596e37b4c93be2892bf07
Instruction Fuzzy Hash: 9CF04F3535065086EB269B27AF4CF98A622D75EFF4F0492115E1607FF6CE3C89404B00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004C848, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 000000014004C87A

Strings

iii, xrefs: 000000014004C852
, xrefs: 000000014004C85C

Memory Dump Source

Source File: 00000000.00000002.687065278.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.687060971.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687245592.000000014017B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687311300.0000000140204000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687427501.00000001402ED000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.687432936.00000001402F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.687447370.0000000140304000.00000010.00020000.sdmp Download File
Associated: 00000000.00000002.687452058.0000000140305000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_#U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.jbxd

Similarity

API ID: InflateRect
String ID: iii$
API String ID: 2073123975-462628325
Opcode ID: 4e2ef95258d7d0c302a41dfe226fb78c9898578340c9aa83e7553c8051c9694f
Instruction ID: 9212dd924c7ce1b9418d020b96f8f5940149e14e6cbff3288163add10698ecf8
Opcode Fuzzy Hash: 4e2ef95258d7d0c302a41dfe226fb78c9898578340c9aa83e7553c8051c9694f
Instruction Fuzzy Hash: 75E06D3435064086E6268B33AE8CF94F622EB5DFF4F149225AE1107BF4CA7CD9404B40

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report #U5e74#U7ec8#U63d0#U6210#U5206#U7ea2#U6838#U5bf9#U8868@i4.bat

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Dropped Files

Sigma Overview

Signature Overview

AV Detection:

Privilege Escalation:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

HTTP Request Dependency Graph

HTTP Packets

Function 00000001800090C0, Relevance: 83.1, APIs: 19, Strings: 28, Instructions: 864
filesleepCOMMON

Function 000000014002007C, Relevance: 51.4, APIs: 34, Instructions: 370
stringCOMMON

Function 00000001400206A8, Relevance: 40.4, APIs: 11, Strings: 12, Instructions: 185
libraryloaderCOMMON

Function 0000000140001D04, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 136
networkCOMMON

Function 0000000180002D40, Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 228
sleepCOMMON

Function 00000001800088E0, Relevance: 12.1, APIs: 8, Instructions: 99
fileCOMMON

Function 000000014001F9A8, Relevance: 63.3, APIs: 42, Instructions: 305
COMMON

Function 000000014000DD34, Relevance: 24.2, APIs: 16, Instructions: 169
windowCOMMON

Function 00000001800078D0, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 220
filetimeCOMMON

Function 0000000140001FB0, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 154
windowCOMMON

Function 0000000140008560, Relevance: 15.2, APIs: 10, Instructions: 158
COMMON

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre