
Windows Analysis Report
SecuriteInfo.com.FileRepMalware.29184.31872.exe

Overview

General Information

Sample name: SecuriteInfo.com.FileRepMalware.29184.31872.exe
Analysis ID: 1483370
MD5: d19a5ac8132e4040179f12eb9366d3b3
SHA1: 62f90ee5a169215995ac39ee1e9dd18791f9dffa
SHA256: 2ddec5cb7c8ac3965bf411207a223a485cb5811bc3d730237a956223860635f6
Tags: exe

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Clears Internet Explorer cache and cookies (likely to cover tracks)
Machine Learning detection for sample
PE file has nameless sections
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SecuriteInfo.com.FileRepMalware.29184.31872.exe (PID: 1936 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe" MD5: D19A5AC8132E4040179F12EB9366D3B3)
    • rundll32.exe (PID: 1880 cmdline: RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255 MD5: 889B99C52A60DD49227C5E485A016679)
      • iexplore.exe (PID: 4328 cmdline: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -ResetDestinationList MD5: 6F0F06D6AB125A99E43335427066A4A1)
      • rundll32.exe (PID: 572 cmdline: C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:255 WinX:0 WinY:0 IEFrame:00000000 MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched
Timestamp: 2024-07-27T04:24:24.545034+0200
SID: 2022930
Source Port: 443
Destination Port: 49716
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-07-27T04:25:02.068281+0200
SID: 2022930
Source Port: 443
Destination Port: 49722
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-07-27T04:24:08.716828+0200
SID: 2830033
Source Port: 49710
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe | Avira: detected
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe | ReversingLabs: Detection: 55%
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe | Virustotal: Detection: 47%
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe | Joe Sandbox ML: detected
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 8.219.190.98:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 8.219.190.98:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Microsoft
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\History\desktop.ini
Source: Joe Sandbox View | IP Address: 103.235.46.96
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /front/login HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    Cache-Control: no-cache
    Host: www.lofter.com
    Connection: Keep-Alive
    Cookie: firstentry=%2Fpost.do%3FloftBlogName%3Ddnfex%26loftPostUrl%3D30905118_1c5d041cf%26|; usertrack=CpiybmakWkon69EmwDmKAg==
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: test
    Host: www.baidu.com
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /post/30905118_1c5d041cf HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    Host: dnfex.lofter.com
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /post/30905118_1c5d041cf HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    Host: dnfex.lofter.com
    Cache-Control: no-cache
    Cookie: NTESwebSI=430CB13F032D94B6ECF6B1785E3B439E.lofter-webapp-web-old-docker-lftpro-3-3nhsm-6bbi5-5456f799lrx6f-8080; firstentry=%2Fpost.do%3FloftBlogName%3Ddnfex%26loftPostUrl%3D30905118_1c5d041cf%26|; usertrack=CpiybmakWkon69EmwDmKAg==
Source: rundll32.exe, 00000005.00000003.2508950501.0000000002F34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2508672072.0000000002F34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2510665570.0000000002F34000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: URLhttp://www.facebook.com/ equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000005.00000003.2509991068.0000000002F46000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2509267494.0000000002F46000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2510072486.0000000002F4A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: URLhttp://www.twitter.com/ equals www.twitter.com (Twitter)
Source: rundll32.exe, 00000005.00000003.2509991068.0000000002F46000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2509267494.0000000002F46000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2510072486.0000000002F4A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: URLhttp://www.youtube.com/ equals www.youtube.com (Youtube)
Source: rundll32.exe, 00000005.00000003.2508950501.0000000002F34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2508672072.0000000002F34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2510665570.0000000002F34000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000005.00000003.2509991068.0000000002F46000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2509267494.0000000002F46000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2510072486.0000000002F4A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.twitter.com/ equals www.twitter.com (Twitter)
Source: rundll32.exe, 00000005.00000003.2509991068.0000000002F46000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2509267494.0000000002F46000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2510072486.0000000002F4A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.youtube.com/ equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: www.baidu.com
Source: global traffic | DNS traffic detected: DNS query: dnfex.lofter.com
Source: global traffic | DNS traffic detected: DNS query: www.lofter.com
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450811088.00000000008D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000839000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000866000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000866000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2543064481.00000000008D9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000840000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542121751.000000000083F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542049865.00000000008D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.cn/GeoTrustRSACNCAG2.crt0
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450811088.00000000008D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000839000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000866000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000866000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2543064481.00000000008D9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000872000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000840000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542121751.000000000083F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542049865.00000000008D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.digicert.cn/DigiCertGlobalRootCA.crl0
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450811088.00000000008D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000839000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2543064481.00000000008D9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000840000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542121751.000000000083F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542049865.00000000008D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.digicert.cn/GeoTrustRSACNCAG2.crl0q
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2543339642.0000000002744000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542121751.000000000083F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://dnfex.lofter.com/post/30905118_1c5d041cf
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542049865.00000000008D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.cn0
Source: rundll32.exe, 00000009.00000002.2505814572.000000000348A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.amazon.com/
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542351661.00000000006A4000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.baidu.com
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000866000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000866000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.baidu.com/
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542351661.00000000006A4000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.baidu.comtest
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450811088.00000000008D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000839000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000866000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000866000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2543064481.00000000008D9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000840000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542121751.000000000083F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542049865.00000000008D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: rundll32.exe, 00000009.00000002.2505814572.000000000348A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/
Source: rundll32.exe, 00000009.00000002.2505814572.000000000348A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.live.com/
Source: rundll32.exe, 00000009.00000002.2505814572.000000000348A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.nytimes.com/
Source: rundll32.exe, 00000009.00000002.2505814572.000000000348A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.reddit.com/
Source: rundll32.exe, 00000009.00000002.2505814572.000000000348A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.twitter.com/
Source: rundll32.exe, 00000009.00000002.2505814572.000000000348A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.wikipedia.com/
Source: rundll32.exe, 00000009.00000002.2505814572.000000000348A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.youtube.com/
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.000000000089A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000879000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542049865.00000000008D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lofter.lf127.net/1667220634500/core-js-stable.3.6.5.mini.js
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.000000000089A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000879000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542049865.00000000008D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lofter.lf127.net/1671501343058/sha256.min.js
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.000000000089A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000879000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542049865.00000000008D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lofter.lf127.net/1689134055346/captcha.js
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.000000000089A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000879000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542049865.00000000008D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lofter.lf127.net/webpack/lofter-client-account/src/applications/login/pc.361cf238fde1df7564a
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450811088.00000000008D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542083550.0000000000897000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2543381316.0000000002758000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2543030975.0000000000898000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181220905.000000000089A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.000000000089A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181278421.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000894000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lofter.lf127.net/webpack/lofter-client-account/src/applications/login/pc.c340e0032e06ca157c9
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.000000000089A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000879000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542049865.00000000008D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lofter.lf127.net/webpack/lofter-dll/dll_606a63b015f6fa133c2a.js
Source: rundll32.exe, 00000005.00000003.2510072486.0000000002F50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2509267494.0000000002F50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2510752660.0000000002F50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2508672072.0000000002F50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: rundll32.exe, 00000005.00000003.2509551645.0000000005ED6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2511159030.0000000005ED6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2508950501.0000000002F34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2508672072.0000000002F34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2510665570.0000000002F34000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: rundll32.exe, 00000005.00000003.2509551645.0000000005ED6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2510072486.0000000002F50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2509267494.0000000002F50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2511159030.0000000005ED6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2510752660.0000000002F50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2508672072.0000000002F50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
Source: rundll32.exe, 00000005.00000003.2510072486.0000000002F50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2509267494.0000000002F50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2510752660.0000000002F50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2508672072.0000000002F50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2kt
Source: rundll32.exe, 00000005.00000002.2511105403.0000000005ED1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: rundll32.exe, 00000005.00000002.2511105403.0000000005ED1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033Ri
Source: rundll32.exe, 00000005.00000002.2511159030.0000000005ED6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2510752660.0000000002F50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2508672072.0000000002F50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450811088.00000000008D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542083550.0000000000897000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2543381316.0000000002758000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000872000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2543030975.0000000000898000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181220905.000000000089A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.000000000089A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181278421.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000894000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://s6.music.126.net/puzzle/puzzle
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2543339642.0000000002744000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://shop366821780.taobao.com
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.000000000089A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000879000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542049865.00000000008D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://urswebzj.nosdn.127.net/webzj_cdn101/message.js
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450811088.00000000008D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000839000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000866000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000866000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2543064481.00000000008D9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000872000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000840000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542121751.000000000083F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542049865.00000000008D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450811088.00000000008D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000839000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000866000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000866000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2543064481.00000000008D9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000872000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000840000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542121751.000000000083F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542049865.00000000008D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.digicert.com/rpa-ua0
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000879000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000879000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000879000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.lofter.com/
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000879000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000879000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000879000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.lofter.com/at
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000839000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000840000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542121751.000000000083F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.lofter.com/front/login
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000839000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000840000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542121751.000000000083F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.lofter.com/front/login5&
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000839000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000840000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542121751.000000000083F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.lofter.com/front/loginK&
Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
Source: unknownHTTPS traffic detected: 8.219.190.98:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknownHTTPS traffic detected: 8.219.190.98:443 -> 192.168.2.6:49714 version: TLS 1.2

System Summary

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Process created: C:\Windows\SysWOW64\rundll32.exe RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:255 WinX:0 WinY:0 IEFrame:00000000
Source: bass.dll.0.dr | Static PE information: section name: (empty)
Source: bass.dll.0.dr | Static PE information: section name: (empty)
Source: bass.dll.0.dr | Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10007A30 GetPropA,NtdllDefWindowProc_A,CallWindowProcA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_1000DA90 GetPropA,NtdllDefWindowProc_A,CallWindowProcA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_1001C800 GetPropA,NtdllDefWindowProc_A,CallWindowProcA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10006010 IsWindowEnabled,SendMessageA,SendMessageA,GetWindowRect,IsRectEmpty,PtInRect,PtInRect,GetSystemMenu,GetMenuState,SendMessageA,NtdllDefWindowProc_A,PtInRect,IsIconic,PtInRect,IsZoomed,PtInRect,PtInRect,GetWindowRect
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_100098B0 GetPropA,NtdllDefWindowProc_A,KillTimer,IsWindowVisible,IsIconic,SetTimer
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_100048E0 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_1001D8E0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10005900 IsWindowEnabled,EnableWindow,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10005940 GetCursorPos,GetWindowRect,PtInRect,PtInRect,PtInRect,PtInRect,PtInRect,KillTimer,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10006210 IsWindowEnabled,SendMessageA,SendMessageA,SendMessageA,IsZoomed,SendMessageA,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_100062B0 IsWindowEnabled,SendMessageA,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10012AD0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10008310 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_1000D330 GetPropA,NtdllDefWindowProc_A,CallWindowProcA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_1001D330 GetPropA,NtdllDefWindowProc_A,CallWindowProcA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10009340 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA,CallWindowProcA,GetCursorPos,GetWindowRect,PtInRect,CallWindowProcA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10006350 GetPropA,NtdllDefWindowProc_A,CallWindowProcA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10020B70 GetPropA,NtdllDefWindowProc_A,CallWindowProcA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10021370 GetPropA,NtdllDefWindowProc_A,IsWindowVisible,ShowWindow,NtdllDefWindowProc_A,NtdllDefWindowProc_A,SendMessageA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_1000CBC0 GetPropA,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10004BD0 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_1000C3F0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA,CallWindowProcA,GetCursorPos,GetWindowRect,PtInRect,CallWindowProcA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10012BF0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_1000E440 GetPropA,NtdllDefWindowProc_A,CallWindowProcA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10008CB0 GetPropA,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_100214B0 GetPropA,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10004510 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10008D40 GetPropA,RemovePropA,CallWindowProcA,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_1000FD50 GetPropA,NtdllDefWindowProc_A,CallWindowProcA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_1001FD50 GetPropA,GetPropA,NtdllDefWindowProc_A,FindWindowExA,GetPropA,GetWindowRect
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10006560 GetPropA,NtdllDefWindowProc_A,CallWindowProcA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10013DA0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10011630 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,CallWindowProcA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10002E40 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10014EA0 GetPropA,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_1001FEA0 GetPropA,NtdllDefWindowProc_A,InvalidateRect,CallWindowProcA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10008710 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,GetParent
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_1000F750 GetPropA,NtdllDefWindowProc_A,CallWindowProcA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10014790 GetPropA,NtdllDefWindowProc_A,CallWindowProcA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_1001E7F0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10017540
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10003970
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10002250
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10028B99
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10017BA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_100293A1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_1000EDA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_1000B6E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: String function: 100260E2 appears 34 times
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe | Binary or memory string: OriginalFilename vs SecuriteInfo.com.FileRepMalware.29184.31872.exe
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542351661.0000000000401000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSkinH_EL.dll vs SecuriteInfo.com.FileRepMalware.29184.31872.exe
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSkinH_EL.dll vs SecuriteInfo.com.FileRepMalware.29184.31872.exe
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe | Static PE information: Section: LBXX ZLIB complexity 0.9996162551245066
Source: bass.dll.0.dr | Static PE information: Section: (nameless) ZLIB complexity 0.999292652027027
Source: classification engine | Classification label: mal76.evad.winEXE@7/8@3/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_1001B8F0 GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,FreeLibrary
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\ZYTS39GV.htm
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | File created: C:\Users\user\AppData\Local\Temp\bass.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Process created: C:\Windows\SysWOW64\rundll32.exe RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe | ReversingLabs: Detection: 55%
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe | Virustotal: Detection: 47%
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Process created: C:\Windows\SysWOW64\rundll32.exe RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -ResetDestinationList
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:255 WinX:0 WinY:0 IEFrame:00000000
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: avifil32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: dciman32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Windows\SysWOW64\rundll32.exe | File written: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\INetHistory\desktop.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Window detected: Number of UI elements: 14
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe | Static file information: File size 1700864 > 1048576
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe | Static PE information: Raw size of LBXX is bigger than: 0x100000 < 0x19ba00

Data Obfuscation

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Unpacked PE file: 0.2.SecuriteInfo.com.FileRepMalware.29184.31872.exe.400000.0.unpack LBXX:EW;LBXX:EW;.rsrc:W; vs LBXX:ER;LBXX:ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: LBXX
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe | Static PE information: section name: LBXX
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe | Static PE information: section name: LBXX
Source: bass.dll.0.dr | Static PE information: section name: (empty)
Source: bass.dll.0.dr | Static PE information: section name: (empty)
Source: bass.dll.0.dr | Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_0040A175 push es; ret 0_2_0040A1C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_0040AC02 push es; ret 0_2_0040AC00
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_00402CA7 push es; ret 0_2_00402CB1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_004056A9 push es; ret 0_2_004056A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_00401F89 push es; ret 0_2_00401F12
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10026100 push eax; ret 0_2_1002612E
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_100209F7 pushfd ; mov dword ptr [esp], edx 0_2_100209F9
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe | Static PE information: section name: LBXX entropy: 7.999859282550719
Source: bass.dll.0.dr | Static PE information: section name: (empty) entropy: 7.987642099223517
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | File created: C:\Users\user\AppData\Local\Temp\bass.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10021800 IsZoomed,SendMessageA,IsIconic,SendMessageA,SendMessageA,GetSystemMenu,GetMenuState,SendMessageA,SendMessageA,KillTimer,GetMenuItemID,SendMessageA,CallWindowProcA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10006010 IsWindowEnabled,SendMessageA,SendMessageA,GetWindowRect,IsRectEmpty,PtInRect,PtInRect,GetSystemMenu,GetMenuState,SendMessageA,NtdllDefWindowProc_A,PtInRect,IsIconic,PtInRect,IsZoomed,PtInRect,PtInRect,GetWindowRect
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10023070 IsWindowVisible,IsRectEmpty,IsRectEmpty,IsIconic,IsRectEmpty,IsRectEmpty,IsZoomed,IsRectEmpty,GetSystemMenu,GetMenuState,IsRectEmpty,SetBkMode,IsRectEmpty,IsRectEmpty,IsRectEmpty,IsIconic,IsRectEmpty,IsZoomed,IsRectEmpty
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_100098B0 GetPropA,NtdllDefWindowProc_A,KillTimer,IsWindowVisible,IsIconic,SetTimer
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10004E30 IsWindowVisible,GetWindowRect,CreateCompatibleDC,SelectObject,SelectObject,SetBkMode,SelectObject,SetTextColor,DrawIconEx,GetWindowTextA,DrawTextA,IsRectEmpty,IsIconic,IsRectEmpty,IsRectEmpty,IsZoomed,IsRectEmpty,GetSystemMenu,GetMenuState,IsRectEmpty,SetBkMode,SelectObject,DeleteDC,CreateCompatibleDC,SelectObject,DeleteObject
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10025780 IsIconic,IsZoomed,IsRectEmpty,IsWindowVisible
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Process information set: NOOPENFILEERRORBOX (5 identical entries)
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (58 identical entries)
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bass.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | API coverage: 4.4 %
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2732 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5448 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Microsoft
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\History\desktop.ini
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000879000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542810747.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000879000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000879000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000005.00000003.2510072486.0000000002F50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2509267494.0000000002F50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2510752660.0000000002F50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2508672072.0000000002F50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.2505814572.000000000348A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000879000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000879000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000879000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW*w6
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -ResetDestinationList
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe | Code function: 0_2_10019250 6E9E4BC0,GetVersion,0_2_10019250
MITRE ATT&CK Matrix, listed per tactic; the number in parentheses is the count of report signatures mapped to that technique, and techniques without a number had no match:

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Rundll32 (1); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Query Registry (1); Security Software Discovery (1); Virtualization/Sandbox Evasion (1); Application Window Discovery (1); File and Directory Discovery (3); System Information Discovery (2); Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (3); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Antivirus results for the sample (Source | Detection | Scanner | Label):
SecuriteInfo.com.FileRepMalware.29184.31872.exe | 55% | ReversingLabs | Win32.PUA.FlyStudio
SecuriteInfo.com.FileRepMalware.29184.31872.exe | 48% | Virustotal |
SecuriteInfo.com.FileRepMalware.29184.31872.exe | 100% | Avira | TR/Agent.fabix
SecuriteInfo.com.FileRepMalware.29184.31872.exe | 100% | Joe Sandbox ML |

Antivirus results for dropped files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Local\Temp\bass.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\bass.dll | 1% | Virustotal |
No Antivirus matches
Antivirus results for contacted domains (Source | Detection | Scanner | Label):
www.wshifen.com | 0% | Virustotal |
lofter-oversea-sg.ntes53.netease.com | 0% | Virustotal |
dnfex.lofter.com | 0% | Virustotal |
www.lofter.com | 0% | Virustotal |
www.baidu.com | 1% | Virustotal |

Antivirus results for URLs (Source | Detection | Scanner | Label):
http://www.youtube.com/ | 0% | URL Reputation | safe
http://cacerts.digicert.cn/GeoTrustRSACNCAG2.crt0 | 0% | Avira URL Cloud | safe
http://cacerts.digicert.cn/GeoTrustRSACNCAG2.crt0 | 1% | Virustotal |
http://www.baidu.com | 1% | Virustotal |
http://www.nytimes.com/ | 0% | Avira URL Cloud | safe
http://www.baidu.com | 0% | Avira URL Cloud | safe
https://lofter.lf127.net/1667220634500/core-js-stable.3.6.5.mini.js | 0% | Virustotal |
http://www.baidu.comtest | 0% | Avira URL Cloud | safe
http://ocsp.digicert.cn0 | 0% | Avira URL Cloud | safe
http://www.nytimes.com/ | 0% | Virustotal |
http://www.amazon.com/ | 0% | Avira URL Cloud | safe
https://lofter.lf127.net/1689134055346/captcha.js | 0% | Avira URL Cloud | safe
https://s6.music.126.net/puzzle/puzzle | 0% | Avira URL Cloud | safe
https://www.lofter.com/front/login5& | 0% | Avira URL Cloud | safe
https://lofter.lf127.net/1667220634500/core-js-stable.3.6.5.mini.js | 0% | Avira URL Cloud | safe
https://lofter.lf127.net/webpack/lofter-client-account/src/applications/login/pc.361cf238fde1df7564a | 0% | Avira URL Cloud | safe
http://crl.digicert.cn/DigiCertGlobalRootCA.crl0 | 0% | Avira URL Cloud | safe
https://www.lofter.com/front/loginK& | 0% | Avira URL Cloud | safe
http://www.amazon.com/ | 0% | Virustotal |
https://s6.music.126.net/puzzle/puzzle | 0% | Virustotal |
https://www.lofter.com/at | 0% | Avira URL Cloud | safe
http://www.twitter.com/ | 0% | Avira URL Cloud | safe
https://lofter.lf127.net/webpack/lofter-client-account/src/applications/login/pc.361cf238fde1df7564a | 0% | Virustotal |
https://lofter.lf127.net/1671501343058/sha256.min.js | 0% | Avira URL Cloud | safe
https://shop366821780.taobao.com | 0% | Avira URL Cloud | safe
http://crl.digicert.cn/DigiCertGlobalRootCA.crl0 | 0% | Virustotal |
https://www.lofter.com/front/login | 0% | Avira URL Cloud | safe
https://urswebzj.nosdn.127.net/webzj_cdn101/message.js | 0% | Avira URL Cloud | safe
http://www.twitter.com/ | 0% | Virustotal |
http://www.baidu.com/ | 0% | Avira URL Cloud | safe
https://lofter.lf127.net/1671501343058/sha256.min.js | 0% | Virustotal |
http://www.wikipedia.com/ | 0% | Avira URL Cloud | safe
https://shop366821780.taobao.com | 0% | Virustotal |
https://www.lofter.com/front/login | 0% | Virustotal |
https://www.lofter.com/ | 0% | Avira URL Cloud | safe
https://lofter.lf127.net/1689134055346/captcha.js | 0% | Virustotal |
http://www.live.com/ | 0% | Avira URL Cloud | safe
http://www.baidu.com/ | 1% | Virustotal |
https://urswebzj.nosdn.127.net/webzj_cdn101/message.js | 0% | Virustotal |
http://crl.digicert.cn/GeoTrustRSACNCAG2.crl0q | 0% | Avira URL Cloud | safe
http://www.wikipedia.com/ | 0% | Virustotal |
http://www.reddit.com/ | 0% | Avira URL Cloud | safe
https://www.lofter.com/ | 0% | Virustotal |
http://www.live.com/ | 0% | Virustotal |
https://lofter.lf127.net/webpack/lofter-dll/dll_606a63b015f6fa133c2a.js | 0% | Avira URL Cloud | safe
http://dnfex.lofter.com/post/30905118_1c5d041cf | 0% | Avira URL Cloud | safe
https://lofter.lf127.net/webpack/lofter-client-account/src/applications/login/pc.c340e0032e06ca157c9 | 0% | Avira URL Cloud | safe
http://www.reddit.com/ | 0% | Virustotal |
https://lofter.lf127.net/webpack/lofter-dll/dll_606a63b015f6fa133c2a.js | 0% | Virustotal |
http://www.google.com/ | 0% | Avira URL Cloud | safe
http://dnfex.lofter.com/post/30905118_1c5d041cf | 0% | Virustotal |
http://crl.digicert.cn/GeoTrustRSACNCAG2.crl0q | 0% | Virustotal |
https://lofter.lf127.net/webpack/lofter-client-account/src/applications/login/pc.c340e0032e06ca157c9 | 0% | Virustotal |
http://www.google.com/ | 0% | Virustotal |
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
www.wshifen.com | 103.235.46.96 | true | false | | unknown
lofter-oversea-sg.ntes53.netease.com | 8.219.190.98 | true | false | | unknown
dnfex.lofter.com | unknown | unknown | false | | unknown
www.baidu.com | unknown | unknown | false | | unknown
www.lofter.com | unknown | unknown | false | | unknown

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
https://www.lofter.com/front/login | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://www.baidu.com/ | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://dnfex.lofter.com/post/30905118_1c5d041cf | false | 0% Virustotal; Avira URL Cloud: safe | unknown
URLs found in memory and binary data (Name | Source | Malicious | Antivirus Detection | Reputation):
http://www.baidu.com | SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542351661.00000000006A4000.00000040.00000001.01000000.00000003.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://cacerts.digicert.cn/GeoTrustRSACNCAG2.crt0 | SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450811088.00000000008D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000839000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000866000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000866000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2543064481.00000000008D9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000840000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542121751.000000000083F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542049865.00000000008D7000.00000004.00000020.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://ocsp.digicert.cn0 | SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542049865.00000000008D7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.baidu.comtest | SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542351661.00000000006A4000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nytimes.com/ | rundll32.exe, 00000009.00000002.2505814572.000000000348A000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://lofter.lf127.net/1667220634500/core-js-stable.3.6.5.mini.js | SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.000000000089A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000879000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542049865.00000000008D7000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://www.lofter.com/front/login5& | SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000839000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000840000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542121751.000000000083F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://lofter.lf127.net/1689134055346/captcha.js | SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.000000000089A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000879000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542049865.00000000008D7000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://www.amazon.com/ | rundll32.exe, 00000009.00000002.2505814572.000000000348A000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://s6.music.126.net/puzzle/puzzle | SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450811088.00000000008D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542083550.0000000000897000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2543381316.0000000002758000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000872000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2543030975.0000000000898000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181220905.000000000089A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.000000000089A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181278421.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000894000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://lofter.lf127.net/webpack/lofter-client-account/src/applications/login/pc.361cf238fde1df7564a | SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.000000000089A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000879000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542049865.00000000008D7000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://crl.digicert.cn/DigiCertGlobalRootCA.crl0 | SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450811088.00000000008D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000839000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000866000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000866000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2543064481.00000000008D9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000872000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000840000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542121751.000000000083F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542049865.00000000008D7000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://www.lofter.com/front/loginK& | SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000839000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000840000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542121751.000000000083F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.lofter.com/at | SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000879000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000879000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000879000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.twitter.com/ | rundll32.exe, 00000009.00000002.2505814572.000000000348A000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://lofter.lf127.net/1671501343058/sha256.min.js | SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.000000000089A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000879000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542049865.00000000008D7000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://shop366821780.taobao.com | SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2543339642.0000000002744000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://urswebzj.nosdn.127.net/webzj_cdn101/message.js | SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.000000000089A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000879000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542049865.00000000008D7000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://www.youtube.com/ | rundll32.exe, 00000009.00000002.2505814572.000000000348A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.wikipedia.com/ | rundll32.exe, 00000009.00000002.2505814572.000000000348A000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://www.lofter.com/ | SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000879000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000879000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000879000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://www.live.com/ | rundll32.exe, 00000009.00000002.2505814572.000000000348A000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://www.reddit.com/ | rundll32.exe, 00000009.00000002.2505814572.000000000348A000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://crl.digicert.cn/GeoTrustRSACNCAG2.crl0q | SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450811088.00000000008D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000839000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2543064481.00000000008D9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000840000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542121751.000000000083F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542049865.00000000008D7000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://lofter.lf127.net/webpack/lofter-dll/dll_606a63b015f6fa133c2a.js | SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.000000000089A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000879000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542049865.00000000008D7000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://lofter.lf127.net/webpack/lofter-client-account/src/applications/login/pc.c340e0032e06ca157c9 | SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450811088.00000000008D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2542083550.0000000000897000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2541833453.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2543381316.0000000002758000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2543030975.0000000000898000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181220905.000000000089A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2450748888.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.000000000089A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181150098.0000000000894000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000003.2181278421.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.29184.31872.exe, 00000000.00000002.2542938610.0000000000894000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://www.google.com/ | rundll32.exe, 00000009.00000002.2505814572.000000000348A000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
8.219.190.98 | lofter-oversea-sg.ntes53.netease.com | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false
103.235.46.96 | www.wshifen.com | Hong Kong | 55967 | BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1483370
Start date and time: 2024-07-27 04:23:12 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.FileRepMalware.29184.31872.exe
Detection: MAL
Classification: mal76.evad.winEXE@7/8@3/2
EGA Information:
  • Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Analysis events (Time | Type | Description):
22:24:42 | API Interceptor | 2x Sleep call for process: rundll32.exe modified
MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
8.219.190.98zPmKNeJBku.exeGet hashmaliciousUnknownBrowse
  • testsec.lofter.com/post/1deb43d5_12b22be2f
Wk8eTHnajw.elfGet hashmaliciousUnknownBrowse
  • sunken-forest.lofter.com/
103.235.46.96http://cognitoforms.com/Renato4/ManagementHasAddedYouToAWholeTeamGet hashmaliciousHTMLPhisherBrowse
  • www.baidu.com/link?url=kRuPteP7ef3mkmqYKWXPX2MIE97SbdelD6gnMOM3pq_
chAJcIK6ZO.exeGet hashmaliciousUnknownBrowse
  • www.baidu.com/
LisectAVT_2403002A_270.exeGet hashmaliciousBlackMoonBrowse
  • www.baidu.com/
HEU_KMS_Activator.exeGet hashmaliciousUnknownBrowse
  • www.baidu.com/s?ie=utf-8&wd=ip
qGJBgGtR7e.exeGet hashmaliciousGh0stCringe, GhostRat, Mimikatz, RunningRATBrowse
  • www.baidu.com/
Yiwaiwai Build Version.exeGet hashmaliciousUnknownBrowse
  • www.baidu.com/
Yiwaiwai Build Version.exeGet hashmaliciousUnknownBrowse
  • www.baidu.com/
6o63snaetO.exeGet hashmaliciousUnknownBrowse
  • www.baidu.com/
http://metamask-zhwallet.org/Get hashmaliciousUnknownBrowse
  • www.baidu.com/img/flexible/logo/plus_logo_web_2.png
Tas10.dllGet hashmaliciousBlackMoonBrowse
  • www.baidu.com/
Match | Associated Sample Name / URL | Detection | Threat Name | Context (bullet)
Match (domain): lofter-oversea-sg.ntes53.netease.com
zPmKNeJBku.exe | malicious | Unknown
  • 8.219.190.98
Wk8eTHnajw.elf | malicious | Unknown
  • 8.219.190.98
SecuriteInfo.com.Trojan.DownLoader21.31174.24545.29097.exe | malicious | Unknown
  • 13.228.17.149
SecuriteInfo.com.Trojan.DownLoader21.31174.24545.29097.exe | malicious | Unknown
  • 13.228.17.149
5B5dkJ7vjc.exe | malicious | Unknown
  • 13.228.17.149
5B5dkJ7vjc.exe | malicious | Unknown
  • 13.228.17.149
Match (domain): www.wshifen.com
http://cognitoforms.com/Renato4/ManagementHasAddedYouToAWholeTeam | malicious | HTMLPhisher
  • 103.235.46.96
7Y18r(213).exe | malicious | Nitol
  • 103.235.47.188
chAJcIK6ZO.exe | malicious | Unknown
  • 103.235.46.96
chAJcIK6ZO.exe | malicious | Unknown
  • 103.235.47.188
LisectAVT_2403002A_440.exe | malicious | XRed
  • 103.235.46.96
LisectAVT_2403002A_489.exe | malicious | Unknown
  • 103.235.47.188
LisectAVT_2403002B_263.exe | malicious | Unknown
  • 103.235.47.188
LisectAVT_2403002B_263.exe | malicious | Unknown
  • 103.235.46.96
LisectAVT_2403002B_397.exe | malicious | Unknown
  • 103.235.47.188
LisectAVT_2403002B_463.exe | malicious | Bdaejec
  • 103.235.47.188
Match | Associated Sample Name / URL | Detection | Threat Name | Context (bullet)
Match (ASN): BAIDU Beijing Baidu Netcom Science and Technology Co Ltd
http://cognitoforms.com/Renato4/ManagementHasAddedYouToAWholeTeam | malicious | HTMLPhisher
  • 103.235.46.96
7Y18r(213).exe | malicious | Nitol
  • 103.235.47.188
chAJcIK6ZO.exe | malicious | Unknown
  • 103.235.46.96
chAJcIK6ZO.exe | malicious | Unknown
  • 103.235.47.188
LisectAVT_2403002A_440.exe | malicious | XRed
  • 103.235.46.96
LisectAVT_2403002A_489.exe | malicious | Unknown
  • 103.235.47.188
LisectAVT_2403002B_263.exe | malicious | Unknown
  • 103.235.47.188
LisectAVT_2403002B_263.exe | malicious | Unknown
  • 103.235.46.96
LisectAVT_2403002B_463.exe | malicious | Bdaejec
  • 103.235.47.188
LisectAVT_2403002B_463.exe | malicious | Bdaejec
  • 103.235.46.96
Match (ASN): CNNIC-ALIBABA-US-NET-AP Alibaba US Technology Co Ltd
Cbeacon14.exe | malicious | CobaltStrike
  • 47.243.165.127
chAJcIK6ZO.exe | malicious | Unknown
  • 47.88.198.68
chAJcIK6ZO.exe | malicious | Unknown
  • 47.254.187.184
http://gtm-cn-3mp3qqvk502.steamproxy.cc/ | malicious | Unknown
  • 8.217.145.66
Jeffrey.laws Replay VM (01m27sec).docx | malicious | HTMLPhisher
  • 47.246.131.28
LisectAVT_2403002B_174.exe | malicious | PureLog Stealer
  • 8.217.38.238
LisectAVT_2403002B_232.exe | malicious | Unknown
  • 8.217.173.140
LisectAVT_2403002B_232.exe | malicious | Unknown
  • 8.217.173.140
LisectAVT_2403002B_348.exe | malicious | Unknown
  • 47.52.240.120
LisectAVT_2403002B_348.exe | malicious | Unknown
  • 47.52.240.120
Match | Associated Sample Name / URL | Detection | Threat Name | Context (bullet)
Match (JA3 fingerprint): 37f463bf4616ecd445d4a1937da06e19
PO Tournefortian2453525525235235623425523235.exe | malicious | FormBook, GuLoader
  • 8.219.190.98
setup.exe | malicious | Amadey
  • 8.219.190.98
setup.exe | malicious | Amadey, SmokeLoader
  • 8.219.190.98
file.exe | malicious | Vidar
  • 8.219.190.98
1lKbb2hF7fYToopfpmEvlyRN.exe | malicious | LummaC, Vidar
  • 8.219.190.98
file.exe | malicious | Vidar
  • 8.219.190.98
Monetary_Funding_Sheet_2024.js | malicious | WSHRAT
  • 8.219.190.98
IRqsWvBBMc.exe | malicious | Amadey, Vidar
  • 8.219.190.98
88z6JBPo00.exe | malicious | Unknown
  • 8.219.190.98
fJDG7S5OD7.exe | malicious | Unknown
  • 8.219.190.98

These similar-sample matches pivot on shared infrastructure rather than on anything specific to this sample: www.wshifen.com and 103.235.46.96 are where www.baidu.com resolves (see the DNS answers in the network section), 8.219.190.98 is the NetEase edge behind lofter.com, the two ASNs are Baidu and Alibaba, and a JA3 hash shared by FormBook, Amadey, Vidar, LummaC and WSHRAT is most likely the fingerprint of a stock Windows TLS client. That the families listed under each match have nothing in common is the tell that the pivot is too generic to use as an indicator.
Match | Associated Sample Name / URL | Detection | Threat Name | Context (bullet)
Match (dropped file): C:\Users\user\AppData\Local\Temp\bass.dll
LisectAVT_2403002B_195.exe | malicious | Unknown

    Process:C:\Windows\SysWOW64\rundll32.exe
    File Type:data
    Category:dropped
    Size (bytes):49120
    Entropy (8bit):0.0017331682157558962
    Encrypted:false
    SSDEEP:3:Ztt:T
    MD5:0392ADA071EB68355BED625D8F9695F3
    SHA1:777253141235B6C6AC92E17E297A1482E82252CC
    SHA-256:B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
    SHA-512:EF659EEFCAB16221783ECB258D19801A1FF063478698CF4FCE3C9F98059CA7B1D060B0449E6FD89D3B70439D9735FA1D50088568FF46C9927DE45808250AEC2E
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    Process:C:\Windows\SysWOW64\rundll32.exe
    File Type:data
    Category:dropped
    Size (bytes):123016
    Entropy (8bit):0.012178861222180768
    Encrypted:false
    SSDEEP:3:jiPtc15kltlM/tc/tc/tc/tfwsXW/tZ/tZ/tc/tc/tc/tc/te:ePtc15k1vwsV
    MD5:CAB15561D0353FB0FFFB402F08583356
    SHA1:5D819A2533929343D9D21C67C8925612E0BE4DF3
    SHA-256:5F71FF3CE37D751CC4C4B91CF428AFDD0B721D0965A494A4DB4922862A1B4C8D
    SHA-512:80BBB97A3D0DA865D58BE9C8453A6EC1FD565AF6B62CDEE346524477641E17A894C3CC1ED3A86B57B50A911DF88570EB9D9E0B667B2C9D3E295C9F13C804C354
    Malicious:false
    Reputation:low
    Preview:0.rJ..6M.h.3....................................................@.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    Process:C:\Windows\SysWOW64\rundll32.exe
    File Type:data
    Category:dropped
    Size (bytes):49120
    Entropy (8bit):0.0017331682157558962
    Encrypted:false
    SSDEEP:3:Ztt:T
    MD5:0392ADA071EB68355BED625D8F9695F3
    SHA1:777253141235B6C6AC92E17E297A1482E82252CC
    SHA-256:B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
    SHA-512:EF659EEFCAB16221783ECB258D19801A1FF063478698CF4FCE3C9F98059CA7B1D060B0449E6FD89D3B70439D9735FA1D50088568FF46C9927DE45808250AEC2E
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    Process:C:\Windows\SysWOW64\rundll32.exe
    File Type:data
    Category:dropped
    Size (bytes):123016
    Entropy (8bit):0.012208204075748083
    Encrypted:false
    SSDEEP:3:jiPtc15kltlM/tc/tc/tc/tfwsXW/tZ/tZ/tc/tc/tc/tc/t+lX:ePtc15k1vwsP1
    MD5:390A1DECDF3BBAE6F48CFC5D7DC6C1B8
    SHA1:E306A82ECAD491E847960845CE5747E203F6C760
    SHA-256:14096B30EEDE07D2707FC9ECA68283F5E2CB9A77B3BA099046D43704D49E6BD2
    SHA-512:ADA05C43A34136CD88835F182696AC146BA2E5A592A3EDB482631FAF325CB7BB9E6FA1AB7EC93A19A85ACFEC54F55F168945E4960517A2FCA971FD2878A2C4E4
    Malicious:false
    Reputation:low
    Preview:0.rJ..6M.h.3....................................................@.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    Dropped file: the desktop.ini of the Internet Explorer History folder (the [.ShellClassInfo] entry with CLSID {FF393560-C2A7-11CF-BFF4-444553540000} in the preview identifies it), which rundll32.exe writes when it recreates that folder.
    Process:C:\Windows\SysWOW64\rundll32.exe
    File Type:Windows desktop.ini
    Category:dropped
    Size (bytes):130
    Entropy (8bit):4.973139661169433
    Encrypted:false
    SSDEEP:3:0NdQDjotjIAXJ28jqGiEI7fOLyovZeLhzUzYcB:0NwoyAXJ28CEI7QyyZeNUzxB
    MD5:941682911C20B2DABECB20476F91C98A
    SHA1:0B0BECF019CB15E75CDFA23BF0D4CB976F109BAA
    SHA-256:3FEF99E07B0455F88A5BB59E83329D0BFCEBE078D907985D0ABF70BE26B9B89A
    SHA-512:A12F5CAF5FD39CF2AE600E4378B9296D07787A83AE76BC410B89182A2F8E3202C4CA80D811D548193DFF439541DE9447F9FA141EBFD771E7AB7A6053CB4AF2B3
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:[.ShellClassInfo]..ConfirmFileOp=0..CLSID={FF393560-C2A7-11CF-BFF4-444553540000}..UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}..

    Dropped file: C:\Users\user\AppData\Local\Temp\bass.dll (path taken from the Joe Sandbox View match on this DLL). The name is that of the BASS audio library, which fits the WAVE resource and the WINMM/AVIFIL32/MSVFW32 imports in the static section; an entropy of 7.95 for a 99,896-byte DLL means it is itself packed, so the 0-1% antivirus rate is a verdict on the wrapper, not on the code inside.
    Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):99896
    Entropy (8bit):7.951877694974373
    Encrypted:false
    SSDEEP:3072:p24KYnxDl1SlpejXNEFJUFew/UWjKoamC3uDz6iksXQl4B8:k4NnRl4leG7iUVmC3w6uB8
    MD5:DF054025C9E845B33B27A99AF750F9B9
    SHA1:CB2A9DC07DADA8E2D96D10BAEE878131AEFF0D14
    SHA-256:DFA29CF9A2CBCD8B1DCF7FB7A72764FF2B05E47B056E2A80190338492E0AD0A4
    SHA-512:F1DE2207A6EA3BB455FF763BB86404E57A78D0E1D229A0158E41C53507B7B63BE926142EE39FAE62B6408ACB8E5A350CE0F5BEAF1823C7D09A4BDE88622E4F36
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    • Antivirus: Virustotal, Detection: 1%, Browse
    Joe Sandbox View:
    • Filename: LisectAVT_2403002B_195.exe, Detection: malicious, Browse
    Preview:MZ......................@...................................D.... ..PE..L......L...........!................6 .......0...............................0.......................................#..L....!..........8............................................................................................................................r..................`....rsrc...........8...................@..@......... ..........................@................ ......................`.......................................l...........j...f.!.PRj.....j..S.ERROR!.Corrupt Data!... ..f.`P....h.L..j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X.........X.............L......Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$...*.P(.*.....P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I..{.........../.......w...................\...@...0..........................)S..........

    Dropped file: a Windows shell link (.lnk) to "C:\Program Files (x86)\Internet Explorer\iexplore.exe" with the argument -private and its icon taken from %SystemRoot%\SYSTEM32\IEFRAME.dll, i.e. the shortcut Internet Explorer creates for InPrivate Browsing; the 'data' file type below is only libmagic failing to recognise the link format.
    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
    File Type:data
    Category:dropped
    Size (bytes):3476
    Entropy (8bit):3.2534975866172715
    Encrypted:false
    SSDEEP:48:EP5dJjdOljgfvE2Gw4b9GrIojASFuP5NJjdOljgfvE2Gw4U683GrIopz1:6vHm9SMvvH73ST
    MD5:671B1B946A4F492D69BEDFD198474A34
    SHA1:3033F15C722868D511A6945AAB174589D48F914A
    SHA-256:32A0AFEA104F8C1C5CB3FB3555A3B739B5ED28091B52135D39F8F2C24B3BACC2
    SHA-512:5CB60005492B0B3A88278A77BBF5655EF0BE2E6B63D0C543C2CBFB0D8C4CF469D3AD097131B57E7B9BF1B646AE44BB6E458D4E17E4BD66ADCC3E9E7869007584
    Malicious:false
    Preview:...................................FL..................F.@.. ......"0....H.#.....b."0...............................P.O. .:i.....+00.../C:\.....................1......X....PROGRA~2.........O.I.X......................V.......T.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....l.1.....(Um...INTERN~1..T......O.I.X............................K...I.n.t.e.r.n.e.t. .E.x.p.l.o.r.e.r.....f.2....(U.. .iexplore.exe..J......(U...X......:...........|.........qO+.i.e.x.p.l.o.r.e...e.x.e.......d...............-.......c.............aB.....C:\Program Files (x86)\Internet Explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S

    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
    File Type:data
    Category:dropped
    Size (bytes):3476
    Entropy (8bit):3.2534975866172715
    Encrypted:false
    SSDEEP:48:EP5dJjdOljgfvE2Gw4b9GrIojASFuP5NJjdOljgfvE2Gw4U683GrIopz1:6vHm9SMvvH73ST
    MD5:671B1B946A4F492D69BEDFD198474A34
    SHA1:3033F15C722868D511A6945AAB174589D48F914A
    SHA-256:32A0AFEA104F8C1C5CB3FB3555A3B739B5ED28091B52135D39F8F2C24B3BACC2
    SHA-512:5CB60005492B0B3A88278A77BBF5655EF0BE2E6B63D0C543C2CBFB0D8C4CF469D3AD097131B57E7B9BF1B646AE44BB6E458D4E17E4BD66ADCC3E9E7869007584
    Malicious:false
    Preview:...................................FL..................F.@.. ......"0....H.#.....b."0...............................P.O. .:i.....+00.../C:\.....................1......X....PROGRA~2.........O.I.X......................V.......T.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....l.1.....(Um...INTERN~1..T......O.I.X............................K...I.n.t.e.r.n.e.t. .E.x.p.l.o.r.e.r.....f.2....(U.. .iexplore.exe..J......(U...X......:...........|.........qO+.i.e.x.p.l.o.r.e...e.x.e.......d...............-.......c.............aB.....C:\Program Files (x86)\Internet Explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S
    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):7.997158854131944
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.70%
    • Win32 EXE Yoda's Crypter (26571/9) 0.26%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:SecuriteInfo.com.FileRepMalware.29184.31872.exe
    File size:1'700'864 bytes
    MD5:d19a5ac8132e4040179f12eb9366d3b3
    SHA1:62f90ee5a169215995ac39ee1e9dd18791f9dffa
    SHA256:2ddec5cb7c8ac3965bf411207a223a485cb5811bc3d730237a956223860635f6
    SHA512:4dcadc3946054145fd788e8fa5a79f6a3ae62892d8609df63704f3e6a06805e74be1e2832b5601cb0b6f01c3753a5b3ab57e223cd3e0bbf7aac1a8997df3d53b
    SSDEEP:49152:69NL07qyX3Va5ISHsparMOJBl7qh85F76mWRF:6bL07DXupHspCMOJLqh85F7C
    TLSH:7E7533E7450EBBD5C485B3B71427D12904A7CB0768FDCBB66C8017FA9B786839692F20
    File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........I..I(..I(..I(..&7..@(..&7..O(..24..O(...7..e(...4..e(..+7..i(..I(...*... ..J(.......(......2(...7..<(...7..y(..I(...(......H(.
    Icon Hash:4f1f4b67333b4d0f
    Entrypoint:0x72bdb0
    Entrypoint Section:LBXX
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    DLL Characteristics: (none set: no DYNAMIC_BASE, no NX_COMPAT; together with RELOCS_STRIPPED above this means the image always loads at 0x400000, which the absolute addresses in the entry-point code below rely on)
    Time Stamp:0x5D15A624 [Fri Jun 28 05:31:16 2019 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:68000949fc03f16d9a9e66caf9016dda
    Instruction
    pushad
    mov esi, 00591000h
    lea edi, dword ptr [esi-00190000h]
    add word ptr [edi+0032ECF0h], 0003h
    push edi
    mov ebp, esp
    lea ebx, dword ptr [esp-00003E80h]
    xor eax, eax
    push eax
    cmp esp, ebx
    jne 00007FEF90B50A3Dh
    inc esi
    inc esi
    push ebx
    push 00329DFCh
    push edi
    add ebx, 04h
    push ebx
    push 0019AD9Fh
    push esi
    add ebx, 04h
    push ebx
    push eax
    mov dword ptr [ebx], 00020003h
    nop
    nop
    nop
    nop
    push ebp
    push edi
    push esi
    push ebx
    sub esp, 7Ch
    mov edx, dword ptr [esp+00000090h]
    mov dword ptr [esp+74h], 00000000h
    mov byte ptr [esp+73h], 00000000h
    mov ebp, dword ptr [esp+0000009Ch]
    lea eax, dword ptr [edx+04h]
    mov dword ptr [esp+78h], eax
    mov eax, 00000001h
    movzx ecx, byte ptr [edx+02h]
    mov ebx, eax
    shl ebx, cl
    mov ecx, ebx
    dec ecx
    mov dword ptr [esp+6Ch], ecx
    movzx ecx, byte ptr [edx+01h]
    shl eax, cl
    dec eax
    mov dword ptr [esp+68h], eax
    mov eax, dword ptr [esp+000000A8h]
    movzx esi, byte ptr [edx]
    mov dword ptr [ebp+00h], 00000000h
    mov dword ptr [esp+60h], 00000000h
    mov dword ptr [eax], 00000000h
    mov eax, 00000300h
    mov dword ptr [esp+64h], esi
    mov dword ptr [esp+5Ch], 00000001h
    mov dword ptr [esp+58h], 00000001h
    Programming Language:
    • [ C ] VS98 (6.0) SP6 build 8804
    • [C++] VS98 (6.0) SP6 build 8804
    • [C++] VS98 (6.0) build 8168
    • [ C ] VS98 (6.0) build 8168
    • [EXP] VC++ 6.0 SP5 build 8804
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x33019c | 0x3a0 | .rsrc
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x32d000 | 0x319c | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x33053c | 0xc | .rsrc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | -
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    LBXX | 0x1000 | 0x190000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    LBXX | 0x191000 | 0x19c000 | 0x19ba00 | 5619331f6ba397779d5dab72d385d9c0 | False | 0.9996162551245066 | ARC archive data, packed | 7.999859282550719 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rsrc | 0x32d000 | 0x4000 | 0x3600 | 922cf1c026aefa660a793abff1b275f8 | False | 0.48618344907407407 | data | 5.115567673036046 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

    Read this table together with the entry point: 0x72bdb0 is RVA 0x32bdb0, inside the second LBXX section (RVA 0x191000 to 0x32d000) and close to its end, while the first LBXX section has no bytes on disk but 0x190000 bytes of readable, writable and executable virtual space. The entry-point code above fits that layout exactly: esi = 0x591000 is the start of the second LBXX section in memory, edi = esi - 0x190000 = 0x401000 is the start of the first, and the two pushed constants read as the compressed size 0x19AD9F (just under the section's 0x19ba00 raw bytes) and the unpacked size 0x329DFC (0x401000 + 0x329DFC ends a few KB below the stub itself). The pushad, the stack-probing loop that reserves 0x3E80 zeroed bytes, the two inc esi that skip a two-byte header of the compressed stream, and the stored property word 0x00020003 (LZMA lc=3, lp=0, pb=2) are the UPX LZMA decompression stub, with the usual UPX0/UPX1 section names rewritten to LBXX. Try upx -d first; if the modified headers make it refuse, unpack dynamically by dumping the process once the stub transfers control to the original entry point inside the first LBXX section.
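Added example, not code from the Joe Sandbox report: a stdlib-only Python triage of a PE32 section table that flags the same tells the table above shows (writable+executable sections, a large executable section with no data on disk, a high-entropy section holding the entry point, non-standard names). It builds an in-memory image whose layout copies the sample's (names, RVAs, sizes, characteristics, entry point 0x32bdb0); the section contents are synthetic stand-ins (a sha256 chain for the compressed data), so only the layout findings carry over to the real file. pefile is deliberately not used so the script runs anywhere.

```python
"""Section-table triage for a 32-bit PE, stdlib only (added example, not Joe Sandbox code)."""
import hashlib
import math
import struct

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
STANDARD_NAMES = {".text", ".data", ".rdata", ".rsrc", ".reloc", ".bss", ".idata", ".edata", ".tls", ".pdata"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty input, 8.0 is the ceiling reached by compressed/encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Return (entry_rva, sections) from a PE32 file image; each section is a dict."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        raw = image[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "chars": chars, "entropy": shannon_entropy(raw)})
    return entry_rva, sections


def triage(entry_rva: int, sections):
    """Return (name of the section holding the entry point or None, list of findings)."""
    findings, ep_section = [], None
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"]):
            ep_section = s
        if s["chars"] & RWX == RWX:
            findings.append(f"{s['name']}: readable, writable and executable")
        if s["rawsize"] == 0 and s["vsize"] >= 0x10000 and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s['name']}: {s['vsize']:#x} bytes of executable space with no data on disk (unpack target)")
        if s["entropy"] > 7.5 and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f} in an executable section (compressed or encrypted)")
        if s["name"] not in STANDARD_NAMES:
            findings.append(f"{s['name']}: non-standard section name")
    if ep_section is None:
        findings.append(f"entry point {entry_rva:#x} lies outside every section")
    elif ep_section["entropy"] > 7.5:
        findings.append(f"entry point {entry_rva:#x} sits in high-entropy section {ep_section['name']} (unpacking stub)")
    return (ep_section["name"] if ep_section else None), findings


def build_sample_like_image() -> bytes:
    """Constructed PE32 mirroring the report's section table; byte contents are synthetic."""
    packed = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))  # 4 KiB, ~7.95 bits/byte
    rsrc = bytes(range(64)) * 16                                                                # 1 KiB, exactly 6.0 bits/byte
    headers_size = 0x400
    layout = [  # (name, VirtualSize, VirtualAddress, raw bytes, Characteristics) as in the report
        (b"LBXX", 0x190000, 0x1000, b"", IMAGE_SCN_CNT_UNINITIALIZED_DATA | RWX),
        (b"LBXX", 0x19C000, 0x191000, packed, IMAGE_SCN_CNT_INITIALIZED_DATA | RWX),
        (b".rsrc", 0x4000, 0x32D000, rsrc, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0x5D15A624, 0, 0, 0xE0, 0x010F)  # i386, 3 sections, report's timestamp/flags
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x32BDB0)    # AddressOfEntryPoint from the report
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    body, sec_hdrs = bytearray(), bytearray()
    for name, vsize, va, raw, chars in layout:
        rawptr = headers_size + len(body) if raw else 0
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(raw), rawptr, 0, 0, 0, 0, chars)
        body += raw
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec_hdrs)
    return image.ljust(headers_size, b"\0") + bytes(body)


if __name__ == "__main__":
    ep, findings = triage(*parse_sections(build_sample_like_image()))
    print(f"entry point in section: {ep}")
    for f in findings:
        print(" -", f)
```

Run against a real file by replacing build_sample_like_image() with open(path, "rb").read(); the entropy threshold of 7.5 is the conventional cut-off for compressed or encrypted content and the second LBXX section above is at 7.9999.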
    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
    TEXTINCLUDE | 0x32173c | 0xb | data | Chinese | China | 1.8181818181818181
    TEXTINCLUDE | 0x321748 | 0x16 | data | Chinese | China | 1.4090909090909092
    TEXTINCLUDE | 0x321760 | 0x151 | data | Chinese | China | 1.032640949554896
    WAVE | 0x3218b4 | 0x1448 | data | Chinese | China | 1.0021186440677967
    RT_CURSOR | 0x322cfc | 0x134 | data | Chinese | China | 1.0357142857142858
    RT_CURSOR | 0x322e30 | 0x134 | data | Chinese | China | 1.0357142857142858
    RT_CURSOR | 0x322f64 | 0x134 | data | Chinese | China | 1.0357142857142858
    RT_CURSOR | 0x323098 | 0xb4 | data | Chinese | China | 1.0611111111111111
    RT_CURSOR | 0x32314c | 0x134 | data | Chinese | China | 1.0357142857142858
    RT_CURSOR | 0x323280 | 0x134 | OpenPGP Public Key | Chinese | China | 1.0357142857142858
    RT_BITMAP | 0x3233b4 | 0x16c | data | Chinese | China | 1.0302197802197801
    RT_ICON | 0x323520 | 0x2e8 | data | Chinese | China | 1.0147849462365592
    RT_ICON | 0x323808 | 0x128 | data | Chinese | China | 1.037162162162162
    RT_ICON | 0x32d740 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | - | - | 0.5092323651452282
    RT_ICON | 0x325ed8 | 0x10a8 | data | - | - | 1.002579737335835
    RT_ICON | 0x326f80 | 0x988 | data | - | - | 1.0045081967213114
    RT_ICON | 0x327908 | 0x468 | data | - | - | 1.0097517730496455
    RT_DIALOG | 0x327d70 | 0xea | data | Chinese | China | 1.047008547008547
    RT_DIALOG | 0x327e5c | 0xb2 | data | Chinese | China | 1.0617977528089888
    RT_DIALOG | 0x327f10 | 0xe2 | data | Chinese | China | 1.0486725663716814
    RT_GROUP_CURSOR | 0x327ff4 | 0x14 | data | Chinese | China | 1.45
    RT_GROUP_CURSOR | 0x328008 | 0x14 | PGP Secret Sub-key - | Chinese | China | 1.45
    RT_GROUP_CURSOR | 0x32801c | 0x14 | data | Chinese | China | 1.45
    RT_GROUP_CURSOR | 0x328030 | 0x14 | data | Chinese | China | 1.45
    RT_GROUP_CURSOR | 0x328044 | 0x22 | data | Chinese | China | 1.2647058823529411
    RT_GROUP_ICON | 0x32fcec | 0x3e | data | - | - | 0.8548387096774194
    RT_VERSION | 0x32fd30 | 0x294 | OpenPGP Secret Key | Chinese | China | 0.553030303030303
    RT_MANIFEST | 0x32ffc8 | 0x1d2 | XML 1.0 document, ASCII text, with very long lines (466), with no line terminators | - | - | 0.5879828326180258

    The entries at RVAs 0x32173c to 0x328044 point into the second LBXX section (0x191000 to 0x32d000), whose bytes are compressed on disk, so their type guesses ('OpenPGP Public Key', 'PGP Secret Sub-key') and ZLIB complexity above 1.0 describe packed data and mean nothing until the file is unpacked. The entries in .rsrc (the 48x96 RT_ICON at 0x32d740, RT_GROUP_ICON, RT_VERSION and RT_MANIFEST) are the ones the packer leaves uncompressed so that the icon, version block and manifest stay visible; the 'OpenPGP Secret Key' label on RT_VERSION is likewise only a libmagic guess on a VS_VERSIONINFO block. The three TEXTINCLUDE resources are what the Visual C++ 6 resource editor writes into an .rc file and agree with the VS98 build markers above; the Chinese/China language tags and the WAVE resource belong to the original program, not to the packer.
    DLL | Import
    KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
    ADVAPI32.dll | RegCloseKey
    AVIFIL32.dll | AVIStreamInfoA
    COMCTL32.dll | -
    comdlg32.dll | ChooseFontA
    GDI32.dll | Pie
    MSVFW32.dll | DrawDibDraw
    ole32.dll | OleInitialize
    OLEAUT32.dll | UnRegisterTypeLib
    RASAPI32.dll | RasHangUpA
    SHELL32.dll | ShellExecuteA
    USER32.dll | GetDC
    WININET.dll | InternetOpenA
    WINMM.dll | PlaySoundA
    WINSPOOL.DRV | OpenPrinterA
    WS2_32.dll | ntohl

    This is the packer stub's import table, not the program's. One arbitrary function per DLL is the UPX pattern: it keeps every library the payload needs loaded, and after decompression the stub rebuilds the real import table with LoadLibraryA and GetProcAddress and resets section rights with VirtualProtect. Two consequences for triage: the Import Hash above, 68000949fc03f16d9a9e66caf9016dda, fingerprints the stub and will match unrelated files packed the same way, so do not pivot on it; the DLL names are still informative, because the stub only lists libraries the original program imported, and WININET, WS2_32, RASAPI32, WINMM, AVIFIL32 and MSVFW32 say what kind of program to expect once unpacked (the HTTP request in the network section, with its bare User-Agent string, is consistent with a WinINet client set up through InternetOpenA).
    Language of compilation system | Country where language is spoken
    Chinese | China
    Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
    2024-07-27T04:24:24.545034+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49716 | 40.68.123.157 | 192.168.2.6
    2024-07-27T04:25:02.068281+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49722 | 20.114.59.183 | 192.168.2.6
    2024-07-27T04:24:08.716828+0200 | TCP | 2830033 | ETPRO MALWARE Win32/Agent.xxxyeb Connectivity Check | 49710 | 80 | 192.168.2.6 | 103.235.46.96

    The two CVE-2016-2211 alerts fire on TLS traffic arriving from 40.68.123.157 and 20.114.59.183 on port 443; neither address appears in the sample's DNS answers or TCP flows below, so treat them as unrelated to the sample unless a full capture shows otherwise. The third alert is the sample's own traffic: the GET / to www.baidu.com with User-Agent: test from 192.168.2.6:49710, shown as HTTP session 0 further down.
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Jul 27, 2024 04:24:07.818398952 CEST | 49710 | 80 | 192.168.2.6 | 103.235.46.96
    Jul 27, 2024 04:24:07.823896885 CEST | 80 | 49710 | 103.235.46.96 | 192.168.2.6
    Jul 27, 2024 04:24:07.824083090 CEST | 49710 | 80 | 192.168.2.6 | 103.235.46.96
    Jul 27, 2024 04:24:07.827713013 CEST | 49710 | 80 | 192.168.2.6 | 103.235.46.96
    Jul 27, 2024 04:24:07.832614899 CEST | 80 | 49710 | 103.235.46.96 | 192.168.2.6
    Jul 27, 2024 04:24:08.716727018 CEST | 80 | 49710 | 103.235.46.96 | 192.168.2.6
    Jul 27, 2024 04:24:08.716780901 CEST | 80 | 49710 | 103.235.46.96 | 192.168.2.6
    Jul 27, 2024 04:24:08.716820955 CEST | 80 | 49710 | 103.235.46.96 | 192.168.2.6
    Jul 27, 2024 04:24:08.716828108 CEST | 49710 | 80 | 192.168.2.6 | 103.235.46.96
    Jul 27, 2024 04:24:08.716828108 CEST | 49710 | 80 | 192.168.2.6 | 103.235.46.96
    Jul 27, 2024 04:24:08.716856956 CEST | 80 | 49710 | 103.235.46.96 | 192.168.2.6
    Jul 27, 2024 04:24:08.716866016 CEST | 49710 | 80 | 192.168.2.6 | 103.235.46.96
    Jul 27, 2024 04:24:08.716890097 CEST | 80 | 49710 | 103.235.46.96 | 192.168.2.6
    Jul 27, 2024 04:24:08.716901064 CEST | 49710 | 80 | 192.168.2.6 | 103.235.46.96
    Jul 27, 2024 04:24:08.716923952 CEST | 80 | 49710 | 103.235.46.96 | 192.168.2.6
    Jul 27, 2024 04:24:08.716933966 CEST | 49710 | 80 | 192.168.2.6 | 103.235.46.96
    Jul 27, 2024 04:24:08.716958046 CEST | 80 | 49710 | 103.235.46.96 | 192.168.2.6
    Jul 27, 2024 04:24:08.716968060 CEST | 49710 | 80 | 192.168.2.6 | 103.235.46.96
    Jul 27, 2024 04:24:08.716990948 CEST | 80 | 49710 | 103.235.46.96 | 192.168.2.6
    Jul 27, 2024 04:24:08.717000008 CEST | 49710 | 80 | 192.168.2.6 | 103.235.46.96
    Jul 27, 2024 04:24:08.717022896 CEST | 80 | 49710 | 103.235.46.96 | 192.168.2.6
    Jul 27, 2024 04:24:08.717034101 CEST | 49710 | 80 | 192.168.2.6 | 103.235.46.96
    Jul 27, 2024 04:24:08.717060089 CEST | 80 | 49710 | 103.235.46.96 | 192.168.2.6
    Jul 27, 2024 04:24:08.717066050 CEST | 49710 | 80 | 192.168.2.6 | 103.235.46.96
    Jul 27, 2024 04:24:08.717106104 CEST | 49710 | 80 | 192.168.2.6 | 103.235.46.96
    Jul 27, 2024 04:24:08.725402117 CEST | 49710 | 80 | 192.168.2.6 | 103.235.46.96
    Jul 27, 2024 04:24:08.725464106 CEST | 49710 | 80 | 192.168.2.6 | 103.235.46.96
    Jul 27, 2024 04:24:09.381426096 CEST | 49711 | 80 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:09.386399984 CEST | 80 | 49711 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:09.386497021 CEST | 49711 | 80 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:09.386720896 CEST | 49711 | 80 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:09.391554117 CEST | 80 | 49711 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:11.279501915 CEST | 80 | 49711 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:11.279665947 CEST | 49711 | 80 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:11.280690908 CEST | 80 | 49711 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:11.280755997 CEST | 49711 | 80 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:11.281135082 CEST | 80 | 49711 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:11.281184912 CEST | 49711 | 80 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:11.807528973 CEST | 49713 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:11.807622910 CEST | 443 | 49713 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:11.807708979 CEST | 49713 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:11.822529078 CEST | 49713 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:11.822566032 CEST | 443 | 49713 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:13.145030022 CEST | 443 | 49713 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:13.145205975 CEST | 49713 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:13.198893070 CEST | 49713 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:13.198945999 CEST | 443 | 49713 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:13.199960947 CEST | 443 | 49713 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:13.200042963 CEST | 49713 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:13.203398943 CEST | 49713 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:13.244541883 CEST | 443 | 49713 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:13.701976061 CEST | 443 | 49713 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:13.702037096 CEST | 443 | 49713 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:13.702078104 CEST | 49713 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:13.702105045 CEST | 443 | 49713 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:13.702119112 CEST | 49713 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:13.702153921 CEST | 49713 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:13.763516903 CEST | 443 | 49713 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:13.763613939 CEST | 49713 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:13.853929996 CEST | 443 | 49713 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:13.854048967 CEST | 49713 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:13.887624979 CEST | 443 | 49713 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:13.887720108 CEST | 49713 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:13.887789965 CEST | 49713 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:13.887873888 CEST | 443 | 49713 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:13.887938023 CEST | 49713 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:13.902657032 CEST | 49711 | 80 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:13.909459114 CEST | 80 | 49711 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:14.488811016 CEST | 80 | 49711 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:14.488923073 CEST | 49711 | 80 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:14.489599943 CEST | 49714 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:14.489721060 CEST | 443 | 49714 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:14.489799023 CEST | 49714 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:14.490144014 CEST | 49714 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:14.490174055 CEST | 443 | 49714 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:19.368268013 CEST | 80 | 49711 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:19.368356943 CEST | 49711 | 80 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:39.777173042 CEST | 443 | 49714 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:39.777262926 CEST | 49714 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:39.777291059 CEST | 443 | 49714 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:39.777335882 CEST | 49714 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:39.792007923 CEST | 49714 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:39.792015076 CEST | 443 | 49714 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:40.127696991 CEST | 443 | 49714 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:40.127780914 CEST | 49714 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:40.128339052 CEST | 49714 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:40.128364086 CEST | 443 | 49714 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:40.620330095 CEST | 443 | 49714 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:40.620445967 CEST | 49714 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:40.683758020 CEST | 443 | 49714 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:40.683847904 CEST | 49714 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:40.686099052 CEST | 443 | 49714 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:40.686175108 CEST | 49714 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:40.745656013 CEST | 443 | 49714 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:40.745738983 CEST | 49714 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:40.770462990 CEST | 443 | 49714 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:40.770534039 CEST | 49714 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:45.743451118 CEST | 443 | 49714 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:45.743521929 CEST | 443 | 49714 | 8.219.190.98 | 192.168.2.6
    Jul 27, 2024 04:24:45.743550062 CEST | 49714 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:45.743577957 CEST | 49714 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:50.183029890 CEST | 49714 | 443 | 192.168.2.6 | 8.219.190.98
    Jul 27, 2024 04:24:50.183084011 CEST | 49711 | 80 | 192.168.2.6 | 8.219.190.98
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Jul 27, 2024 04:24:07.719613075 CEST | 60334 | 53 | 192.168.2.6 | 1.1.1.1
    Jul 27, 2024 04:24:07.726993084 CEST | 53 | 60334 | 1.1.1.1 | 192.168.2.6
    Jul 27, 2024 04:24:08.731450081 CEST | 61414 | 53 | 192.168.2.6 | 1.1.1.1
    Jul 27, 2024 04:24:09.380233049 CEST | 53 | 61414 | 1.1.1.1 | 192.168.2.6
    Jul 27, 2024 04:24:11.282733917 CEST | 51327 | 53 | 192.168.2.6 | 1.1.1.1
    Jul 27, 2024 04:24:11.806338072 CEST | 53 | 51327 | 1.1.1.1 | 192.168.2.6
    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
    Jul 27, 2024 04:24:07.719613075 CEST | 192.168.2.6 | 1.1.1.1 | 0xf0b | Standard query (0) | www.baidu.com | A (IP address) | IN (0x0001) | false
    Jul 27, 2024 04:24:08.731450081 CEST | 192.168.2.6 | 1.1.1.1 | 0x7a28 | Standard query (0) | dnfex.lofter.com | A (IP address) | IN (0x0001) | false
    Jul 27, 2024 04:24:11.282733917 CEST | 192.168.2.6 | 1.1.1.1 | 0x47e4 | Standard query (0) | www.lofter.com | A (IP address) | IN (0x0001) | false
    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
    Jul 27, 2024 04:24:07.726993084 CEST | 1.1.1.1 | 192.168.2.6 | 0xf0b | No error (0) | www.baidu.com | www.a.shifen.com | - | CNAME (Canonical name) | IN (0x0001) | false
    Jul 27, 2024 04:24:07.726993084 CEST | 1.1.1.1 | 192.168.2.6 | 0xf0b | No error (0) | www.a.shifen.com | www.wshifen.com | - | CNAME (Canonical name) | IN (0x0001) | false
    Jul 27, 2024 04:24:07.726993084 CEST | 1.1.1.1 | 192.168.2.6 | 0xf0b | No error (0) | www.wshifen.com | - | 103.235.46.96 | A (IP address) | IN (0x0001) | false
    Jul 27, 2024 04:24:07.726993084 CEST | 1.1.1.1 | 192.168.2.6 | 0xf0b | No error (0) | www.wshifen.com | - | 103.235.47.188 | A (IP address) | IN (0x0001) | false
    Jul 27, 2024 04:24:09.380233049 CEST | 1.1.1.1 | 192.168.2.6 | 0x7a28 | No error (0) | dnfex.lofter.com | www.lofter.com | - | CNAME (Canonical name) | IN (0x0001) | false
    Jul 27, 2024 04:24:09.380233049 CEST | 1.1.1.1 | 192.168.2.6 | 0x7a28 | No error (0) | www.lofter.com | oversea.lofter.com | - | CNAME (Canonical name) | IN (0x0001) | false
    Jul 27, 2024 04:24:09.380233049 CEST | 1.1.1.1 | 192.168.2.6 | 0x7a28 | No error (0) | oversea.lofter.com | lofter-oversea-sg.ntes53.netease.com | - | CNAME (Canonical name) | IN (0x0001) | false
    Jul 27, 2024 04:24:09.380233049 CEST | 1.1.1.1 | 192.168.2.6 | 0x7a28 | No error (0) | lofter-oversea-sg.ntes53.netease.com | - | 8.219.190.98 | A (IP address) | IN (0x0001) | false
    Jul 27, 2024 04:24:11.806338072 CEST | 1.1.1.1 | 192.168.2.6 | 0x47e4 | No error (0) | www.lofter.com | oversea.lofter.com | - | CNAME (Canonical name) | IN (0x0001) | false
    Jul 27, 2024 04:24:11.806338072 CEST | 1.1.1.1 | 192.168.2.6 | 0x47e4 | No error (0) | oversea.lofter.com | lofter-oversea-sg.ntes53.netease.com | - | CNAME (Canonical name) | IN (0x0001) | false
    Jul 27, 2024 04:24:11.806338072 CEST | 1.1.1.1 | 192.168.2.6 | 0x47e4 | No error (0) | lofter-oversea-sg.ntes53.netease.com | - | 8.219.190.98 | A (IP address) | IN (0x0001) | false
    • www.lofter.com
    • www.baidu.com
    • dnfex.lofter.com
    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
    0 | 192.168.2.6 | 49710 | 103.235.46.96 | 80 | 1936 | C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe
    Timestamp | Bytes transferred | Direction | Data
    Jul 27, 2024 04:24:07.827713013 CEST | 82 | OUT | GET / HTTP/1.1
    User-Agent: test
    Host: www.baidu.com
    Cache-Control: no-cache
    Jul 27, 2024 04:24:08.716727018 CEST | 1236 | IN | HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Cache-Control: no-cache
    Connection: keep-alive
    Content-Length: 9508
    Content-Type: text/html
    Date: Sat, 27 Jul 2024 02:24:08 GMT
    P3p: CP=" OTI DSP COR IVA OUR IND COM "
    P3p: CP=" OTI DSP COR IVA OUR IND COM "
    Pragma: no-cache
    Server: BWS/1.1
    Set-Cookie: BAIDUID=1C97D609257F49EC69DE3DD6AE548941:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
    Set-Cookie: BIDUPSID=1C97D609257F49EC69DE3DD6AE548941; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
    Set-Cookie: PSTM=1722047048; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
    Set-Cookie: BAIDUID=1C97D609257F49EC82208A521C7DBBE1:FG=1; max-age=31536000; expires=Sun, 27-Jul-25 02:24:08 GMT; domain=.baidu.com; path=/; version=1; comment=bd
    Traceid: 172204704804117770347933477300039563073
    Vary: Accept-Encoding
    X-Ua-Compatible: IE=Edge,chrome=1
    X-Xss-Protection: 1;mode=block
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 61 6c 77 61 79 73 22 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 e5 85 a8 e7 90 83 e9 a2 86 e5 85 88 e7 9a 84 e4 b8
    Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"><meta content="always" name="referrer"><meta name="description" content="
    Jul 27, 2024 04:24:08.716780901 CEST | 224 | IN | Data Raw: ad e6 96 87 e6 90 9c e7 b4 a2 e5 bc 95 e6 93 8e e3 80 81 e8 87 b4 e5 8a 9b e4 ba 8e e8 ae a9 e7 bd 91 e6 b0 91 e6 9b b4 e4 be bf e6 8d b7 e5 9c b0 e8 8e b7 e5 8f 96 e4 bf a1 e6 81 af ef bc 8c e6 89 be e5 88 b0 e6 89 80 e6 b1 82 e3 80 82 e7 99 be
    Data Ascii: "><link rel="shortcut icon" href="//www.baidu.com/favicon.
    Jul 27, 2024 04:24:08.716820955 CEST | 1236 | IN | Data Raw: 69 63 6f 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 65 61 72 63 68 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 70 65 6e 73 65 61 72 63 68 64 65 73 63 72 69 70 74 69 6f
    Data Ascii: ico" type="image/x-icon"><link rel="search" type="application/opensearchdescription+xml" href="//www.baidu.com/content-search.xml" title=""><title></title><style type="text/css">body{margin:0;padding:0;te
    Jul 27, 2024 04:24:08.716856956 CEST | 1236 | IN | Data Raw: 2d 77 65 69 67 68 74 3a 34 30 30 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 6d 69 64 64 6c 65 3b 6f 75 74 6c 69 6e 65 3a 30 3b 62 6f 72 64 65 72 3a 30 3b 68 65 69 67 68 74 3a 33 30 70 78
    Data Ascii: -weight:400;text-align:center;vertical-align:middle;outline:0;border:0;height:30px;width:80px;line-height:30px;font-size:13px;border-radius:6px;padding:0;background-color:#f5f5f6;cursor:pointer}.c-btn:hover{background-color:#315efb;color:#fff!
    Jul 27, 2024 04:24:08.716890097 CEST | 1236 | IN | Data Raw: 6b 67 72 6f 75 6e 64 3a 30 20 30 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 74 6f 70 7d 23 68 65 61 64 5f 77 72 61 70 70 65 72 20 2e 73 5f 69 70 74 5f 77 72 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 77 69 64 74 68 3a 35 34 36
    Data Ascii: kground:0 0;vertical-align:top}#head_wrapper .s_ipt_wr{position:relative;width:546px}#head_wrapper .s_btn_wr{width:108px;height:44px;position:relative;z-index:2}#head_wrapper .s_ipt_wr:hover #kw{border-color:#a7aab5}#head_wrapper #kw{width:512
    Jul 27, 2024 04:24:08.716923952 CEST | 1236 | IN | Data Raw: 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 2e 73 2d 74 6f 70 2d 6c 65 66 74 20 2e 6d 6e 61 76 3a 68 6f 76 65 72 20 2e 73 2d 62 72 69 2c 2e 73 2d 74 6f 70 2d 6c 65 66 74 20 61 3a 68 6f 76 65 72 7b 63 6f 6c 6f 72 3a 23 33 31 35 65 66 62 3b 74
    Data Ascii: sition:relative}.s-top-left .mnav:hover .s-bri,.s-top-left a:hover{color:#315efb;text-decoration:none}.s-top-left .s-top-more-btn{padding-bottom:19px}.s-top-left .s-top-more-btn:hover .s-top-more{display:block}.s-top-right{position:absolute;ri
    Jul 27, 2024 04:24:08.716958046 CEST | 896 | IN | Data Raw: 6c 65 66 74 22 20 63 6c 61 73 73 3d 22 73 2d 74 6f 70 2d 6c 65 66 74 20 73 2d 69 73 69 6e 64 65 78 2d 77 72 61 70 22 3e 3c 61 20 68 72 65 66 3d 22 2f 2f 6e 65 77 73 2e 62 61 69 64 75 2e 63 6f 6d 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b
    Data Ascii: left" class="s-top-left s-isindex-wrap"><a href="//news.baidu.com/" target="_blank" class="mnav c-font-normal c-color-t"></a><a href="//www.hao123.com/" target="_blank" class="mnav c-font-normal c-color-t">hao123</a><a href="//map.baidu.
    Jul 27, 2024 04:24:08.716990948 CEST | 1236 | IN | Data Raw: 78 2d 77 72 61 70 22 3e 3c 61 20 63 6c 61 73 73 3d 22 73 2d 74 6f 70 2d 6c 6f 67 69 6e 2d 62 74 6e 20 63 2d 62 74 6e 20 63 2d 62 74 6e 2d 70 72 69 6d 61 72 79 20 63 2d 62 74 6e 2d 6d 69 6e 69 20 6c 62 22 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69
    Data Ascii: x-wrap"><a class="s-top-login-btn c-btn c-btn-primary c-btn-mini lb" style="position:relative;overflow:visible" name="tj_login" href="//www.baidu.com/bdorz/login.gif?login&amp;tpl=mn&amp;u=http%3A%2F%2Fwww.baidu.com%2f%3fbdorz_come%3d1">
    Jul 27, 2024 04:24:08.717022896 CEST | 1236 | IN | Data Raw: 75 65 3d 22 22 3e 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 73 5f 69 70 74 5f 77 72 20 71 75 69 63 6b 64 65 6c 65 74 65 2d 77 72 61 70 22 3e 3c 69 6e 70 75 74 20 69 64 3d 22 6b 77 22 20 6e 61 6d 65 3d 22 77 64 22 20 63 6c 61 73 73 3d 22 73 5f 69
    Data Ascii: ue=""> <span class="s_ipt_wr quickdelete-wrap"><input id="kw" name="wd" class="s_ipt" value="" maxlength="255" autocomplete="off"> </span><span class="s_btn_wr"><input type="submit" id="su" value="" class="bg s_btn"> </span><input
    Jul 27, 2024 04:24:08.717060089 CEST | 726 | IN | Data Raw: 77 77 2e 62 65 69 61 6e 2e 67 6f 76 2e 63 6e 2f 70 6f 72 74 61 6c 2f 72 65 67 69 73 74 65 72 53 79 73 74 65 6d 49 6e 66 6f 3f 72 65 63 6f 72 64 63 6f 64 65 3d 31 31 30 30 30 30 30 32 30 30 30 30 30 31 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e
    Data Ascii: ww.beian.gov.cn/portal/registerSystemInfo?recordcode=11000002000001" target="_blank">11000002000001</a></p><p class="lh"><a class="text-color" href="//beian.miit.gov.cn/" target="_blank">ICP030173</a></p><p class="lh


    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
    1 | 192.168.2.6 | 49711 | 8.219.190.98 | 80 | 1936 | C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe
    Timestamp | Bytes transferred | Direction | Data
    Jul 27, 2024 04:24:09.386720896 CEST | 167 | OUT | GET /post/30905118_1c5d041cf HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    Host: dnfex.lofter.com
    Cache-Control: no-cache
    Jul 27, 2024 04:24:11.279501915 CEST | 682 | IN | HTTP/1.1 302 Found
    Server: nginx
    Date: Sat, 27 Jul 2024 02:24:10 GMT
    Content-Type: text/html;charset=UTF-8
    Content-Length: 0
    Connection: keep-alive
    Set-Cookie: NTESwebSI=430CB13F032D94B6ECF6B1785E3B439E.lofter-webapp-web-old-docker-lftpro-3-3nhsm-6bbi5-5456f799lrx6f-8080; Path=/; HttpOnly
    Set-Cookie: firstentry=%2Fpost.do%3FloftBlogName%3Ddnfex%26loftPostUrl%3D30905118_1c5d041cf%26|; Domain=.lofter.com; Expires=Sun, 28-Jul-2024 02:24:10 GMT; Path=/
    Location: https://www.lofter.com/front/login
    Set-Cookie: usertrack=CpiybmakWkon69EmwDmKAg==; expires=Sun, 27-Jul-25 02:24:10 GMT; domain=lofter.com; path=/
    P3P: policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"
    Jul 27, 2024 04:24:11.280690908 CEST | 682 | IN | HTTP/1.1 302 Found
    Server: nginx
    Date: Sat, 27 Jul 2024 02:24:10 GMT
    Content-Type: text/html;charset=UTF-8
    Content-Length: 0
    Connection: keep-alive
    Set-Cookie: NTESwebSI=430CB13F032D94B6ECF6B1785E3B439E.lofter-webapp-web-old-docker-lftpro-3-3nhsm-6bbi5-5456f799lrx6f-8080; Path=/; HttpOnly
    Set-Cookie: firstentry=%2Fpost.do%3FloftBlogName%3Ddnfex%26loftPostUrl%3D30905118_1c5d041cf%26|; Domain=.lofter.com; Expires=Sun, 28-Jul-2024 02:24:10 GMT; Path=/
    Location: https://www.lofter.com/front/login
    Set-Cookie: usertrack=CpiybmakWkon69EmwDmKAg==; expires=Sun, 27-Jul-25 02:24:10 GMT; domain=lofter.com; path=/
    P3P: policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"
    Jul 27, 2024 04:24:11.281135082 CEST | 682 | IN | HTTP/1.1 302 Found
    Server: nginx
    Date: Sat, 27 Jul 2024 02:24:10 GMT
    Content-Type: text/html;charset=UTF-8
    Content-Length: 0
    Connection: keep-alive
    Set-Cookie: NTESwebSI=430CB13F032D94B6ECF6B1785E3B439E.lofter-webapp-web-old-docker-lftpro-3-3nhsm-6bbi5-5456f799lrx6f-8080; Path=/; HttpOnly
    Set-Cookie: firstentry=%2Fpost.do%3FloftBlogName%3Ddnfex%26loftPostUrl%3D30905118_1c5d041cf%26|; Domain=.lofter.com; Expires=Sun, 28-Jul-2024 02:24:10 GMT; Path=/
    Location: https://www.lofter.com/front/login
    Set-Cookie: usertrack=CpiybmakWkon69EmwDmKAg==; expires=Sun, 27-Jul-25 02:24:10 GMT; domain=lofter.com; path=/
    P3P: policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"
    Jul 27, 2024 04:24:13.902657032 CEST | 409 | OUT | GET /post/30905118_1c5d041cf HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    Host: dnfex.lofter.com
    Cache-Control: no-cache
    Cookie: NTESwebSI=430CB13F032D94B6ECF6B1785E3B439E.lofter-webapp-web-old-docker-lftpro-3-3nhsm-6bbi5-5456f799lrx6f-8080; firstentry=%2Fpost.do%3FloftBlogName%3Ddnfex%26loftPostUrl%3D30905118_1c5d041cf%26|; usertrack=CpiybmakWkon69EmwDmKAg==
    Jul 27, 2024 04:24:14.488811016 CEST | 345 | IN | HTTP/1.1 302 Found
    Server: nginx
    Date: Sat, 27 Jul 2024 02:24:14 GMT
    Content-Type: text/html;charset=UTF-8
    Content-Length: 0
    Connection: keep-alive
    Set-Cookie: NTESwebSI=AD627F8282FD534349823D017AF7AAB9.lofter-webapp-web-old-docker-lftpro-3-3nhsm-6bbi5-5456f799zt69m-8080; Path=/; HttpOnly
    Location: https://www.lofter.com/front/login


    Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
    Jul 27, 2024 04:24:39.777173042 CEST | 8.219.190.98 | 443 | 192.168.2.6 | 49714 | CN=*.lofter.com, O="NetEase (Hangzhou) Network Co., Ltd", L=Hangzhou, ST=Zhejiang, C=CN | CN=GeoTrust RSA CN CA G2, O=DigiCert Inc, C=US | Thu Mar 28 01:00:00 CET 2024 | Wed Apr 09 01:59:59 CEST 2025 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19
    Certificate chain: Subject | Issuer | Not Before | Not After
    CN=GeoTrust RSA CN CA G2, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Wed Mar 04 13:04:40 CET 2020 | Mon Mar 04 13:04:40 CET 2030
    CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Fri Nov 10 01:00:00 CET 2006 | Mon Nov 10 01:00:00 CET 2031
    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
    0 | 192.168.2.6 | 49713 | 8.219.190.98 | 443 | 1936 | C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe
    Timestamp | Bytes transferred | Direction | Data
    2024-07-27 02:24:13 UTC | 306 | OUT | GET /front/login HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    Cache-Control: no-cache
    Host: www.lofter.com
    Connection: Keep-Alive
    Cookie: firstentry=%2Fpost.do%3FloftBlogName%3Ddnfex%26loftPostUrl%3D30905118_1c5d041cf%26|; usertrack=CpiybmakWkon69EmwDmKAg==
    2024-07-27 02:24:13 UTC | 198 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 27 Jul 2024 02:24:13 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 9433
    Connection: close
    Vary: Accept-Encoding
    Vary: Accept-Encoding
    2024-07-27 02:24:13 UTC | 2721 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 22 20 63 6c 61 73 73 3d 22 6c 6f 66 74 65 72 2d 70 61 67 65 22 20 64 61 74 61 2d 72 65 61 63 74 72 6f 6f 74 3d 22 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 6e 64 65 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 77 65 62 6b 69 74 22 2f 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65
    Data Ascii: <!DOCTYPE html><html lang="zh" class="lofter-page" data-reactroot=""><head><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"/><meta name="renderer" content="webkit"/><meta http-equiv="content-type" content="text/html;charset=utf-8"/><meta name
    2024-07-27 02:24:13 UTC | 1448 | IN | Data Raw: 20 20 7d 0a 7d 2c 20 34 30 30 30 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 3c 73 65 63 74 69 6f 6e 20 63 6c 61 73 73 3d 22 70 61 67 65 2d 64 65 66 61 75 6c 74 2d 6c 6f 61 64 69 6e 67 2d 6d 61 73 6b 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 61 67 65 2d 64 65 66 61 75 6c 74 2d 6c 6f 61 64 69 6e 67 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 61 67 65 2d 64 65 66 61 75 6c 74 2d 6c 6f 61 64 69 6e 67 22 3e 3c 73 76 67 20 63 6c 61 73 73 3d 22 70 61 67 65 2d 64 65 66 61 75 6c 74 2d 69 63 6f 6e 2d 61 6e 69 6d 61 74 69 6f 6e 22 20 77 69 64 74 68 3d 22 36 34 22 20 68 65 69 67 68 74 3d 22 36 34 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 36 34 20 36 34 22 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 78 6d 6c 6e 73 3d 22
    Data Ascii: }}, 4000); </script><section class="page-default-loading-mask"><div class="page-default-loading-box"><div class="page-default-loading"><svg class="page-default-icon-animation" width="64" height="64" viewBox="0 0 64 64" fill="none" xmlns="
    2024-07-27 02:24:13 UTC | 2896 | IN | Data Raw: 32 38 2e 35 38 37 20 32 30 2e 33 34 33 36 20 32 38 2e 35 38 37 20 32 31 2e 38 36 37 31 56 33 33 2e 39 36 39 33 43 32 38 2e 35 38 37 20 33 35 2e 32 38 38 35 20 32 39 2e 34 39 32 34 20 33 36 2e 33 39 35 34 20 33 30 2e 37 31 36 20 33 36 2e 37 30 31 37 43 33 31 2e 30 36 32 37 20 33 36 2e 37 38 37 35 20 33 31 2e 33 39 37 31 20 33 36 2e 35 32 32 20 33 31 2e 33 39 37 31 20 33 36 2e 31 36 32 36 56 32 31 2e 38 36 33 56 32 31 2e 37 36 34 39 43 33 31 2e 33 38 39 20 31 39 2e 38 36 31 36 20 33 31 2e 31 30 33 35 20 31 38 2e 35 36 32 37 20 33 30 2e 34 35 39 31 20 31 37 2e 33 34 39 37 43 33 30 2e 31 30 34 32 20 31 36 2e 36 38 33 39 20 32 39 2e 36 35 31 35 20 31 36 2e 30 39 35 37 20 32 39 2e 31 31 33 31 20 31 35 2e 35 38 39 33 43 32 38 2e 36 38 38 39 20 31 35 2e 31 39 33
    Data Ascii: 28.587 20.3436 28.587 21.8671V33.9693C28.587 35.2885 29.4924 36.3954 30.716 36.7017C31.0627 36.7875 31.3971 36.522 31.3971 36.1626V21.863V21.7649C31.389 19.8616 31.1035 18.5627 30.4591 17.3497C30.1042 16.6839 29.6515 16.0957 29.1131 15.5893C28.6889 15.193
    2024-07-27 02:24:13 UTC | 2368 | IN | Data Raw: 65 72 2e 63 6f 6d 22 7d 7d 2c 7b 22 69 6d 61 67 65 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 6c 6f 66 74 65 72 2e 6c 66 31 32 37 2e 6e 65 74 5c 2f 31 36 31 31 38 30 32 36 39 33 32 32 39 5c 2f 78 69 7a 68 61 6e 67 32 2e 6a 70 67 3f 69 6d 61 67 65 56 69 65 77 26 74 79 70 65 3d 6a 70 67 26 71 75 61 6c 69 74 79 3d 37 30 26 73 74 72 69 70 6d 65 74 61 3d 30 26 74 68 75 6d 62 6e 61 69 6c 3d 34 30 30 30 78 34 30 30 30 22 2c 22 61 75 74 68 6f 72 22 3a 7b 22 6e 61 6d 65 22 3a 22 e3 80 8a e6 83 9c 20 e5 bc b5 e3 80 8b 22 2c 22 6c 69 6e 6b 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 78 69 69 7a 68 61 6e 67 2e 6c 6f 66 74 65 72 2e 63 6f 6d 22 7d 7d 2c 7b 22 69 6d 61 67 65 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 6c 6f 66 74 65 72 2e 6c 66 31 32 37 2e 6e 65 74 5c 2f 31 36 31 31
    Data Ascii: er.com"}},{"image":"https:\/\/lofter.lf127.net\/1611802693229\/xizhang2.jpg?imageView&type=jpg&quality=70&stripmeta=0&thumbnail=4000x4000","author":{"name":" ","link":"https:\/\/xiizhang.lofter.com"}},{"image":"https:\/\/lofter.lf127.net\/1611



    Target ID: 0
    Start time: 22:24:05
    Start date: 26/07/2024
    Path: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe
    Wow64 process (32bit): true
    Commandline: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.29184.31872.exe"
    Imagebase: 0x400000
    File size: 1'700'864 bytes
    MD5 hash: D19A5AC8132E4040179F12EB9366D3B3
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: low
    Has exited: true

    Target ID: 5
    Start time: 22:24:41
    Start date: 26/07/2024
    Path: C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit): true
    Commandline: RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255
    Imagebase: 0x850000
    File size: 61'440 bytes
    MD5 hash: 889B99C52A60DD49227C5E485A016679
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: high
    Has exited: true

    Target ID: 8
    Start time: 22:24:42
    Start date: 26/07/2024
    Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Wow64 process (32bit): true
    Commandline: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -ResetDestinationList
    Imagebase: 0xc70000
    File size: 828'368 bytes
    MD5 hash: 6F0F06D6AB125A99E43335427066A4A1
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: moderate
    Has exited: true

    Target ID: 9
    Start time: 22:24:44
    Start date: 26/07/2024
    Path: C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit): true
    Commandline: C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:255 WinX:0 WinY:0 IEFrame:00000000
    Imagebase: 0x850000
    File size: 61'440 bytes
    MD5 hash: 889B99C52A60DD49227C5E485A016679
    Has elevated privileges: true
    Has administrator privileges: false
    Programmed in: C, C++ or other language
    Reputation: high
    Has exited: true


      Execution Graph

      Execution Coverage:3.6%
      Dynamic/Decrypted Code Coverage:100%
      Signature Coverage:13.6%
      Total number of Nodes:2000
      Total number of Limit Nodes:57
      execution_graph: interactive call-graph rendering (node start addresses, edges, and the Win32 API calls attributed to each node, e.g. GetPropA, CreateDIBSection, CallWindowProcA, SetWindowsHookExA, TrackMouseEvent) that does not survive as readable text.
NtdllDefWindowProc_A 17112->17114 17115 10007b14 17113->17115 17116 10007a75 17113->17116 17117 10007b8d CallWindowProcA 17115->17117 17120 10007b30 17115->17120 17121 10007b76 17115->17121 17122 10007b47 17115->17122 17123 10007b5e 17115->17123 17118 10007a7b 17116->17118 17119 10007afd 17116->17119 17125 10007baf 17117->17125 17118->17117 17131 10007ae6 17118->17131 17132 10007aad 17118->17132 17133 10007acf 17118->17133 17134 10007a96 17118->17134 17159 1000dcd0 TrackMouseEvent CallWindowProcA 17119->17159 17160 100078e0 17120->17160 17148 10007960 17121->17148 17163 100078a0 17122->17163 17145 10007920 17123->17145 17130 10007b0e 17140 10012100 CallWindowProcA 17131->17140 17151 10012350 17132->17151 17154 100079a0 CallWindowProcA 17133->17154 17135 10007b41 17137 10007b58 17139 10007b70 17144 10007af7 17140->17144 17141 10007b87 17146 10007937 CallWindowProcA 17145->17146 17147 1000792d 17145->17147 17146->17139 17147->17146 17149 10007977 CallWindowProcA 17148->17149 17150 1000796d 17148->17150 17149->17141 17150->17149 17166 1000ae20 7 API calls 17151->17166 17153 10007abe 17155 10007a18 17154->17155 17156 100079ca 17154->17156 17156->17155 17184 10019730 17156->17184 17158 10007a0d InvalidateRect 17158->17155 17159->17130 17161 100078eb 17160->17161 17162 100078fc CallWindowProcA 17160->17162 17161->17162 17162->17135 17164 100078b6 CallWindowProcA 17163->17164 17165 100078aa 17163->17165 17164->17137 17165->17164 17167 1000aeeb 17166->17167 17168 1000ae9b 17166->17168 17167->17153 17170 1000af00 EqualRect 17168->17170 17171 1000b0b1 17170->17171 17172 1000af18 IsRectEmpty 17170->17172 17171->17167 17173 1000af84 17172->17173 17174 1000af2f 6 API calls 17172->17174 17175 1000afbd 17173->17175 17176 1000af8d CreatePen 17173->17176 17174->17173 17178 1000afc2 CreatePen 17175->17178 17179 1000afef 17175->17179 17177 1000b040 7 API calls 17176->17177 17182 1000b0a1 DeleteObject DeleteObject 17177->17182 17183 1000b099 SelectClipRgn 17177->17183 17178->17177 
17180 1000b000 CreatePen 17179->17180 17181 1000b021 CreatePen 17179->17181 17180->17177 17181->17177 17182->17171 17183->17182 17185 1001975d 17184->17185 17186 10019f7d 17185->17186 17191 1001a750 17185->17191 17186->17158 17188 10019eee 17188->17186 17189 10019ef8 ??2@YAPAXI 17188->17189 17190 10019f20 17189->17190 17190->17158 17194 1001a77b 17191->17194 17192 1001a79b ??2@YAPAXI 17196 1001a7b4 17192->17196 17193 1001a7ea 17197 1001a7f2 ??2@YAPAXI 17193->17197 17198 1001a845 17193->17198 17194->17192 17194->17193 17195 1001a9a8 17194->17195 17195->17188 17223 10012140 SetPropA 17196->17223 17202 1001a80f 17197->17202 17199 1001a8a0 17198->17199 17200 1001a84d ??2@YAPAXI 17198->17200 17205 1001a8f8 17199->17205 17206 1001a8a8 ??2@YAPAXI 17199->17206 17203 1001a86a 17200->17203 17207 10012140 SetPropA 17202->17207 17211 10012140 SetPropA 17203->17211 17204 1001a7d6 17204->17188 17209 1001a950 17205->17209 17210 1001a900 ??2@YAPAXI 17205->17210 17212 1001a8c2 17206->17212 17208 1001a831 17207->17208 17208->17188 17209->17195 17215 1001a958 ??2@YAPAXI 17209->17215 17213 1001a91a 17210->17213 17214 1001a88c 17211->17214 17216 10012140 SetPropA 17212->17216 17218 10012140 SetPropA 17213->17218 17214->17188 17219 1001a972 17215->17219 17217 1001a8e4 17216->17217 17217->17188 17220 1001a93c 17218->17220 17221 10012140 SetPropA 17219->17221 17220->17188 17222 1001a994 17221->17222 17222->17188 17224 1001216a 17223->17224 17224->17204 17225 10013170 GetClientRect 17226 1000fbf0 7 API calls 17225->17226 17227 100131bd 17226->17227 17257 10012060 GetPropA 17227->17257 17258 1001209a SelectObject 17257->17258 17259 10012076 17257->17259 17261 10009a50 17258->17261 17259->17258 17260 10012088 SendMessageA 17259->17260 17260->17258 17262 1001a4f0 17263 1001a50b 17262->17263 17264 1001a65d CallNextHookEx 17262->17264 17263->17264 17265 1001a574 17263->17265 17266 1001a526 17263->17266 17267 1001a579 17265->17267 17269 1001a5c7 17265->17269 17266->17264 17272 1001a54f SetPropA 
17266->17272 17267->17264 17276 1001a5a2 SetPropA 17267->17276 17268 1001a5d7 GetPropA 17268->17264 17270 1001a5ec GetPropA 17268->17270 17269->17264 17269->17268 17270->17264 17271 1001a5fb GetPropA 17270->17271 17273 1001a627 GetClassNameA 17271->17273 17274 1001a60a GetPropA 17271->17274 17277 1001a56f 17272->17277 17281 1001a030 17273->17281 17278 10019730 8 API calls 17274->17278 17276->17277 17277->17264 17279 1001a625 17278->17279 17280 1001a64c SetPropA 17279->17280 17280->17264 17402 1001a9c0 _mbscmp 17281->17402 17283 1001a049 17284 1001a059 _mbscmp 17283->17284 17285 1001a04d 17283->17285 17286 1001a086 _mbscmp 17284->17286 17287 1001a06e 17284->17287 17285->17280 17289 1001a095 17286->17289 17290 1001a0ad _mbscmp 17286->17290 17288 10019730 8 API calls 17287->17288 17291 1001a07f 17288->17291 17292 10019730 8 API calls 17289->17292 17293 1001a0cc _mbscmp 17290->17293 17294 1001a0bc 17290->17294 17291->17280 17297 1001a0a6 17292->17297 17295 1001a0f3 _mbscmp 17293->17295 17296 1001a0db 17293->17296 17415 100077b0 17294->17415 17301 1001a102 17295->17301 17302 1001a11a _mbscmp 17295->17302 17300 10019730 8 API calls 17296->17300 17297->17280 17299 1001a0c2 17299->17280 17303 1001a0ec 17300->17303 17304 10019730 8 API calls 17301->17304 17305 1001a141 _mbscmp 17302->17305 17306 1001a129 17302->17306 17303->17280 17307 1001a113 17304->17307 17309 1001a150 17305->17309 17310 1001a168 _mbscmp 17305->17310 17308 10019730 8 API calls 17306->17308 17307->17280 17313 1001a13a 17308->17313 17314 10019730 8 API calls 17309->17314 17311 1001a177 17310->17311 17312 1001a18f _mbscmp 17310->17312 17316 10019730 8 API calls 17311->17316 17317 1001a1b6 _mbscmp 17312->17317 17318 1001a19e 17312->17318 17313->17280 17315 1001a161 17314->17315 17315->17280 17319 1001a188 17316->17319 17321 1001a1c5 17317->17321 17322 1001a1dd _mbscmp 17317->17322 17320 10019730 8 API calls 17318->17320 17319->17280 17323 1001a1af 17320->17323 17324 10019730 8 API calls 17321->17324 17325 
1001a204 _mbscmp 17322->17325 17326 1001a1ec 17322->17326 17323->17280 17329 1001a1d6 17324->17329 17327 1001a213 17325->17327 17328 1001a22b _mbscmp 17325->17328 17330 10019730 8 API calls 17326->17330 17332 10019730 8 API calls 17327->17332 17333 1001a252 _mbscmp 17328->17333 17334 1001a23a 17328->17334 17329->17280 17331 1001a1fd 17330->17331 17331->17280 17335 1001a224 17332->17335 17337 1001a261 17333->17337 17338 1001a279 _mbscmp 17333->17338 17336 10019730 8 API calls 17334->17336 17335->17280 17339 1001a24b 17336->17339 17340 10019730 8 API calls 17337->17340 17341 1001a2a0 _mbsstr 17338->17341 17342 1001a288 17338->17342 17339->17280 17345 1001a272 17340->17345 17343 1001a2b5 17341->17343 17344 1001a2cd _mbsstr 17341->17344 17346 10019730 8 API calls 17342->17346 17348 10019730 8 API calls 17343->17348 17349 1001a2f4 _mbscmp 17344->17349 17350 1001a2dc 17344->17350 17345->17280 17347 1001a299 17346->17347 17347->17280 17351 1001a2c6 17348->17351 17353 1001a303 17349->17353 17354 1001a31b _mbscmp 17349->17354 17352 10019730 8 API calls 17350->17352 17351->17280 17355 1001a2ed 17352->17355 17356 10019730 8 API calls 17353->17356 17357 1001a342 _mbscmp 17354->17357 17358 1001a32a 17354->17358 17355->17280 17361 1001a314 17356->17361 17359 1001a351 17357->17359 17360 1001a369 _mbscmp 17357->17360 17362 10019730 8 API calls 17358->17362 17364 10019730 8 API calls 17359->17364 17365 1001a390 _mbsstr 17360->17365 17366 1001a378 17360->17366 17361->17280 17363 1001a33b 17362->17363 17363->17280 17367 1001a362 17364->17367 17369 1001a39f _mbsstr 17365->17369 17370 1001a3ae 17365->17370 17368 10019730 8 API calls 17366->17368 17367->17280 17371 1001a389 17368->17371 17369->17370 17372 1001a3c6 _mbscmp 17369->17372 17373 10019730 8 API calls 17370->17373 17371->17280 17375 1001a3d5 17372->17375 17376 1001a3ed _mbscmp 17372->17376 17374 1001a3bf 17373->17374 17374->17280 17377 10019730 8 API calls 17375->17377 17378 1001a414 _mbscmp 17376->17378 17379 1001a3fc 
17376->17379 17380 1001a3e6 17377->17380 17382 1001a423 17378->17382 17383 1001a43b _mbscmp 17378->17383 17381 10019730 8 API calls 17379->17381 17380->17280 17384 1001a40d 17381->17384 17385 10019730 8 API calls 17382->17385 17386 1001a462 _mbscmp 17383->17386 17387 1001a44a 17383->17387 17384->17280 17388 1001a434 17385->17388 17390 1001a471 17386->17390 17391 1001a489 17386->17391 17389 10019730 8 API calls 17387->17389 17388->17280 17394 1001a45b 17389->17394 17392 10019730 8 API calls 17390->17392 17433 1001aa70 _mbsstr 17391->17433 17395 1001a482 17392->17395 17394->17280 17395->17280 17396 1001a496 17397 1001a4d9 17396->17397 17398 1001a4ae _mbsstr 17396->17398 17397->17280 17398->17287 17399 1001a4c1 17398->17399 17400 10019730 8 API calls 17399->17400 17401 1001a4d2 17400->17401 17401->17280 17403 1001a9f7 _mbscmp 17402->17403 17404 1001a9dc 17402->17404 17405 1001aa67 17403->17405 17406 1001aa06 GetParent FindWindowExA 17403->17406 17407 10019730 8 API calls 17404->17407 17405->17283 17408 1001aa29 FindWindowExA 17406->17408 17409 1001aa5c 17406->17409 17410 1001a9f1 17407->17410 17408->17409 17411 1001aa37 FindWindowExA 17408->17411 17409->17283 17410->17283 17411->17409 17412 1001aa45 17411->17412 17413 10019730 8 API calls 17412->17413 17414 1001aa56 17413->17414 17414->17283 17416 100077bd 17415->17416 17417 1000782b 17416->17417 17418 100077f2 17416->17418 17419 10007805 17416->17419 17420 10007818 17416->17420 17421 100077cc 17416->17421 17422 100077df 17416->17422 17417->17299 17425 10019730 8 API calls 17418->17425 17426 10019730 8 API calls 17419->17426 17427 10019730 8 API calls 17420->17427 17423 10019730 8 API calls 17421->17423 17424 10019730 8 API calls 17422->17424 17428 100077dd 17423->17428 17429 100077f0 17424->17429 17430 10007803 17425->17430 17431 10007816 17426->17431 17432 10007829 17427->17432 17428->17299 17429->17299 17430->17299 17431->17299 17432->17299 17434 1001ab3b _mbsstr 17433->17434 17440 1001aa90 17433->17440 17435 
1001ab65 _mbscmp 17434->17435 17436 1001ab4a 17434->17436 17438 1001ab95 _mbscmp 17435->17438 17439 1001ab7a 17435->17439 17437 10019730 8 API calls 17436->17437 17441 1001ab5f 17437->17441 17443 1001abae _mbscmp 17438->17443 17515 1001aba4 17438->17515 17442 10019730 8 API calls 17439->17442 17449 1001aab6 17440->17449 17450 1001aacd 17440->17450 17441->17396 17446 1001ab8f 17442->17446 17444 1001abd8 _mbscmp 17443->17444 17445 1001abbd 17443->17445 17451 1001ac02 _mbsstr 17444->17451 17452 1001abe7 17444->17452 17447 10019730 8 API calls 17445->17447 17446->17396 17453 1001abd2 17447->17453 17448 10019730 8 API calls 17454 1001b694 17448->17454 17455 10019730 8 API calls 17449->17455 17457 1001aad1 17450->17457 17464 1001ab04 17450->17464 17465 1001aaed 17450->17465 17458 1001ac1b _mbsstr 17451->17458 17451->17515 17456 10019730 8 API calls 17452->17456 17453->17396 17454->17396 17459 1001aac7 17455->17459 17460 1001abfc 17456->17460 17461 10019730 8 API calls 17457->17461 17462 1001ac93 17458->17462 17463 1001ac2a _mbscmp 17458->17463 17459->17396 17460->17396 17467 1001aae2 17461->17467 17466 1001aca1 _mbscmp 17462->17466 17471 1001b61f 17462->17471 17468 1001ac54 _mbscmp 17463->17468 17469 1001ac39 17463->17469 17464->17457 17484 1001ab24 17464->17484 17470 10019730 8 API calls 17465->17470 17472 1001acb0 17466->17472 17473 1001accb _mbscmp 17466->17473 17467->17396 17476 1001ac63 17468->17476 17477 1001ac76 _mbsstr 17468->17477 17474 10019730 8 API calls 17469->17474 17475 1001aafe 17470->17475 17471->17396 17479 10019730 8 API calls 17472->17479 17480 1001acf5 _mbscmp 17473->17480 17481 1001acda 17473->17481 17482 1001ac4e 17474->17482 17475->17396 17478 100077b0 8 API calls 17476->17478 17477->17471 17477->17515 17483 1001ac6d 17478->17483 17485 1001acc5 17479->17485 17487 1001ad0e _mbscmp 17480->17487 17480->17515 17486 10019730 8 API calls 17481->17486 17482->17396 17483->17396 17490 10019730 8 API calls 17484->17490 17485->17396 17491 1001acef 
17486->17491 17488 1001ad38 _mbscmp 17487->17488 17489 1001ad1d 17487->17489 17494 1001ad62 _mbscmp 17488->17494 17495 1001ad47 17488->17495 17492 10019730 8 API calls 17489->17492 17493 1001ab35 17490->17493 17491->17396 17496 1001ad32 17492->17496 17493->17396 17498 1001ad75 _mbscmp 17494->17498 17494->17515 17497 10019730 8 API calls 17495->17497 17496->17396 17499 1001ad5c 17497->17499 17500 1001ad88 _mbscmp 17498->17500 17498->17515 17499->17396 17501 1001ada1 _mbscmp 17500->17501 17500->17515 17502 1001adb0 17501->17502 17503 1001adcb _mbscmp 17501->17503 17506 10019730 8 API calls 17502->17506 17504 1001adf5 _mbscmp 17503->17504 17505 1001adda 17503->17505 17508 1001b664 17504->17508 17509 1001ae08 _mbscmp 17504->17509 17507 10019730 8 API calls 17505->17507 17510 1001adc5 17506->17510 17511 1001adef 17507->17511 17513 10019730 8 API calls 17508->17513 17509->17508 17512 1001ae1b _mbscmp 17509->17512 17510->17396 17511->17396 17514 1001ae34 _mbscmp 17512->17514 17512->17515 17516 1001b679 17513->17516 17517 1001ae43 17514->17517 17518 1001ae5e _mbscmp 17514->17518 17515->17448 17516->17396 17519 10019730 8 API calls 17517->17519 17520 1001ae88 _mbscmp 17518->17520 17521 1001ae6d 17518->17521 17523 1001ae58 17519->17523 17520->17515 17522 1001aea1 _mbscmp 17520->17522 17524 10019730 8 API calls 17521->17524 17525 1001aeb0 17522->17525 17526 1001aecb _mbscmp 17522->17526 17523->17396 17527 1001ae82 17524->17527 17528 10019730 8 API calls 17525->17528 17529 1001aef5 _mbscmp 17526->17529 17530 1001aeda 17526->17530 17527->17396 17531 1001aec5 17528->17531 17529->17515 17533 1001af0e _mbscmp 17529->17533 17532 10019730 8 API calls 17530->17532 17531->17396 17534 1001aeef 17532->17534 17535 1001af38 _mbscmp 17533->17535 17536 1001af1d 17533->17536 17534->17396 17537 1001af62 _mbscmp 17535->17537 17538 1001af47 17535->17538 17539 10019730 8 API calls 17536->17539 17541 1001af75 _mbscmp 17537->17541 17542 1001b649 17537->17542 17540 10019730 8 API calls 17538->17540 
17543 1001af32 17539->17543 17544 1001af5c 17540->17544 17541->17542 17545 1001af88 _mbscmp 17541->17545 17546 10019730 8 API calls 17542->17546 17543->17396 17544->17396 17545->17515 17547 1001afa1 _mbscmp 17545->17547 17548 1001b65e 17546->17548 17549 1001afb0 17547->17549 17550 1001afcb _mbscmp 17547->17550 17548->17396 17551 10019730 8 API calls 17549->17551 17552 1001aff5 _mbscmp 17550->17552 17553 1001afda 17550->17553 17555 1001afc5 17551->17555 17552->17515 17554 1001b00e _mbscmp 17552->17554 17556 10019730 8 API calls 17553->17556 17557 1001b038 _mbscmp 17554->17557 17558 1001b01d 17554->17558 17555->17396 17559 1001afef 17556->17559 17561 1001b062 _mbscmp 17557->17561 17562 1001b047 17557->17562 17560 10019730 8 API calls 17558->17560 17559->17396 17563 1001b032 17560->17563 17561->17515 17565 1001b075 _mbscmp 17561->17565 17564 10019730 8 API calls 17562->17564 17563->17396 17566 1001b05c 17564->17566 17565->17515 17567 1001b088 _mbscmp 17565->17567 17566->17396 17567->17515 17568 1001b0a1 _mbscmp 17567->17568 17569 1001b0b0 17568->17569 17570 1001b0cb _mbscmp 17568->17570 17571 10019730 8 API calls 17569->17571 17572 1001b5d0 17570->17572 17573 1001b0de _mbscmp 17570->17573 17574 1001b0c5 17571->17574 17578 10019730 8 API calls 17572->17578 17573->17572 17575 1001b0f1 _mbscmp 17573->17575 17574->17396 17576 1001b100 17575->17576 17577 1001b11b _mbscmp 17575->17577 17579 10019730 8 API calls 17576->17579 17577->17515 17580 1001b134 _mbscmp 17577->17580 17581 1001b5e5 17578->17581 17582 1001b115 17579->17582 17583 1001b143 17580->17583 17584 1001b15e _mbsstr 17580->17584 17581->17396 17582->17396 17585 10019730 8 API calls 17583->17585 17586 1001b171 _mbscmp 17584->17586 17587 1001b3a2 17584->17587 17589 1001b158 17585->17589 17586->17587 17588 1001b184 _mbscmp 17586->17588 17590 10019730 8 API calls 17587->17590 17591 1001b193 17588->17591 17592 1001b1ae _mbscmp 17588->17592 17589->17396 17593 1001b3b7 17590->17593 17594 10019730 8 API calls 17591->17594 
17592->17515 17595 1001b1c1 _mbscmp 17592->17595 17593->17396 17596 1001b1a8 17594->17596 17595->17515 17597 1001b1d4 _mbscmp 17595->17597 17596->17396 17597->17515 17598 1001b1e7 _mbscmp 17597->17598 17598->17572 17599 1001b1fa _mbscmp 17598->17599 17599->17572 17600 1001b20d _mbscmp 17599->17600 17601 1001b220 _mbscmp 17600->17601 17602 1001b562 17600->17602 17601->17602 17604 1001b233 _mbscmp 17601->17604 17603 10019730 8 API calls 17602->17603 17605 1001b577 17603->17605 17604->17515 17606 1001b24c _mbscmp 17604->17606 17605->17396 17607 1001b276 _mbscmp 17606->17607 17608 1001b25b 17606->17608 17609 1001b2a0 _mbscmp 17607->17609 17610 1001b285 17607->17610 17611 10019730 8 API calls 17608->17611 17609->17515 17614 1001b2b9 _mbscmp 17609->17614 17613 10019730 8 API calls 17610->17613 17612 1001b270 17611->17612 17612->17396 17615 1001b29a 17613->17615 17616 1001b2e3 _mbscmp 17614->17616 17617 1001b2c8 17614->17617 17615->17396 17619 1001b2f2 17616->17619 17620 1001b30d _mbscmp 17616->17620 17618 10019730 8 API calls 17617->17618 17622 1001b2dd 17618->17622 17623 10019730 8 API calls 17619->17623 17620->17515 17621 1001b326 _mbscmp 17620->17621 17624 1001b350 _mbscmp 17621->17624 17625 1001b335 17621->17625 17622->17396 17626 1001b307 17623->17626 17628 1001b37a _mbscmp 17624->17628 17629 1001b35f 17624->17629 17627 10019730 8 API calls 17625->17627 17626->17396 17630 1001b34a 17627->17630 17628->17515 17632 1001b393 _mbscmp 17628->17632 17631 10019730 8 API calls 17629->17631 17630->17396 17633 1001b374 17631->17633 17632->17587 17634 1001b3bd _mbscmp 17632->17634 17633->17396 17635 1001b3e7 _mbscmp 17634->17635 17636 1001b3cc 17634->17636 17635->17515 17638 1001b400 _mbscmp 17635->17638 17637 10019730 8 API calls 17636->17637 17639 1001b3e1 17637->17639 17640 1001b42a _mbscmp 17638->17640 17641 1001b40f 17638->17641 17639->17396 17643 1001b454 _mbscmp 17640->17643 17644 1001b439 17640->17644 17642 10019730 8 API calls 17641->17642 17645 1001b424 17642->17645 
17643->17515 17647 1001b46d _mbscmp 17643->17647 17646 10019730 8 API calls 17644->17646 17645->17396 17650 1001b44e 17646->17650 17648 1001b497 _mbscmp 17647->17648 17649 1001b47c 17647->17649 17652 1001b4c1 _mbscmp 17648->17652 17653 1001b4a6 17648->17653 17651 10019730 8 API calls 17649->17651 17650->17396 17654 1001b491 17651->17654 17652->17515 17656 1001b4d0 _mbscmp 17652->17656 17654->17396 17656->17515 17676 10025cb0 17677 10025cb5 17676->17677 17680 1002615b 17677->17680 17683 1002612f 17680->17683 17682 10025cda 17684 10026144 __dllonexit 17683->17684 17685 10026138 _onexit 17683->17685 17684->17682 17685->17682 17686 10024770 17687 10024782 17686->17687 17688 100248c0 17686->17688 17691 100248a9 17687->17691 17697 10024788 17687->17697 17689 100248c7 17688->17689 17690 1002493e 17688->17690 17693 10024938 17689->17693 17696 10024a23 CallWindowProcA 17689->17696 17699 100248d8 17689->17699 17694 100249c4 17690->17694 17695 10024945 17690->17695 17932 10021500 17691->17932 17702 100249cb 17694->17702 17703 10024a1c 17694->17703 17700 10024947 17695->17700 17701 100249af 17695->17701 17697->17696 17704 10024840 17697->17704 17705 10024801 17697->17705 17706 10024a06 17697->17706 17707 100247a6 17697->17707 17708 1002486a 17697->17708 17709 1002482b 17697->17709 17710 100247ec 17697->17710 17711 100249f0 17697->17711 17712 100247d0 17697->17712 17713 10024816 17697->17713 17714 10024894 17697->17714 17715 10024855 17697->17715 17716 100247bb 17697->17716 17717 1002487f 17697->17717 17698 100248bc 17723 100248f4 17699->17723 17724 10024909 17699->17724 17725 1002491e 17699->17725 17726 100248df 17699->17726 17736 1002494e 17700->17736 17737 1002498f 17700->17737 18053 10022680 17701->18053 17702->17706 17728 100249cd 17702->17728 17703->17696 17735 10024a40 17703->17735 17917 10022580 CallWindowProcA 17704->17917 17800 100223f0 17705->17800 18068 10021c00 17706->18068 17825 10021ca0 GetWindowRect PtInRect 17707->17825 17928 10022070 CallWindowProcA 
17708->17928 17896 10021a80 17709->17896 17787 100227c0 CallWindowProcA 17710->17787 17818 10022720 IsWindowVisible 17711->17818 17720 10012460 SendMessageA 17712->17720 17803 10022200 17713->17803 17718 10012100 CallWindowProcA 17714->17718 17923 10022790 17715->17923 17783 10022430 17716->17783 17929 10024d50 17717->17929 17741 100248a5 17718->17741 17743 100247d7 17720->17743 18003 100225e0 17723->18003 18009 100216f0 17724->18009 18022 10022a20 IsWindowVisible 17725->18022 17971 10021800 17726->17971 17728->17711 17750 100249d4 17728->17750 18078 10021c60 17735->18078 17760 10024979 17736->17760 17773 10024964 17736->17773 17774 1002495a 17736->17774 17737->17696 17744 1002499a 17737->17744 17742 100247cc 17870 100220a0 17743->17870 18049 10022630 17744->18049 17745 100249c0 17748 10024812 17750->17696 17769 100249db 17750->17769 17751 10024827 17753 1002483c 17755 10024a02 17757 10024a18 17764 10012370 7 API calls 17760->17764 17761 1002487b 17762 100247b7 17763 10024890 17775 1002498b 17764->17775 17767 100248f0 17768 10024905 18061 100217a0 GetSystemMenu 17769->18061 17770 1002491a 17771 10024934 18034 100224c0 17773->18034 17774->17760 17779 1002495f 17774->17779 17776 100247e8 17777 100249ab 17779->17696 17781 10024975 17784 10022443 LoadCursorA SetCursor 17783->17784 17785 10022478 CallWindowProcA 17783->17785 17784->17742 17785->17742 17788 100227ee 17787->17788 17799 1002285d 17787->17799 18085 10024e80 GetWindowInfo 17788->18085 17790 100227f8 17791 100228a4 17790->17791 17792 10022809 17790->17792 17793 10022f90 GetMenu 17791->17793 17792->17799 18097 10022f90 17792->18097 17795 100228c8 17793->17795 17797 10022fd0 3 API calls 17795->17797 17795->17799 17796 10022852 17796->17799 18100 10022fd0 GetMenuItemCount 17796->18100 17797->17799 17801 100223fe 17800->17801 17802 1002240d CallWindowProcA 17800->17802 17801->17802 17802->17748 17804 100223cc CallWindowProcA 17803->17804 17805 10022219 17803->17805 17804->17751 17805->17804 17806 10022231 
17805->17806 17807 1002223f 17805->17807 18133 10024730 ShowWindow ShowWindow ShowWindow ShowWindow 17806->18133 17809 10022246 17807->17809 17810 1002224f 17807->17810 18134 10024730 ShowWindow ShowWindow ShowWindow ShowWindow 17809->18134 17813 1002225f GetWindowRect SetWindowPos SetWindowPos SetWindowPos 17810->17813 17814 1002234c SetWindowPos SetWindowPos SetWindowPos 17810->17814 17811 1002223a 17811->17804 17815 100223b8 SetWindowPos 17813->17815 17814->17815 17815->17804 17816 100223c5 17815->17816 18135 10025870 17816->18135 17819 10022760 CallWindowProcA 17818->17819 17820 10022731 17818->17820 17819->17755 17821 10022a20 8 API calls 17820->17821 17822 1002274c 17821->17822 17823 100220a0 257 API calls 17822->17823 17824 10022759 17823->17824 17824->17755 17826 10021cf7 PtInRect 17825->17826 17827 10021ce8 17825->17827 17828 10021d06 17826->17828 17829 10021d3a 17826->17829 17827->17762 17830 10021d2b 17828->17830 18369 100124d0 SetTimer 17828->18369 17831 10022038 17829->17831 17832 10021d48 IsRectEmpty 17829->17832 17830->17762 17833 10016220 4 API calls 17831->17833 17835 10021e02 GetPropA 17832->17835 17836 10021d5d PtInRect 17832->17836 17837 10022049 17833->17837 17835->17837 17838 10021e19 17835->17838 17839 10021d73 PtInRect 17836->17839 17840 10021d6c 17836->17840 17837->17762 17838->17831 17841 10021e29 PtInRect 17838->17841 17839->17840 17842 10021d89 PtInRect 17839->17842 17843 10021dd8 17840->17843 18370 100124d0 SetTimer 17840->18370 17844 10021e3c 17841->17844 17845 10021f3d PtInRect 17841->17845 17842->17840 17846 10021d9f PtInRect 17842->17846 17843->17762 17851 10021e4c PtInRect 17844->17851 17852 10021ecd CreateRectRgn GetWindowRgn 17844->17852 17849 10021f5b PtInRect 17845->17849 17850 10021f4c 17845->17850 17846->17840 17847 10021de4 PtInRect 17846->17847 17847->17835 17855 10021df3 17847->17855 17856 10021f6a 17849->17856 17857 10021f79 PtInRect 17849->17857 17850->17762 17858 10021e72 17851->17858 17859 10021e81 PtInRect 
17851->17859 17853 10021f1e DeleteObject 17852->17853 17854 10021eec PtInRegion 17852->17854 17853->17762 17860 10021f16 17854->17860 17861 10021efe PtInRegion 17854->17861 17855->17762 17856->17762 17857->17831 17862 10021f8c 17857->17862 17858->17762 17863 10021ecb 17859->17863 17864 10021ebc 17859->17864 17860->17853 17861->17860 17865 10021f0a PtInRegion 17861->17865 17866 10021f9a PtInRect 17862->17866 17867 1002201a 17862->17867 17863->17852 17864->17762 17865->17853 17865->17860 17868 10021fce 17866->17868 17869 10021fdd PtInRect 17866->17869 17867->17762 17868->17762 17869->17867 17871 100220b4 IsWindowVisible 17870->17871 17872 100221eb 17870->17872 17871->17872 17873 100220c6 17871->17873 17872->17776 17874 100220d0 GetWindowRect 17873->17874 17875 1002211a 17873->17875 17876 100220fd 17874->17876 17877 10024e80 31 API calls 17875->17877 17876->17875 18371 10024390 GetWindowRect 17876->18371 17879 10022123 17877->17879 17880 10022135 17879->17880 18381 100250c0 17879->18381 17880->17872 17883 10022164 IsRectEmpty 17880->17883 17884 1002215a 17880->17884 17887 10022162 17883->17887 18410 10023530 17884->18410 17885 10025870 97 API calls 17885->17880 17888 10022187 IsRectEmpty 17887->17888 17889 1002219e IsRectEmpty 17887->17889 17888->17889 17890 10022194 17888->17890 17891 100221bd 17889->17891 17893 100221ab 17889->17893 17892 10015840 53 API calls 17890->17892 17894 100221c7 SendMessageA 17891->17894 17892->17889 17893->17891 18453 10023960 17893->18453 17894->17776 17897 10021a94 17896->17897 17898 10021b1e 17896->17898 17899 10021af1 17897->17899 17900 10021a9e 17897->17900 17901 10021bdf 17898->17901 17911 10021b36 17898->17911 17902 10023f00 10 API calls 17899->17902 18549 10023f00 GetCursorPos GetWindowRect PtInRect 17900->18549 17904 100157b0 61 API calls 17901->17904 17905 10021af6 17902->17905 17907 10021bf1 17904->17907 17908 10021bc1 CallWindowProcA 17905->17908 17912 10024e60 115 API calls 17905->17912 17906 10021aa3 17909 10021aa8 
[Control-flow graph (rendered call-graph node and edge listing, continued; the node/edge text is omitted here). Recoverable content: the graphed functions in 10021500-10025d00 form a window and menu drawing subsystem (SetWindowPos, CallWindowProcA, SendMessageA, GetSystemMenu/GetMenuState/GetMenuItemInfoA/SetMenuItemInfoA, GetMenuItemRect, TrackPopupMenu, SetTimer/KillTimer, IsIconic/IsZoomed, GetPropA/GetClassLongA) backed by GDI calls (CreateCompatibleDC, SelectObject, BitBlt, DrawTextA, DrawIconEx, CreateRectRgn/CreateRoundRectRgn/ExtCreateRegion/CombineRgn, GlobalAlloc/GlobalFix/GlobalUnWire/GlobalFree); functions in 10025d00-10026300 cover C runtime start-up (malloc, _initterm, operator new/delete), a hook tear-down path (UnhookWindowsHookEx) and dynamic import resolution (GetModuleHandleA/GetProcAddress, GetVersion); the routines at 10026440 and 100264c0 call GetCurrentProcess, FlushInstructionCache and VirtualProtect, the sequence used when writing to executable memory at run time.]

      Control-flow Graph

      [Basic-block listing for the function at 10017540-10017b93 omitted. The graphed blocks call ??2@YAPAXI@Z and ??3@YAXPAX@Z (operator new/delete), SelectObject, CreateCompatibleBitmap, BitBlt and DeleteObject, plus the internal routines 10001020, 10001030, 1000f6d0, 10006b30, 10018e00, 10018f60, 10020d90 and 100191c0.]
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: ??3@$??2@
      • String ID:
      • API String ID: 4113381792-0
      • Opcode ID: 9aef21dc69513510d62cbd5b6012a76406e709963529ef32f910eb16fd510893
      • Instruction ID: 33afa64b527c78f8bd4c2c7d176e8c765b8c94169a76a89671ef6ae364567c8b
      • Opcode Fuzzy Hash: 9aef21dc69513510d62cbd5b6012a76406e709963529ef32f910eb16fd510893
      • Instruction Fuzzy Hash: 8502D0756002488FDB28CF14D890BEA77E2FB88310F59857DED0A5F381DB75AA45CB91

      Control-flow Graph

      APIs
      • GetPropA.USER32(?,1002C03C), ref: 10007A3D
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?,?,?,?,100065A9,?,?,?,?), ref: 10007A59
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: NtdllProc_PropWindow
      • String ID:
      • API String ID: 2172124074-0
      • Opcode ID: cb2a118e651b28c30f67082bd4fe69c13c495138cac0e45b77bb26f8af636f3a
      • Instruction ID: 97ae2f1b3464a4c4e6a23b637a735b9b026802ad9d4f48c1e8d21a1d89c5b290
      • Opcode Fuzzy Hash: cb2a118e651b28c30f67082bd4fe69c13c495138cac0e45b77bb26f8af636f3a
      • Instruction Fuzzy Hash: BA415F767041019BE204DB58E8D4DBFB3A9EBD83A1F10882FF585C3256CB74AC5697B2

      Control-flow Graph

      APIs
      • GetPropA.USER32(?,1002C03C), ref: 1000DA9C
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1000DAB8
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: NtdllProc_PropWindow
      • String ID:
      • API String ID: 2172124074-0
      • Opcode ID: 6840023b0d9f93a644c901cc63a780c081a2c5d3ad5d97a37642cacfd9b32677
      • Instruction ID: 228e3ab525f591684e137e6fd99d1f9435fde28c84332add3aa5917434ab564e
      • Opcode Fuzzy Hash: 6840023b0d9f93a644c901cc63a780c081a2c5d3ad5d97a37642cacfd9b32677
      • Instruction Fuzzy Hash: 6E31397A7042019BE100EE58E880D6F77E9DBD47A0F118C1BF6819725AC770DC8697B2

      Control-flow Graph

      APIs
      • GetClientRect.USER32(?,?), ref: 1001319A
        • Part of subcall function 1000FBF0: CreateCompatibleDC.GDI32(?), ref: 1000FC09
        • Part of subcall function 1000FBF0: CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 1000FC14
        • Part of subcall function 1000FBF0: SelectObject.GDI32(00000000,00000000), ref: 1000FC21
        • Part of subcall function 1000FBF0: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1000FC3A
        • Part of subcall function 1000FBF0: GetClipRgn.GDI32(?,00000000), ref: 1000FC44
        • Part of subcall function 1000FBF0: SelectClipRgn.GDI32(?,00000000), ref: 1000FC53
        • Part of subcall function 1000FBF0: DeleteObject.GDI32(00000000), ref: 1000FC5A
        • Part of subcall function 10012060: GetPropA.USER32(?,1002C2CC), ref: 1001206C
        • Part of subcall function 10012060: SendMessageA.USER32(?,00000031,?,?), ref: 10012090
      • SelectObject.GDI32(?,00000000), ref: 100131E3
      • IsWindowEnabled.USER32(?), ref: 100131FE
      • InflateRect.USER32(?,000000FE,000000FE), ref: 100132E2
      • GetWindowTextA.USER32(?,?,00000400), ref: 10013319
      • SendMessageA.USER32(?,000000F6,00000001,00000000), ref: 1001334D
      • GetIconInfo.USER32(00000000,?), ref: 10013369
      • GetObjectA.GDI32(?,00000018,?), ref: 1001337B
      • GetTextExtentPointA.GDI32(?,?,?,?), ref: 100133A5
      • DeleteObject.GDI32(?), ref: 100133E7
      • DeleteObject.GDI32(?), ref: 100133EE
      • SendMessageA.USER32(?,000000F6,00000000,00000000), ref: 10013420
      • GetObjectA.GDI32(00000000,00000018,?), ref: 10013436
      • GetTextExtentPointA.GDI32(?,?,?,?), ref: 10013460
      • DrawTextA.USER32(?,?,-00000001,?,00000000), ref: 1001352A
      • GetPropA.USER32(?,1002C2C0), ref: 100135C0
      • IsWindowEnabled.USER32(?), ref: 100135D1
      • SetTextColor.GDI32(?,?), ref: 10013607
      • OffsetRect.USER32(?,?,?), ref: 1001362B
      • SetBkMode.GDI32(?,00000001), ref: 10013638
      • DrawTextA.USER32(?,?,?,?,00000000), ref: 10013663
      • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 1001368D
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Object$Text$Rect$CreateDeleteMessageSelectSendWindow$ClipCompatibleDrawEnabledExtentPointProp$BitmapClientColorIconInflateInfoModeOffset
      • String ID:
      • API String ID: 660395982-0
      • Opcode ID: caf21a1c7cf1fe260952df342b86851fbddba4b749565e73e7d7b216ba7894aa
      • Instruction ID: 0720dea72c005f8db2774b89525498d56df710bbe5d87d96d133ef9dad5b9a48
      • Opcode Fuzzy Hash: caf21a1c7cf1fe260952df342b86851fbddba4b749565e73e7d7b216ba7894aa
      • Instruction Fuzzy Hash: 7FF14AB42087419FE324CF64C885E6BB7E9FBC8710F108A1CF69987290DB74E949CB52

      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: ??2@$CompatibleCreate
      • String ID:
      • API String ID: 2751892210-0
      • Opcode ID: e8fdb1ed28e246d3529f5ed77cbc3c3ceb66a55df81643b3e8b54a0f077fd1d3
      • Instruction ID: 0f10bd593ae600cb38cbaaa22fec1f499e913940d81218a79a1784d92bf44df9
      • Opcode Fuzzy Hash: e8fdb1ed28e246d3529f5ed77cbc3c3ceb66a55df81643b3e8b54a0f077fd1d3
      • Instruction Fuzzy Hash: FF7118B45007889BEB30CF29C8A17DABBE1FF4C310F90442E9A4D9B791DB7666558B81

      Control-flow Graph

      APIs
      • GetWindowRect.USER32(?,?), ref: 10022268
      • SetWindowPos.USER32(?,?,?,?,00000000,00000000,00002719), ref: 1002229B
      • SetWindowPos.USER32(?,?,?,?,00000000,00000000,00002719), ref: 100222D3
      • SetWindowPos.USER32(?,?,?,?,00000000,00000000,00002719), ref: 10022313
      • SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,0000271B), ref: 100223B8
        • Part of subcall function 10024730: ShowWindow.USER32(?,?,00000000,?,76945440,1002584E,00000000), ref: 10024747
        • Part of subcall function 10024730: ShowWindow.USER32(?,?), ref: 10024751
        • Part of subcall function 10024730: ShowWindow.USER32(?,?), ref: 1002475B
        • Part of subcall function 10024730: ShowWindow.USER32(?,?), ref: 10024765
      • CallWindowProcA.USER32(?,?,00000047,?,?), ref: 100223DC
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Window$Show$CallProcRect
      • String ID:
      • API String ID: 3118190714-0
      • Opcode ID: 0dca7d29e93af85ade0fce1f98af7d168de262e2d7b920e1a23795d0ee674c28
      • Instruction ID: 8dc1deb737b558b6c714bf112c7838984d22b05039a9ca3c04896061e2edaa8e
      • Opcode Fuzzy Hash: 0dca7d29e93af85ade0fce1f98af7d168de262e2d7b920e1a23795d0ee674c28
      • Instruction Fuzzy Hash: 3651FF75344701AFE224DA68DC96FABB3E9EB88B10F10890DF65A973D5CA74BC018B54

      Control-flow Graph

      APIs
      • SetPropA.USER32(?,1002C058,00000000), ref: 1001A559
      • SetPropA.USER32(?,1002C058,00000000), ref: 1001A5AC
      • CallNextHookEx.USER32(?,?,?,?), ref: 1001A66D
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Prop$CallHookNext
      • String ID:
      • API String ID: 3868478265-0
      • Opcode ID: ba536d1b1a470f14f7738c772cb23c0568ed46f4c70e7589315eeac59150253b
      • Instruction ID: 7811e094c1e109cc8e8b8a1a0b8848a8eb1566d8d7a83a7f68ba57272ffb72e5
      • Opcode Fuzzy Hash: ba536d1b1a470f14f7738c772cb23c0568ed46f4c70e7589315eeac59150253b
      • Instruction Fuzzy Hash: 0D415479600611EFD614DB94CC80D2773E9EF966A07158A18F66ACB690D734FC85CB20

      Control-flow Graph

      APIs
      • IsWindowVisible.USER32(?), ref: 1002356E
      • SetTextColor.GDI32(?,?), ref: 1002374A
      • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 1002390B
        • Part of subcall function 10023070: IsWindowVisible.USER32(?), ref: 10023094
        • Part of subcall function 10023070: IsRectEmpty.USER32(?), ref: 10023107
        • Part of subcall function 10023070: IsIconic.USER32(?), ref: 10023115
        • Part of subcall function 10023070: IsRectEmpty.USER32(?), ref: 100231E6
        • Part of subcall function 10023070: IsZoomed.USER32(?), ref: 100231F4
        • Part of subcall function 10023070: GetSystemMenu.USER32(?,00000000,0000F060,00000000), ref: 10023317
        • Part of subcall function 10023070: GetMenuState.USER32(00000000), ref: 1002331E
      • GetWindowTextA.USER32(?,?,00000400), ref: 100237DD
      • DrawIconEx.USER32(?,?,?,?,?,?,00000000,00000000,00000003), ref: 1002381F
      • SetBkMode.GDI32(?,00000001), ref: 100238A2
      • SelectObject.GDI32(?,00000000), ref: 100238B7
      • DrawTextA.USER32(?,?,?,?,00040024), ref: 100238DE
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: TextWindow$DrawEmptyMenuRectVisible$ColorIconIconicModeObjectSelectStateSystemZoomed
      • String ID:
      • API String ID: 3608014746-0
      • Opcode ID: b124cef97b468efd2e6cf9f063e6fb4f9423a705c9c23057f94ce808e329f1e3
      • Instruction ID: 32d7335e5a1ed0603d0bba8e657fa13f5095f1cf460f47c86137365764961296
      • Opcode Fuzzy Hash: b124cef97b468efd2e6cf9f063e6fb4f9423a705c9c23057f94ce808e329f1e3
      • Instruction Fuzzy Hash: 4AC108B9240705AFE354CB64CC85FA7B3E9EB88740F208A1DF55A87255DA75FC06CBA0

      Control-flow Graph

      APIs
      • 74AD1530.MSIMG32(?,?,?,?,?,?,1000BFD7,1000BFD7,?,1000BFD7,?,00000000,?,?,1000BFD7,?), ref: 1000B538
      • CreateCompatibleDC.GDI32(?), ref: 1000B548
      • CreateCompatibleBitmap.GDI32(?,?,?), ref: 1000B553
      • SelectObject.GDI32(00000000,00000000), ref: 1000B55F
      • 74AD1530.MSIMG32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?), ref: 1000B5BA
      • DeleteObject.GDI32(?), ref: 1000B5C5
      • DeleteDC.GDI32(00000000), ref: 1000B5CC
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: CompatibleCreateD1530DeleteObject$BitmapSelect
      • String ID:
      • API String ID: 4272861949-0
      • Opcode ID: cea02a7140ad39d7cb010459c9ee0d1b607245b3b0f0fafe053c611a6cff785f
      • Instruction ID: a2bec2eff1570f1e033dcbeedc9227712d92de05b5e2e1092a7d92024c81a4dd
      • Opcode Fuzzy Hash: cea02a7140ad39d7cb010459c9ee0d1b607245b3b0f0fafe053c611a6cff785f
      • Instruction Fuzzy Hash: 083114B6206611BFE254DF59CC88F6BB7EDEBC8B91F10495CF64987250D630EC028B61

      Control-flow Graph

      APIs
      • GetPropA.USER32(?,1002C03C), ref: 1001C463
      • RemovePropA.USER32(?,1002C460), ref: 1001C471
      • SendMessageA.USER32(?,00006A30,00000000,00000000), ref: 1001C47F
      • GetPropA.USER32(?,1002C03C), ref: 1001C48B
      • IsWindowVisible.USER32(?), ref: 1001C4AF
      • InvalidateRect.USER32(?,00000000,00000001,?,?,?,1001C40B,?), ref: 1001C4BD
      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00002237,?,?,?,1001C40B,?), ref: 1001C4CE
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Prop$Window$InvalidateMessageRectRemoveSendVisible
      • String ID:
      • API String ID: 2510188223-0
      • Opcode ID: 51a537452bd44370889b0a1f1f194821304f9a483811099fd7e9da286f0db7f1
      • Instruction ID: 11fdaa9114d1614bf2f695c029d4fea50ea2cb84254ba2801cf49c8279bf9916
      • Opcode Fuzzy Hash: 51a537452bd44370889b0a1f1f194821304f9a483811099fd7e9da286f0db7f1
      • Instruction Fuzzy Hash: B0016D75202A29EFE780AF954CC8DFB76ACEF45285B1280B9F20596011C7708A428BA5

      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$Empty$Window$MessageSendVisible
      • String ID:
      • API String ID: 1963373104-0
      • Opcode ID: e9bd8bf3015e0fc931efd3356353d720a6aee9b169a9c962a95d430c27da7b1e
      • Instruction ID: 15d01376b549b43e06bef1ecdf41231e929ad262f4cddba4413b2d284a982563
      • Opcode Fuzzy Hash: e9bd8bf3015e0fc931efd3356353d720a6aee9b169a9c962a95d430c27da7b1e
      • Instruction Fuzzy Hash: A131AD38300B02ABD654DA75DC95FABB3E9EF94740F41890CFA5AC3250DB70E951CB90

      Control-flow Graph

      APIs
      • SendMessageA.USER32(?,0000007F,00000002,00000000), ref: 10025C83
      • SendMessageA.USER32(?,0000007F,00000000,00000000), ref: 10025C8E
      • GetClassLongA.USER32(?,000000F2), ref: 10025C97
      • SendMessageA.USER32(?,0000007F,00000001,00000000), ref: 10025CA7
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: MessageSend$ClassLong
      • String ID:
      • API String ID: 1264571673-0
      • Opcode ID: 370d63bef3b9863a2f2e968b8f2886904922ea484c8d1e949867ab0d5a59f7f0
      • Instruction ID: 947a8f3f8a0cea30fb6e839a99a16b54cd066c6a9c51171dd670646b1ab2be3e
      • Opcode Fuzzy Hash: 370d63bef3b9863a2f2e968b8f2886904922ea484c8d1e949867ab0d5a59f7f0
      • Instruction Fuzzy Hash: AEE0DF6A3453277DF11066269C02FAB328C8F91B91F224120FB04F50C4E2A6AD0306B8

      Control-flow Graph

      APIs
      • GetPropA.USER32(?,1002C03C), ref: 1000A46F
      • ShowScrollBar.USER32(?), ref: 1000A608
      • IsWindowVisible.USER32(?), ref: 1000A61B
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: PropScrollShowVisibleWindow
      • String ID:
      • API String ID: 925533089-0
      • Opcode ID: b05e0342eeb9d100af01acffb98c79fbe272d89ffbffb893b2e8404fb9fbfbc6
      • Instruction ID: 5d9c8eb271cc9b0f02aa51a35db3e0294c315e2d033d928ddf3a82af3e440562
      • Opcode Fuzzy Hash: b05e0342eeb9d100af01acffb98c79fbe272d89ffbffb893b2e8404fb9fbfbc6
      • Instruction Fuzzy Hash: 36617C75304B029FE724CE24D984B5BB7E5FB86395F20CA2DE846CB648E771E885CB50

      Control-flow Graph

      APIs
      • CallWindowProcA.USER32(?,?,00000001,?,?), ref: 10015429
      • CallWindowProcA.USER32(?,?,00000001,?,?), ref: 100154AD
      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,0000263F), ref: 100154C6
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Window$CallProc
      • String ID:
      • API String ID: 883168683-0
      • Opcode ID: 049282dc8febc6ffcff643e693e9be518f14e6765984f4641e482d5a9bc57cbd
      • Instruction ID: 2f0a6d1fae90f1da847d9558e590aaa30e7de1fb8e63c55613dd495823e97c50
      • Opcode Fuzzy Hash: 049282dc8febc6ffcff643e693e9be518f14e6765984f4641e482d5a9bc57cbd
      • Instruction Fuzzy Hash: 4621E8B4204701EFE360CF24C884F97B7E9EB88314F10891DF5AA8B690D771E885CB60

      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: ??3@_inittermmalloc
      • String ID:
      • API String ID: 1640728331-0
      • Opcode ID: 28efe3b135363df1d26e65f438198e95a9e2b0e57acad8b9d4fda251abc1b172
      • Instruction ID: c3025327f4686e2d82251761483d94adc5640adac6d06395e623d3ba54a4f38f
      • Opcode Fuzzy Hash: 28efe3b135363df1d26e65f438198e95a9e2b0e57acad8b9d4fda251abc1b172
      • Instruction Fuzzy Hash: 07115E316452A1CFF784CBA4EEC4B1A37A4FB09391B650479FC05CB2A5D721AC42CB00
      APIs
      • GetCurrentProcess.KERNEL32(?,?,10026677,00000000,00000020), ref: 10026463
      • FlushInstructionCache.KERNEL32(10026677,00000000,10026677,?,10026677,00000000,00000020), ref: 1002648E
      • VirtualProtect.KERNEL32(00000000,10026677,00000040,00000014,?,10026677,00000000,00000020), ref: 100264AB
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
      • String ID:
      • API String ID: 3733156554-0
      • Opcode ID: 6ab28333a214872ef38e7cec3ea03a05ced2cd15625bfb15ed58538e5cadbd30
      • Instruction ID: 63f23e8b59d19312b92c29cae95ac7a559587f2e0b5583b49ef3a248e102aaa7
      • Opcode Fuzzy Hash: 6ab28333a214872ef38e7cec3ea03a05ced2cd15625bfb15ed58538e5cadbd30
      • Instruction Fuzzy Hash: 0E11A278A00208EFDB44DF98D984A9AB7F5FB48304F20C199F9099B350C735EE41DB90
      APIs
      • LoadCursorA.USER32(00000000,00007F84), ref: 10022466
      • SetCursor.USER32(00000000), ref: 1002246D
      • CallWindowProcA.USER32(?,?,00000020,?,?), ref: 10022488
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Cursor$CallLoadProcWindow
      • String ID:
      • API String ID: 831520691-0
      • Opcode ID: bf4b07cb46031061091a48be3070b511f6d722d995ee6d89d0a7fe8c069e6cd6
      • Instruction ID: 062c7e92b90e4879049151a24f00c03cd6efa16da21a8c855a1b890bc08c09af
      • Opcode Fuzzy Hash: bf4b07cb46031061091a48be3070b511f6d722d995ee6d89d0a7fe8c069e6cd6
      • Instruction Fuzzy Hash: 3EF02771608302F7F214EB90CC45E3B7268EB89B04FB0C224F2488A0D1CA34D402C712
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2542351661.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2542331485.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.00000000006A4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.0000000000719000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.000000000071F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.0000000000721000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.0000000000725000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.0000000000729000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542712617.000000000072B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542732580.000000000072D000.00000004.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID: 1.0.0$h/AO$jjj
      • API String ID: 0-2783887836
      • Opcode ID: da21ffdf912b7413c35b1e8eb46c9471b0f764a4d62de53698c7881865904f21
      • Instruction ID: 47ac5ea5ded28ca46134445a046575d2997d6d6a7c11a59719bb35b119e2de65
      • Opcode Fuzzy Hash: da21ffdf912b7413c35b1e8eb46c9471b0f764a4d62de53698c7881865904f21
      • Instruction Fuzzy Hash: 14410572909380AFCB058B305D096687F60FB23314F1946FBD986AB1D3E23D492A875F
      APIs
      • CallWindowProcA.USER32(?,?,00000000,?,?), ref: 10015010
      • CallWindowProcA.USER32(?,?,?,?,?), ref: 10015136
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: CallProcWindow
      • String ID:
      • API String ID: 2714655100-0
      • Opcode ID: 3a34cf9c1cf895b50e1ffedf62062b269e6f1887e1c20b20102255bf11944071
      • Instruction ID: 3a9bc6d7e016e4f588f7fcbb5cad357005f6a59b672cc3281e17a6244433939f
      • Opcode Fuzzy Hash: 3a34cf9c1cf895b50e1ffedf62062b269e6f1887e1c20b20102255bf11944071
      • Instruction Fuzzy Hash: 815151BA208610EFD249DB54D851E7FB3AAEBD8711F14C90DF2568F245CA31EC8287A5
      APIs
      • FlushInstructionCache.KERNEL32(?,00000000,00000000), ref: 100264FF
      • VirtualProtect.KERNEL32(00000000,00000000,00000000,00000000), ref: 10026524
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: CacheFlushInstructionProtectVirtual
      • String ID:
      • API String ID: 403598440-0
      • Opcode ID: c3da033d4900e79327e44b0a828f40d223d41c1a4726ae3b7a942c81a8011169
      • Instruction ID: 4cf98e0dcf6dfc27f34e277785f8542e4947d89007de13e16ffdbbdb6af82732
      • Opcode Fuzzy Hash: c3da033d4900e79327e44b0a828f40d223d41c1a4726ae3b7a942c81a8011169
      • Instruction Fuzzy Hash: 5E01D778A00208EFD740CF94D894A9DFBB9FB48314F50C298E80997355D731EE86CB50
      APIs
      • IsWindowVisible.USER32(?), ref: 10022727
      • CallWindowProcA.USER32(?,?,?,?,?), ref: 10022777
        • Part of subcall function 10022A20: IsWindowVisible.USER32(?), ref: 10022A2C
        • Part of subcall function 10022A20: CallWindowProcA.USER32(?,?,?,?,?), ref: 10022A87
        • Part of subcall function 100220A0: IsWindowVisible.USER32(?), ref: 100220B8
        • Part of subcall function 100220A0: GetWindowRect.USER32 ref: 100220E3
        • Part of subcall function 100220A0: IsRectEmpty.USER32(?), ref: 1002218E
        • Part of subcall function 100220A0: IsRectEmpty.USER32(?), ref: 100221A5
        • Part of subcall function 100220A0: SendMessageA.USER32(?,00007401,?,?), ref: 100221DA
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Window$RectVisible$CallEmptyProc$MessageSend
      • String ID:
      • API String ID: 4052620737-0
      • Opcode ID: 32b9e609d8ef7e85d037e18e0d6d777959baff4de8e75da9bb6dee04d9dbc7e5
      • Instruction ID: ecefd7cb717017ce8ca5c15fabac25cc6db7c6444c9262e517bd60f13e577a75
      • Opcode Fuzzy Hash: 32b9e609d8ef7e85d037e18e0d6d777959baff4de8e75da9bb6dee04d9dbc7e5
      • Instruction Fuzzy Hash: C1F0EC79314711BBD614CB59D885FABB3EAEBC8710F10890DF64587290C670EC458765
      APIs
        • Part of subcall function 100031A0: LoadCursorA.USER32 ref: 100031E6
        • Part of subcall function 100031A0: RegisterClassExA.USER32 ref: 1000320D
      • GetCurrentThreadId.KERNEL32 ref: 1001949E
      • SetWindowsHookExA.USER32(00000004,1001A4F0,?,00000000), ref: 100194AD
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: ClassCurrentCursorHookLoadRegisterThreadWindows
      • String ID:
      • API String ID: 1908744831-0
      • Opcode ID: 19cee74c161a8a1ef3f8c2fedae50ded263d7b6a45f83f2ca4177339b9e5c586
      • Instruction ID: 1960aa195ee1fe07530ea21f1dd313f19c5464d8ba1e979a915d34b59bad2663
      • Opcode Fuzzy Hash: 19cee74c161a8a1ef3f8c2fedae50ded263d7b6a45f83f2ca4177339b9e5c586
      • Instruction Fuzzy Hash: 40F082B9A001049FE314CF58E885B9A7BE8EB88711F00812AFA0BC7340EB31A451C751
      APIs
      • GetPropA.USER32(?,1002C2CC), ref: 1001206C
      • SendMessageA.USER32(?,00000031,?,?), ref: 10012090
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: MessagePropSend
      • String ID:
      • API String ID: 25370605-0
      • Opcode ID: 7d5e3bc90b47571d82ce137a822031f71c38e63c62c9b70d0aa0c542d69259e0
      • Instruction ID: b8d12084a5fb27a2b02e8c7b5d46552afd1830b42c17ef8beebdc7801db986c6
      • Opcode Fuzzy Hash: 7d5e3bc90b47571d82ce137a822031f71c38e63c62c9b70d0aa0c542d69259e0
      • Instruction Fuzzy Hash: E4E06DB93003139BE360CB98CC84E5273ECEF88694B114518F509CB211D7B0EC91CB50
      APIs
      • GetCurrentThreadId.KERNEL32 ref: 1001C3E7
      • EnumThreadWindows.USER32(00000000), ref: 1001C3EE
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Thread$CurrentEnumWindows
      • String ID:
      • API String ID: 2396873506-0
      • Opcode ID: d622cf26246987ff9e9421572da9bcdcb2b88d34bd5217939b00bcf58dbb3ef1
      • Instruction ID: 12c5552e0a4cb50a56c7161035d2123e8fa57657582dde7ac2283fab1c990b87
      • Opcode Fuzzy Hash: d622cf26246987ff9e9421572da9bcdcb2b88d34bd5217939b00bcf58dbb3ef1
      • Instruction Fuzzy Hash: BFB0027554511457ED1057A04D5DF95361C9744706F214440F305D50D0C67491A38755
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2542351661.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2542331485.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.00000000006A4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.0000000000719000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.000000000071F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.0000000000721000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.0000000000725000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.0000000000729000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542712617.000000000072B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542732580.000000000072D000.00000004.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID: 1.0.0$jjj
      • API String ID: 0-1597944893
      • Opcode ID: 4d673ffb85c4157bdd21d49afa310edbfa047cba010d71a552dc272db4b4039d
      • Instruction ID: 6228866e52e494c37f3b604a63eb1282b7345db33720fa8a27b0dde577abd5de
      • Opcode Fuzzy Hash: 4d673ffb85c4157bdd21d49afa310edbfa047cba010d71a552dc272db4b4039d
      • Instruction Fuzzy Hash: 5981227294C341ABCB118B704D06B387B20BB26715F1846BBED427A2D3E27E5836834F
      APIs
      • CallWindowProcA.USER32(?,?,?,?,?), ref: 10024A36
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: CallProcWindow
      • String ID:
      • API String ID: 2714655100-0
      • Opcode ID: ccc98896fe80d5754182099f52a7d0c2ef5bca29cf5af2a5b87928f1901503f8
      • Instruction ID: 0276685cddaf8491d1b69849fc3bfca2be8f4e4163da7e6ce67b870ed928455b
      • Opcode Fuzzy Hash: ccc98896fe80d5754182099f52a7d0c2ef5bca29cf5af2a5b87928f1901503f8
      • Instruction Fuzzy Hash: 358163BA308350AF9144DB58E491E7FB3E9EBD8710F51CD0DF55687244CB30AC8287AA
      APIs
      • CallWindowProcA.USER32(?,?,00000083,?,?), ref: 100227DD
        • Part of subcall function 10024E80: GetWindowInfo.USER32(?), ref: 10024E99
        • Part of subcall function 10024E80: IsWindowVisible.USER32(?), ref: 10024F00
        • Part of subcall function 10024E80: OffsetRect.USER32(?,?,?), ref: 10024F39
        • Part of subcall function 10024E80: OffsetRect.USER32(?,?,?), ref: 10024F4E
        • Part of subcall function 10024E80: EqualRect.USER32(?,?), ref: 10024F66
        • Part of subcall function 10024E80: EqualRect.USER32(?,?), ref: 10024F78
        • Part of subcall function 10022FD0: GetMenuItemCount.USER32(?), ref: 10022FE9
        • Part of subcall function 10022FD0: GetMenuItemRect.USER32(?,?,00000000,?,?,?,?,100250E4,00040024,?,00000000,?), ref: 1002300D
        • Part of subcall function 10022FD0: GetMenuItemRect.USER32(?,?,-00000001,?,?,?,?,100250E4,00040024,?,00000000,?), ref: 10023021
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$ItemMenuWindow$EqualOffset$CallCountInfoProcVisible
      • String ID:
      • API String ID: 2682827658-0
      • Opcode ID: ba77e99849152b532a34ce5233054817b3643cd4816e7d9f4adc947aa763c3b2
      • Instruction ID: e8be41dcc1f79ff3f90e0d34badb2271f0da0451bde1e7ce2bf7accdd2581f9d
      • Opcode Fuzzy Hash: ba77e99849152b532a34ce5233054817b3643cd4816e7d9f4adc947aa763c3b2
      • Instruction Fuzzy Hash: 9B711374601A029FC348CF69D994A56F7E2FF88314F65862DD85E8B755DB30F892CB80
      APIs
      • CallWindowProcA.USER32(?,?,00000083,?,?), ref: 100155BB
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: CallProcWindow
      • String ID:
      • API String ID: 2714655100-0
      • Opcode ID: 5d0bdd36328f84d96af1c0e60120005e76f9a7083c5701b91d0d2ef7dfa2a6cb
      • Instruction ID: 664da86f57333d2594dda9d77ea2a9eee9da370e28bc646d6d5ed37cb1cf24e2
      • Opcode Fuzzy Hash: 5d0bdd36328f84d96af1c0e60120005e76f9a7083c5701b91d0d2ef7dfa2a6cb
      • Instruction Fuzzy Hash: E2212674600B02DFD354CF29C890E96BBE6EF88324F14866DA55E8B365CB31F881CB50
      APIs
        • Part of subcall function 100069F0: DeleteObject.GDI32(?), ref: 100069FE
      • CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 10006998
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: CreateDeleteObjectSection
      • String ID:
      • API String ID: 2173382960-0
      • Opcode ID: 1eb944d488383bc4aa980fc588f5b2db447b9dad9f5b85fe004328d50d26d93d
      • Instruction ID: 7c6951bcf0e21e93eae5dd231c3839bee3ae470e0ee931b53b39c6278d73b45b
      • Opcode Fuzzy Hash: 1eb944d488383bc4aa980fc588f5b2db447b9dad9f5b85fe004328d50d26d93d
      • Instruction Fuzzy Hash: 14116D726107058AE330CF15DD81B57F7E9EF94790F54893EE185CAA91D771E8088B60
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 1000A896
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Prop
      • String ID:
      • API String ID: 257714900-0
      • Opcode ID: 9e952fefe096254a1bbe306181cc1f219a277d469f60241f2d76a5743c8985b5
      • Instruction ID: b92aa163cc4772d189c91a95496e01ad41b9399914cdb497733bef8968714656
      • Opcode Fuzzy Hash: 9e952fefe096254a1bbe306181cc1f219a277d469f60241f2d76a5743c8985b5
      • Instruction Fuzzy Hash: 06F06276208621ABA110DA5C9CC0C7FE7ACDBD66B0720472DF660D32D7CB20AC4697A1
      APIs
      • CallWindowProcA.USER32(?,?,00000082,?,?), ref: 1001211B
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: CallProcWindow
      • String ID:
      • API String ID: 2714655100-0
      • Opcode ID: 030ee3439517a845b7d82d67b14f3aff6846b9a8e8a57e3d2cf6ecb39df51a96
      • Instruction ID: 290b3ffbc8d81257372996e1971beab4bfcff2d7a1735a6a4ddaedf5bc9e0035
      • Opcode Fuzzy Hash: 030ee3439517a845b7d82d67b14f3aff6846b9a8e8a57e3d2cf6ecb39df51a96
      • Instruction Fuzzy Hash: 45E04F76300610AFD210DA49C844E57B3E9EFD8710F11851EF685C7250CAB0EC868BA0
      APIs
      • CallWindowProcA.USER32(?,?,?,?,?), ref: 1000794E
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: CallProcWindow
      • String ID:
      • API String ID: 2714655100-0
      • Opcode ID: 3837359f5aa365d52d23818cb5a4e785554cb113e94c8a2c60ee71aa23cfa8d2
      • Instruction ID: 3233c890d28c53d32e3e190f2b8006c9aae7ff1ccd48ca7d894a4f2dc1e0a51b
      • Opcode Fuzzy Hash: 3837359f5aa365d52d23818cb5a4e785554cb113e94c8a2c60ee71aa23cfa8d2
      • Instruction Fuzzy Hash: 99E092B5614711ABD724CB68D884DABB3E9FB8C340B008A1EB58EC3655DB74EC41CBA5
      APIs
      • SetPropA.USER32(?,1002C03C,00000000), ref: 10012151
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Prop
      • String ID:
      • API String ID: 257714900-0
      • Opcode ID: ad9e8f4c746ecc45e60b6a0c308ab00b59580d52182ade068d68dd5d959c878d
      • Instruction ID: 35157bf594c235461d53df282a2f192a396ed101a5a2d3219a77b9f403ebd6a7
      • Opcode Fuzzy Hash: ad9e8f4c746ecc45e60b6a0c308ab00b59580d52182ade068d68dd5d959c878d
      • Instruction Fuzzy Hash: 91E01A79504720EFC760DF69C888C47FBE8EF582203108B1EB499C3252D630E880CB90
      APIs
      • CallWindowProcA.USER32(?,?,00000202,?,?), ref: 1000798E
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: CallProcWindow
      • String ID:
      • API String ID: 2714655100-0
      • Opcode ID: 0077ab38353094712698eb6dd30769997c8e5cb9205edea728dd21dabe57070d
      • Instruction ID: 2e45f834aee2e2b688859d921c8f99aa2f403f919a164ed404510ddb608d3ca7
      • Opcode Fuzzy Hash: 0077ab38353094712698eb6dd30769997c8e5cb9205edea728dd21dabe57070d
      • Instruction Fuzzy Hash: 8CE04F756047109FD714CB68C844D97B3E8FB88340B008A1EB08EC3655D774EC41C750
      APIs
      • CallWindowProcA.USER32(?,?,00000046,?,?), ref: 1002241D
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: CallProcWindow
      • String ID:
      • API String ID: 2714655100-0
      • Opcode ID: e3bc2e746433023f95ead78f46c0119a23b9cb0d4e988137bf02804617c1a965
      • Instruction ID: 7a9d2a18568fca2f1777ed7b6681e46c759f9dce21c5a15a22889261b2edb605
      • Opcode Fuzzy Hash: e3bc2e746433023f95ead78f46c0119a23b9cb0d4e988137bf02804617c1a965
      • Instruction Fuzzy Hash: 41E092B6A00201ABD644DE98D885E52B3E9EBA8784B248058F64CCB255D236ED87DB91
      APIs
        • Part of subcall function 1001C450: GetPropA.USER32(?,1002C03C), ref: 1001C463
        • Part of subcall function 1001C450: RemovePropA.USER32(?,1002C460), ref: 1001C471
        • Part of subcall function 1001C450: SendMessageA.USER32(?,00006A30,00000000,00000000), ref: 1001C47F
        • Part of subcall function 1001C450: GetPropA.USER32(?,1002C03C), ref: 1001C48B
        • Part of subcall function 1001C450: IsWindowVisible.USER32(?), ref: 1001C4AF
        • Part of subcall function 1001C450: InvalidateRect.USER32(?,00000000,00000001,?,?,?,1001C40B,?), ref: 1001C4BD
        • Part of subcall function 1001C450: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00002237,?,?,?,1001C40B,?), ref: 1001C4CE
      • EnumChildWindows.USER32(?,1001C430,?), ref: 1001C419
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Prop$Window$ChildEnumInvalidateMessageRectRemoveSendVisibleWindows
      • String ID:
      • API String ID: 3749985120-0
      • Opcode ID: b9a06091cf27c0a1cdba5cc864607ad6be3b95ef9907f11268cd4fc7a1c9827e
      • Instruction ID: 9d20c7b3d0f7a05e384f27410cf9e7c35a197a4ef50129b58ecd41070bc00b86
      • Opcode Fuzzy Hash: b9a06091cf27c0a1cdba5cc864607ad6be3b95ef9907f11268cd4fc7a1c9827e
      • Instruction Fuzzy Hash: 1AC0127901913067E100D7089C50DDB725CEF55218F004411F94497200C334F99647E6
      APIs
      • ??2@YAPAXI@Z.MSVCRT ref: 10025D0F
        • Part of subcall function 10019250: 6E9E4BC0.MSVFW32 ref: 10019374
        • Part of subcall function 10019250: GetVersion.KERNEL32 ref: 10019392
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: ??2@Version
      • String ID:
      • API String ID: 2373634075-0
      • Opcode ID: b42eda6355405cee72902d32ec50ce663df726c730aeb1b8a14187fe49f5916d
      • Instruction ID: 7e419e08a8c89389e48617f3b5b6180ff5c9c39a8ef321e5e2b9f2201d5a6f9d
      • Opcode Fuzzy Hash: b42eda6355405cee72902d32ec50ce663df726c730aeb1b8a14187fe49f5916d
      • Instruction Fuzzy Hash: 29E09A787001098FE728CB78ECD4E2637E1EBD8600B21853DE90AC3292FA31E862D604
      Memory Dump Source
      • Source File: 00000000.00000002.2542351661.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2542331485.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.00000000006A4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.0000000000719000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.000000000071F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.0000000000721000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.0000000000725000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.0000000000729000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542712617.000000000072B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542732580.000000000072D000.00000004.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 6cfda428b647a9c1e66ea1dfe7df026b84fdbf0b698643869a1d3b585c741846
      • Instruction ID: 01c0f0202f684e85914bce64c7b5eade3e0da4db066aaeac8dc6d161bcd00f86
      • Opcode Fuzzy Hash: 6cfda428b647a9c1e66ea1dfe7df026b84fdbf0b698643869a1d3b585c741846
      • Instruction Fuzzy Hash: B7312B726052411BEB0C96396C91B7727A9DF19324718027FFA42EF7F6EA3C9C40C259
      Memory Dump Source
      • Source File: 00000000.00000002.2542351661.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2542331485.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.00000000006A4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.0000000000719000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.000000000071F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.0000000000721000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.0000000000725000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.0000000000729000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542712617.000000000072B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542732580.000000000072D000.00000004.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 282781ad850d0f5377eb5ebd3c088aae73bef9e4d7193e358584d007400ca782
      • Instruction ID: 8431e423196a5e010cd1fdec70db2e1a2e418a78fcc832cbd3b53f8ccb62c907
      • Opcode Fuzzy Hash: 282781ad850d0f5377eb5ebd3c088aae73bef9e4d7193e358584d007400ca782
      • Instruction Fuzzy Hash: 4FF0F9762006115AEB1CA669AC91E7723ADFD5D365314013FEB03EE3E1E928DD01C265
      Memory Dump Source
      • Source File: 00000000.00000002.2542351661.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2542331485.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.00000000006A4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.0000000000719000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.000000000071F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.0000000000721000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.0000000000725000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.0000000000729000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542712617.000000000072B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542732580.000000000072D000.00000004.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 605bc37fe4d4e6f457f4de498ddc64b0a3cf4119b823fe1be2ab728b009ddf3f
      • Instruction ID: 7d2fadf0b1d01d421f652e498d40ef672197189c333635745e405da412b580e2
      • Opcode Fuzzy Hash: 605bc37fe4d4e6f457f4de498ddc64b0a3cf4119b823fe1be2ab728b009ddf3f
      • Instruction Fuzzy Hash: 04F06D3294834CDACF265EB089006BE7E31AB22301F0840A3E1517A2D3C27F0930936F
      Memory Dump Source
      • Source File: 00000000.00000002.2542351661.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2542331485.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.00000000006A4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.00000000006FD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.0000000000719000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.000000000071F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.0000000000721000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.0000000000725000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542351661.0000000000729000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542712617.000000000072B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2542732580.000000000072D000.00000004.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: f8bd35eae000479bd508d7d46edbf26164fdf6c6f8fb0ae214bac149c8971b8f
      • Instruction ID: 55cfb59443020752cc166607f12a2405de92669b3a53c4d2eba9cae4440f09ca
      • Opcode Fuzzy Hash: f8bd35eae000479bd508d7d46edbf26164fdf6c6f8fb0ae214bac149c8971b8f
      • Instruction Fuzzy Hash: DDD09E31919348DACB19DA604B040B97762A613311F1441B7A8967E2D2D53D4F36E71F
      APIs
      • GetWindowRect.USER32(?,?), ref: 10004E5F
        • Part of subcall function 10006940: CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 10006998
      • CreateCompatibleDC.GDI32(00000000), ref: 10004FC9
      • SelectObject.GDI32(00000000,?), ref: 10004FDD
      • SetBkMode.GDI32(00000000,00000001), ref: 10004FE6
        • Part of subcall function 1000B4C0: 74AD1530.MSIMG32(?,?,?,?,?,?,1000BFD7,1000BFD7,?,1000BFD7,?,00000000,?,?,1000BFD7,?), ref: 1000B538
        • Part of subcall function 100055A0: GetWindowRect.USER32(?,?), ref: 100055C2
        • Part of subcall function 100055A0: SetRect.USER32(?,00000000,00000000,?,?), ref: 100055E3
        • Part of subcall function 100055A0: GetWindowLongA.USER32(?,000000F0), ref: 100055EF
      • SelectObject.GDI32(00000000,?), ref: 10005076
      • SetTextColor.GDI32(00000000,?), ref: 1000507F
      • DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 100050B7
      • GetWindowTextA.USER32(?,?,00000400), ref: 10005127
      • DrawTextA.USER32(00000000,?,?,?,00040024), ref: 10005150
      • IsRectEmpty.USER32(?), ref: 10005179
      • IsIconic.USER32(?), ref: 1000518B
      • IsRectEmpty.USER32(?), ref: 1000525E
      • IsZoomed.USER32(?), ref: 10005270
      • GetSystemMenu.USER32(?,00000000,0000F060,00000000), ref: 10005398
      • GetMenuState.USER32(00000000), ref: 1000539F
      • IsRectEmpty.USER32(?), ref: 1000543D
      • SetBkMode.GDI32(00000000,00000001), ref: 1000544A
      • SelectObject.GDI32(00000000,?), ref: 100054D5
      • DeleteDC.GDI32(00000000), ref: 100054DC
      • CreateCompatibleDC.GDI32(00000000), ref: 100054E4
      • SelectObject.GDI32(00000000,?), ref: 100054F5
      • DeleteObject.GDI32(00000000), ref: 10005557
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$Object$SelectWindow$CreateEmptyText$CompatibleDeleteDrawMenuMode$ColorD1530IconIconicLongSectionStateSystemZoomed
      • String ID:
      • API String ID: 2183519620-0
      • Opcode ID: 869c7fd31a59fd848f571312f20572626bedb3b1c27675698ae66dad921983ac
      • Instruction ID: cea4122b0922ce362506ef713f39b4431f8d55212c238b2335c3802d68202380
      • Opcode Fuzzy Hash: 869c7fd31a59fd848f571312f20572626bedb3b1c27675698ae66dad921983ac
      • Instruction Fuzzy Hash: 92227B79240205AFF324CB64CC89FAB77A9FF84745F20491CF95A87295EA71B906CB60
      APIs
      • IsWindowVisible.USER32(?), ref: 10023094
      • IsRectEmpty.USER32(?), ref: 10023107
      • IsIconic.USER32(?), ref: 10023115
      • IsRectEmpty.USER32(?), ref: 100231E6
      • IsZoomed.USER32(?), ref: 100231F4
      • GetSystemMenu.USER32(?,00000000,0000F060,00000000), ref: 10023317
      • GetMenuState.USER32(00000000), ref: 1002331E
      • IsRectEmpty.USER32(?), ref: 100233BD
      • SetBkMode.GDI32(?,00000001), ref: 100233CA
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: EmptyRect$Menu$IconicModeStateSystemVisibleWindowZoomed
      • String ID:
      • API String ID: 549281773-0
      • Opcode ID: 0859ee2c90a4b87bb8b63a2d08eab5df806f4869aada2a1f22d7c7a97dd138e1
      • Instruction ID: d06e77375d5cb7ab1f1ac25b83a2b383d651d1881662a64e5f1b630b1572dc97
      • Opcode Fuzzy Hash: 0859ee2c90a4b87bb8b63a2d08eab5df806f4869aada2a1f22d7c7a97dd138e1
      • Instruction Fuzzy Hash: 1DD16CB9241B06AFE324CB64DCC4FAB73A9FF84744F60891CE55A87241E634FD468B60
      APIs
      • IsWindowEnabled.USER32(?), ref: 1000601C
      • SendMessageA.USER32(?,00000020,?,0202FFFE), ref: 10006032
      • SendMessageA.USER32(?,000000A2,00000000,?), ref: 10006052
      • GetWindowRect.USER32(?,?), ref: 10006062
      • IsRectEmpty.USER32(?), ref: 1000608D
      • PtInRect.USER32(?,?,?), ref: 100060A0
      • GetSystemMenu.USER32(?,00000000,0000F060,00000000), ref: 100060BF
      • GetMenuState.USER32(00000000), ref: 100060C6
      • SendMessageA.USER32(?,00000112,0000F180,?), ref: 100060F9
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,10004C8B), ref: 10006113
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: MessageRectSendWindow$Menu$EmptyEnabledNtdllProc_StateSystem
      • String ID:
      • API String ID: 2671586774-0
      • Opcode ID: f247dd20f8a3ef77669b665c33eb62aa311374e3ee6afc9b99d1d99878e1aa7b
      • Instruction ID: db1f306a8784ca8736970017476ad2195cdbaa505f3b9dba42231a781a1f9d91
      • Opcode Fuzzy Hash: f247dd20f8a3ef77669b665c33eb62aa311374e3ee6afc9b99d1d99878e1aa7b
      • Instruction Fuzzy Hash: 1551AE75240716AFF320DBA5CC89FAB77EDEB88780F20492CF55683695DA34E945CB20
      APIs
      • ??2@YAPAXI@Z.MSVCRT ref: 100039AB
      • ??2@YAPAXI@Z.MSVCRT ref: 100039BD
      • PtInRegion.GDI32(?,00000000,00000000,00000000,1002CDC8,?,?,?,?,?,?,100032B1,?,00000000,00000020,00000020), ref: 10003A4F
      • PtInRegion.GDI32(?,?,00000000,00000000,1002CDC8,?,?,?,?,?,?,100032B1,?,00000000,00000020,00000020), ref: 10003AB3
      • ??2@YAPAXI@Z.MSVCRT ref: 10003B14
      • ??2@YAPAXI@Z.MSVCRT ref: 10003C36
      • _ftol.MSVCRT ref: 10003D2F
      • OffsetRgn.GDI32(?,?,?), ref: 10004038
      • PtInRegion.GDI32(?,-00000001,?,?,?,00000000,1002CDC8,?,?,?,?,?,?,100032B1,?,00000000), ref: 100041D4
      • ??3@YAXPAX@Z.MSVCRT ref: 1000428E
      • ??3@YAXPAX@Z.MSVCRT ref: 10004298
      • ??3@YAXPAX@Z.MSVCRT ref: 100042A2
      • ??3@YAXPAX@Z.MSVCRT ref: 100042AC
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: ??2@??3@$Region$Offset_ftol
      • String ID:
      • API String ID: 2490806229-0
      • Opcode ID: 20f87a81f43be5445c397b0e250875611de442200e131b72367e034636e4db9f
      • Instruction ID: 98ed0c605d52677ada83a984198e756a1aca9b3409a824ef284006b387393d3d
      • Opcode Fuzzy Hash: 20f87a81f43be5445c397b0e250875611de442200e131b72367e034636e4db9f
      • Instruction Fuzzy Hash: F3626975A086468FD709CF19C88051AB7E6FFC8384F15C92DE899DB359EB30E946CB81
      APIs
      • KillTimer.USER32 ref: 1002198A
      • GetMenuItemID.USER32(?,?), ref: 100219E3
      • SendMessageA.USER32(?,00000111,00000000), ref: 100219F3
      • CallWindowProcA.USER32(?,?,000000A2,?,?), ref: 10021A38
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: CallItemKillMenuMessageProcSendTimerWindow
      • String ID:
      • API String ID: 2515994771-0
      • Opcode ID: 3b3b23c477d770ed4f7aa771234f3d45869d44fa6d65c12bb79bc5aa267ef81e
      • Instruction ID: 89b724dc2ca4cdc55add286efa33b9077fff919ea1f62498a6f78f4254ff7468
      • Opcode Fuzzy Hash: 3b3b23c477d770ed4f7aa771234f3d45869d44fa6d65c12bb79bc5aa267ef81e
      • Instruction Fuzzy Hash: 64518179304702AFE354DB64D895FEBB3E9FB98740F50891DF696C6190CB70A886CB50
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 10009350
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1000936C
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: NtdllProc_PropWindow
      • String ID:
      • API String ID: 2172124074-0
      • Opcode ID: 9ead5d21b62799828bb9cc85ce7bf4125b4fa391575515c34ce0a3c6fe3e6a79
      • Instruction ID: 66a860390867b69e52e3412568fee3c891a1f5c98dd500308f81789add6bf3bd
      • Opcode Fuzzy Hash: 9ead5d21b62799828bb9cc85ce7bf4125b4fa391575515c34ce0a3c6fe3e6a79
      • Instruction Fuzzy Hash: E941907A205600ABE200DB58DC84DABB3E8FBC4751F50491DF98683251C774ED0ACBB2
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 1000C400
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1000C41C
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: NtdllProc_PropWindow
      • String ID:
      • API String ID: 2172124074-0
      • Opcode ID: d5b8f05a9e68d77798507910b0dc128c9ddebfdd8b18848f9afa2fd6e5e951aa
      • Instruction ID: e4712fcc12151d2cebdf1b72559aff8232ef5eb8468fa4595113e4497e6478ba
      • Opcode Fuzzy Hash: d5b8f05a9e68d77798507910b0dc128c9ddebfdd8b18848f9afa2fd6e5e951aa
      • Instruction Fuzzy Hash: 7F419F7A205704ABE250EB58DC88D6BB7E8FBC8751F50491DF94283252C774ED0A8BB2
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: ObjectSelect
      • String ID: d
      • API String ID: 1517587568-2564639436
      • Opcode ID: bde552e54f32443e204c6f3d8f074d9ca5ab16db1e7efedaa453502c1c712233
      • Instruction ID: 4b82767d9c842e9e08e3940738fc6923ca1a8521680a6cc2111a8d75eee5b889
      • Opcode Fuzzy Hash: bde552e54f32443e204c6f3d8f074d9ca5ab16db1e7efedaa453502c1c712233
      • Instruction Fuzzy Hash: 4A32E571A047128FD319CF14D8907AAB3E5FFC8340F558A7DE8969B291D734EA89CB42
      APIs
      • GetCursorPos.USER32(?), ref: 10005959
      • GetWindowRect.USER32(?,?), ref: 1000596C
      • PtInRect.USER32(?,?,?), ref: 1000599D
      • PtInRect.USER32(?,?,?), ref: 100059B4
      • PtInRect.USER32(?,?,?), ref: 100059CB
      • PtInRect.USER32(?,?,?), ref: 100059E2
      • KillTimer.USER32(?,00006625,?,?,?,?,?,?,?,10004CEB,?,?,00000000,?,?), ref: 100059F2
        • Part of subcall function 10004E30: GetWindowRect.USER32(?,?), ref: 10004E5F
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?,?,?,?,?,?,10004CEB,?,?,00000000,?,?), ref: 10005A27
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$Window$CursorKillNtdllProc_Timer
      • String ID:
      • API String ID: 1632373092-0
      • Opcode ID: b8796e62a7e9f8a1269d68023e98339359b7a28a012fa2bbc78eefee34ee6aa6
      • Instruction ID: 9a3ddf00fd3851daef2864d54b78be332d389b06acf702b9600ba59b9845d60c
      • Opcode Fuzzy Hash: b8796e62a7e9f8a1269d68023e98339359b7a28a012fa2bbc78eefee34ee6aa6
      • Instruction Fuzzy Hash: 51212CB6614302AFE314DB64CC88C6BB7E9FFC8794F008A1DF49AD3214D631E9058B62
      APIs
      • GetPropA.USER32(?,1002CD88), ref: 1002137E
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1002139A
      • IsWindowVisible.USER32(?), ref: 100213D9
      • ShowWindow.USER32(?,00000000), ref: 100213E6
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Window$NtdllProc_PropShowVisible
      • String ID:
      • API String ID: 2900772547-0
      • Opcode ID: 1dd075973b18bd4a155f3fa5b72aa87e198f8b617cdb39295f7a88e0023e63e6
      • Instruction ID: bd9fa984eed261b426f55b418d79167bb0f56a7a5cd861e89bf77d4c9bc891ea
      • Opcode Fuzzy Hash: 1dd075973b18bd4a155f3fa5b72aa87e198f8b617cdb39295f7a88e0023e63e6
      • Instruction Fuzzy Hash: 9531E97B301659ABE211DA95ECC4DBFB7ADEBD53D6F01841AF24187100C722AD06C775
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 100098BE
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 100098DA
      • KillTimer.USER32(?,?,00000000), ref: 10009914
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: KillNtdllProc_PropTimerWindow
      • String ID:
      • API String ID: 3733616403-0
      • Opcode ID: 3c55ececde0a7ee3e163387940c24b6939577072ee2d8cbbac78a905ef7d04e5
      • Instruction ID: adc7337034f0b9ec4e7ed3ed95778db363d18d8614baef39ea8ea303d17308f6
      • Opcode Fuzzy Hash: 3c55ececde0a7ee3e163387940c24b6939577072ee2d8cbbac78a905ef7d04e5
      • Instruction Fuzzy Hash: EF21F336305215ABE210DA54ECC4E7F77ACEBC5BE1F10451EF68293241C726AC069761
      APIs
      • IsWindowEnabled.USER32(?), ref: 10006219
      • SendMessageA.USER32(?,00000020,?,0201FFFE), ref: 1000622F
      • SendMessageA.USER32(?,000000A3,00000000,?), ref: 10006251
      • IsZoomed.USER32(?), ref: 10006263
      • SendMessageA.USER32(?,00000112,0000F120,?), ref: 1000628C
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1000629E
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: MessageSend$Window$EnabledNtdllProc_Zoomed
      • String ID:
      • API String ID: 1736178447-0
      • Opcode ID: 31b90f1f2f4758470e2ea2747ea2563a49cebe7bfef6ce3f53ee5ca3d1f04934
      • Instruction ID: 53ad444b2308a7bebedf1b38f9ffedf2fa5899a07a2aa37d5df76109a97d8af9
      • Opcode Fuzzy Hash: 31b90f1f2f4758470e2ea2747ea2563a49cebe7bfef6ce3f53ee5ca3d1f04934
      • Instruction Fuzzy Hash: E1118E35305B12EFE220CB95DC84E9BB3EDEB8CB40F20880CF68597594C670E841C764
      APIs
      • GetModuleHandleA.KERNEL32(00000000,?,?,10025E63,?,?,?,?,?,?), ref: 1001B8F4
      • FindResourceA.KERNEL32(00000000,?,?), ref: 1001B913
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: FindHandleModuleResource
      • String ID:
      • API String ID: 3537982541-0
      • Opcode ID: 20047523e8b2d551bcd9e8a145dcbb2bf7234696f2abbd8170a661a441ae52bd
      • Instruction ID: 5268aa00fc51c7ef6193ce43b0a0328cd4925fc10cfa97f1260c64665a9d4d10
      • Opcode Fuzzy Hash: 20047523e8b2d551bcd9e8a145dcbb2bf7234696f2abbd8170a661a441ae52bd
      • Instruction Fuzzy Hash: 0501DF7A2056206BE3119728EC88D6F77ECEFC9211F114119FA44C7200DB34CE4387B1
      APIs
      • BitBlt.GDI32(?,00000000,?,?,?,?,?,?,00CC0020), ref: 1000BB67
      • BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 1000BE29
      • BitBlt.GDI32(?,?,?,00000020,?,?,?,?,00CC0020), ref: 1000BEF2
      • OffsetRect.USER32(?,1000329E,000000FF), ref: 1000BFA9
      • BitBlt.GDI32(?,?,?,00000020,?,?,?,?,00CC0020), ref: 1000BC0B
        • Part of subcall function 1000B4C0: 74AD1530.MSIMG32(?,?,?,?,?,?,1000BFD7,1000BFD7,?,1000BFD7,?,00000000,?,?,1000BFD7,?), ref: 1000B538
        • Part of subcall function 1000B4C0: CreateCompatibleDC.GDI32(?), ref: 1000B548
        • Part of subcall function 1000B4C0: CreateCompatibleBitmap.GDI32(?,?,?), ref: 1000B553
        • Part of subcall function 1000B4C0: SelectObject.GDI32(00000000,00000000), ref: 1000B55F
        • Part of subcall function 1000B4C0: 74AD1530.MSIMG32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?), ref: 1000B5BA
        • Part of subcall function 1000B4C0: DeleteObject.GDI32(?), ref: 1000B5C5
        • Part of subcall function 1000B4C0: DeleteDC.GDI32(00000000), ref: 1000B5CC
        • Part of subcall function 1000B5F0: BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 1000B646
        • Part of subcall function 1000B120: BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 1000B1A0
        • Part of subcall function 1000B120: BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 1000B216
        • Part of subcall function 1000B120: BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 1000B273
        • Part of subcall function 1000B120: BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 1000B2C9
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: CompatibleCreateD1530DeleteObject$BitmapOffsetRectSelect
      • String ID:
      • API String ID: 2188787078-0
      • Opcode ID: cac2739ba0984c5b844557e8b4f5d791b105f7fe2c822b0771468b378f7f900f
      • Instruction ID: b631010fc7c61f0dbc485572ac6f53e1cb0354f72aed0dfdbd8fa92e86ef0b76
      • Opcode Fuzzy Hash: cac2739ba0984c5b844557e8b4f5d791b105f7fe2c822b0771468b378f7f900f
      • Instruction Fuzzy Hash: F872B6B5700901AFD358CE6ECE95D27F7EAEFC8610314CA1CA55EC3A5CEA30F8558A64
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 1001D8EC
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1001D908
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: NtdllProc_PropWindow
      • String ID:
      • API String ID: 2172124074-0
      • Opcode ID: e4a0d490164f6d9069ce7e86964c5195bdc24712ecee0d29021a28e2da7046a5
      • Instruction ID: 3dd76a049db869770da15870645d9af25493a0817101984a39104c73db85ad87
      • Opcode Fuzzy Hash: e4a0d490164f6d9069ce7e86964c5195bdc24712ecee0d29021a28e2da7046a5
      • Instruction Fuzzy Hash: D741447A7082119BD640FE58E880E6F77A9EBD4750F108C1BF5818B256C270DCC697B2
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 1000831C
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10008338
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: NtdllProc_PropWindow
      • String ID:
      • API String ID: 2172124074-0
      • Opcode ID: 76ff8970db67151db0b6f6ec3473056875dcff3a0f31a7fb73f1cb6230d5cb84
      • Instruction ID: d5cf22ff5653e0c4365a76e3bc0a6f530f10b9ff97d098438d5549bdcf248cbb
      • Opcode Fuzzy Hash: 76ff8970db67151db0b6f6ec3473056875dcff3a0f31a7fb73f1cb6230d5cb84
      • Instruction Fuzzy Hash: 0E216476308612ABE204DB18EC84EAF77A9EBD8760F104919F181D7295C770ED9687B1
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 1001FD66
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1001FD7E
      • FindWindowExA.USER32(?,00000000,00000000,00000000), ref: 1001FDBE
      • GetPropA.USER32(00000000,1002C03C), ref: 1001FDD0
      • GetWindowRect.USER32(00000000,?), ref: 1001FDED
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Window$Prop$FindNtdllProc_Rect
      • String ID:
      • API String ID: 1621342347-0
      • Opcode ID: e209e126209f789dd80fe51a7b19f8c596f70caf1b5d236961e23ecb73bb45dc
      • Instruction ID: 6b8d0221fe97fab34533167ca4c9a37e3e90209f2d168c5ada330748bbe964d0
      • Opcode Fuzzy Hash: e209e126209f789dd80fe51a7b19f8c596f70caf1b5d236961e23ecb73bb45dc
      • Instruction Fuzzy Hash: F83187356042009FD304DF18C888E7BB3E9FBD8654F55895DF9459B352C730EE468B66
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 1000871D
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10008739
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: NtdllProc_PropWindow
      • String ID:
      • API String ID: 2172124074-0
      • Opcode ID: 826a2f52f7e6cf888468cf574442a5b1d842237e04ebc0d74020836fc4713a4a
      • Instruction ID: 4fac22d2b0eaef5fff40d3138b4cbdac12c866ca4beaf184c634f33bf18d14c9
      • Opcode Fuzzy Hash: 826a2f52f7e6cf888468cf574442a5b1d842237e04ebc0d74020836fc4713a4a
      • Instruction Fuzzy Hash: 055164763041119BE204DA48D8D4DBFB3AEEBD4392F14842BF68187296CB71EC5697B2
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 1001FEAD
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1001FEC9
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: NtdllProc_PropWindow
      • String ID:
      • API String ID: 2172124074-0
      • Opcode ID: 5716e03bdd05c131fa1711044e4bacf8af709cbf5cb97f13cea4ef0443b835b5
      • Instruction ID: 62426f1cfc6e2e8613ee12b2a616a1d9dd04dd25ff66616f45cf830b1ca35ad5
      • Opcode Fuzzy Hash: 5716e03bdd05c131fa1711044e4bacf8af709cbf5cb97f13cea4ef0443b835b5
      • Instruction Fuzzy Hash: 6341A6B77042115BE100DA58E8C4EBFB39ADBD83A1F50842FF68587252C770DC9697B5
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 1001163C
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10011658
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: NtdllProc_PropWindow
      • String ID:
      • API String ID: 2172124074-0
      • Opcode ID: 526c9ef3a2a92265fd59938002838eeed9a0dafe04fa7b4cf744bce3a05f278e
      • Instruction ID: e71c5dea82c0fa7fedd5e34c1b30a37f09bcbf9f8200f5aed356c99c4536bfaa
      • Opcode Fuzzy Hash: 526c9ef3a2a92265fd59938002838eeed9a0dafe04fa7b4cf744bce3a05f278e
      • Instruction Fuzzy Hash: DB41767A7082119BD248DA08E894DAF73E9DBD8750F10491DF142CB396C770EC8A87B2
      APIs
      • IsIconic.USER32(?), ref: 10025794
      • IsZoomed.USER32(?), ref: 100257A2
        • Part of subcall function 10024730: ShowWindow.USER32(?,?,00000000,?,76945440,1002584E,00000000), ref: 10024747
        • Part of subcall function 10024730: ShowWindow.USER32(?,?), ref: 10024751
        • Part of subcall function 10024730: ShowWindow.USER32(?,?), ref: 1002475B
        • Part of subcall function 10024730: ShowWindow.USER32(?,?), ref: 10024765
      • IsRectEmpty.USER32(?), ref: 10025808
      • IsWindowVisible.USER32(?), ref: 10025816
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Window$Show$EmptyIconicRectVisibleZoomed
      • String ID:
      • API String ID: 3753707372-0
      • Opcode ID: c1c3f4868670907c5ce2aaa56f8e4901cd67358b1a5e343eccb99875e79ee5f4
      • Instruction ID: f748418fd072593a3d66f39f517992ca0597f05378dce08ab7b824f94379abf5
      • Opcode Fuzzy Hash: c1c3f4868670907c5ce2aaa56f8e4901cd67358b1a5e343eccb99875e79ee5f4
      • Instruction Fuzzy Hash: 6B213D34305B52CBE760CB35F888B9B73E8EF44786F82446DE45BDA240EB75E8418B48
      APIs
      • GetPropA.USER32(?,1002C058), ref: 10008D4C
      • RemovePropA.USER32(?,1002C058), ref: 10008D5E
      • CallWindowProcA.USER32(00000000,?,?,?,?), ref: 10008D88
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10008DD0
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: PropWindow$CallNtdllProcProc_Remove
      • String ID:
      • API String ID: 167436498-0
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 1000F75C
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1000F778
      Similarity
      • API ID: NtdllProc_PropWindow
      • String ID:
      • API String ID: 2172124074-0
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 1001479C
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 100147B8
      Similarity
      • API ID: NtdllProc_PropWindow
      • String ID:
      • API String ID: 2172124074-0
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 1000FD5B
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1000FD77
      Similarity
      • API ID: NtdllProc_PropWindow
      • String ID:
      • API String ID: 2172124074-0
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 1001C80C
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1001C828
      Similarity
      • API ID: NtdllProc_PropWindow
      • String ID:
      • API String ID: 2172124074-0
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 1001E7FC
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1001E818
      Similarity
      • API ID: NtdllProc_PropWindow
      • String ID:
      • API String ID: 2172124074-0
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 1000D33D
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1000D359
      Similarity
      • API ID: NtdllProc_PropWindow
      • String ID:
      • API String ID: 2172124074-0
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 10013DAC
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10013DC8
      Similarity
      • API ID: NtdllProc_PropWindow
      • String ID:
      • API String ID: 2172124074-0
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 10012ADB
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10012AF7
      Similarity
      • API ID: NtdllProc_PropWindow
      • String ID:
      • API String ID: 2172124074-0
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 10012BFC
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10012C18
      Similarity
      • API ID: NtdllProc_PropWindow
      • String ID:
      • API String ID: 2172124074-0
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 1001D33B
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1001D357
      • CallWindowProcA.USER32(?,?,?,?,?), ref: 1001D386
      Similarity
      • API ID: Window$CallNtdllProcProc_Prop
      • String ID:
      • API String ID: 1641805499-0
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 1000635B
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10006377
      • CallWindowProcA.USER32(?,?,?,?,?), ref: 100063A3
      Similarity
      • API ID: Window$CallNtdllProcProc_Prop
      • String ID:
      • API String ID: 1641805499-0
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 1000E44B
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1000E465
      • CallWindowProcA.USER32(?,?,?,?,?), ref: 1000E48F
      Similarity
      • API ID: Window$CallNtdllProcProc_Prop
      • String ID:
      • API String ID: 1641805499-0
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 1000656B
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10006585
      Similarity
      • API ID: NtdllProc_PropWindow
      • String ID:
      • API String ID: 2172124074-0
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 10020B7B
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10020B95
      • CallWindowProcA.USER32(?,?,?,?,?), ref: 10020BB8
      Similarity
      • API ID: Window$CallNtdllProcProc_Prop
      • String ID:
      • API String ID: 1641805499-0
      APIs
      • IsWindowEnabled.USER32(?), ref: 100062CA
      • SendMessageA.USER32(?,00000313,00000000,?), ref: 100062E0
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 100062F6
      Similarity
      • API ID: Window$EnabledMessageNtdllProc_Send
      • String ID:
      • API String ID: 2494340020-0
      APIs
      • IsWindowEnabled.USER32(?), ref: 10005906
      • EnableWindow.USER32(?,00000001), ref: 10005913
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?,?,10004C2B,?,?,?,?,?), ref: 10005929
      Similarity
      • API ID: Window$EnableEnabledNtdllProc_
      • String ID:
      • API String ID: 1897713328-0
      APIs
        • Part of subcall function 10017090: ??2@YAPAXI@Z.MSVCRT ref: 100170FF
        • Part of subcall function 10017090: ??2@YAPAXI@Z.MSVCRT ref: 1001710F
        • Part of subcall function 10017090: ??2@YAPAXI@Z.MSVCRT ref: 1001711C
        • Part of subcall function 10017090: ??2@YAPAXI@Z.MSVCRT ref: 10017129
        • Part of subcall function 10017090: ??2@YAPAXI@Z.MSVCRT ref: 10017139
        • Part of subcall function 10017090: ??2@YAPAXI@Z.MSVCRT ref: 10017149
        • Part of subcall function 10017090: ??2@YAPAXI@Z.MSVCRT ref: 100171FB
        • Part of subcall function 10017090: ??2@YAPAXI@Z.MSVCRT ref: 1001720B
        • Part of subcall function 10017090: ??2@YAPAXI@Z.MSVCRT ref: 10017218
        • Part of subcall function 10017090: ??2@YAPAXI@Z.MSVCRT ref: 10017225
        • Part of subcall function 10017090: ??2@YAPAXI@Z.MSVCRT ref: 10017235
        • Part of subcall function 10017090: ??2@YAPAXI@Z.MSVCRT ref: 10017245
        • Part of subcall function 1001A700: GetModuleHandleA.KERNEL32(1002C484,1002C48C,00000000,?,?,1001928B), ref: 1001A715
        • Part of subcall function 1001A700: GetProcAddress.KERNEL32(00000000), ref: 1001A71E
        • Part of subcall function 1001A700: GetModuleHandleA.KERNEL32(1002C484,1002C468,?,?,1001928B), ref: 1001A72C
        • Part of subcall function 1001A700: GetProcAddress.KERNEL32(00000000), ref: 1001A72F
      • 6E9E4BC0.MSVFW32 ref: 10019374
      • GetVersion.KERNEL32 ref: 10019392
      Similarity
      • API ID: ??2@$AddressHandleModuleProc$Version
      • String ID:
      • API String ID: 607549927-0
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 10008CBB
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10008CD7
      Similarity
      • API ID: NtdllProc_PropWindow
      • String ID:
      • API String ID: 2172124074-0
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 1000CBCB
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1000CBE7
      Similarity
      • API ID: NtdllProc_PropWindow
      • String ID:
      • API String ID: 2172124074-0
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 100214BB
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 100214D5
      Similarity
      • API ID: NtdllProc_PropWindow
      • String ID:
      • API String ID: 2172124074-0
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 10014EAB
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?,?,1000C929,?,?,?,?), ref: 10014EC5
      Similarity
      • API ID: NtdllProc_PropWindow
      • String ID:
      • API String ID: 2172124074-0
      APIs
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10004D01
      Similarity
      • API ID: NtdllProc_Window
      • String ID:
      • API String ID: 4255912815-0
      APIs
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10004929
        • Part of subcall function 10004800: IsWindowEnabled.USER32(?), ref: 10004809
        • Part of subcall function 10004800: SendMessageA.USER32(?,00000020,?,0200FFFE), ref: 1000482A
      Similarity
      • API ID: Window$EnabledMessageNtdllProc_Send
      • String ID:
      • API String ID: 2494340020-0
      APIs
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10004559
        • Part of subcall function 10004430: IsWindowEnabled.USER32(?), ref: 10004439
        • Part of subcall function 10004430: SendMessageA.USER32(?,00000020,?,0200FFFE), ref: 1000445A
      Similarity
      • API ID: Window$EnabledMessageNtdllProc_Send
      • String ID:
      • API String ID: 2494340020-0
      APIs
      • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10002E89
        • Part of subcall function 10002C90: IsWindowEnabled.USER32(?), ref: 10002C9C
        • Part of subcall function 10002C90: SendMessageA.USER32(?,00000020,?,0200FFFE), ref: 10002CBD
      Similarity
      • API ID: Window$EnabledMessageNtdllProc_Send
      • String ID:
      • API String ID: 2494340020-0
      Strings
      Similarity
      • API ID:
      • String ID: R
      • API String ID: 0-1466425173
      • Opcode ID: cd3b73b7348ff081589cfac0100b05dc96f159948ea6ee02f68d477cfa1a48d5
      • Instruction ID: 8be94b6153ab9119319510401fc8330cfa8a6dc569db2486da79333d3fcb569b
      • Opcode Fuzzy Hash: cd3b73b7348ff081589cfac0100b05dc96f159948ea6ee02f68d477cfa1a48d5
      • Instruction Fuzzy Hash: E1519E5804D7C11FC3278B3888659A7BF216F57528B0F8AEBD4D08F963C249994AD7A2
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: a339960ffb5a704b000e7367763248f18282941ed323104f3f76a1d61ee49cb0
      • Instruction ID: 983c4fcd37887a59a0cb9d3b85b446299f8e70ed709c6495451e70af00230a31
      • Opcode Fuzzy Hash: a339960ffb5a704b000e7367763248f18282941ed323104f3f76a1d61ee49cb0
      • Instruction Fuzzy Hash: 1142A2377406154BEB0CCD5EC8B16BDB3D3ABC835474D463D9A5BD3782EDB8A80A8684
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 07396eee454c85584817cf15b8c0d006d29891ab31e0bab80244d1fd90dbd4d6
      • Instruction ID: 93596e6502c76a15187eaa282ea5bd3d0e08f7ebc6713d694ddc07016d6b6326
      • Opcode Fuzzy Hash: 07396eee454c85584817cf15b8c0d006d29891ab31e0bab80244d1fd90dbd4d6
      • Instruction Fuzzy Hash: 19124A32B086154FE71CCE28C49426EB7E2EBC8394F16463EE95AD7748DA30D945CBC1
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: a01781256ee79fcf471860e977b16b7ce8c920ade3d6f3453a41c6b7b0ce33b4
      • Instruction ID: 428467e42f7f86c7821e8e1e21e6f22a2fc9309eb635c514b15cab7e2e214c89
      • Opcode Fuzzy Hash: a01781256ee79fcf471860e977b16b7ce8c920ade3d6f3453a41c6b7b0ce33b4
      • Instruction Fuzzy Hash: 3C61C82914D3C15FC7874B7444661A27FB1AE1B22870E85DAC9C18F173D299AC4FEFA1
      APIs
        • Part of subcall function 1001A9C0: _mbscmp.MSVCRT ref: 1001A9D3
      • _mbscmp.MSVCRT ref: 1001A065
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: _mbscmp
      • String ID:
      • API String ID: 2888065108-0
      • Opcode ID: 2db2da2f1ae1e61f1de84b9da0cee3094acc3992bba78dd0357555a99ed89133
      • Instruction ID: 3c9746c1fec8770da351958914ea95a60552062d740270c3ce570340641db563
      • Opcode Fuzzy Hash: 2db2da2f1ae1e61f1de84b9da0cee3094acc3992bba78dd0357555a99ed89133
      • Instruction Fuzzy Hash: A6B1902739152923D101F2E5BCC1EEE634CDFE22A7F118032F705ED081DA36EA9682B5
      APIs
      • IsWindowEnabled.USER32(?), ref: 10005D4C
      • SendMessageA.USER32(?,00000020,?,0201FFFE), ref: 10005D62
      • GetWindowRect.USER32(?,?), ref: 10005D7B
      • IsRectEmpty.USER32(?), ref: 10005DA1
      • PtInRect.USER32(?), ref: 10005DB8
      • IsZoomed.USER32(?), ref: 10005E71
      • GetWindowLongA.USER32(?,000000F0), ref: 10005E8E
      • SetRect.USER32(?,00000000,00000000,?,?), ref: 10005EBB
      • OffsetRect.USER32(?,?,?), ref: 10005ED0
      • SetRect.USER32(?,?,00000000,?,?), ref: 10005EF1
      • SetRect.USER32(?,?,00000000,?,00000004), ref: 10005F0F
      • PtInRect.USER32(?), ref: 10005F1E
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$Window$EmptyEnabledLongMessageOffsetSendZoomed
      • String ID:
      • API String ID: 3721721508-0
      • Opcode ID: 1c55317af7e18a16ab680dc0c89327f4a8ef3d22245125a4e3fe7293c6f417bf
      • Instruction ID: b63b4231ee4676df5d12ce30ad5422ad18bad84e1520a447d21eb9a6881f90ac
      • Opcode Fuzzy Hash: 1c55317af7e18a16ab680dc0c89327f4a8ef3d22245125a4e3fe7293c6f417bf
      • Instruction Fuzzy Hash: 5781A375204316AFF320DBA4DCC9F6B77ECEB84B81F10491DF64682194EA75EA05C761
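Reading the Similarity block: the API ID that closes each entry is a compact key built from the API names listed for that function, and Joe Sandbox uses it (together with the String ID) to match this function against functions in other reports. The following Python is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own code; the rule it implements is inferred from the entries on this page and checks out against every one of them: split each API name at its capital letters, drop fragments shorter than four characters (Get, Set, Is, Pt, In, Rgn, Blt, Bk and the A/W suffix all vanish, which is why PatBlt and BitBlt contribute nothing), count the surviving fragments across direct and "Part of subcall" lines alike, then emit the fragments in groups of equal count, most frequent group first, separated by `$`, ASCII-sorted inside a group (so "Select" precedes "_mbscmp" and "??2@" precedes "Bitmap"). The numeric API String ID is a hash over this key and the String ID; the example does not reproduce that hash. The sample input is the API list of the entry directly above, copied from the report.

```python
"""Rebuild the Joe Sandbox "API ID" similarity key from a function's API list.

Added example; the grouping rule below is inferred from the entries in this
report, not taken from Joe Sandbox documentation or code.
"""
import re
from collections import Counter

# One "• Name.MODULE(args), ref: ADDR" line, optionally prefixed with
# "Part of subcall function ADDR:"; sub-call lines count like direct calls.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
)
# Split CamelCase at each capital; a leading run without capitals (the
# "??2@" of a decorated C++ name, or "_mbscmp") stays one token.
CAMEL = re.compile(r"[A-Z][^A-Z]*|^[^A-Z]+")
# Fragments shorter than this never appear in the keys on this page: Get, Set,
# Is, Pt, In, Rgn, Blt, Bk, Pos, Ex and the A/W suffix are all dropped.
MIN_TOKEN = 4

# Sample input: the API list of the entry directly above, copied from the report.
ENTRY_10005D4C = """\
• IsWindowEnabled.USER32(?), ref: 10005D4C
• SendMessageA.USER32(?,00000020,?,0201FFFE), ref: 10005D62
• GetWindowRect.USER32(?,?), ref: 10005D7B
• IsRectEmpty.USER32(?), ref: 10005DA1
• PtInRect.USER32(?), ref: 10005DB8
• IsZoomed.USER32(?), ref: 10005E71
• GetWindowLongA.USER32(?,000000F0), ref: 10005E8E
• SetRect.USER32(?,00000000,00000000,?,?), ref: 10005EBB
• OffsetRect.USER32(?,?,?), ref: 10005ED0
• SetRect.USER32(?,?,00000000,?,?), ref: 10005EF1
• SetRect.USER32(?,?,00000000,?,00000004), ref: 10005F0F
• PtInRect.USER32(?), ref: 10005F1E
""".splitlines()


def api_names(lines):
    """Return the API name of every API line, in order, duplicates kept."""
    names = []
    for line in lines:
        m = API_LINE.match(line)
        if m:
            names.append(m.group("name"))
    return names


def tokenize(name):
    """CamelCase fragments of an API name that survive the length filter."""
    return [t for t in CAMEL.findall(name) if len(t) >= MIN_TOKEN]


def api_id(lines):
    """Join fragments into '$'-separated groups: most frequent group first,
    ASCII order inside a group (so 'Select' sorts before '_mbscmp')."""
    counts = Counter(t for n in api_names(lines) for t in tokenize(n))
    by_count = {}
    for tok, c in counts.items():
        by_count.setdefault(c, []).append(tok)
    return "$".join(
        "".join(sorted(by_count[c])) for c in sorted(by_count, reverse=True)
    )


if __name__ == "__main__":
    # Reproduces the API ID printed for this entry in the report.
    print(api_id(ENTRY_10005D4C))
```

Paste the API lines of any other entry on this page into `api_id` and the result matches its API ID field, which makes the key usable for clustering functions across reports of related samples without depending on the opaque numeric hash. Because three-letter fragments are discarded, two functions that differ only in calls such as PatBlt versus BitBlt, or GetClipRgn versus SelectClipRgn's region argument, collapse to the same key; treat a matching API ID as a coarse bucket, and rely on the Opcode and Instruction fuzzy hashes for the finer comparison.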
      APIs
      • SendMessageA.USER32(?), ref: 10014BF2
      • CallWindowProcA.USER32(?,?,00000001,?,?), ref: 10014C13
      • CallWindowProcA.USER32(?,?,00000001,00000000,?), ref: 10014C38
      • IsWindowVisible.USER32(?), ref: 10014C42
      • InvalidateRect.USER32(?,00000000,00000001), ref: 10014C54
      • GetWindowRect.USER32(?,000000F0), ref: 10014C87
      • GetParent.USER32(?), ref: 10014C9D
      • ScreenToClient.USER32(00000000), ref: 10014CA6
      • GetParent.USER32(?), ref: 10014CB1
      • ScreenToClient.USER32(00000000), ref: 10014CB4
      • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 10014CE7
      • GetWindowRect.USER32(?,000000F0), ref: 10014CF6
      • GetParent.USER32(?), ref: 10014D1C
      • ScreenToClient.USER32(00000000), ref: 10014D25
      • GetParent.USER32(?), ref: 10014D30
      • ScreenToClient.USER32(00000000), ref: 10014D33
      • GetWindowRect.USER32(?,000000F0), ref: 10014D72
      • GetParent.USER32(?), ref: 10014D88
      • ScreenToClient.USER32(00000000), ref: 10014D91
      • GetParent.USER32(?), ref: 10014D9C
      • ScreenToClient.USER32(00000000), ref: 10014D9F
      • GetParent.USER32(?), ref: 10014DE5
      • ScreenToClient.USER32(00000000), ref: 10014DEE
      • GetParent.USER32(?), ref: 10014DF9
      • ScreenToClient.USER32(00000000), ref: 10014DFC
      • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 10014E2F
      • GetWindowRect.USER32(?,000000F0), ref: 10014E3E
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Window$ClientParentScreen$Rect$CallMoveProc$InvalidateMessageSendVisible
      • String ID:
      • API String ID: 1330197011-0
      • Opcode ID: 27cd31995633851774bee205df8a30004b9258d202a727f50e8ef6ab539021a8
      • Instruction ID: c47097b4e2208499dd9ef6fa9ca82aafd1a7c7d366bf9be39b5b8423eecfa7f7
      • Opcode Fuzzy Hash: 27cd31995633851774bee205df8a30004b9258d202a727f50e8ef6ab539021a8
      • Instruction Fuzzy Hash: 67A139B52047069FE314CF65C884F6BB7E9EBC8704F11891CF599972A0DA74F98ACB60
      APIs
        • Part of subcall function 10022FD0: GetMenuItemCount.USER32(?), ref: 10022FE9
        • Part of subcall function 10022FD0: GetMenuItemRect.USER32(?,?,00000000,?,?,?,?,100250E4,00040024,?,00000000,?), ref: 1002300D
        • Part of subcall function 10022FD0: GetMenuItemRect.USER32(?,?,-00000001,?,?,?,?,100250E4,00040024,?,00000000,?), ref: 10023021
      • SetRectEmpty.USER32(?), ref: 100252A5
      • SetRectEmpty.USER32(?), ref: 100252AE
      • SetRectEmpty.USER32(?), ref: 100252B7
      • SetRectEmpty.USER32(?), ref: 100252C0
      • SetRectEmpty.USER32(?), ref: 100253EE
      • SetRectEmpty.USER32(?), ref: 100253F7
      • IsRectEmpty.USER32(?), ref: 10025400
      • IsRectEmpty.USER32(?), ref: 1002540B
      • SetRectEmpty.USER32(?), ref: 100254E0
      • SetRectEmpty.USER32(?), ref: 1002552F
      • SetRectEmpty.USER32(?), ref: 10025538
      • SetRectEmpty.USER32(?), ref: 10025541
      • SetRectEmpty.USER32(?), ref: 1002554A
      • SetRectEmpty.USER32(?), ref: 10025553
      • IsRectEmpty.USER32(?), ref: 1002556E
      • IsRectEmpty.USER32(?), ref: 100255B6
      • IsRectEmpty.USER32(?), ref: 100255C3
      • SetRectEmpty.USER32(?), ref: 1002561A
      • SetRectEmpty.USER32(?), ref: 10025623
      • SetRectEmpty.USER32(?), ref: 1002562C
      • SetRectEmpty.USER32(?), ref: 10025635
      • SetRectEmpty.USER32(?), ref: 1002563E
      • SetRectEmpty.USER32(?), ref: 10025647
      • GetMenuItemCount.USER32(?), ref: 100256E8
      • GetMenuItemRect.USER32(?,?,00000000,?,?,?,?,?,?,?,1002388F,?), ref: 10025708
      • GetMenuItemRect.USER32(?,?,-00000001,?,?,?,?,?,?,?,1002388F,?), ref: 1002571C
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$Empty$ItemMenu$Count
      • String ID:
      • API String ID: 3556175780-0
      • Opcode ID: 51b63d87aa26e79ce635bc53da4e79dd0ac5e2a0a2ba4a142e7e1ecfd1e9703b
      • Instruction ID: 3580b85264a0b11b2af6f932b74e5bb24bd1c90a80f22c94ed852e82d06a07f9
      • Opcode Fuzzy Hash: 51b63d87aa26e79ce635bc53da4e79dd0ac5e2a0a2ba4a142e7e1ecfd1e9703b
      • Instruction Fuzzy Hash: 4D12CF75605B058FC368CB28D888AE6B7E5FF88305F65896ED8AF87315DB31B841CB44
      APIs
      • IsWindowEnabled.USER32(?), ref: 10005A4C
      • SendMessageA.USER32(?,00000020,?,0200FFFE), ref: 10005A62
      • GetWindowRect.USER32(?,?), ref: 10005A7B
      • IsRectEmpty.USER32(?), ref: 10005AA1
      • PtInRect.USER32(?), ref: 10005AB8
      • SetTimer.USER32 ref: 10005BAC
      • GetWindowLongA.USER32(?,000000F0), ref: 10005BC6
      • SetRect.USER32(?,00000000,00000000,?,?), ref: 10005BF3
      • OffsetRect.USER32(?,?,?), ref: 10005C08
      • SetRect.USER32(?,?,00000000,?,?), ref: 10005C2A
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$Window$EmptyEnabledLongMessageOffsetSendTimer
      • String ID:
      • API String ID: 70592305-0
      • Opcode ID: 9b1bcf4309ba79a44affa8d35e3d6eb1101dc492926530dc94eed6df942145db
      • Instruction ID: d42ccc5a3b2781513f2fd8ff1ff6268cf5ee92936f68469feebf928f78cc2080
      • Opcode Fuzzy Hash: 9b1bcf4309ba79a44affa8d35e3d6eb1101dc492926530dc94eed6df942145db
      • Instruction Fuzzy Hash: CA819C75204706AFF320DBA4CC89FAB77E8EB88B81F104909F656C6294E771F905CB25
      APIs
      • GetClientRect.USER32(?,?), ref: 10011B62
      • SendMessageA.USER32(?,00001009,00000000,?), ref: 10011B78
      • InflateRect.USER32(?,00000000,00000005), ref: 10011BE9
      • SetRect.USER32(00000060,?,?,?,?), ref: 10011CC0
      • SetRect.USER32(00000050,?,?,?,?), ref: 10011CDE
      • InflateRect.USER32(00000050,00000004,00000004), ref: 10011CEB
      • InflateRect.USER32(00000060,00000004,00000004), ref: 10011CF2
      • SetRectEmpty.USER32(00000050), ref: 10011D0E
      • SendMessageA.USER32(?,0000100E,00000000,00000020), ref: 10011D49
      • SendMessageA.USER32(?,0000100E,00000000,00000020), ref: 10011D8D
      • SendMessageA.USER32(?,0000100E,00000000,00000020), ref: 10011DE0
      • SendMessageA.USER32(?,0000100E,00000000,00000020), ref: 10011E17
      • IsRectEmpty.USER32(00000050), ref: 10011E2F
      • InflateRect.USER32(00000050,00000001,00000001), ref: 10011E3E
      • SetRectEmpty.USER32(?), ref: 10011E62
      • SendMessageA.USER32(?,0000100E,00000000,00000020), ref: 10011E95
      • SendMessageA.USER32(?,0000100E,00000000,00000020), ref: 10011EC9
      • SendMessageA.USER32(?,0000100E,00000000,00000020), ref: 10011F14
      • SendMessageA.USER32(?,0000100E,00000000,00000020), ref: 10011F45
      • IsRectEmpty.USER32(?), ref: 10011F61
      • InflateRect.USER32(?,00000001,00000001), ref: 10011F78
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$MessageSend$Inflate$Empty$Client
      • String ID:
      • API String ID: 1339602669-3916222277
      • Opcode ID: c0bd68143ee354b4ca45915280152967c7e5e1a2a28bd3c8534a58b4e74df048
      • Instruction ID: a0f7648be8e36038d2b16f179121c650e50f05b29048d1dfe480584c03a9469a
      • Opcode Fuzzy Hash: c0bd68143ee354b4ca45915280152967c7e5e1a2a28bd3c8534a58b4e74df048
      • Instruction Fuzzy Hash: 21E17D752087069FD318CF29C9C1A9AB7E6FBC8344F144A2DF585DB251D7B0E886CB52
      APIs
      • GetCursorPos.USER32(?), ref: 1001CC0F
      • ScreenToClient.USER32(?,?), ref: 1001CC1E
      • GetClientRect.USER32(?,?), ref: 1001CC57
      • GetParent.USER32(?), ref: 1001CC61
      • GetClassNameA.USER32(00000000,?,00000040), ref: 1001CC73
      • _mbscmp.MSVCRT ref: 1001CC89
      • _mbscmp.MSVCRT ref: 1001CC9C
      • CreateCompatibleDC.GDI32(?), ref: 1001CCB8
      • CreateCompatibleBitmap.GDI32(?,?,?), ref: 1001CCCB
      • SelectObject.GDI32(00000000,00000000), ref: 1001CCDD
      • SelectObject.GDI32(00000000,?), ref: 1001CCEC
      • PatBlt.GDI32(00000000,00000000,00000000,?,?,00F00021), ref: 1001CD02
      • SetRect.USER32(?,?,?,?,?), ref: 1001CD41
      • SetRect.USER32(?,?,?,?,?), ref: 1001CD64
      • IsWindowEnabled.USER32(?), ref: 1001CD6A
      • PtInRect.USER32(?,?,?), ref: 1001CD8D
      • PtInRect.USER32(?,?,?), ref: 1001CE0C
      • PtInRect.USER32(?,?,?), ref: 1001CFDF
      • BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 1001D0F1
      • DeleteDC.GDI32(00000000), ref: 1001D0F8
      • DeleteObject.GDI32(?), ref: 1001D103
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$Object$ClientCompatibleCreateDeleteSelect_mbscmp$BitmapClassCursorEnabledNameParentScreenWindow
      • String ID:
      • API String ID: 3766834539-0
      • Opcode ID: c2ef48b3f6ec4ec22484b2a45e11998c80fbc2def04bd750a7d1df5ab2a244b6
      • Instruction ID: 3e656c1c5e6747a07933068c804b643b2a797f552276aae395ead9c06b7a3bed
      • Opcode Fuzzy Hash: c2ef48b3f6ec4ec22484b2a45e11998c80fbc2def04bd750a7d1df5ab2a244b6
      • Instruction Fuzzy Hash: 20F159B9204204AFE304DB54CC85EABB3ADFFC8744F148A69F95887355D634EE46CB61
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$Window
      • String ID:
      • API String ID: 924285169-0
      • Opcode ID: 10a71a3ec35c7868adf77ffbb036b0aa99efc379083cf3b09a92fc681535840c
      • Instruction ID: 9d0981d9d4456fe75954a96ff124bc768ed38601b0fc248c18501ffb98e7e012
      • Opcode Fuzzy Hash: 10a71a3ec35c7868adf77ffbb036b0aa99efc379083cf3b09a92fc681535840c
      • Instruction Fuzzy Hash: BDB1B276600305ABE360CBA9ECC4EE7B7ECEBD8790F51492EF859C6240D635E949C760
      APIs
      • GetClientRect.USER32(?,?), ref: 1001D44A
        • Part of subcall function 1000FBF0: CreateCompatibleDC.GDI32(?), ref: 1000FC09
        • Part of subcall function 1000FBF0: CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 1000FC14
        • Part of subcall function 1000FBF0: SelectObject.GDI32(00000000,00000000), ref: 1000FC21
        • Part of subcall function 1000FBF0: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1000FC3A
        • Part of subcall function 1000FBF0: GetClipRgn.GDI32(?,00000000), ref: 1000FC44
        • Part of subcall function 1000FBF0: SelectClipRgn.GDI32(?,00000000), ref: 1000FC53
        • Part of subcall function 1000FBF0: DeleteObject.GDI32(00000000), ref: 1000FC5A
      • SetBkMode.GDI32(?,00000001), ref: 1001D4A3
        • Part of subcall function 10012060: GetPropA.USER32(?,1002C2CC), ref: 1001206C
        • Part of subcall function 10012060: SendMessageA.USER32(?,00000031,?,?), ref: 10012090
      • SelectObject.GDI32(?,00000000), ref: 1001D4B8
      • SendMessageA.USER32(?,00000406,00000000,00000000), ref: 1001D4E1
      • IsRectEmpty.USER32(?), ref: 1001D4FA
      • SendMessageA.USER32(?,0000040A,00000000,?), ref: 1001D55E
      • SendMessageA.USER32(?,00000414,00000000,00000000), ref: 1001D56B
      • GetIconInfo.USER32(00000000,?), ref: 1001D580
      • GetObjectA.GDI32(?,00000018,?), ref: 1001D598
      • DrawIconEx.USER32(?,?,?,00000000,?,?,00000000,00000000,00000003), ref: 1001D5D1
      • DeleteObject.GDI32(?), ref: 1001D5E5
      • DeleteObject.GDI32(?), ref: 1001D5EF
      • SendMessageA.USER32(?,00000403,00000000,00000000), ref: 1001D60E
      • ??2@YAPAXI@Z.MSVCRT ref: 1001D622
      • SendMessageA.USER32(?,00000402,00000001,00000000), ref: 1001D64B
      • SetTextColor.GDI32(?,?), ref: 1001D674
      • DrawTextA.USER32(?,00000000,?,?,00000024), ref: 1001D694
      • ??3@YAXPAX@Z.MSVCRT ref: 1001D69B
      • SendMessageA.USER32(?,00000402,00000000,00000000), ref: 1001D6EB
      • GetParent.USER32(?), ref: 1001D726
      • IsWindowEnabled.USER32(?), ref: 1001D732
      • SendMessageA.USER32(00000000,0000002B,00000000,?), ref: 1001D775
      • SelectClipRgn.GDI32(?,00000000), ref: 1001D7BC
      • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 1001D83D
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: MessageSend$Object$Select$ClipCreateDeleteRect$CompatibleDrawIconText$??2@??3@BitmapClientColorEmptyEnabledInfoModeParentPropWindow
      • String ID:
      • API String ID: 1362129631-0
      • Opcode ID: b003ebf027d72403f8cb3d27b9e7ff3e5f9c0d22eb73ba247c27aebcaaa1183c
      • Instruction ID: 90df3fa2a803067d4cdad2171947ebf974ab48cb4e9fe13901dbc3d04bca41ca
      • Opcode Fuzzy Hash: b003ebf027d72403f8cb3d27b9e7ff3e5f9c0d22eb73ba247c27aebcaaa1183c
      • Instruction Fuzzy Hash: D1D10675604341AFE354DF68C884E6BB7E9FBC8700F148A2DF68987291DB70E945CB62
      APIs
      • IsWindowVisible.USER32(?), ref: 1002399F
      • IsRectEmpty.USER32(?), ref: 100239B4
      • SetBkMode.GDI32 ref: 10023A30
      • SelectObject.GDI32(?,?), ref: 10023A4D
      • SelectObject.GDI32(?,?), ref: 10023A5D
      • SetTextColor.GDI32(?,?), ref: 10023AAD
      • BitBlt.GDI32(?,00000000,00000000,?,00000001,00000000,?,?,00CC0020), ref: 10023AE3
      • GetMenuItemCount.USER32(00000000), ref: 10023B2A
      • GetMenuItemInfoA.USER32(00000000,00000000,00000400,?), ref: 10023B88
        • Part of subcall function 10024DB0: GetMenuItemRect.USER32(?,00000000,?,?,?,?,751E6D90,00000000,10023B9B,00000000,?), ref: 10024DCB
        • Part of subcall function 10024DB0: OffsetRect.USER32(?,?,?), ref: 10024DF9
      • InflateRect.USER32(?,000000FF,000000FF), ref: 10023BC7
      • SetTextColor.GDI32(?,?), ref: 10023BEF
      • SetTextColor.GDI32(?,?), ref: 10023C25
      • SetTextColor.GDI32(?,?), ref: 10023C69
      • DrawTextA.USER32(?,?,?,?,00000025), ref: 10023C8B
      • SetTextColor.GDI32(?,?), ref: 10023C9B
      • DrawIconEx.USER32(?,?,?,00000000,00000010,00000010,00000000,00000000,00000003), ref: 10023CE9
      • GetSystemMetrics.USER32(00000020), ref: 10023CFE
      • OffsetRect.USER32(?,00000000), ref: 10023D19
      • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 10023E64
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Text$ColorRect$ItemMenu$DrawObjectOffsetSelect$CountEmptyIconInflateInfoMetricsModeSystemVisibleWindow
      • String ID: 0
      • API String ID: 2055320636-4108050209
      • Opcode ID: 37e9a5e0e2e580665de7cd9a3032d2bb2df789812bb621c82e55d9ffef3a9a1e
      • Instruction ID: a9acdb67b72450ec93636fc2c6a84ac6b9940729399217752d96d5b5a37b2c08
      • Opcode Fuzzy Hash: 37e9a5e0e2e580665de7cd9a3032d2bb2df789812bb621c82e55d9ffef3a9a1e
      • Instruction Fuzzy Hash: 5DF14975204741AFE354CF28D885FABB3E9FB88704F608A2DF95997290DB30E906CB51
      APIs
      • GetWindowRect.USER32(?,00000000), ref: 10010213
      • GetClientRect.USER32(?,?), ref: 10010222
      • ClientToScreen.USER32(?,?), ref: 10010237
      • ClientToScreen.USER32(?,?), ref: 10010242
      • SetBkMode.GDI32(?,00000001), ref: 10010281
      • SelectObject.GDI32(?,?), ref: 10010299
      • ClientToScreen.USER32(?,?), ref: 100102EA
      • MenuItemFromPoint.USER32(00000000,?,?,?), ref: 100102FB
      • GetMenuItemRect.USER32(?,?,00000000,?), ref: 10010325
      • GetMenuItemRect.USER32(?,?,00000000,?), ref: 1001033D
      • GetMenuItemCount.USER32(?), ref: 10010357
      • GetMenuItemRect.USER32(?,?,00000000,?), ref: 10010389
      • OffsetRect.USER32(?,?,?), ref: 100103AC
      • GetMenuItemInfoA.USER32 ref: 10010419
      • SetRect.USER32(?,?,?,?,?), ref: 1001053E
      • SetRect.USER32(?,?,?,?,?), ref: 10010564
      • OffsetRect.USER32(?,?,?), ref: 10010579
      • OffsetRect.USER32(?,?,?), ref: 10010591
      • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 1001060C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$ItemMenu$Client$OffsetScreen$CountFromInfoModeObjectPointSelectWindow
      • String ID: 0
      • API String ID: 303195050-4108050209
      • Opcode ID: 008811b3abd2f731aae474ba5b14917b142eec1ffb338946d922de29f3af1481
      • Instruction ID: 218a776880d17dfc55bc541e60bba26cc9f27d11404c7c810f554a5f716a7b01
      • Opcode Fuzzy Hash: 008811b3abd2f731aae474ba5b14917b142eec1ffb338946d922de29f3af1481
      • Instruction Fuzzy Hash: 61E113B5208345AFE354CF68C884E6BB7E9FBC8744F108A1DF58A87250DB74E945CB62
      APIs
      • CreateRectRgn.GDI32(00000000,00000000,1002CDA8,?), ref: 10003521
      • SelectObject.GDI32(?,?), ref: 10003586
      • CombineRgn.GDI32(00000000,00000000,00000000,00000003), ref: 100035F1
      • SelectObject.GDI32(?,?), ref: 10003791
      • OffsetRgn.GDI32(00000000,?,?), ref: 1000380A
      • CombineRgn.GDI32(00000000,00000000,?,00000003), ref: 10003819
      • DeleteObject.GDI32(?), ref: 10003824
      • SetRect.USER32(?,00000000,00000000,00000000,?), ref: 1000385B
      • SelectObject.GDI32(?,?), ref: 100038A2
      • SelectObject.GDI32(?,?), ref: 100038EF
      • SelectObject.GDI32(?,?), ref: 100037DD
        • Part of subcall function 1001C210: ExtCreateRegion.GDI32(00000000,00000062,00000000), ref: 1001C3B3
        • Part of subcall function 1001C210: GlobalUnWire.KERNEL32(00000000), ref: 1001C3BC
        • Part of subcall function 1001C210: GlobalFree.KERNEL32(00000000), ref: 1001C3C3
      • OffsetRgn.GDI32(00000000,00000000,?), ref: 10003918
      • CombineRgn.GDI32(00000000,00000000,00000000,00000003), ref: 10003923
      • DeleteObject.GDI32(00000000), ref: 1000392A
      • DeleteObject.GDI32(?), ref: 100035FC
        • Part of subcall function 10006920: DeleteObject.GDI32(?), ref: 1000692E
      • SelectObject.GDI32(?,?), ref: 100035D2
        • Part of subcall function 1001C210: GlobalAlloc.KERNEL32(00000002,00000660,751E6BA0,00000000,00000000,?,?,?,10003905,?,?,?,1002CDA8,?,1002CDC8), ref: 1001C227
        • Part of subcall function 1001C210: GlobalFix.KERNEL32(00000000), ref: 1001C230
        • Part of subcall function 1001C210: SetRect.USER32(00000010,7FFFFFFF,7FFFFFFF,00000000,00000000), ref: 1001C25D
        • Part of subcall function 1001C210: GlobalUnWire.KERNEL32(00000000), ref: 1001C2EB
        • Part of subcall function 1001C210: GlobalReAlloc.KERNEL32(00000000,?,00000002), ref: 1001C30D
        • Part of subcall function 1001C210: GlobalFix.KERNEL32(00000000), ref: 1001C316
        • Part of subcall function 1001C210: SetRect.USER32(?,?,?,?,?), ref: 1001C339
      • SelectObject.GDI32(?,?), ref: 10003683
      • SelectObject.GDI32(?,?), ref: 100036CF
      • OffsetRgn.GDI32(00000000,00000000,?), ref: 100036F2
      • CombineRgn.GDI32(00000000,00000000,?,00000003), ref: 10003701
      • DeleteObject.GDI32(?), ref: 1000370C
      • SetRect.USER32(?,00000000,00000000,?,?), ref: 10003753
        • Part of subcall function 10006940: CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 10006998
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Object$Select$Global$DeleteRect$Combine$CreateOffset$AllocWire$FreeRegionSection
      • String ID:
      • API String ID: 1948797773-0
      • Opcode ID: 28d03ff82f9fef2848c515fd377fc677e97226a5aac8fcd684cd577ae0ea30f7
      • Instruction ID: 7ad6e692fdaee63a5d88ca3bc9fb50060419e0f4e25ce673a8ec1ac2766f1ee5
      • Opcode Fuzzy Hash: 28d03ff82f9fef2848c515fd377fc677e97226a5aac8fcd684cd577ae0ea30f7
      • Instruction Fuzzy Hash: B8D107B9504318AFE354CFA4CD84D6BBBE9FB88740F204A1DF55987264D770E906CBA2
      APIs
      • EqualRect.USER32(1000AEEB,?), ref: 1000AF0A
      • IsRectEmpty.USER32(?), ref: 1000AF21
      • CreateRectRgn.GDI32(?,?,?,?), ref: 1000AF49
      • CreateRectRgn.GDI32(?,?,?,?), ref: 1000AF61
      • CombineRgn.GDI32(00000000,00000000,00000000,00000004), ref: 1000AF6A
      • SelectClipRgn.GDI32(?,00000000), ref: 1000AF72
      • DeleteObject.GDI32(00000000), ref: 1000AF7F
      • DeleteObject.GDI32(00000000), ref: 1000AF82
      • CreatePen.GDI32(00000000,00000001,?), ref: 1000AFA1
      • CreatePen.GDI32(00000000,00000001,?), ref: 1000AFD6
      • CreatePen.GDI32(00000000,00000001,?), ref: 1000B008
      • CreateSolidBrush.GDI32(?), ref: 1000B041
      • SelectObject.GDI32(?,00000000), ref: 1000B051
      • SelectObject.GDI32(?,00000000), ref: 1000B059
      • Rectangle.GDI32(?,?,?,?,?), ref: 1000B074
      • SelectObject.GDI32(?,?), ref: 1000B080
      • SelectObject.GDI32(?,?), ref: 1000B088
      • IsRectEmpty.USER32(?), ref: 1000B08F
      • SelectClipRgn.GDI32(?,00000000), ref: 1000B09B
      • DeleteObject.GDI32(00000000), ref: 1000B0A8
      • DeleteObject.GDI32(00000000), ref: 1000B0AB
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Object$CreateSelect$Rect$Delete$ClipEmpty$BrushCombineEqualRectangleSolid
      • String ID:
      • API String ID: 1312918531-0
      • Opcode ID: 37fa40e2efc1a56c945f34d09480b679d3446cfe2338074c795da41fd2fd06c2
      • Instruction ID: ed92dcb72f46cb93286c5d67c269e6d90022c8bc6c11db7440066506c94aadbf
      • Opcode Fuzzy Hash: 37fa40e2efc1a56c945f34d09480b679d3446cfe2338074c795da41fd2fd06c2
      • Instruction Fuzzy Hash: 2D515779205215AFE244DBA4CCC4E6BB7E9FFC8744F208A19FA0597260D770ED46CBA1
      APIs
      • GetWindowLongA.USER32(?,000000F0), ref: 1000C945
      • GetWindowLongA.USER32(?,000000EC), ref: 1000C968
      • IsWindowEnabled.USER32(?), ref: 1000C982
      • SendMessageA.USER32(?,00000138,00000000,?), ref: 1000C9A3
      • GetClientRect.USER32(?,?), ref: 1000C9B4
      • GetWindowRect.USER32(?,?), ref: 1000C9C3
      • ClientToScreen.USER32(?,?), ref: 1000C9D8
      • ClientToScreen.USER32(?,?), ref: 1000C9E3
      • OffsetRect.USER32(?,?,?), ref: 1000C9FE
      • OffsetRect.USER32(?,?,?), ref: 1000CA13
      • SelectObject.GDI32(00000000,00000000), ref: 1000CA17
      • CreateRectRgn.GDI32(?,?,?,?), ref: 1000CA39
      • CreateRectRgn.GDI32(?,?,?,?), ref: 1000CA51
      • CombineRgn.GDI32(00000000,00000000,00000000,00000004), ref: 1000CA5A
      • SelectClipRgn.GDI32(00000000,00000000), ref: 1000CA62
      • DeleteObject.GDI32(00000000), ref: 1000CA6F
      • DeleteObject.GDI32(00000000), ref: 1000CA72
      • PatBlt.GDI32(00000000,00000000,00000000,?,?,00F00021), ref: 1000CA88
      • InflateRect.USER32(?,000000FE,000000FE), ref: 1000CACF
      • IsWindowEnabled.USER32(?), ref: 1000CAD9
      • GetFocus.USER32 ref: 1000CAE7
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$Window$ClientObject$CreateDeleteEnabledLongOffsetScreenSelect$ClipCombineFocusInflateMessageSend
      • String ID:
      • API String ID: 1428229788-0
      • Opcode ID: d4372ce6a2278cce0392c1b9f9947206522c49e50afc0a6178835e897f4a38ff
      • Instruction ID: f3ce32309e44c4e53b58f03bab4cd10378bf4dbb7bac6551a4584a97cbcaf063
      • Opcode Fuzzy Hash: d4372ce6a2278cce0392c1b9f9947206522c49e50afc0a6178835e897f4a38ff
      • Instruction Fuzzy Hash: 26714DB8204305AFE304DF65CC84E2BB7E8EFC9754F108A1DF99993260D675E946CB62
      APIs
      • GetWindowRect.USER32(?,?), ref: 10013F4E
      • OffsetRect.USER32(?,?,?), ref: 10013F67
        • Part of subcall function 1000FBF0: CreateCompatibleDC.GDI32(?), ref: 1000FC09
        • Part of subcall function 1000FBF0: CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 1000FC14
        • Part of subcall function 1000FBF0: SelectObject.GDI32(00000000,00000000), ref: 1000FC21
        • Part of subcall function 1000FBF0: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1000FC3A
        • Part of subcall function 1000FBF0: GetClipRgn.GDI32(?,00000000), ref: 1000FC44
        • Part of subcall function 1000FBF0: SelectClipRgn.GDI32(?,00000000), ref: 1000FC53
        • Part of subcall function 1000FBF0: DeleteObject.GDI32(00000000), ref: 1000FC5A
      • SetBkMode.GDI32(?,00000001), ref: 10013F9A
        • Part of subcall function 10012060: GetPropA.USER32(?,1002C2CC), ref: 1001206C
        • Part of subcall function 10012060: SendMessageA.USER32(?,00000031,?,?), ref: 10012090
      • SelectObject.GDI32(?,00000000), ref: 10013FB5
      • SelectObject.GDI32(?,?), ref: 10013FC9
      • PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 10013FED
      • SendMessageA.USER32(?,0000040C,00000000,00000000), ref: 1001400F
      • ??2@YAPAXI@Z.MSVCRT ref: 10014027
      • SetRectEmpty.USER32(00000000), ref: 10014046
      • SendMessageA.USER32(?,00000409,00000000,00000000), ref: 1001405B
      • SendMessageA.USER32 ref: 10014247
      • SetRect.USER32(?,?,?,?,?), ref: 1001431F
      • DrawTextA.USER32(?,?,?,?,00000025), ref: 10014469
      • ??3@YAXPAX@Z.MSVCRT ref: 10014484
      • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 100144FE
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$MessageObjectSelectSend$Create$ClipCompatible$??2@??3@BitmapDeleteDrawEmptyModeOffsetPropTextWindow
      • String ID: P
      • API String ID: 4166418595-3110715001
      • Opcode ID: 9f570dee45befc74a9ce08817d24616d7024467e30ac1365d4316e300070ec4e
      • Instruction ID: 667f0b52e11a95e24b10ca477dcf0e066d8db5c2e0f9aabd908416b331fe757d
      • Opcode Fuzzy Hash: 9f570dee45befc74a9ce08817d24616d7024467e30ac1365d4316e300070ec4e
      • Instruction Fuzzy Hash: 831269756043019FD314CF58C880A6AB7E6FFC8704F258A1DF6998B361DA71EC86CB52
      APIs
      • GetWindowRect.USER32(?,00000020), ref: 100201C0
      • OffsetRect.USER32(00000020,00000000,?), ref: 100201D2
      • CreateCompatibleDC.GDI32(00000000), ref: 100201D9
      • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 100201EA
      • SelectObject.GDI32(00000000,00000000), ref: 100201FC
      • SelectObject.GDI32(00000000,?), ref: 1002020B
      • PatBlt.GDI32(00000000,00000000,00000000,?,?,00F00021), ref: 1002021F
        • Part of subcall function 10020700: SendMessageA.USER32(?,0000041A,00000000,00000044), ref: 1002071E
        • Part of subcall function 10020700: SendMessageA.USER32(?,00000419,00000000,00000034), ref: 1002072F
        • Part of subcall function 10020700: GetClientRect.USER32(?,?), ref: 10020749
      • IsWindowEnabled.USER32(?), ref: 1002024C
      • IsWindowEnabled.USER32(?), ref: 1002028A
      • GetFocus.USER32 ref: 100202CF
      • IsWindowEnabled.USER32(?), ref: 10020411
      • IsWindowEnabled.USER32(?), ref: 1002044B
      • BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 100205BD
      • DeleteObject.GDI32(?), ref: 100205C8
      • DeleteDC.GDI32(00000000), ref: 100205CF
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Window$Enabled$ObjectRect$CompatibleCreateDeleteMessageSelectSend$BitmapClientFocusOffset
      • String ID:
      • API String ID: 969275910-0
      • Opcode ID: 5b169589681542832a6b021b38e202f014957ac69c21412b49005b06810db579
      • Instruction ID: 94777b03be6e9f1ae59e0413948786f371ff679d45ed1d23647022047fdc10e1
      • Opcode Fuzzy Hash: 5b169589681542832a6b021b38e202f014957ac69c21412b49005b06810db579
      • Instruction Fuzzy Hash: 91C138B9200715DFE364CB54DCC1EAB73AAFF88740F618969FA0587762D634ED418B60
      APIs
      • GetWindowRect.USER32(?,?), ref: 1000DF29
      • OffsetRect.USER32(?,?,?), ref: 1000DF42
        • Part of subcall function 1000FBF0: CreateCompatibleDC.GDI32(?), ref: 1000FC09
        • Part of subcall function 1000FBF0: CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 1000FC14
        • Part of subcall function 1000FBF0: SelectObject.GDI32(00000000,00000000), ref: 1000FC21
        • Part of subcall function 1000FBF0: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1000FC3A
        • Part of subcall function 1000FBF0: GetClipRgn.GDI32(?,00000000), ref: 1000FC44
        • Part of subcall function 1000FBF0: SelectClipRgn.GDI32(?,00000000), ref: 1000FC53
        • Part of subcall function 1000FBF0: DeleteObject.GDI32(00000000), ref: 1000FC5A
      • SetBkMode.GDI32(?,00000001), ref: 1000DF94
        • Part of subcall function 10012060: GetPropA.USER32(?,1002C2CC), ref: 1001206C
        • Part of subcall function 10012060: SendMessageA.USER32(?,00000031,?,?), ref: 10012090
      • SelectObject.GDI32(?,00000000), ref: 1000DFA9
      • IsWindowEnabled.USER32(?), ref: 1000DFB3
      • SendMessageA.USER32(?,00001209,00000000,00000000), ref: 1000DFCE
      • SendMessageA.USER32 ref: 1000DFFA
      • SendMessageA.USER32(?,0000120F,?,00000000), ref: 1000E02B
      • SendMessageA.USER32(?,00001203,00000000,?), ref: 1000E03E
      • SendMessageA.USER32(?,00001207,00000000,?), ref: 1000E04F
      • 75031510.COMCTL32(?,?,?,?,?,00000001,?,?,?,00001200,00000000,00000000), ref: 1000E156
      • SetTextColor.GDI32(?,?), ref: 1000E1A9
      • DrawTextA.USER32(?,?,?,?,00000024), ref: 1000E1D4
      • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 1000E210
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: MessageSend$CreateObjectRectSelect$ClipCompatibleTextWindow$75031510BitmapColorDeleteDrawEnabledModeOffsetProp
      • String ID: 7
      • API String ID: 1961424070-1790921346
      • Opcode ID: 209c6b230ae2945e32d27e986554ab5b0cf3fdf4ca1b30fa4d1875b4f07b6efb
      • Instruction ID: d6cd2112b19415e89498b4abe21e6ca38dab58f18fec7e0c69950289425e1392
      • Opcode Fuzzy Hash: 209c6b230ae2945e32d27e986554ab5b0cf3fdf4ca1b30fa4d1875b4f07b6efb
      • Instruction Fuzzy Hash: 58A14A75208341AFE314CF24C884F6BB7E9EBC8744F108A1CF599973A1DA75E945CB62
      APIs
      • DeleteObject.GDI32(?), ref: 10018F91
      • DeleteObject.GDI32(?), ref: 10018FA7
      • DeleteObject.GDI32(?), ref: 10018FC1
      • DeleteObject.GDI32(?), ref: 10018FCE
      • CreateFontIndirectA.GDI32(00000000), ref: 1001900A
      • CreateFontIndirectA.GDI32(00000000), ref: 1001902C
      • SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 10019057
      • CreateFontIndirectA.GDI32(?), ref: 1001905E
      • CreateFontIndirectA.GDI32 ref: 10019076
      • SystemParametersInfoA.USER32 ref: 100190A3
      • CreateFontIndirectA.GDI32(?), ref: 100190BA
      • CreateFontIndirectA.GDI32(?), ref: 100190CD
      • CreateFontIndirectA.GDI32(?), ref: 10019102
      • CreateFontIndirectA.GDI32(?), ref: 10019116
      • CreateFontIndirectA.GDI32(?), ref: 10019131
      • CreateFontIndirectA.GDI32(?), ref: 10019145
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: CreateFontIndirect$DeleteObject$InfoParametersSystem
      • String ID:
      • API String ID: 3387422844-0
      • Opcode ID: 830815c587014a26e3a7e992bde17b6236e9c72615f67e54c72626ec8243f3db
      • Instruction ID: 711df5a203e8b563da40807aa8fc905527dfc6b6a225bd5e8f361db8bcb87da6
      • Opcode Fuzzy Hash: 830815c587014a26e3a7e992bde17b6236e9c72615f67e54c72626ec8243f3db
      • Instruction Fuzzy Hash: DD6116B06007468FE720CF69C880A9BF7E5FF88744F504A2EE98A87640E774FA45CB55
      APIs
      • IsWindowVisible.USER32(?), ref: 10015C7C
      • GetClientRect.USER32(?,?), ref: 10015CA1
      • GetWindowRect.USER32(?,?), ref: 10015CB0
      • ClientToScreen.USER32(?,?), ref: 10015CC5
      • ClientToScreen.USER32(?,?), ref: 10015CD0
      • OffsetRect.USER32(?,?,?), ref: 10015CEB
      • OffsetRect.USER32(?,?,?), ref: 10015D00
      • EqualRect.USER32(?,?), ref: 10015D0C
      • IsWindowEnabled.USER32(?), ref: 10015D96
      • GetFocus.USER32 ref: 10015DF8
        • Part of subcall function 1000AF00: EqualRect.USER32(1000AEEB,?), ref: 1000AF0A
        • Part of subcall function 1000AF00: IsRectEmpty.USER32(?), ref: 1000AF21
        • Part of subcall function 1000AF00: CreateRectRgn.GDI32(?,?,?,?), ref: 1000AF49
        • Part of subcall function 1000AF00: CreateRectRgn.GDI32(?,?,?,?), ref: 1000AF61
        • Part of subcall function 1000AF00: CombineRgn.GDI32(00000000,00000000,00000000,00000004), ref: 1000AF6A
        • Part of subcall function 1000AF00: SelectClipRgn.GDI32(?,00000000), ref: 1000AF72
        • Part of subcall function 1000AF00: DeleteObject.GDI32(00000000), ref: 1000AF7F
        • Part of subcall function 1000AF00: DeleteObject.GDI32(00000000), ref: 1000AF82
        • Part of subcall function 1000AF00: CreatePen.GDI32(00000000,00000001,?), ref: 1000AFA1
        • Part of subcall function 1000AF00: CreateSolidBrush.GDI32(?), ref: 1000B041
        • Part of subcall function 1000AF00: SelectObject.GDI32(?,00000000), ref: 1000B051
        • Part of subcall function 1000AF00: SelectObject.GDI32(?,00000000), ref: 1000B059
        • Part of subcall function 1000AF00: Rectangle.GDI32(?,?,?,?,?), ref: 1000B074
        • Part of subcall function 1000AF00: SelectObject.GDI32(?,?), ref: 1000B080
        • Part of subcall function 1000AF00: SelectObject.GDI32(?,?), ref: 1000B088
        • Part of subcall function 1000AF00: IsRectEmpty.USER32(?), ref: 1000B08F
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$Object$Select$Create$ClientWindow$DeleteEmptyEqualOffsetScreen$BrushClipCombineEnabledFocusRectangleSolidVisible
      • String ID:
      • API String ID: 2232225062-0
      • Opcode ID: 6fd00cd0d9cef5d93f091ee120e2f42cff278c3d6447bc84d75fe32b91aeaa54
      • Instruction ID: 8293882ae8f60722bbcd7dca41eebeae144ae381a56dea18b72fd41b6b61f364
      • Opcode Fuzzy Hash: 6fd00cd0d9cef5d93f091ee120e2f42cff278c3d6447bc84d75fe32b91aeaa54
      • Instruction Fuzzy Hash: 6291F4B96043019FD304DF69C88592BB7E9EBC8310F14CA1DF9998B355DA31E946CB92
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$Empty$Window$Long
      • String ID:
      • API String ID: 1594619121-0
      • Opcode ID: bb4e3b14c8995c92c39710eed11583c245718b1c2e8e577bdaf230dd83820362
      • Instruction ID: d0c9926444baea1fe4ebff3a720e05cc6beccc75dc12de5c1cc4c6843b7c2cf1
      • Opcode Fuzzy Hash: bb4e3b14c8995c92c39710eed11583c245718b1c2e8e577bdaf230dd83820362
      • Instruction Fuzzy Hash: FFA11375605B058FE364CF28C888BA7B7E5FF88345F25896DD89E87215DB32A806CF50
      APIs
      • KillTimer.USER32(?,00006626), ref: 1002412C
      • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 1002413C
        • Part of subcall function 10024CF0: GetMenuItemInfoA.USER32 ref: 10024D26
        • Part of subcall function 100124D0: SetTimer.USER32(?,?,00000000,10012490), ref: 100124E3
      • KillTimer.USER32(?,?), ref: 10024176
      • TrackPopupMenu.USER32(?,00000000,00000000,00000000,00000000,?), ref: 100241DA
        • Part of subcall function 10023F00: GetCursorPos.USER32(?), ref: 10023F0E
        • Part of subcall function 10023F00: GetWindowRect.USER32(?,?), ref: 10023F1D
        • Part of subcall function 10023F00: PtInRect.USER32(?,?,?), ref: 10023F38
        • Part of subcall function 10023F00: PtInRect.USER32(00000168,?,?), ref: 10023F67
        • Part of subcall function 10023F00: GetMenuItemCount.USER32(?), ref: 10023F94
        • Part of subcall function 10023F00: GetMenuItemInfoA.USER32 ref: 10023FE3
        • Part of subcall function 10023F00: OffsetRect.USER32(?,?,00000000), ref: 1002401B
        • Part of subcall function 10023F00: PtInRect.USER32(?,00000400,00000000), ref: 10024030
        • Part of subcall function 10024060: GetMenuItemRect.USER32(?,?,?,?), ref: 10024082
        • Part of subcall function 10024060: GetMenuItemRect.USER32(?,?,?,?), ref: 10024099
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$Menu$Item$Timer$InfoKill$CountCursorMessageOffsetPopupSendTrackWindow
      • String ID:
      • API String ID: 2948288781-0
      • Opcode ID: 51ee28288f19f70f4e95dd3a8ef5f6a57d4dcf2b95c017293d7a3d885d298ca3
      • Instruction ID: 37a8328168521e0b11368bf9a4f74ca38fbc0c8ce550388fabf89b9119d921f0
      • Opcode Fuzzy Hash: 51ee28288f19f70f4e95dd3a8ef5f6a57d4dcf2b95c017293d7a3d885d298ca3
      • Instruction Fuzzy Hash: 0F71EF79200702ABE310DB28DC84FABB7F9EF98754F11891DF55A87290DB31E945CB51
      APIs
      • IsWindowEnabled.USER32(?), ref: 10002C9C
      • SendMessageA.USER32(?,00000020,?,0200FFFE), ref: 10002CBD
      • SendMessageA.USER32(?,00000020,?,0202FFFE), ref: 10002CDD
      • GetCursorPos.USER32(?), ref: 10002D06
      • GetWindowRect.USER32(?,?), ref: 10002D1C
      • GetWindowRect.USER32(?,?), ref: 10002D2A
      • GetWindowRect.USER32(?,?), ref: 10002D38
      • PtInRect.USER32(?,?,?), ref: 10002D87
      • LoadCursorA.USER32(00000000,00007F85), ref: 10002DC6
      • SetCursor.USER32(00000000), ref: 10002DCD
      • SendMessageA.USER32(?,?,0000000F,?), ref: 10002DE9
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: RectWindow$CursorMessageSend$EnabledLoad
      • String ID:
      • API String ID: 4229092383-0
      • Opcode ID: f0ec41966ff8e8fd90f7b837bfef7e6c1f3a3dc11e14d87aa70b65b93e45b5b6
      • Instruction ID: dc413347daec2f70c86c06c67fd336eb8edfad542e32f7a3e4721b36555a0e72
      • Opcode Fuzzy Hash: f0ec41966ff8e8fd90f7b837bfef7e6c1f3a3dc11e14d87aa70b65b93e45b5b6
      • Instruction Fuzzy Hash: 66517975608742AFE310DB65CC88E9BB7E9FFC8B50F60891DF58983250D674E905CB62
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: ??3@$Delete$Object
      • String ID:
      • API String ID: 1805807598-0
      • Opcode ID: 7b169dbb6de1d35d7e5cbc644cd2f3a099730363be3119b7d3e9183802c9ff51
      • Instruction ID: 8eb2a162a59bfd02bb3efb1085eef2ff5d2453cd59b241f8ea59b29271d371ff
      • Opcode Fuzzy Hash: 7b169dbb6de1d35d7e5cbc644cd2f3a099730363be3119b7d3e9183802c9ff51
      • Instruction Fuzzy Hash: 0D3105B9500B519BC720DFB8D8C5A9BB7E8FB4C210FA08D1DB5AA87241C676F9449B60
      APIs
      • IsWindowEnabled.USER32(?), ref: 10016A9B
      • SetRect.USER32(?,00000000,?,?,?), ref: 10016C24
      • MulDiv.KERNEL32(?,?,?), ref: 10016C3D
      • OffsetRect.USER32(?,00000000,00000000), ref: 10016C51
      • OffsetRect.USER32(?,00000000,?), ref: 10016C7F
      • IsRectEmpty.USER32(?), ref: 10016C85
      • MulDiv.KERNEL32(?,76952370,?), ref: 10016CDB
      • MulDiv.KERNEL32(-00000001,?,?), ref: 10016CFA
      • MulDiv.KERNEL32(?,?,?), ref: 10016D1F
      • SetRect.USER32(?,?,00000000,?,?), ref: 10016DB7
      • SetRectEmpty.USER32(?), ref: 10016DC3
      • EqualRect.USER32(?,?), ref: 10016DED
      • EqualRect.USER32(?,?), ref: 10016DFD
      • SetRectEmpty.USER32(?), ref: 10016E30
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$Empty$EqualOffset$EnabledWindow
      • String ID:
      • API String ID: 1250441839-0
      • Opcode ID: 488337cf230d6d23f37ee5c869d15c7c6214d7048653378568f50572e3e0747a
      • Instruction ID: b6d8e02c079bcafa56aa8081014225c04d9d0cf20a220bfdce263d8fab6bfb8f
      • Opcode Fuzzy Hash: 488337cf230d6d23f37ee5c869d15c7c6214d7048653378568f50572e3e0747a
      • Instruction Fuzzy Hash: 3302E4746047019FC718CF69C98491AFBF6FF88304F248A2DE98A8B755D731E985CB91
      APIs
      • GetSysColor.USER32(0000000F), ref: 10011466
      • GetSystemMetrics.USER32(0000000F), ref: 10011476
      • GetSystemMetrics.USER32(00000000), ref: 1001147D
      • GetSystemMetrics.USER32(00000001), ref: 10011484
      • GetSystemMetrics.USER32(0000000B), ref: 1001148B
      • GetSystemMetrics.USER32(0000000C), ref: 10011492
      • GetSystemMetrics.USER32(00000002), ref: 10011499
      • GetSystemMetrics.USER32(00000003), ref: 100114A0
      • GetSystemMetrics.USER32(00000020), ref: 100114A7
      • GetSystemMetrics.USER32(00000021), ref: 100114AE
      • GetSystemMetrics.USER32(00000007), ref: 100114B5
      • GetSystemMetrics.USER32(00000008), ref: 100114BC
      • GetSystemMetrics.USER32(00000004), ref: 100114C3
      • GetSystemMetrics.USER32(00000033), ref: 100114CA
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: MetricsSystem$Color
      • String ID:
      • API String ID: 3740768223-0
      • Opcode ID: 4821abbd3c922a8ad17e9c27865194d4b68152617fa17cc4b81dc97e02bf1303
      • Instruction ID: b415c9ff06fc4772aef4a92c67fdb6d16b11039c2eda6f13e71a1828a8f5e86c
      • Opcode Fuzzy Hash: 4821abbd3c922a8ad17e9c27865194d4b68152617fa17cc4b81dc97e02bf1303
      • Instruction Fuzzy Hash: F00187B0D417449AE7306FB29D4EF07BEE0EFC0B00F11492EE2858BA81D6B5A141CF40
      APIs
      • GetWindowRect.USER32(?,?), ref: 1000CE96
      • OffsetRect.USER32(?,?,?), ref: 1000CEAF
      • GetClientRect.USER32(?,?), ref: 1000CEC1
      • SelectObject.GDI32(?,?), ref: 1000CEFA
      • PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 1000CF18
      • SetMapMode.GDI32(?,00000001), ref: 1000CF24
      • SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 1000CF34
      • SetWindowExtEx.GDI32(?,00000001,00000001,00000000), ref: 1000CF44
      • SetViewportOrgEx.GDI32(?,00000000,00000000,00000000), ref: 1000CF54
      • SetViewportExtEx.GDI32(?,00000001,00000001,00000000), ref: 1000CF64
      • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 1000CFB5
        • Part of subcall function 1000FC70: SelectObject.GDI32(?,?), ref: 1000FC7A
        • Part of subcall function 1000FC70: DeleteDC.GDI32 ref: 1000FC83
        • Part of subcall function 1000FC70: DeleteObject.GDI32(?), ref: 1000FC8D
        • Part of subcall function 1000E340: SelectObject.GDI32(?,?), ref: 1000E3AA
        • Part of subcall function 1000E340: DeleteDC.GDI32(?), ref: 1000E3B4
        • Part of subcall function 1000E340: DeleteObject.GDI32(?), ref: 1000E3D1
      • ??3@YAXPAX@Z.MSVCRT ref: 1000D017
      • InvalidateRect.USER32(?,00000000,00000001), ref: 1000D031
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Object$DeleteRect$SelectWindow$Viewport$??3@ClientInvalidateModeOffset
      • String ID:
      • API String ID: 648218233-0
      • Opcode ID: 1af748156e2dd9d40a91cdbdd6aab29c40d3e99f3135864ecf00bc1dc963960f
      • Instruction ID: 2f10df49a190d83ca2c48d706accd39583ccff9776fc3dcd98fdd01acb908c43
      • Opcode Fuzzy Hash: 1af748156e2dd9d40a91cdbdd6aab29c40d3e99f3135864ecf00bc1dc963960f
      • Instruction Fuzzy Hash: 6A615C79244342AFE224DF14CC85F2BB7A8FB88B40F20891DFA5997295C771FD428B61
      APIs
      • GetClientRect.USER32(?,?), ref: 10009562
      • GetWindowRect.USER32(?,?), ref: 10009571
      • ClientToScreen.USER32(?,?), ref: 10009586
      • ClientToScreen.USER32(?,?), ref: 10009591
      • OffsetRect.USER32(?,?,?), ref: 100095AC
      • OffsetRect.USER32(?,?,?), ref: 100095C1
      • IsWindowEnabled.USER32(?), ref: 100095D2
      • GetFocus.USER32 ref: 100095E0
      • FindWindowExA.USER32(?,00000000,1002C070,00000000), ref: 1000964D
      • FindWindowExA.USER32(?,00000000,1002C060,00000000), ref: 10009662
      • SelectObject.GDI32(00000000,?), ref: 100096C6
      • PatBlt.GDI32(00000000,?,?,?,?,00F00021), ref: 100096E8
      • IsWindowEnabled.USER32(?), ref: 100096F2
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Window$Rect$Client$EnabledFindOffsetScreen$FocusObjectSelect
      • String ID:
      • API String ID: 995514740-0
      • Opcode ID: 82dd0a023d1e9244c0f8f06e9f0e271506f95df6bee9012c3d74dd2b6a11903f
      • Instruction ID: 219e8067712f3e67318549e0e7e2ffd899cab36933d0d05de9bc9511727c2731
      • Opcode Fuzzy Hash: 82dd0a023d1e9244c0f8f06e9f0e271506f95df6bee9012c3d74dd2b6a11903f
      • Instruction Fuzzy Hash: BB6115B8204702AFE314DF69C880E6BB7E8FF88744B208A5DF94987355D735E946CB61
      APIs
      • GetClientRect.USER32(?,?), ref: 1001CA4C
      • GetWindowRect.USER32(?,?), ref: 1001CA5B
      • ClientToScreen.USER32(?,?), ref: 1001CA70
      • ClientToScreen.USER32(?,?), ref: 1001CA7B
      • OffsetRect.USER32(?,?,?), ref: 1001CA96
      • OffsetRect.USER32(?,?,?), ref: 1001CAAB
      • EqualRect.USER32(?,?), ref: 1001CAB7
      • BeginPath.GDI32(00000000), ref: 1001CAC2
      • Rectangle.GDI32(00000000,?,?,?,?), ref: 1001CADD
      • EndPath.GDI32(00000000), ref: 1001CAE4
      • SelectClipPath.GDI32(00000000,00000004), ref: 1001CAED
      • SelectObject.GDI32(00000000,?), ref: 1001CB00
      • PatBlt.GDI32(00000000,00000000,00000000,?,?,00F00021), ref: 1001CB1A
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$ClientPath$OffsetScreenSelect$BeginClipEqualObjectRectangleWindow
      • String ID:
      • API String ID: 2221267872-0
      • Opcode ID: 219697da08de77e07886dc8c6d20df574dcbbf54c4940b152de1776a259c56e3
      • Instruction ID: 2ba2e5f7c95da289b8c11f671d4d77d81127840f5cb8de534027a22f72d25923
      • Opcode Fuzzy Hash: 219697da08de77e07886dc8c6d20df574dcbbf54c4940b152de1776a259c56e3
      • Instruction Fuzzy Hash: B231C879204316AFE714DB65CCC9D7BB3F9FBC8614F108A0CF55683250DA74E94A8B61
      APIs
      • GetWindowRect.USER32(?,?), ref: 100084C9
      • GetComboBoxInfo.USER32 ref: 100084DC
      • GetWindowRect.USER32(?,?), ref: 100084FD
      • OffsetRect.USER32(?,?,?), ref: 1000851B
      • CallWindowProcA.USER32(?,?,0000000F,?,?), ref: 10008566
      • IsWindowEnabled.USER32(?), ref: 10008599
      • GetFocus.USER32 ref: 100085A7
      • IsRectEmpty.USER32(?), ref: 10008606
      • SelectObject.GDI32(00000000,?), ref: 10008646
      • PatBlt.GDI32(00000000,?,?,?,?,00F00021), ref: 1000866A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: RectWindow$CallComboEmptyEnabledFocusInfoObjectOffsetProcSelect
      • String ID: 4
      • API String ID: 3620934650-4088798008
      • Opcode ID: ff69685712dfb7541cd1ad91b48a2aaedd911cbe40dfa843f3ff19d120081c87
      • Instruction ID: 5cea887d1a42687cc65618457859d6ae2faca28e616dd28a7858be6a4daf13f9
      • Opcode Fuzzy Hash: ff69685712dfb7541cd1ad91b48a2aaedd911cbe40dfa843f3ff19d120081c87
      • Instruction Fuzzy Hash: 275127B9208701AFE314DF68C880E6BB7E9FBC8750F108A1DF99987355DA30E945CB52
      APIs
      • GetClientRect.USER32(?,?), ref: 1001383A
        • Part of subcall function 1000FBF0: CreateCompatibleDC.GDI32(?), ref: 1000FC09
        • Part of subcall function 1000FBF0: CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 1000FC14
        • Part of subcall function 1000FBF0: SelectObject.GDI32(00000000,00000000), ref: 1000FC21
        • Part of subcall function 1000FBF0: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1000FC3A
        • Part of subcall function 1000FBF0: GetClipRgn.GDI32(?,00000000), ref: 1000FC44
        • Part of subcall function 1000FBF0: SelectClipRgn.GDI32(?,00000000), ref: 1000FC53
        • Part of subcall function 1000FBF0: DeleteObject.GDI32(00000000), ref: 1000FC5A
        • Part of subcall function 10012060: GetPropA.USER32(?,1002C2CC), ref: 1001206C
        • Part of subcall function 10012060: SendMessageA.USER32(?,00000031,?,?), ref: 10012090
      • SelectObject.GDI32(?,00000000), ref: 10013889
      • InflateRect.USER32(?,000000FF,000000FF), ref: 100138F0
      • InflateRect.USER32(00000000,000000FF,000000FF), ref: 100138FB
      • IsWindowEnabled.USER32(?), ref: 10013912
      • GetWindowTextA.USER32(?,?,00000400), ref: 10013AA2
      • DrawTextA.USER32(?,?,?,?,00000001), ref: 10013B3E
      • GetPropA.USER32(?,1002C2C0), ref: 10013BD4
      • SetTextColor.GDI32(?,00000000), ref: 10013BFA
      • SetBkMode.GDI32(?,00000001), ref: 10013C07
      • DrawTextA.USER32(?,?,?,?,00000001), ref: 10013C2C
      • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 10013C56
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: RectText$CreateObjectSelect$ClipCompatibleDrawInflatePropWindow$BitmapClientColorDeleteEnabledMessageModeSend
      • String ID:
      • API String ID: 3785997197-0
      • Opcode ID: bf8b04a64fc7e9720845d1a8b633114ab653b3764a86c28c23747f38c52eb1d7
      • Instruction ID: 6eeb226ef1bb0de1b614e7657a0c8b189afcc3c0ce88ba382625342e3441b8cf
      • Opcode Fuzzy Hash: bf8b04a64fc7e9720845d1a8b633114ab653b3764a86c28c23747f38c52eb1d7
      • Instruction Fuzzy Hash: 5DE137B52083019FD354CF68C884A6AB7E5FFC8714F108A1DFAA987391D774E945CB92
      APIs
      • SendMessageA.USER32(?,000000F6,00000001,00000000), ref: 10007570
      • GetIconInfo.USER32(00000000,?), ref: 10007586
      • GetObjectA.GDI32(?,00000018,?), ref: 10007598
      • DrawIconEx.USER32(?,?,?,00000000,?,?,00000000,00000000,00000003), ref: 1000761E
      • DeleteObject.GDI32(?), ref: 1000762F
      • DeleteObject.GDI32(?), ref: 10007636
      • SendMessageA.USER32(?,000000F6,00000000,00000000), ref: 1000764D
      • GetObjectA.GDI32(00000000,00000018,?), ref: 10007665
      • CreateCompatibleDC.GDI32(?), ref: 10007670
      • SelectObject.GDI32(00000000,00000000), ref: 1000767A
      • BitBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,00CC0020), ref: 10007701
      • DeleteDC.GDI32(00000000), ref: 10007708
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Object$Delete$IconMessageSend$CompatibleCreateDrawInfoSelect
      • String ID:
      • API String ID: 955780663-0
      • Opcode ID: 122180a6be51cacf192691a891b99cc1150dfe11f8c774a4c476940fe2165945
      • Instruction ID: 5ad2fc0d9cfef1da6667f6bfad95baaf5387ec86fbaa1d7a00321d89c8de7b88
      • Opcode Fuzzy Hash: 122180a6be51cacf192691a891b99cc1150dfe11f8c774a4c476940fe2165945
      • Instruction Fuzzy Hash: BD516075300611AFD344CA7CCD85F6BB7EAEFC8244F198628FA49C7255D671EC068790
      APIs
      • GetClientRect.USER32(?,?), ref: 1000C702
      • GetWindowRect.USER32(?,?), ref: 1000C711
      • ClientToScreen.USER32(?,?), ref: 1000C726
      • ClientToScreen.USER32(?,?), ref: 1000C731
      • OffsetRect.USER32(?,?,?), ref: 1000C74C
      • OffsetRect.USER32(?,?,?), ref: 1000C761
      • IsWindowEnabled.USER32(?), ref: 1000C778
      • GetFocus.USER32 ref: 1000C782
      • InflateRect.USER32(00000020,000000FE,000000FE), ref: 1000C81C
      • SelectObject.GDI32(00000000,?), ref: 1000C830
      • PatBlt.GDI32(00000000,?,?,?,?,00F00021), ref: 1000C84F
      • IsWindowEnabled.USER32(?), ref: 1000C859
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$ClientWindow$EnabledOffsetScreen$FocusInflateObjectSelect
      • String ID:
      • API String ID: 3408369734-0
      • Opcode ID: 3be52d9941539292c299830c6e9bf5df74aa8ccb6bf1b58d779688aaf5952ba0
      • Instruction ID: d3539a25c7ff0506e7ee7ab9e9479a1055ac5ff067c866c20199165bfa3bfce7
      • Opcode Fuzzy Hash: 3be52d9941539292c299830c6e9bf5df74aa8ccb6bf1b58d779688aaf5952ba0
      • Instruction Fuzzy Hash: C25119B8204706AFE314DF69C884D2BB7E9FFC8354B208A1DF85987365D631ED468B61
      APIs
      • CallWindowProcA.USER32(?,?,?,?,?), ref: 1001608F
      • CallWindowProcA.USER32(?,?,?,?,?), ref: 100160C2
      • GetParent.USER32(?), ref: 1001611B
      • SendMessageA.USER32(00000000), ref: 10016122
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: CallProcWindow$MessageParentSend
      • String ID:
      • API String ID: 482362837-0
      • Opcode ID: 916f991154467816be997b105c9d4eb4c11a9125e158527fd240b7089936db19
      • Instruction ID: 0d51841f0734fbb8e4940dc07b8de3669c789b49538fb586d0ae161ad6d6c563
      • Opcode Fuzzy Hash: 916f991154467816be997b105c9d4eb4c11a9125e158527fd240b7089936db19
      • Instruction Fuzzy Hash: 4E519E76200611AFE310DB68CC85FAB73E8EB8C750F144918F95ACB292D670E985CBA1
      APIs
      • GetWindowRect.USER32(?), ref: 1000C03F
      • GetClientRect.USER32(?,?), ref: 1000C04B
      • ClientToScreen.USER32(?,?), ref: 1000C05D
      • ClientToScreen.USER32(?,?), ref: 1000C065
      • OffsetRect.USER32(?,?,?), ref: 1000C080
      • OffsetRect.USER32(?,?,?), ref: 1000C095
      • CreateRectRgn.GDI32(?,?,?,?), ref: 1000C0B1
      • CreateRectRgn.GDI32(?,?,?,?), ref: 1000C0C9
      • CombineRgn.GDI32(00000000,00000000,00000000,00000004), ref: 1000C0D2
      • SelectClipRgn.GDI32(?,00000000), ref: 1000C0DE
      • DeleteObject.GDI32(00000000), ref: 1000C0EB
      • DeleteObject.GDI32(00000000), ref: 1000C0EE
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$Client$CreateDeleteObjectOffsetScreen$ClipCombineSelectWindow
      • String ID:
      • API String ID: 2240990249-0
      • Opcode ID: 4b3a124ec8f7523d0d551fb504430074e69b4b5c7f317864df0b48e49119c4e9
      • Instruction ID: 6da254da4a0019f5656eed989aa654683ae0a7bab9e4da9d351570924b964c57
      • Opcode Fuzzy Hash: 4b3a124ec8f7523d0d551fb504430074e69b4b5c7f317864df0b48e49119c4e9
      • Instruction Fuzzy Hash: C021D8B9115225BFE304DB55CC84CABB7EDEFC9710F158A0DF98593210D674EA0A8BA2
      APIs
      • GetWindowRect.USER32(?,?), ref: 10012DA6
      • OffsetRect.USER32(?,?,?), ref: 10012DBF
        • Part of subcall function 1000FBF0: CreateCompatibleDC.GDI32(?), ref: 1000FC09
        • Part of subcall function 1000FBF0: CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 1000FC14
        • Part of subcall function 1000FBF0: SelectObject.GDI32(00000000,00000000), ref: 1000FC21
        • Part of subcall function 1000FBF0: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1000FC3A
        • Part of subcall function 1000FBF0: GetClipRgn.GDI32(?,00000000), ref: 1000FC44
        • Part of subcall function 1000FBF0: SelectClipRgn.GDI32(?,00000000), ref: 1000FC53
        • Part of subcall function 1000FBF0: DeleteObject.GDI32(00000000), ref: 1000FC5A
      • SelectObject.GDI32(?,00000000), ref: 10012DF5
      • PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 10012E0F
      • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 10012E28
      • SendMessageA.USER32(?,00000407,00000001,00000000), ref: 10012E3C
      • IsWindowEnabled.USER32(?), ref: 10012E7B
      • IsWindowEnabled.USER32(?), ref: 10012F5A
      • IsWindowEnabled.USER32(?), ref: 10012F95
      • IsWindowEnabled.USER32(?), ref: 1001306D
      • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 100130BE
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Window$Enabled$CreateObjectRectSelect$ClipCompatibleMessageSend$BitmapDeleteOffset
      • String ID:
      • API String ID: 1350237671-0
      • Opcode ID: 6133fc0ec921e100b3f7b777ce710fdf6920ba7fd51a58843914a26640d38602
      • Instruction ID: 4c5c30fd0665583f47b77be65c20ac278036d55bad62e296687f2ec44f63bcda
      • Opcode Fuzzy Hash: 6133fc0ec921e100b3f7b777ce710fdf6920ba7fd51a58843914a26640d38602
      • Instruction Fuzzy Hash: A9B148B9204301AFE348CF68C885E6AB7EAFBC8714F148A2DF95997351DB30E941CB51
      APIs
      • DeleteObject.GDI32(?), ref: 1001BC14
      • DeleteObject.GDI32(?), ref: 1001BC2F
      • DeleteObject.GDI32(?), ref: 1001BC5B
      • DeleteObject.GDI32(?), ref: 1001BC7F
      • DeleteObject.GDI32(?), ref: 1001BCA2
      • DeleteObject.GDI32(?), ref: 1001BCBB
      • SendMessageA.USER32(?,00006A31,00000000,00000000), ref: 1001BD28
      • IsWindowVisible.USER32(?), ref: 1001BD38
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: DeleteObject$MessageSendVisibleWindow
      • String ID:
      • API String ID: 2663172341-0
      • Opcode ID: 66abe18e5676ff3348325067956f17469dfdb9c0fcfd3401069746659852b7f4
      • Instruction ID: 69cb3e28c512f8bc434b60400197b4956680df1e75d225c41875b39bfed14100
      • Opcode Fuzzy Hash: 66abe18e5676ff3348325067956f17469dfdb9c0fcfd3401069746659852b7f4
      • Instruction Fuzzy Hash: C15149B96006198FD744DF65D8C4D19BBE6EF84754B66806DE4098F261CB32ECC2CF54
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: ??2@ItemMenu$Info$??3@Count
      • String ID: 0
      • API String ID: 1280313425-4108050209
      • Opcode ID: 6e4a127d26160f2826dbd7c3078cd4743ef47c8372238a0a12d2d6f6826a0902
      • Instruction ID: 9c73eb5ddcbb23b1021a2a30c8f8144f940f888cd30e2e31c2a3417c855ec077
      • Opcode Fuzzy Hash: 6e4a127d26160f2826dbd7c3078cd4743ef47c8372238a0a12d2d6f6826a0902
      • Instruction Fuzzy Hash: 117128B1B042429FD304CF14C880A5ABBE5FF88754F25C56DF8899B361D7B6E886CB91
      APIs
      • GetCursorPos.USER32(?), ref: 10023F0E
      • GetWindowRect.USER32(?,?), ref: 10023F1D
      • PtInRect.USER32(?,?,?), ref: 10023F38
      • PtInRect.USER32(00000168,?,?), ref: 10023F67
      • GetMenuItemCount.USER32(?), ref: 10023F94
        • Part of subcall function 10024DB0: GetMenuItemRect.USER32(?,00000000,?,?,?,?,751E6D90,00000000,10023B9B,00000000,?), ref: 10024DCB
        • Part of subcall function 10024DB0: OffsetRect.USER32(?,?,?), ref: 10024DF9
      • GetMenuItemInfoA.USER32 ref: 10023FE3
      • OffsetRect.USER32(?,?,00000000), ref: 1002401B
      • PtInRect.USER32(?,00000400,00000000), ref: 10024030
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$ItemMenu$Offset$CountCursorInfoWindow
      • String ID: 0
      • API String ID: 1145675194-4108050209
      • Opcode ID: 175602bbc668ff8853d7943d656a5cc7ce6d6184f3f0c48b566ecbe4b546db37
      • Instruction ID: 31d5a28eec6a1afefc3e1dee2d447974a65d6f43cb3d9e79273529089ad59d0b
      • Opcode Fuzzy Hash: 175602bbc668ff8853d7943d656a5cc7ce6d6184f3f0c48b566ecbe4b546db37
      • Instruction Fuzzy Hash: BE415B752087019FD304DF68DC88A6BB7F9FBC8650F11891DFA5583250DB71E94ACBA2
      APIs
      • GetClientRect.USER32(?,?), ref: 1000669B
      • SelectObject.GDI32(?,?), ref: 100066CF
      • PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 100066E7
      • GetPropA.USER32(?,1002C03C), ref: 100066F3
      • IsWindowEnabled.USER32(?), ref: 10006700
      • GetFocus.USER32 ref: 10006745
      • InflateRect.USER32(?,000000FB,000000FB), ref: 100067AA
      • InflateRect.USER32(?,00000005,00000005), ref: 100067F1
      • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 10006813
      • ??3@YAXPAX@Z.MSVCRT ref: 10006877
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$Inflate$??3@ClientEnabledFocusObjectPropSelectWindow
      • String ID:
      • API String ID: 24168671-0
      • Opcode ID: ed3e04b97e76525c8ce2d3e680fc5afe9cccc0776d0c1c7a03bb55042e5a08e0
      • Instruction ID: 808e24e67ffa3fdcadfbf8160937d97e86c192aaa0f854ceeccdbcc12e2f0151
      • Opcode Fuzzy Hash: ed3e04b97e76525c8ce2d3e680fc5afe9cccc0776d0c1c7a03bb55042e5a08e0
      • Instruction Fuzzy Hash: 3A8159B96043419FE314CF54CC84E6BB3EAFB88794F218A2CF95987355DA30ED458B61
      APIs
      • GlobalAlloc.KERNEL32(00000002,00000660,751E6BA0,00000000,00000000,?,?,?,10003905,?,?,?,1002CDA8,?,1002CDC8), ref: 1001C227
      • GlobalFix.KERNEL32(00000000), ref: 1001C230
      • SetRect.USER32(00000010,7FFFFFFF,7FFFFFFF,00000000,00000000), ref: 1001C25D
      • GlobalUnWire.KERNEL32(00000000), ref: 1001C2EB
      • GlobalReAlloc.KERNEL32(00000000,?,00000002), ref: 1001C30D
      • GlobalFix.KERNEL32(00000000), ref: 1001C316
      • SetRect.USER32(?,?,?,?,?), ref: 1001C339
      • ExtCreateRegion.GDI32(00000000,00000062,00000000), ref: 1001C3B3
      • GlobalUnWire.KERNEL32(00000000), ref: 1001C3BC
      • GlobalFree.KERNEL32(00000000), ref: 1001C3C3
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Global$AllocRectWire$CreateFreeRegion
      • String ID:
      • API String ID: 3828056624-0
      • Opcode ID: 6ba06d16079189b5735e3eb41b3e1a1aff45cf1b4ebc31a8399078287940a643
      • Instruction ID: 800a03afdf74d798d33c9bbd273a6215fc8d6eee2ba7c904765c8bbc0eaa987e
      • Opcode Fuzzy Hash: 6ba06d16079189b5735e3eb41b3e1a1aff45cf1b4ebc31a8399078287940a643
      • Instruction Fuzzy Hash: 165179752047058FD314CF19C8C4E1ABBE6FBC8354F158A2DF8969B252D730E98ACBA1
      APIs
        • Part of subcall function 100069F0: DeleteObject.GDI32(?), ref: 100069FE
      • CreateCompatibleDC.GDI32(00000000), ref: 10006A67
      • CreateCompatibleDC.GDI32(00000000), ref: 10006A6D
      • SelectObject.GDI32(00000000,?), ref: 10006A8A
      • GetObjectA.GDI32(?,00000018,?), ref: 10006AA2
      • SelectObject.GDI32(00000000,000000FF), ref: 10006AD1
      • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 10006AEE
      • SelectObject.GDI32(00000000,00000000), ref: 10006AF6
      • SelectObject.GDI32(00000000,00000000), ref: 10006AFE
      • DeleteDC.GDI32(00000000), ref: 10006B07
      • DeleteDC.GDI32(00000000), ref: 10006B0A
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Object$Select$Delete$CompatibleCreate
      • String ID:
      • API String ID: 2651682802-0
      • Opcode ID: 9590772b2381df981e00ce1ca602ee8b7f492eed31d7fb91fb646ce7ea8e8a2e
      • Instruction ID: 18bf3757976541dfd00de2af7b288375a6f254a0424e89b954cf1b644370f741
      • Opcode Fuzzy Hash: 9590772b2381df981e00ce1ca602ee8b7f492eed31d7fb91fb646ce7ea8e8a2e
      • Instruction Fuzzy Hash: A221A0762043196BF250EB59CCC0F2BB7EDEBC9790F60442DFA4097244DA64EC068BA2
      APIs
      • GetWindowRect.USER32(?,?), ref: 1000C1D7
      • CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 1000C1F5
      • FindWindowExA.USER32(?,00000000,00000000,00000000), ref: 1000C204
      • IsWindowVisible.USER32(00000000), ref: 1000C211
      • GetWindowRect.USER32(00000000,?), ref: 1000C22D
      • OffsetRect.USER32(?,?,?), ref: 1000C242
      • CreateRectRgn.GDI32(?,?,?,?), ref: 1000C25C
      • CombineRgn.GDI32(00000000,00000000,00000000,00000004), ref: 1000C269
      • DeleteObject.GDI32(00000000), ref: 1000C270
      • FindWindowExA.USER32(?,00000000,00000000,00000000), ref: 1000C280
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: RectWindow$CreateFind$CombineDeleteObjectOffsetVisible
      • String ID:
      • API String ID: 1313402854-0
      • Opcode ID: 8629bedc85b525c95f566e4f9ec39ac268af53675b713f40d67e7f6029a4d90e
      • Instruction ID: 0129f1f143ae883f5581523c8020f595d90fc1c3a02a3f94cc4d99a36711fcdf
      • Opcode Fuzzy Hash: 8629bedc85b525c95f566e4f9ec39ac268af53675b713f40d67e7f6029a4d90e
      • Instruction Fuzzy Hash: AD210C75205325AFE2109B65CC85F3BB7ECEBC9B55F104619FA45A3240DA20ED068B66
      APIs
      • GetUpdateRect.USER32(?,?,00000000), ref: 1000C110
      • GetWindowRect.USER32(?,?), ref: 1000C126
      • ClientToScreen.USER32(?,?), ref: 1000C138
      • ClientToScreen.USER32(?,?), ref: 1000C140
      • OffsetRect.USER32(?,?,?), ref: 1000C155
      • CreateRectRgn.GDI32(?,?,?,?), ref: 1000C16F
      • CombineRgn.GDI32(00000000,00000000,00000000,00000001), ref: 1000C195
      • DeleteObject.GDI32(00000000), ref: 1000C19C
      • SelectClipRgn.GDI32(?,00000000), ref: 1000C1A4
      • DeleteObject.GDI32(00000000), ref: 1000C1AB
        • Part of subcall function 1000C1C0: GetWindowRect.USER32(?,?), ref: 1000C1D7
        • Part of subcall function 1000C1C0: CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 1000C1F5
        • Part of subcall function 1000C1C0: FindWindowExA.USER32(?,00000000,00000000,00000000), ref: 1000C204
        • Part of subcall function 1000C1C0: IsWindowVisible.USER32(00000000), ref: 1000C211
        • Part of subcall function 1000C1C0: GetWindowRect.USER32(00000000,?), ref: 1000C22D
        • Part of subcall function 1000C1C0: OffsetRect.USER32(?,?,?), ref: 1000C242
        • Part of subcall function 1000C1C0: CreateRectRgn.GDI32(?,?,?,?), ref: 1000C25C
        • Part of subcall function 1000C1C0: CombineRgn.GDI32(00000000,00000000,00000000,00000004), ref: 1000C269
        • Part of subcall function 1000C1C0: DeleteObject.GDI32(00000000), ref: 1000C270
        • Part of subcall function 1000C1C0: FindWindowExA.USER32(?,00000000,00000000,00000000), ref: 1000C280
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$Window$CreateDeleteObject$ClientCombineFindOffsetScreen$ClipSelectUpdateVisible
      • String ID:
      • API String ID: 3337848875-0
      • Opcode ID: ab81bbd6e475fd5f65db4c67aaa5c7c4afadf060e7e249b2e30564a5a9679415
      • Instruction ID: 74d7dfbfc758c62a16206c90bb991d6bb96e2836b961c83879c6e1e08fceeccd
      • Opcode Fuzzy Hash: ab81bbd6e475fd5f65db4c67aaa5c7c4afadf060e7e249b2e30564a5a9679415
      • Instruction Fuzzy Hash: 4611477A105221AFF300DB65CCC4DABB7ACEFC9740F14490DF94582200E734EA0A8BB2
      APIs
      • SelectObject.GDI32(?,?), ref: 10012809
      • PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 1001281F
      • SetMapMode.GDI32(?,00000001), ref: 1001282B
      • SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 1001283B
      • SetWindowExtEx.GDI32(?,00000001,00000001,00000000), ref: 1001284B
      • SetViewportOrgEx.GDI32(?,00000000,00000000,00000000), ref: 1001285B
      • SetViewportExtEx.GDI32(?,00000001,00000001,00000000), ref: 1001286B
      • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 100128B8
        • Part of subcall function 1000FC70: SelectObject.GDI32(?,?), ref: 1000FC7A
        • Part of subcall function 1000FC70: DeleteDC.GDI32 ref: 1000FC83
        • Part of subcall function 1000FC70: DeleteObject.GDI32(?), ref: 1000FC8D
        • Part of subcall function 1000E340: SelectObject.GDI32(?,?), ref: 1000E3AA
        • Part of subcall function 1000E340: DeleteDC.GDI32(?), ref: 1000E3B4
        • Part of subcall function 1000E340: DeleteObject.GDI32(?), ref: 1000E3D1
      • ??3@YAXPAX@Z.MSVCRT ref: 1001292B
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Object$Delete$Select$ViewportWindow$??3@Mode
      • String ID:
      • API String ID: 2611903862-0
      • Opcode ID: 7c815beb85d3b7d6d1a28cbd2c605b41dffed16a3aaece435989d75e05e30fb6
      • Instruction ID: 5a2126a295ea02ada3bf3e3be973f49605dcc2c156f47a887c0508dc2def5236
      • Opcode Fuzzy Hash: 7c815beb85d3b7d6d1a28cbd2c605b41dffed16a3aaece435989d75e05e30fb6
      • Instruction Fuzzy Hash: FA614BB9640301AFE724CF18CC85F5B77A9FB88B50F20891CF9599B391C671E881CBA5
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: ??3@$HookUnhookWindows
      • String ID:
      • API String ID: 4067003578-0
      • Opcode ID: b87acc1557eed828f0344a7fc93a7db1be4abbab0bedf78bfabcd7249e5cf933
      • Instruction ID: 68d6bc10badb6e31eff8a5ceec3b68c03d71041423b9f4d656f5879cd019a15e
      • Opcode Fuzzy Hash: b87acc1557eed828f0344a7fc93a7db1be4abbab0bedf78bfabcd7249e5cf933
      • Instruction Fuzzy Hash: 45613DB5900B418BC721CF6DC8C068AFBE5FB58250F95482EE1AE87352D735F984CB96
      APIs
      • GetClientRect.USER32(?,?), ref: 100121A6
      • SelectObject.GDI32(?,?), ref: 100121CC
      • PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 100121E4
      • SelectObject.GDI32(?,00000000), ref: 100121EC
      • BitBlt.GDI32 ref: 1001224C
      • CallWindowProcA.USER32(?,?,00000014,00000000,?), ref: 10012262
      • SelectObject.GDI32(00000000,?), ref: 100122A0
      • PatBlt.GDI32(00000000,00000000,00000000,?,00CC0020,00F00021), ref: 100122BE
      • BitBlt.GDI32(?,00000000,00000000,?,?,00000001,00000000,00000000,00CC0020), ref: 10012316
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: ObjectSelect$CallClientProcRectWindow
      • String ID:
      • API String ID: 1176863719-0
      • Opcode ID: 8d9555288dfa4cb6b9910587152f2368e31d67d4d9cfedcddf4c0e453304757e
      • Instruction ID: 521344e5b0112258a1cfddc808acbd5a461835463cd1efe4b2e01d7775b1bad5
      • Opcode Fuzzy Hash: 8d9555288dfa4cb6b9910587152f2368e31d67d4d9cfedcddf4c0e453304757e
      • Instruction Fuzzy Hash: BB51F9B9254300AFE214DB54CC86F6BB7A8EBC8B50F20491CFA4597391C6B5FC458BA6
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: PathRect$ClipSelect$BeginClientEmptyOffsetRectangleWindow
      • String ID:
      • API String ID: 926769777-0
      • Opcode ID: 0826a6cac50ff6d8cc9cb84acf4d3d3ae261592e089b67d3ff386e635de06544
      • Instruction ID: ba60728ec9fc36432d1322e881ef709b7ac6645eae2937ea16e8d96f42463b8c
      • Opcode Fuzzy Hash: 0826a6cac50ff6d8cc9cb84acf4d3d3ae261592e089b67d3ff386e635de06544
      • Instruction Fuzzy Hash: 4B413979609211AFE744EF04C884D9FB7E9EFC8761F50881DF94A87214D730E94ACBA2
      APIs
      • KillTimer.USER32(?,00006622,76933760,00000000,100161F8,?,?), ref: 10016663
      • KillTimer.USER32(?,00006623,?,?), ref: 1001666E
      • KillTimer.USER32(?,00006624,?,?), ref: 10016679
      • GetParent.USER32(?), ref: 100166B6
      • SendMessageA.USER32(00000000,?,?), ref: 100166BF
      • GetParent.USER32(?), ref: 100166CF
      • SendMessageA.USER32(00000000,?,?), ref: 100166D2
      • SendMessageA.USER32(?,?,?,00000000), ref: 100166FA
      • SendMessageA.USER32(?,?,00000008,00000000), ref: 1001670B
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: MessageSend$KillTimer$Parent
      • String ID:
      • API String ID: 639473585-0
      • Opcode ID: 43e7f77cbceff515ad615a55a00688c3b258852cb15ecafe0dc3e5f4f77e3c47
      • Instruction ID: 23e64ce1f8e016dc164ffd5e7c53ec1364c03778283d0123c89ade336ad14168
      • Opcode Fuzzy Hash: 43e7f77cbceff515ad615a55a00688c3b258852cb15ecafe0dc3e5f4f77e3c47
      • Instruction Fuzzy Hash: 1F212175200B01ABE664DB65CC51FA7B3EDEF88714F11481DF6569B290CAB1F841CB60
      APIs
      • IsWindowEnabled.USER32(?), ref: 10004809
      • SendMessageA.USER32(?,00000020,?,0200FFFE), ref: 1000482A
      • SendMessageA.USER32(?,00000020,?,0202FFFE), ref: 10004847
      • LoadCursorA.USER32(00000000,00007F84), ref: 1000486B
      • SetCursor.USER32(00000000), ref: 10004872
      • SendMessageA.USER32(?,?,0000000B,?), ref: 1000488F
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: MessageSend$Cursor$EnabledLoadWindow
      • String ID:
      • API String ID: 952789742-0
      • Opcode ID: 32ed43d69171fde928c40ca07546bdfc92c8bcd283c9c7b1e6585add4f52f139
      • Instruction ID: a48a6881d2a0336a3b2bb6231070b8bc95643f1d678b29964c15dfe4c6f22d82
      • Opcode Fuzzy Hash: 32ed43d69171fde928c40ca07546bdfc92c8bcd283c9c7b1e6585add4f52f139
      • Instruction Fuzzy Hash: 0521BE75609763AFF250CB64EC88F8B37E8EF58750F128C14F241D6990CBA0E8458795
      APIs
      • IsWindowEnabled.USER32(?), ref: 10004439
      • SendMessageA.USER32(?,00000020,?,0200FFFE), ref: 1000445A
      • SendMessageA.USER32(?,00000020,?,0202FFFE), ref: 10004477
      • LoadCursorA.USER32(00000000,00007F84), ref: 1000449B
      • SetCursor.USER32(00000000), ref: 100044A2
      • SendMessageA.USER32(?,?,0000000A,?), ref: 100044BF
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: MessageSend$Cursor$EnabledLoadWindow
      • String ID:
      • API String ID: 952789742-0
      • Opcode ID: e8c35d7865301e7346ea7a2614379b4a33c7a3f3bf2c79482a3e40d957fdedee
      • Instruction ID: 4b1eefcfb1eff533e0469eb4f3c20f4418bd10dfbad317feed312d8172fc31b6
      • Opcode Fuzzy Hash: e8c35d7865301e7346ea7a2614379b4a33c7a3f3bf2c79482a3e40d957fdedee
      • Instruction Fuzzy Hash: 5D21D175709723AFF650CB64EC88F8B37E8EF59750F128804F242D7890C6A0E846C795
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: ItemMenu$??2@CountInfo
      • String ID: 0
      • API String ID: 343086914-4108050209
      • Opcode ID: 2b229e6ce4f0cb3d8364a42aaff5c57ac865d2390ea098557bfb65e58a4eac2a
      • Instruction ID: eeaf9257602ae2fb2291704959b8afc54feedf824bc9d131a5182b5c0530c076
      • Opcode Fuzzy Hash: 2b229e6ce4f0cb3d8364a42aaff5c57ac865d2390ea098557bfb65e58a4eac2a
      • Instruction Fuzzy Hash: 97717EB0604246AFE754CF64E880A5ABBE5FF84744FA5C52EE809CB751E731EC42CB81
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: ??3@ItemMenu$Info$Count
      • String ID: 0
      • API String ID: 1300621985-4108050209
      • Opcode ID: cf8d953e71d0d401e0776d2466d0d5f42c659b4f9576582b63639309d889a865
      • Instruction ID: ba23ef1283d543214e51f6240621ccfcbfd39c9ee9b7c6bd65e8a0915674a4ed
      • Opcode Fuzzy Hash: cf8d953e71d0d401e0776d2466d0d5f42c659b4f9576582b63639309d889a865
      • Instruction Fuzzy Hash: 1D519E746012028FD754CF18E8C4A56B7F9EF88754F66C669E809CB350EB31EC42CB91
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$EqualOffsetWindow$InfoVisible
      • String ID: <
      • API String ID: 2641278648-4251816714
      • Opcode ID: 43b4f7e995c0a357d226bfec25f4c2e0ace47f82f58a39247d552d2796c55144
      • Instruction ID: 43e9ea39151c7cd5d2d9fc7f3b5f0f6f8eba1aada2934db523e61a0316c8f1e6
      • Opcode Fuzzy Hash: 43b4f7e995c0a357d226bfec25f4c2e0ace47f82f58a39247d552d2796c55144
      • Instruction Fuzzy Hash: 294128756047029FD354CF28D484A9BB7E8FFC8304F518A2EF89987250DB31E946CB62
      APIs
      • IsWindowVisible.USER32(?), ref: 10022A2C
      • CallWindowProcA.USER32(?,?,?,?,?), ref: 10022A87
      • GetMenu.USER32(?), ref: 10022AB2
      • SetMenu.USER32(?,00000000), ref: 10022AC4
      • GetWindowRect.USER32(?,00400000), ref: 10022AEB
      • SendMessageA.USER32(?,00000083,00000000,?), ref: 10022B01
      • CallWindowProcA.USER32(?,?,?,?,?), ref: 10022B1E
      • SetMenu.USER32(?,00000000), ref: 10022B43
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Window$Menu$CallProc$MessageRectSendVisible
      • String ID:
      • API String ID: 3332730756-0
      • Opcode ID: 7e02270cb5639131933e80c8c53a2fa2742bf47566859d10389e38ab56e9b911
      • Instruction ID: 9276f38f3cf173ca9a812d88aef6df53489b9eb25c2b5bf1bf9ebad47c79e053
      • Opcode Fuzzy Hash: 7e02270cb5639131933e80c8c53a2fa2742bf47566859d10389e38ab56e9b911
      • Instruction Fuzzy Hash: 5F416A79204701AFD260DBA9DC84E67B3E9EB88754F208A1DF55AC3661C634E942CB60
      APIs
      • CallWindowProcA.USER32(?,?,00000005,?,?), ref: 100106F0
      • GetWindowRect.USER32(?,?), ref: 10010725
      • OffsetRect.USER32(?,?,?), ref: 1001073E
        • Part of subcall function 10006940: CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 10006998
      • SelectObject.GDI32(?,?), ref: 10010782
      • SelectObject.GDI32(?,00000000), ref: 100107C7
      • CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 100107D7
        • Part of subcall function 1001C210: GlobalAlloc.KERNEL32(00000002,00000660,751E6BA0,00000000,00000000,?,?,?,10003905,?,?,?,1002CDA8,?,1002CDC8), ref: 1001C227
        • Part of subcall function 1001C210: GlobalFix.KERNEL32(00000000), ref: 1001C230
        • Part of subcall function 1001C210: SetRect.USER32(00000010,7FFFFFFF,7FFFFFFF,00000000,00000000), ref: 1001C25D
        • Part of subcall function 1001C210: GlobalUnWire.KERNEL32(00000000), ref: 1001C2EB
        • Part of subcall function 1001C210: GlobalReAlloc.KERNEL32(00000000,?,00000002), ref: 1001C30D
        • Part of subcall function 1001C210: GlobalFix.KERNEL32(00000000), ref: 1001C316
        • Part of subcall function 1001C210: SetRect.USER32(?,?,?,?,?), ref: 1001C339
      • CombineRgn.GDI32(00000000,00000000,00000000,00000004), ref: 100107F7
      • DeleteObject.GDI32(00000000), ref: 100107FE
        • Part of subcall function 10006920: DeleteObject.GDI32(?), ref: 1000692E
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: GlobalRect$Object$AllocCreateDeleteSelectWindow$CallCombineOffsetProcSectionWire
      • String ID:
      • API String ID: 910829930-0
      • Opcode ID: 8d9b0bf1d7519ee72f556b295753cef8cb64391f53ae4860d5cb9819d170f47e
      • Instruction ID: 73ca99926bc02046f123c486a2af454b80d39e45caa77a60c923b30de1dd379e
      • Opcode Fuzzy Hash: 8d9b0bf1d7519ee72f556b295753cef8cb64391f53ae4860d5cb9819d170f47e
      • Instruction Fuzzy Hash: 4041FA79204740AFE354CF64CC85E6BB7A9FBC8710F108A1CF65987251DB74E905CBA1
      APIs
      • CreateWindowExA.USER32(00080000,1002C028,00000000,80000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000), ref: 10024562
      • CreateWindowExA.USER32(00080000,1002C028,00000000,80000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000), ref: 10024594
      • CreateWindowExA.USER32(00080000,1002C028,00000000,80000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000), ref: 100245C6
      • CreateWindowExA.USER32(00080000,1002C028,00000000,80000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000), ref: 100245F8
      • SetPropA.USER32(?,1002CD88,?), ref: 10024613
      • SetPropA.USER32(?,1002CD88,?), ref: 10024622
      • SetPropA.USER32(?,1002CD88,?), ref: 10024631
      • SetPropA.USER32(?,1002CD88,?), ref: 10024640
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: CreatePropWindow
      • String ID:
      • API String ID: 661344865-0
      • Opcode ID: 1089ebc232d11df68c40f06de5aeeb89f545c28512acefa0cdbd24b27eb5c3d6
      • Instruction ID: 9f628f48033890d7f24c30de2fa77ca5103cf21e47ce77eaf880fe3b7e00f918
      • Opcode Fuzzy Hash: 1089ebc232d11df68c40f06de5aeeb89f545c28512acefa0cdbd24b27eb5c3d6
      • Instruction Fuzzy Hash: F931B9753C0704BAE270DBA5DC86F93B7A8EF98B11F314519F749AB2D0C6A0B8418B58
      APIs
      • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,1001B7C8,?,?,10025DCF,?), ref: 1001749D
      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,1001B7C8,?,?,10025DCF,?,?), ref: 100174B9
      • CloseHandle.KERNEL32(00000000,?,?,?,?,1001B7C8,?,?,10025DCF,?,?), ref: 100174C6
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: File$CloseCreateHandleSize
      • String ID:
      • API String ID: 1378416451-0
      • Opcode ID: 81fbd18608adbdfbe6414eac23378f6f2e5a840e10539d39e41f4149977872c6
      • Instruction ID: 8b3d300d7cd505047f5b36438d5475ead2230649a77d8796dbb5cbe265e0d923
      • Opcode Fuzzy Hash: 81fbd18608adbdfbe6414eac23378f6f2e5a840e10539d39e41f4149977872c6
      • Instruction Fuzzy Hash: 8411EB7734122027E220A659EC8DF6BB79CE7D9BB2F208136FA45D62C0D661EC568371
      APIs
      • RemovePropA.USER32(?,1002CD88), ref: 1002466D
      • RemovePropA.USER32(?,1002CD88), ref: 1002467B
      • RemovePropA.USER32(?,1002CD88), ref: 10024689
      • RemovePropA.USER32(?,1002CD88), ref: 10024697
      • DestroyWindow.USER32(?), ref: 100246A6
      • DestroyWindow.USER32(?), ref: 100246AF
      • DestroyWindow.USER32(?), ref: 100246B8
      • DestroyWindow.USER32(?), ref: 100246C1
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: DestroyPropRemoveWindow
      • String ID:
      • API String ID: 1784376950-0
      • Opcode ID: 482fe341d6cdaa7da7b42383c716d25f52f4c96051cfc89517db10860ab7a2cb
      • Instruction ID: 8634cc0847dbc949a985fe4dc17aacceb001e21e00327079f9f065a41ef256d6
      • Opcode Fuzzy Hash: 482fe341d6cdaa7da7b42383c716d25f52f4c96051cfc89517db10860ab7a2cb
      • Instruction Fuzzy Hash: 31019AB2541B489BC620EFBA9C84DD7F7EDAFE9301F514A2EE259D3210CA75A8018B50
      APIs
      • SelectObject.GDI32(00000000,?), ref: 1001189F
      • IsRectEmpty.USER32(00000050), ref: 100118A9
      • PatBlt.GDI32(00000000,?,?,?,?,00F00021), ref: 100118D6
      • IsWindowEnabled.USER32(?), ref: 100118DC
      • IsRectEmpty.USER32(00000060), ref: 1001196A
      • PatBlt.GDI32(00000000,?,?,?,?,00F00021), ref: 10011991
      • IsWindowEnabled.USER32(?), ref: 10011997
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: EmptyEnabledRectWindow$ObjectSelect
      • String ID:
      • API String ID: 2275352032-0
      • Opcode ID: 61536b1bc63d1b18624d50eafd3497a21945634e6b3a74052bb211d21fc59686
      • Instruction ID: a48e8d2156bf71d1f245c115769e0258ac4b106f3870a774a9d1c5f789da5c24
      • Opcode Fuzzy Hash: 61536b1bc63d1b18624d50eafd3497a21945634e6b3a74052bb211d21fc59686
      • Instruction Fuzzy Hash: 7B5159B82016019FE318CB55CCD4EAB73EAEF88754B118968E9598B715DB35FC82CB20
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: MenuRect$Item$??2@??3@CountOffsetWindow
      • String ID:
      • API String ID: 386475264-0
      • Opcode ID: f17518a12ae01caf356ce74a89df4fd18e8e6548c938938fe35cb7513e8f26fd
      • Instruction ID: b4e87db7927906467f26b41a9e75fc39679a568fb5d8f31fe5ea3c43946c0583
      • Opcode Fuzzy Hash: f17518a12ae01caf356ce74a89df4fd18e8e6548c938938fe35cb7513e8f26fd
      • Instruction Fuzzy Hash: 415153B4A083069FC708CF69D88095AFBE5FB88710F558A6DF85A8B311DB30E945CB81
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 1000AAED
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Prop
      • String ID:
      • API String ID: 257714900-0
      • Opcode ID: 2c6010a68df39a012fe3cfaaf114c4777e7ed861bf3d100bc81ecca3e0610d64
      • Instruction ID: 2e390604217a2b3f58ee7591da4aaa58580bf2b8c483784fb10c7b559247f76a
      • Opcode Fuzzy Hash: 2c6010a68df39a012fe3cfaaf114c4777e7ed861bf3d100bc81ecca3e0610d64
      • Instruction Fuzzy Hash: 6741BF72600705DFE720DF59D8C0FABB7D9EB853A1F41852EF14A86102C731A8C5CB25
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Path$Rect$BeginClientClipEmptyEnabledRectangleSelectWindow
      • String ID:
      • API String ID: 1084965025-0
      • Opcode ID: c99acffac70395a903fcda901865948252828067514702023488eea6cbb16816
      • Instruction ID: b8edb3d788cc78fff0226b0fdbf1bf844b5db10293aac1c63da7d3a1532afda8
      • Opcode Fuzzy Hash: c99acffac70395a903fcda901865948252828067514702023488eea6cbb16816
      • Instruction Fuzzy Hash: 1A4146B8205201AFD308DF14C884E6BB7E8EF89750F15856DF9458B265D730ED89CBA2
      APIs
      • GetMenuItemCount.USER32(?), ref: 10011314
      • GetMenuItemInfoA.USER32 ref: 10011357
      • SetMenuItemInfoA.USER32(?,00000000,00000400,00000400), ref: 100113C7
      • ??3@YAXPAX@Z.MSVCRT ref: 1001141C
      • ??3@YAXPAX@Z.MSVCRT ref: 10011425
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: ItemMenu$??3@Info$Count
      • String ID: 0
      • API String ID: 736798657-4108050209
      • Opcode ID: 0cf0ac6ad7a8be9223033cdd5cb307bfcc9cf592a42d38a91426e5dcf788734d
      • Instruction ID: 6d719e0a32b6bda592360f4ae478a4486d40816c5b56cfaf3c9dbc286bc1d952
      • Opcode Fuzzy Hash: 0cf0ac6ad7a8be9223033cdd5cb307bfcc9cf592a42d38a91426e5dcf788734d
      • Instruction Fuzzy Hash: 39316D746043129FD708CF18C880A9AB3E9FF88B58F258529F959DB351E731EC82CB52
      APIs
      • GetClientRect.USER32(?,00000000), ref: 1000C5E8
      • InflateRect.USER32(000000FE,000000FE,000000FE), ref: 1000C5F9
      • CallWindowProcA.USER32(?,?,0000000F,?,?), ref: 1000C61A
      • GetClientRect.USER32(?,?), ref: 1000C62B
      • InflateRect.USER32(?,000000FE,000000FE), ref: 1000C661
      • IsWindowEnabled.USER32(?), ref: 1000C667
      • GetFocus.USER32 ref: 1000C675
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$ClientInflateWindow$CallEnabledFocusProc
      • String ID:
      • API String ID: 3997489093-0
      • Opcode ID: 81175768eda5f638bfd17fee8b037c0f1c98ebf9303a901b092cef3987487af0
      • Instruction ID: 0210b2d985ab851d087a4ba75c5b64220f905e20614fa079e217abae1528d616
      • Opcode Fuzzy Hash: 81175768eda5f638bfd17fee8b037c0f1c98ebf9303a901b092cef3987487af0
      • Instruction Fuzzy Hash: FD314A75604301AFD314DF6AC880D1BF7E9EFC9254F208A1DF59983365DA32E846CB92
      APIs
      • DeleteObject.GDI32(?), ref: 10018E2A
      • DeleteObject.GDI32(?), ref: 10018E3E
      • SelectObject.GDI32(10017522,?), ref: 10018E89
      • BitBlt.GDI32(10017522,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 10018EC1
      • SelectObject.GDI32(10017522,?), ref: 10018ECF
      • CreateSolidBrush.GDI32(?), ref: 10018F16
      • CreatePatternBrush.GDI32(?), ref: 10018F23
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Object$BrushCreateDeleteSelect$PatternSolid
      • String ID:
      • API String ID: 22681066-0
      • Opcode ID: 493c7b64c06f7fda6f307e4e9a9fb4371a82727674913205bff5ba11ea4a1bec
      • Instruction ID: 23f9e4fe7887b74c245d57b0e501ed812031919aed004f8028d95dad6bed7b15
      • Opcode Fuzzy Hash: 493c7b64c06f7fda6f307e4e9a9fb4371a82727674913205bff5ba11ea4a1bec
      • Instruction Fuzzy Hash: E03148B52007019FE214DF64C895FA7B7E9EB88750F11892DF69A872A1DB30F945CB60
      APIs
      • GetClientRect.USER32(?,?), ref: 1000AE2F
      • GetWindowRect.USER32(?,?), ref: 1000AE3B
      • ClientToScreen.USER32(?,?), ref: 1000AE4D
      • ClientToScreen.USER32(?,?), ref: 1000AE55
      • OffsetRect.USER32(?,?,?), ref: 1000AE70
      • OffsetRect.USER32(?,?,?), ref: 1000AE85
      • EqualRect.USER32(?,?), ref: 1000AE91
        • Part of subcall function 1000AF00: EqualRect.USER32(1000AEEB,?), ref: 1000AF0A
        • Part of subcall function 1000AF00: IsRectEmpty.USER32(?), ref: 1000AF21
        • Part of subcall function 1000AF00: CreateRectRgn.GDI32(?,?,?,?), ref: 1000AF49
        • Part of subcall function 1000AF00: CreateRectRgn.GDI32(?,?,?,?), ref: 1000AF61
        • Part of subcall function 1000AF00: CombineRgn.GDI32(00000000,00000000,00000000,00000004), ref: 1000AF6A
        • Part of subcall function 1000AF00: SelectClipRgn.GDI32(?,00000000), ref: 1000AF72
        • Part of subcall function 1000AF00: DeleteObject.GDI32(00000000), ref: 1000AF7F
        • Part of subcall function 1000AF00: DeleteObject.GDI32(00000000), ref: 1000AF82
        • Part of subcall function 1000AF00: CreatePen.GDI32(00000000,00000001,?), ref: 1000AFA1
        • Part of subcall function 1000AF00: CreateSolidBrush.GDI32(?), ref: 1000B041
        • Part of subcall function 1000AF00: SelectObject.GDI32(?,00000000), ref: 1000B051
        • Part of subcall function 1000AF00: SelectObject.GDI32(?,00000000), ref: 1000B059
        • Part of subcall function 1000AF00: Rectangle.GDI32(?,?,?,?,?), ref: 1000B074
        • Part of subcall function 1000AF00: SelectObject.GDI32(?,?), ref: 1000B080
        • Part of subcall function 1000AF00: SelectObject.GDI32(?,?), ref: 1000B088
        • Part of subcall function 1000AF00: IsRectEmpty.USER32(?), ref: 1000B08F
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$Object$Select$Create$Client$DeleteEmptyEqualOffsetScreen$BrushClipCombineRectangleSolidWindow
      • String ID:
      • API String ID: 1135996890-0
      • Opcode ID: b217bab60f10c5aea6f42e71060e513870f453460a2ff76ab6cc9e0435775f34
      • Instruction ID: bacedecaa7b5975dfe14453393d98d9b711d5753841d023854cdc35a831728b0
      • Opcode Fuzzy Hash: b217bab60f10c5aea6f42e71060e513870f453460a2ff76ab6cc9e0435775f34
      • Instruction Fuzzy Hash: 59211979109201AFE304DF19C885C6BBBF9EFC9350F11CA1DF44987225D634EA46CBA2
      APIs
      • CallWindowProcA.USER32(?,?,?,?,?), ref: 1001238D
      • GetPropA.USER32(?,1002C03C), ref: 100123B4
      • SetBkColor.GDI32(?,?), ref: 100123D2
      • SetTextColor.GDI32(?,?), ref: 100123EC
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Color$CallProcPropTextWindow
      • String ID:
      • API String ID: 1567449379-0
      • Opcode ID: fd243b49dd2b70934088a78486ed71f3f6b1e30930e2a5d8f73f0faa35da5f50
      • Instruction ID: 4c3276a66a0a9f635cfbb79f7bd4f3ded52351a7d3631d5cad51002f68e975b9
      • Opcode Fuzzy Hash: fd243b49dd2b70934088a78486ed71f3f6b1e30930e2a5d8f73f0faa35da5f50
      • Instruction Fuzzy Hash: 32213C7A200215DFE214CF55DCC8EA7B7A9FF88711F258579FA0987612C731AC86CB60
      APIs
      • CreateCompatibleDC.GDI32(?), ref: 1000FC09
      • CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 1000FC14
      • SelectObject.GDI32(00000000,00000000), ref: 1000FC21
      • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1000FC3A
      • GetClipRgn.GDI32(?,00000000), ref: 1000FC44
      • SelectClipRgn.GDI32(?,00000000), ref: 1000FC53
      • DeleteObject.GDI32(00000000), ref: 1000FC5A
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Create$ClipCompatibleObjectSelect$BitmapDeleteRect
      • String ID:
      • API String ID: 4212353020-0
      • Opcode ID: da83c9e4fb198581466429983a14078e16099fff12b7c695a401a7cb8fb48538
      • Instruction ID: 8b55c2d16eca8a6de84a41ee3e6a417fb1aae9501b44e532c548ffb84ecac7fc
      • Opcode Fuzzy Hash: da83c9e4fb198581466429983a14078e16099fff12b7c695a401a7cb8fb48538
      • Instruction Fuzzy Hash: 5001D379601314AFE3509FA59CC8F26BBECFF48A51F20891EFA86D2250C674A9058B20
      APIs
      • IsWindowVisible.USER32(?), ref: 10015860
      • SelectObject.GDI32(?,?), ref: 10015903
      • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 1001592F
      • SelectObject.GDI32(?,?), ref: 100159B3
      • PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 100159C9
      • BitBlt.GDI32(?,?,76952370,?,?,?,00000000,00000000,00CC0020), ref: 10015B86
        • Part of subcall function 1000FC70: SelectObject.GDI32(?,?), ref: 1000FC7A
        • Part of subcall function 1000FC70: DeleteDC.GDI32 ref: 1000FC83
        • Part of subcall function 1000FC70: DeleteObject.GDI32(?), ref: 1000FC8D
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Object$Select$Delete$VisibleWindow
      • String ID:
      • API String ID: 2338221860-0
      • Opcode ID: 421cafb401685e9174eb1292b169dd592b5d176713f7d8995dcaaaaccdaf3922
      • Instruction ID: f04d0c149d7934839a0fbc71b930f3873cc576cb42b8e8f7a274e06dc9e73843
      • Opcode Fuzzy Hash: 421cafb401685e9174eb1292b169dd592b5d176713f7d8995dcaaaaccdaf3922
      • Instruction Fuzzy Hash: 79B104B8200205AFE714CF54C8C5EAB77A8FF88B44F14496CF8498B256DB75ED46CBA1
      APIs
      • CreateCompatibleDC.GDI32(00000000), ref: 100032B3
      • SelectObject.GDI32(00000000,?), ref: 100032C0
        • Part of subcall function 100042C0: PtInRegion.GDI32(?,00000000,?,00000000,00000000,1002CDA8,1002CDC8,1002CDC8,?,00000000), ref: 100042F8
      • SelectObject.GDI32(00000000,?), ref: 1000342A
      • DeleteDC.GDI32(00000000), ref: 10003431
      • DeleteObject.GDI32(00000000), ref: 10003438
      • IsWindowVisible.USER32(?), ref: 10003491
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Object$DeleteSelect$CompatibleCreateRegionVisibleWindow
      • String ID:
      • API String ID: 1842338607-0
      • Opcode ID: 91ee33ab1b69a359ab367a5ca384a9598f5026615020f2f567bafd236aa3cddf
      • Instruction ID: b148bc9a0c6a2d913fc867f66123447b75209ee6773f678a23cc705497eb98c2
      • Opcode Fuzzy Hash: 91ee33ab1b69a359ab367a5ca384a9598f5026615020f2f567bafd236aa3cddf
      • Instruction Fuzzy Hash: EF915D796006048FE709CF69C8C4C2BB7EAFFC8694B158A2DF85987369DB30E945CB51
      APIs
        • Part of subcall function 10016440: GetCursorPos.USER32(?), ref: 1001644C
        • Part of subcall function 10016440: GetWindowRect.USER32(?,?), ref: 1001645B
      • OffsetRect.USER32(?,00000000,?), ref: 1001683C
      • OffsetRect.USER32(?,00000000,?), ref: 10016852
      • OffsetRect.USER32(?,00000000,?), ref: 1001686D
      • MulDiv.KERNEL32(?,?,?), ref: 100168B4
      • GetParent.USER32(?), ref: 100168F6
      • SendMessageA.USER32(?,?,00000000,00000000), ref: 10016918
        • Part of subcall function 10015840: IsWindowVisible.USER32(?), ref: 10015860
        • Part of subcall function 10015840: SelectObject.GDI32(?,?), ref: 10015903
        • Part of subcall function 10015840: PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 1001592F
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$Offset$Window$CursorMessageObjectParentSelectSendVisible
      • String ID:
      • API String ID: 410164804-0
      • Opcode ID: e54e0525136698f0fd5e31759bfa30945750bee2bbb6fc76e0388ad5adbd1f6c
      • Instruction ID: 5b3f42e8751718efe35102d26408225ceaa88a89c417ccc3e437b77936ff3ce4
      • Opcode Fuzzy Hash: e54e0525136698f0fd5e31759bfa30945750bee2bbb6fc76e0388ad5adbd1f6c
      • Instruction Fuzzy Hash: 6D611774204606AFD708DF39CD94A6AB7E9FB88704F108A1DF85A9B344DB30FA45CB95
      APIs
      • GetObjectA.GDI32(00000000,00000018,?), ref: 10011285
      • CreateCompatibleDC.GDI32(00000000), ref: 1001128D
      • SelectObject.GDI32(00000000,00000000), ref: 1001129D
      • 74AD1530.MSIMG32(?,?,?,00000010,00000010,00000000,00000000,00000000,?,?,00FF01FF,?,?), ref: 100112DB
      • SelectObject.GDI32(00000000,00000000), ref: 100112E3
      • DeleteDC.GDI32(00000000), ref: 100112E6
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Object$Select$CompatibleCreateD1530Delete
      • String ID:
      • API String ID: 1534105499-0
      • Opcode ID: 30058f95b80ec2afb2eca019207f2575a1dc55e2264cb8df5d5b038a1d08b1d2
      • Instruction ID: fced8d308138b36c133f8264daa482e3f1224d76aacb4f59917f490493d9ace5
      • Opcode Fuzzy Hash: 30058f95b80ec2afb2eca019207f2575a1dc55e2264cb8df5d5b038a1d08b1d2
      • Instruction Fuzzy Hash: 954190767402049FD344DB58CC80FAAB3A9EF89360F25855AED04CF351C635EC96CBA1
      APIs
      • SetTextColor.GDI32(00000000,?), ref: 10010CEA
      • SelectObject.GDI32(?,?), ref: 10010D3A
      • _mbsstr.MSVCRT ref: 10010D4A
      • DrawTextA.USER32(?,?,00000000,?,00000024), ref: 10010D6C
      • DrawTextA.USER32(00000000,00000001,?,?,00000026), ref: 10010D9F
      • DrawTextA.USER32(?,?,?,?,00000024), ref: 10010DC7
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Text$Draw$ColorObjectSelect_mbsstr
      • String ID:
      • API String ID: 2554462136-0
      • Opcode ID: 167540bd5a1515ecb06707f3ebbd2082f6ec1e01a77e5fac4a1d7c74e16ee5d3
      • Instruction ID: caa0527cdf57b14729ef594e8188670eae6bffac27ed0865ed6a9a4dbb4e9640
      • Opcode Fuzzy Hash: 167540bd5a1515ecb06707f3ebbd2082f6ec1e01a77e5fac4a1d7c74e16ee5d3
      • Instruction Fuzzy Hash: E4515C792042009FD308CF68C884E67B7E9FF88354F108A6DF9598B355DB70E946CBA1
      APIs
      • OffsetRect.USER32(?,?,00000000), ref: 1000E6C6
      • OffsetRect.USER32(?,?,?), ref: 1000E76A
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: OffsetRect
      • String ID:
      • API String ID: 177026234-0
      • Opcode ID: aaa94e786c78679375264d08a80620499181ed88b43f71d2a266caf68266feef
      • Instruction ID: 55dceb283fd2939f53b1af87dd3abf76b527e98de1fc72b27c0b69958cadab38
      • Opcode Fuzzy Hash: aaa94e786c78679375264d08a80620499181ed88b43f71d2a266caf68266feef
      • Instruction Fuzzy Hash: 70314B763029559FF3049E7C9E8CABEBBCAD7C82A2F29573DF606D1048D661FC094250
      APIs
      • GetWindowRect.USER32(?,?), ref: 10015671
      • GetClientRect.USER32(?,?), ref: 10015680
      • ClientToScreen.USER32(?,?), ref: 10015695
      • ClientToScreen.USER32(?,?), ref: 100156A0
      • OffsetRect.USER32(?,?,?), ref: 100156BB
      • OffsetRect.USER32(?,?,?), ref: 100156D0
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$Client$OffsetScreen$Window
      • String ID:
      • API String ID: 3447441489-0
      • Opcode ID: 7cd20ebc07aa8017c6d87fa62e7aa96f440e11c1cf49f979fd91717a38e00a84
      • Instruction ID: c2827e8d9cd10a597387bf157e688e7552e1f46be816908af53a9ee1b8aa0ec2
      • Opcode Fuzzy Hash: 7cd20ebc07aa8017c6d87fa62e7aa96f440e11c1cf49f979fd91717a38e00a84
      • Instruction Fuzzy Hash: E241F578204706DFD714CF29C881EA7B7E9EF88754F14891DE89ACB250E731F9858BA1
      APIs
      • IsRectEmpty.USER32(?), ref: 10025A15
        • Part of subcall function 10006940: CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 10006998
      • SelectObject.GDI32(00000001,?), ref: 10025A7D
      • SelectObject.GDI32(00000001,00000000), ref: 10025AC2
        • Part of subcall function 1001C210: GlobalAlloc.KERNEL32(00000002,00000660,751E6BA0,00000000,00000000,?,?,?,10003905,?,?,?,1002CDA8,?,1002CDC8), ref: 1001C227
        • Part of subcall function 1001C210: GlobalFix.KERNEL32(00000000), ref: 1001C230
        • Part of subcall function 1001C210: SetRect.USER32(00000010,7FFFFFFF,7FFFFFFF,00000000,00000000), ref: 1001C25D
        • Part of subcall function 1001C210: GlobalUnWire.KERNEL32(00000000), ref: 1001C2EB
        • Part of subcall function 1001C210: GlobalReAlloc.KERNEL32(00000000,?,00000002), ref: 1001C30D
        • Part of subcall function 1001C210: GlobalFix.KERNEL32(00000000), ref: 1001C316
        • Part of subcall function 1001C210: SetRect.USER32(?,?,?,?,?), ref: 1001C339
      • OffsetRgn.GDI32(00000000,00000000,?), ref: 10025AE4
      • CombineRgn.GDI32(00000000,00000000,00000000,00000003), ref: 10025AF8
      • DeleteObject.GDI32(00000000), ref: 10025AFF
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Global$ObjectRect$AllocSelect$CombineCreateDeleteEmptyOffsetSectionWire
      • String ID:
      • API String ID: 3701367244-0
      • Opcode ID: 29ebdb5e4d99459ae6c459a07793ccd64b701410539c83b757910fb199093e9e
      • Instruction ID: cf9c318b9d579a266dc806ebc7a0d6f04a146a731b116f9e3c9b73cee362de29
      • Opcode Fuzzy Hash: 29ebdb5e4d99459ae6c459a07793ccd64b701410539c83b757910fb199093e9e
      • Instruction Fuzzy Hash: 7F41FB79604751AFD314CF64C880E6BB7E8FF88650F208A1DF55587641DB34E909CBA1
      APIs
      • CreateCompatibleDC.GDI32(?), ref: 1000E284
      • CreateCompatibleBitmap.GDI32(?,?,?), ref: 1000E298
      • SelectObject.GDI32(?,00000000), ref: 1000E2A6
      • SelectObject.GDI32(?,?), ref: 1000E2C0
      • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 1000E2DA
      • ??2@YAPAXI@Z.MSVCRT ref: 1000E2F0
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: CompatibleCreateObjectSelect$??2@Bitmap
      • String ID:
      • API String ID: 661465749-0
      • Opcode ID: 517728d0a81dfb890fec61be2e80a0268166fa2bfb532fabf3e6e869bc174316
      • Instruction ID: 676109a112f91462f0683b0e748601321322578746db1e72dd9edd93884032e7
      • Opcode Fuzzy Hash: 517728d0a81dfb890fec61be2e80a0268166fa2bfb532fabf3e6e869bc174316
      • Instruction Fuzzy Hash: 6F21F5B9601702AFE314CF59D884E16FBE8FB88751F20C62EFA5987751D730A841CBA0
      APIs
      • GetWindowRect.USER32(?,?), ref: 1001DC52
      • GetCursorPos.USER32(?), ref: 1001DC5D
      • SendMessageA.USER32(?,00001200,00000000,00000000), ref: 1001DC92
      • SendMessageA.USER32(?,0000120F,00000000,00000000), ref: 1001DCB0
      • SendMessageA.USER32(?,00001207,00000000,?), ref: 1001DCC1
      • PtInRect.USER32(?,?,?), ref: 1001DCD2
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: MessageSend$Rect$CursorWindow
      • String ID:
      • API String ID: 1680679697-0
      • Opcode ID: fc3e80be71d03c64dc65eb24677b2ab1e78b96a8fe08b6872ed11463f4ba74dc
      • Instruction ID: b91518a891387c981cce0504226fb2a498f6544864ac186356a6de0c8c4ec29a
      • Opcode Fuzzy Hash: fc3e80be71d03c64dc65eb24677b2ab1e78b96a8fe08b6872ed11463f4ba74dc
      • Instruction Fuzzy Hash: 102181762043069FD304DF69CCC0E5BB7E8EBC8660F104A1EF551D7250D6B0E9498BA1
      APIs
      • GetCursorPos.USER32(?), ref: 1000DE3E
      • GetWindowRect.USER32(?,?), ref: 1000DE4D
      • SendMessageA.USER32(?,00001200,00000000,00000000), ref: 1000DE82
      • SendMessageA.USER32(?,0000120F,00000000,00000000), ref: 1000DEA5
      • SendMessageA.USER32(?,00001207,00000000), ref: 1000DEB1
      • PtInRect.USER32(?,?,?), ref: 1000DEC2
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: MessageSend$Rect$CursorWindow
      • String ID:
      • API String ID: 1680679697-0
      • Opcode ID: 93dd26b5b11665f8d53c80fd854311e6abff328d32208a84f31c42ea47ed69d3
      • Instruction ID: 25e19ebef5cfb3a3824964290d61ec62e8227a99a9e9e0869e33b01463ce3919
      • Opcode Fuzzy Hash: 93dd26b5b11665f8d53c80fd854311e6abff328d32208a84f31c42ea47ed69d3
      • Instruction Fuzzy Hash: B02181752043069FE304DF65CCC0E6BB7E9EBC8660F104A1EF950C7250D670E9498B61
      APIs
      • _mbscmp.MSVCRT ref: 1001A9D3
      • _mbscmp.MSVCRT ref: 1001A9FD
      • GetParent.USER32(?), ref: 1001AA0B
      • FindWindowExA.USER32(00000000,00000000,1002C4BC,00000000), ref: 1001AA23
      • FindWindowExA.USER32(00000000,00000000,1002C4B0,00000000), ref: 1001AA31
      • FindWindowExA.USER32(00000000,00000000,1002C4A0,00000000), ref: 1001AA3F
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: FindWindow$_mbscmp$Parent
      • String ID:
      • API String ID: 3521712903-0
      • Opcode ID: 5e0b855fcac5159f367e03da2c711da51616acd7177871d874b9811b27d61f41
      • Instruction ID: 07a90f14033cc30d1d35d2e0eeef8570c81e30e2f87793286d4a341ae43e1c20
      • Opcode Fuzzy Hash: 5e0b855fcac5159f367e03da2c711da51616acd7177871d874b9811b27d61f41
      • Instruction Fuzzy Hash: D111C8773516252BE200F6A8AC90FAB63CCDFD5666F514022FB00EA140D334ED8687B5
      APIs
      • GetCursorPos.USER32(?), ref: 1001EBD4
      • GetWindowRect.USER32(?,?), ref: 1001EBE3
      • GetClientRect.USER32(?,?), ref: 1001EBF2
      • ClientToScreen.USER32(?,?), ref: 1001EC07
      • ClientToScreen.USER32(?,?), ref: 1001EC12
      • SendMessageA.USER32(?,00000445,00000000,?), ref: 1001EC54
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Client$RectScreen$CursorMessageSendWindow
      • String ID:
      • API String ID: 1353371867-0
      • Opcode ID: 7e52564109b9bdb87fea7c149928c1ee72434fd62f985c6adbb850f7f3630d07
      • Instruction ID: c36cae17ecde68ff4f981e12f48877b9c68e936cd5b1928b6e4795760c61fe65
      • Opcode Fuzzy Hash: 7e52564109b9bdb87fea7c149928c1ee72434fd62f985c6adbb850f7f3630d07
      • Instruction Fuzzy Hash: 2B110479108746EFD708DF29C888D6BB7E8EBD8604F10C91DF58983220E670E94ACB52
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Window
      • String ID:
      • API String ID: 2353593579-0
      • Opcode ID: f539908fe5b4ee91853859bd00b7215825581461b09397d3a58328f8b06297f0
      • Instruction ID: 61a02fd3fe343e1cbdaa3c21f8ae578eda2fb75fcd6781e2b5076b330a8b8943
      • Opcode Fuzzy Hash: f539908fe5b4ee91853859bd00b7215825581461b09397d3a58328f8b06297f0
      • Instruction Fuzzy Hash: EEF03035346A31B7FA91ABA4BC8AFDB3658DF05741F214010F701AA0D4D7A4AB8747EA
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: ??3@
      • String ID:
      • API String ID: 613200358-0
      • Opcode ID: f1a8cc473319eb0b1c69932dca6256fb8b8dc5912ee8d40ae2d3c541b9704d15
      • Instruction ID: b30d290d8c7ff241b3e1323c47ca36b58938814fe857fb6cef48acb235ac3c58
      • Opcode Fuzzy Hash: f1a8cc473319eb0b1c69932dca6256fb8b8dc5912ee8d40ae2d3c541b9704d15
      • Instruction Fuzzy Hash: ADE0757A51062057C224E7B4ACC1DD772A9BB4C210FA08D0CB19A47201C977F940E790
      APIs
      • GetMenuItemInfoA.USER32 ref: 10009179
      • SelectObject.GDI32(00000000,?), ref: 100091A7
      • GetTextExtentPointA.GDI32(00000000,?,?,00000400), ref: 100091C7
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: ExtentInfoItemMenuObjectPointSelectText
      • String ID: 0$@
      • API String ID: 1214468274-1545510068
      • Opcode ID: 917930f70828090b676f5c8c02eca02738ab7c5eca451f6404b20d046d03fd04
      • Instruction ID: 3d2f61126256a53cf897c85a85e5fe7bc4fb7c3a9049d66df69f7ce8b741961f
      • Opcode Fuzzy Hash: 917930f70828090b676f5c8c02eca02738ab7c5eca451f6404b20d046d03fd04
      • Instruction Fuzzy Hash: 46111F75209300AFE750DB24C955BEFB7E8FBC4350F40491DF69992290DB79AA09CB92
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: _ftol
      • String ID:
      • API String ID: 2545261903-0
      • Opcode ID: 54f8a28af38cbc904a6a211d7a6f8c81f12d1385314ea70c361e39c26235b509
      • Instruction ID: 0b0bc44675ec839da114b02f6054aa0f657a73593dc5a8713aae574027d7ad68
      • Opcode Fuzzy Hash: 54f8a28af38cbc904a6a211d7a6f8c81f12d1385314ea70c361e39c26235b509
      • Instruction Fuzzy Hash: DBF1CF71909B61EBE351DF10D89428A7BE4FFC5380FA14A5DF4C1961A1EB31CB96CB82
      APIs
      • OffsetRect.USER32(?,?,?), ref: 10010E51
        • Part of subcall function 1000FBF0: CreateCompatibleDC.GDI32(?), ref: 1000FC09
        • Part of subcall function 1000FBF0: CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 1000FC14
        • Part of subcall function 1000FBF0: SelectObject.GDI32(00000000,00000000), ref: 1000FC21
        • Part of subcall function 1000FBF0: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1000FC3A
        • Part of subcall function 1000FBF0: GetClipRgn.GDI32(?,00000000), ref: 1000FC44
        • Part of subcall function 1000FBF0: SelectClipRgn.GDI32(?,00000000), ref: 1000FC53
        • Part of subcall function 1000FBF0: DeleteObject.GDI32(00000000), ref: 1000FC5A
        • Part of subcall function 1000B0C0: CreateSolidBrush.GDI32(?), ref: 1000B0C9
        • Part of subcall function 1000B0C0: SelectObject.GDI32(?,00000000), ref: 1000B0DD
        • Part of subcall function 1000B0C0: PatBlt.GDI32(?,?,00000000,?,10007767,00F00021), ref: 1000B0FB
        • Part of subcall function 1000B0C0: SelectObject.GDI32(?,00000000), ref: 1000B103
        • Part of subcall function 1000B0C0: DeleteObject.GDI32(00000000), ref: 1000B106
      • SetBkMode.GDI32(?,00000001), ref: 10010EA8
      • SelectObject.GDI32(?,?), ref: 10010EBD
      • SendMessageA.USER32(?,0000002B,00000000,?), ref: 10010F7B
      • GetPixel.GDI32(?,?,?), ref: 10011008
        • Part of subcall function 1000B4C0: 74AD1530.MSIMG32(?,?,?,?,?,?,1000BFD7,1000BFD7,?,1000BFD7,?,00000000,?,?,1000BFD7,?), ref: 1000B538
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Object$Select$Create$ClipCompatibleDeleteRect$BitmapBrushD1530MessageModeOffsetPixelSendSolid
      • String ID:
      • API String ID: 2601035247-0
      • Opcode ID: f5c3c6a3893a7df674df041db2b20e0fcbff9e871180a081f6335cb58035cd86
      • Instruction ID: a69ee935151e19899d8c4b44d90f6d6784ea96e440500a2836e4d15a7f76abeb
      • Opcode Fuzzy Hash: f5c3c6a3893a7df674df041db2b20e0fcbff9e871180a081f6335cb58035cd86
      • Instruction Fuzzy Hash: 0981E4B4608340AFE314CB58C882F6BB7E9FB88740F108A1DF99997391D670E945CB62
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: ??2@
      • String ID:
      • API String ID: 1033339047-0
      • Opcode ID: acee3e2d181177633a24cf035c914bc3b8895da4ff9bca02219d70c3d3395465
      • Instruction ID: 780453279fc9d404bdb8cca2fd0b2e9d713902c348bdb508de38a8486bde4cdd
      • Opcode Fuzzy Hash: acee3e2d181177633a24cf035c914bc3b8895da4ff9bca02219d70c3d3395465
      • Instruction Fuzzy Hash: 2951A1B5A083519BD604DF289C91B1A73D0EB98B60F004A2EF196DB381DB34ED848B93
      APIs
      • PtInRect.USER32(0000002C,00000000,00000000), ref: 100164CD
      • PtInRect.USER32(0000006C,?,?), ref: 10016519
      • PtInRect.USER32(0000003C,?,?), ref: 1001656D
      • PtInRect.USER32(0000005C,?,?), ref: 1001659C
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect
      • String ID:
      • API String ID: 400858303-0
      • Opcode ID: 8c6a47cf31c48d3af39ec7387fbf4fc412dc478c91933e0ee7674804f5ed87f4
      • Instruction ID: 88eee75a724b57100442f45c2dc2b334c4b92a05eceda69fcc84a06ca03c096a
      • Opcode Fuzzy Hash: 8c6a47cf31c48d3af39ec7387fbf4fc412dc478c91933e0ee7674804f5ed87f4
      • Instruction Fuzzy Hash: 04514C753007069BD714DF69EC84AABB3E9FB88B14F40092DF85A87240DB75F989CB61
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: ??3@
      • String ID:
      • API String ID: 613200358-0
      • Opcode ID: 353ac758a6fb63025c5d98e7d195cbef0722081482f832dd2b1cd277f8c81383
      • Instruction ID: 207150d8cd520f2c8076046b94b252afd95317543a8e9ea73a38ad0b49929f05
      • Opcode Fuzzy Hash: 353ac758a6fb63025c5d98e7d195cbef0722081482f832dd2b1cd277f8c81383
      • Instruction Fuzzy Hash: 305134B6A0025D8FC714CF4AC894C56B7E1EF886507AAC4AED54A5F622CA31FC86CF44
      APIs
      • GetCursorPos.USER32(?), ref: 1001EA96
      • GetWindowRect.USER32(?,?), ref: 1001EAA5
      • PtInRect.USER32(?,?,?), ref: 1001EABA
      • KillTimer.USER32(?,00007720), ref: 1001EAD3
      • InvalidateRect.USER32(?,00000000,00000000), ref: 1001EAE7
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$CursorInvalidateKillTimerWindow
      • String ID:
      • API String ID: 1204915734-0
      • Opcode ID: 9ef916551e3afd5be42b82f6000de7f42f9ff66f33c1c6494cbb8683e67b5be9
      • Instruction ID: 1aaf348c908433e104cd2ce18659ca1b4ce5b612a6fc862c77d7acbc4d0a29e2
      • Opcode Fuzzy Hash: 9ef916551e3afd5be42b82f6000de7f42f9ff66f33c1c6494cbb8683e67b5be9
      • Instruction Fuzzy Hash: F40113B9504752AFD710DB28C8C886BB7F9EF49744B10894DF58AC7220D630F945CB61
      APIs
      • ??3@YAXPAX@Z.MSVCRT ref: 10021551
      • SendMessageA.USER32(?,00000112,0000F093,?), ref: 1002158D
      • IsZoomed.USER32(?), ref: 1002159F
      • GetSystemMetrics.USER32(00000004), ref: 100215AF
      • CallWindowProcA.USER32(?,?,000000A1,?,?), ref: 100216B3
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: ??3@CallMessageMetricsProcSendSystemWindowZoomed
      • String ID:
      • API String ID: 3560867145-0
      • Opcode ID: 40f6cafe6fc529aef8933b53fac1e56a8b6434288313871db4eb5997b39d8aab
      • Instruction ID: 6bec9c70b05b0ba5ee56a74e6e33481ab579d1bccf6329b3e51cbdad3a69271d
      • Opcode Fuzzy Hash: 40f6cafe6fc529aef8933b53fac1e56a8b6434288313871db4eb5997b39d8aab
      • Instruction Fuzzy Hash: B441E27A7002119BE710DF94E8C9FDBB399EBA4750F80803AF9099F282C7719C5487A0
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 10009048
      • CallWindowProcA.USER32(?,?,0000002B,?,?), ref: 100090CB
      • CreateCompatibleDC.GDI32(00000000), ref: 100090EC
      • CallWindowProcA.USER32(?,?,0000002B,00000000,?), ref: 10009100
      • DeleteDC.GDI32(?), ref: 1000910C
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: CallProcWindow$CompatibleCreateDeleteProp
      • String ID:
      • API String ID: 1060680913-0
      • Opcode ID: 088e118dbf137e4194a6ec5c3e0d9fc1955a6b201465a2604efd515ce137b97b
      • Instruction ID: f2b3dcc440dab69ee4fbcbe6af92302eeabc2b2a5026597934c7d9f665362333
      • Opcode Fuzzy Hash: 088e118dbf137e4194a6ec5c3e0d9fc1955a6b201465a2604efd515ce137b97b
      • Instruction Fuzzy Hash: AA4134753007129FE310CF6AD884B66B7E8FF847D0F158129F9498B295D732E882CBA1
      APIs
      • GetWindowRect.USER32(?,?), ref: 100108A4
      • OffsetRect.USER32(?,?,?), ref: 100108BD
      • GetSystemMetrics.USER32(00000000), ref: 100108CB
      • GetSystemMetrics.USER32(00000001), ref: 100108D1
      • CallWindowProcA.USER32(?,?,00000046,?,?), ref: 10010933
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: MetricsRectSystemWindow$CallOffsetProc
      • String ID:
      • API String ID: 3217627387-0
      • Opcode ID: 8be756d99e248d4b1e801939b3714eb5480deeaa81697c236dc379206ebd8c11
      • Instruction ID: 23580ca9b0729daaad7b279e8dc62797c40a95a429eab73825f66c9b8e763cb3
      • Opcode Fuzzy Hash: 8be756d99e248d4b1e801939b3714eb5480deeaa81697c236dc379206ebd8c11
      • Instruction Fuzzy Hash: 9D314C753092069FE718DF18C8A4E6AB7E6FF88740F24851DF9CA8B252D670E981CB51
      APIs
      • KillTimer.USER32(?,?), ref: 10016363
        • Part of subcall function 100124D0: SetTimer.USER32(?,?,00000000,10012490), ref: 100124E3
      • GetParent.USER32(?), ref: 100163A2
      • SendMessageA.USER32(00000000), ref: 100163A9
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Timer$KillMessageParentSend
      • String ID:
      • API String ID: 4215942989-0
      • Opcode ID: 929a81d9524b9661685c560c274d4be5b9dbd8275d2883391fbb45ab76854343
      • Instruction ID: cfa475f0d94ce1742ae4734d9acbaaceee74d3da44fb01cfd7150537f1731013
      • Opcode Fuzzy Hash: 929a81d9524b9661685c560c274d4be5b9dbd8275d2883391fbb45ab76854343
      • Instruction Fuzzy Hash: D9216F79301B12ABE624D764CC95FDB72E9EB58B40F404818F656CE280DA76ED82C754
      APIs
      • GetCursorPos.USER32(00000000), ref: 100200D7
      • ScreenToClient.USER32(?,00000000), ref: 100200E6
      • PtInRect.USER32(00000034,00000000,?), ref: 100200FA
      • TrackMouseEvent.USER32(?,?,?,?,?,?,?,?,1001FFAC,?,?), ref: 10020142
      • CallWindowProcA.USER32(?,?,00000200,?,?), ref: 1002015F
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: CallClientCursorEventMouseProcRectScreenTrackWindow
      • String ID:
      • API String ID: 246821313-0
      • Opcode ID: 452f02149016ab57f0be7edff06aaeae5fa3b70f219bffea2e1b92ae58be304f
      • Instruction ID: 3019ab15dc7928b1b202b4615dd38406c76b54fbe59730a3b13cec038340f0e3
      • Opcode Fuzzy Hash: 452f02149016ab57f0be7edff06aaeae5fa3b70f219bffea2e1b92ae58be304f
      • Instruction Fuzzy Hash: D4113A79204701EFD314DF14C885A5BB7E9FB88700F504A0DF98683621D770E949CB91
      APIs
      • GetParent.USER32(?), ref: 10014F03
      • GetClassLongA.USER32(00000000), ref: 10014F0A
      • SendMessageA.USER32(?,00000115,00000000,00000000), ref: 10014F30
      • SendMessageA.USER32(?,00000115,00000001,00000000), ref: 10014F47
      • CallWindowProcA.USER32(?,?,0000020A,?,?), ref: 10014F6A
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: MessageSend$CallClassLongParentProcWindow
      • String ID:
      • API String ID: 1353622983-0
      • Opcode ID: cfb1d0e207854fb8dcd69ebbbabeafc674c5207766cd86b1f8a176c5c5f3fc80
      • Instruction ID: d2383e6da1af4afa3427e5b8932eb01d4800057d420c1cdead8e2e9a0b4738ac
      • Opcode Fuzzy Hash: cfb1d0e207854fb8dcd69ebbbabeafc674c5207766cd86b1f8a176c5c5f3fc80
      • Instruction Fuzzy Hash: BE018436214711EFE354DB54CC89FC777A5FB98740F118918F2568B6A4C6B0E882CB50
      APIs
      • CreateSolidBrush.GDI32(?), ref: 1000B0C9
      • SelectObject.GDI32(?,00000000), ref: 1000B0DD
      • PatBlt.GDI32(?,?,00000000,?,10007767,00F00021), ref: 1000B0FB
      • SelectObject.GDI32(?,00000000), ref: 1000B103
      • DeleteObject.GDI32(00000000), ref: 1000B106
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Object$Select$BrushCreateDeleteSolid
      • String ID:
      • API String ID: 1979645813-0
      • Opcode ID: 8202d082a8d02d7cb35fd4a3e7ed27b63294127b33079cb5fb6f541fec19d876
      • Instruction ID: 83e1346f7fd50f5c1e27b067344e86bff92973f43accc98672dc9dd08b035da2
      • Opcode Fuzzy Hash: 8202d082a8d02d7cb35fd4a3e7ed27b63294127b33079cb5fb6f541fec19d876
      • Instruction Fuzzy Hash: E9F0587A205214AFE200DB65DCC8CBBBBECEBCDA54F10051CF94893200C634AD0A8B72
      APIs
      • SetMapMode.GDI32(00000000,00000001), ref: 1000FCA8
      • SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 1000FCB7
      • SetWindowExtEx.GDI32(?,00000001,00000001,00000000), ref: 1000FCC6
      • SetViewportOrgEx.GDI32(00000000,00000000,00000000,00000000), ref: 1000FCD5
      • SetViewportExtEx.GDI32(?,00000001,00000001,00000000), ref: 1000FCE4
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: ViewportWindow$Mode
      • String ID:
      • API String ID: 1998588776-0
      • Opcode ID: d550d996791e68486d74e7e69cc671b827fb91bbe54977dfd5cc9daaae8f4344
      • Instruction ID: 19eb1e7a97a7d17af1ec9957c6ac4774e2def1865d773f4b49123eaa02bc8819
      • Opcode Fuzzy Hash: d550d996791e68486d74e7e69cc671b827fb91bbe54977dfd5cc9daaae8f4344
      • Instruction Fuzzy Hash: 94F09878391310BBF6749B60CCCAF957765AB48B11F304809FA81AA2D0C6F5A5859B64
      APIs
      • GetMenuItemInfoA.USER32 ref: 10008E73
      • CallWindowProcA.USER32(?,?,0000002C,?,?), ref: 10008F42
      • CallWindowProcA.USER32(?,?,0000002C,?,?), ref: 10008F98
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: CallProcWindow$InfoItemMenu
      • String ID: 0
      • API String ID: 1396499677-4108050209
      • Opcode ID: 4e8d0b03f25231fc6dcbf2cc5d41fcfb2e5006d6da9717ac153e70087d0b34e5
      • Instruction ID: 3a263b56c78cee0a8e23883c6dc5574ccc9387f68b94d4295bca3dd9a186fa29
      • Opcode Fuzzy Hash: 4e8d0b03f25231fc6dcbf2cc5d41fcfb2e5006d6da9717ac153e70087d0b34e5
      • Instruction Fuzzy Hash: EC513B793102018FE704CF18C884AA6B7E9FF88394F18856EED488B355D736ED46CBA1
      APIs
      • IsMenu.USER32(?), ref: 1001C4EB
      • GetMenuItemInfoA.USER32 ref: 1001C524
      • SetMenuItemInfoA.USER32(?,?,00000400,?), ref: 1001C561
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Menu$InfoItem
      • String ID: 0
      • API String ID: 1040333723-4108050209
      • Opcode ID: 243637d71311623db6106a7351d464556d75ae7d0fb0a3426c1bbd7d193cda2a
      • Instruction ID: f8b742696180afde77dc344fc1703784ab48d404007203de0ad804771102cd86
      • Opcode Fuzzy Hash: 243637d71311623db6106a7351d464556d75ae7d0fb0a3426c1bbd7d193cda2a
      • Instruction Fuzzy Hash: CA115774204311AFE310CF28C884E6BB7E8EF88794F50891DF999D7690E770E982CB56
      APIs
      • SetLastError.KERNEL32(00000006,?,00000000,?,00000001), ref: 1002630B
      • SetLastError.KERNEL32(00000006,?,00000000,?,00000001), ref: 1002632C
      • SetLastError.KERNEL32(00000009,?,00000000,?,00000001), ref: 10026368
      • SetLastError.KERNEL32(0000000C,?,00000000,?,00000001), ref: 10026395
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: ErrorLast
      • String ID:
      • API String ID: 1452528299-0
      • Opcode ID: c3616aa7b4a34e8de724524b9adc4ac18453dfc774abf1496d12cb01671f6ebc
      • Instruction ID: b3c434b615bc2635f358bc3621d77ed4a3c5ae3a0f0d1fd31a7ebcab961547c0
      • Opcode Fuzzy Hash: c3616aa7b4a34e8de724524b9adc4ac18453dfc774abf1496d12cb01671f6ebc
      • Instruction Fuzzy Hash: F941F774E04109EFDB04DFA8D895ADDBBB1EF4C314F608559E94AAB285D730AA41CFA0
      APIs
      • SendMessageA.USER32 ref: 1001E552
      • InflateRect.USER32(?,000000FE,000000FE), ref: 1001E599
      • 75031510.COMCTL32(?,?,?,00000000,?,00000001), ref: 1001E727
        • Part of subcall function 1000E930: SetRectEmpty.USER32(?), ref: 1000E942
        • Part of subcall function 1000E930: SetRectEmpty.USER32(?), ref: 1000E949
      • 75031510.COMCTL32(?,?,?,?,?,00000001), ref: 1001E685
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$75031510Empty$InflateMessageSend
      • String ID:
      • API String ID: 2666495051-0
      • Opcode ID: c1d657de1969eec40a7d2c4ceaca19b3ee4d01ccf90aa8a5cb8032dc9250f240
      • Instruction ID: 714f37e124b3561914c789874ae4d57327775486736af5f1980e57804d13f8a5
      • Opcode Fuzzy Hash: c1d657de1969eec40a7d2c4ceaca19b3ee4d01ccf90aa8a5cb8032dc9250f240
      • Instruction Fuzzy Hash: 8E81D0B56183409FD354CF58C880A6BFBE9FBC9700F108A2DFA9887351E771E9458B96
      APIs
      • BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 1000B1A0
      • BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 1000B216
      • BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 1000B273
      • BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 1000B2C9
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: bbb36afaebd339171a8ba2a9bff4ae1e802011074496994489dee8731f070884
      • Instruction ID: 0e05779d305182e8bcc6fd0604af41abdce4d5981c7c16a485e6175e980c0b19
      • Opcode Fuzzy Hash: bbb36afaebd339171a8ba2a9bff4ae1e802011074496994489dee8731f070884
      • Instruction Fuzzy Hash: 9451E474209341AFD344CF1AC980A1BFBE9EFCC698F549A1DF99993314D670ED018B66
      APIs
      • GetWindowRect.USER32(?,?), ref: 1000498C
        • Part of subcall function 10006940: CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 10006998
      • CreateCompatibleDC.GDI32(00000000), ref: 10004ACC
      • SelectObject.GDI32(00000000,?), ref: 10004ADA
      • DeleteObject.GDI32(00000000), ref: 10004B3D
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: CreateObject$CompatibleDeleteRectSectionSelectWindow
      • String ID:
      • API String ID: 3658416323-0
      • Opcode ID: 23c3dad39b7b06eb48d7addef53a14f29711dad34157be51c5675d575d6ac0fc
      • Instruction ID: 926509f65d47b9d16154319da591b5b9fbd828cd3c3562e040cac586d4f0fdc2
      • Opcode Fuzzy Hash: 23c3dad39b7b06eb48d7addef53a14f29711dad34157be51c5675d575d6ac0fc
      • Instruction Fuzzy Hash: 71514075204254AFE714CFA8CDD4FAB7BA9EBC8740F11462DF64983264DB70A906CBA1
      APIs
      • GetWindowRect.USER32(?,?), ref: 100045BC
        • Part of subcall function 10006940: CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 10006998
      • CreateCompatibleDC.GDI32(00000000), ref: 100046EA
      • SelectObject.GDI32(00000000,?), ref: 100046F8
      • DeleteObject.GDI32(00000000), ref: 1000475C
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: CreateObject$CompatibleDeleteRectSectionSelectWindow
      • String ID:
      • API String ID: 3658416323-0
      • Opcode ID: 57afb882074d8b283f91df5b332fb814e48e5fbbc40286b92b26aa013bbe1ff9
      • Instruction ID: 31f3b9b0e5f8ca5f00bfa3506996ac21a001d0e66bebc1a0bde6ad0a93aefee3
      • Opcode Fuzzy Hash: 57afb882074d8b283f91df5b332fb814e48e5fbbc40286b92b26aa013bbe1ff9
      • Instruction Fuzzy Hash: D0515F75204314AFE714CFA4CDC4FAB7BA9EB88754F114629FA4583394DB70A906CB61
      APIs
      • GetWindowRect.USER32(?,?), ref: 10002EEB
        • Part of subcall function 10006940: CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 10006998
      • CreateCompatibleDC.GDI32(00000000), ref: 10003013
      • SelectObject.GDI32(00000000,?), ref: 10003021
        • Part of subcall function 10006920: DeleteObject.GDI32(?), ref: 1000692E
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: CreateObject$CompatibleDeleteRectSectionSelectWindow
      • String ID:
      • API String ID: 3658416323-0
      • Opcode ID: 07dad1b2f8abdf8a07eb973fc9d63cefb9e0dcfc90d492f50281410ed9c71344
      • Instruction ID: b27995b4a09c7bf90d17540a9eabbb7790c638f4d3ea255d685444a3819b181a
      • Opcode Fuzzy Hash: 07dad1b2f8abdf8a07eb973fc9d63cefb9e0dcfc90d492f50281410ed9c71344
      • Instruction Fuzzy Hash: 6E514C76204315AFE310CFA8CDC9FABBBE9FB88650F504629F54983295DB70A905CB61
      APIs
      • GetWindowRect.USER32(?,?), ref: 100258B1
      • OffsetRect.USER32(?,?,?), ref: 100258CA
      • CreateRoundRectRgn.GDI32(?,?,?,?,00000001,00000001), ref: 1002590F
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$CreateOffsetRoundWindow
      • String ID:
      • API String ID: 3966507845-0
      • Opcode ID: cea002b6a8ef21f2cb3a895f42f3fb7a80bcb03468e2dcf9a5a67d2188188a0a
      • Instruction ID: fd809a4ceb687a9920e0430a40226c629e5b8fbea5758eea80f51bca6e6e67d1
      • Opcode Fuzzy Hash: cea002b6a8ef21f2cb3a895f42f3fb7a80bcb03468e2dcf9a5a67d2188188a0a
      • Instruction Fuzzy Hash: EC4161B9214601AFE714DB68D885EABB3E9EBC4700F50C91DF89A87240DA70FD05CBA5
      APIs
      • CreateCompatibleDC.GDI32(?), ref: 10007F68
      • CreateCompatibleBitmap.GDI32(?,?,?), ref: 10007F82
      • SelectObject.GDI32(?,00000000), ref: 10007F8F
      • 74AD1530.MSIMG32(?,?,?,?,?,?,00000000,00000000,?,?,00FF00FF), ref: 10008017
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: CompatibleCreate$BitmapD1530ObjectSelect
      • String ID:
      • API String ID: 3192329904-0
      • Opcode ID: 351117b677a3e932f0f50200bd7c7ee2448bf8813f5f97b2c86bedaae17dfc0b
      • Instruction ID: 68acdb373d7a775d6d7ccb3423d03b7186a2d247abf388a2c01072eab6aa2972
      • Opcode Fuzzy Hash: 351117b677a3e932f0f50200bd7c7ee2448bf8813f5f97b2c86bedaae17dfc0b
      • Instruction Fuzzy Hash: F841D4B8600602AFE324CF68C884E26B7F9FF88744B108A1DF99983754D730F955CBA1
      APIs
        • Part of subcall function 10016440: GetCursorPos.USER32(?), ref: 1001644C
        • Part of subcall function 10016440: GetWindowRect.USER32(?,?), ref: 1001645B
      • PtInRect.USER32(0000002C,76951B80,?), ref: 10015FAA
      • PtInRect.USER32(0000003C,?,?), ref: 10015FEA
      • PtInRect.USER32(0000006C,?,?), ref: 10016016
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$CursorWindow
      • String ID:
      • API String ID: 2067259548-0
      • Opcode ID: e1af6214a6f7562a9d61b136065f3798b9d7b294db994c50de0c6dc41576ed19
      • Instruction ID: 942b3ee6e408d2d77c3cbed3ca5e98908d906ac42d301ec7afef9c4228c91e15
      • Opcode Fuzzy Hash: e1af6214a6f7562a9d61b136065f3798b9d7b294db994c50de0c6dc41576ed19
      • Instruction Fuzzy Hash: EE313C763007029BC714CF65EC809ABF3E8FB84751F45462DE95987600DB36E8498BA1
      APIs
      • IsWindowEnabled.USER32(?), ref: 100080F7
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: EnabledWindow
      • String ID:
      • API String ID: 1255321416-0
      • Opcode ID: 7eca8c281a0b202235e49865d5931ba51e94db6309202c9b20545d352822c802
      • Instruction ID: 37371956b553b68bbaf28cfff257a7f0d6f94ec872bf77a3ed07d6cbcf5e9166
      • Opcode Fuzzy Hash: 7eca8c281a0b202235e49865d5931ba51e94db6309202c9b20545d352822c802
      • Instruction Fuzzy Hash: CE11B1772444628BF720D67CE846ACAA3D4FB74390F018D27F59AC7288D628DD878754
      APIs
      • GetWindowRect.USER32(?,00000001), ref: 10016247
      • PtInRect.USER32(?,?,?), ref: 10016273
      • PtInRect.USER32(?,?,?), ref: 1001629F
      • CallWindowProcA.USER32(?,?,00000084,?,?), ref: 100162BC
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$Window$CallProc
      • String ID:
      • API String ID: 2141924492-0
      • Opcode ID: 42652ddef185d08e1dd2a8195f870a649398aa3ec5a314d83f618bccea3ac0b9
      • Instruction ID: 6bb5dbdf489e1a6f0cc29fa7beb5d91727bcf99365b1c6db062720247cfdbd6a
      • Opcode Fuzzy Hash: 42652ddef185d08e1dd2a8195f870a649398aa3ec5a314d83f618bccea3ac0b9
      • Instruction Fuzzy Hash: 0C218176300B165BE360DAAACCC4E67B3ECFB88A50F40492EF985C7641D635FD598760
      APIs
        • Part of subcall function 10012540: ??3@YAXPAX@Z.MSVCRT ref: 100125B5
      • RemovePropA.USER32(?,1002C040), ref: 10008BBA
        • Part of subcall function 1000CD20: ??3@YAXPAX@Z.MSVCRT ref: 1000CD95
      • RemovePropA.USER32(?,1002C048), ref: 10008BD2
      • ??3@YAXPAX@Z.MSVCRT ref: 10008BE6
      • ??3@YAXPAX@Z.MSVCRT ref: 10008C10
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: ??3@$PropRemove
      • String ID:
      • API String ID: 1378348335-0
      • Opcode ID: 93d3d9c42f870cd9d9b3a1bdedabf6ebe2cb150f49cc310acf5eac463d88ac74
      • Instruction ID: 4856fc888e7d091422dc3a361147995440e5673d3ac1890a2cd9819baa295a63
      • Opcode Fuzzy Hash: 93d3d9c42f870cd9d9b3a1bdedabf6ebe2cb150f49cc310acf5eac463d88ac74
      • Instruction Fuzzy Hash: A621AFB56007829FD710CF5AD8C0A8AF7E4FB48210F804A2DF16987341C778E9498B91
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: DeleteObject$??3@Select
      • String ID:
      • API String ID: 3433755800-0
      • Opcode ID: f55ce02d52da9193f42541787e68d3cff3417927cbf413641bc5f72140a8c5a2
      • Instruction ID: eff67cfb01a4d2600c09c765b352805dfe5dc578d0251df350f47da1601aa07e
      • Opcode Fuzzy Hash: f55ce02d52da9193f42541787e68d3cff3417927cbf413641bc5f72140a8c5a2
      • Instruction Fuzzy Hash: E3113AB4600642AFE714CF15C8C8E16BBE9FF88380B29C56AE808D7325D771ED41CB90
      APIs
      • PtInRect.USER32(00000050,?), ref: 100117CF
      • PtInRect.USER32(00000060,?), ref: 100117DF
      • PtInRect.USER32(00000050,?), ref: 100117FC
      • CallWindowProcA.USER32(?,?,00000200,?,?), ref: 10011838
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$CallProcWindow
      • String ID:
      • API String ID: 2854435161-0
      • Opcode ID: 3ea446e5017dbbd17509b2e94ce09de6277395e8464c5c9cb4b424a2b4c0ace6
      • Instruction ID: 8c562a3d8ffa91b3488f9b2e3c9223cef3bcf56be9e3598e3ad49312dabcbff5
      • Opcode Fuzzy Hash: 3ea446e5017dbbd17509b2e94ce09de6277395e8464c5c9cb4b424a2b4c0ace6
      • Instruction Fuzzy Hash: 17117C75600715AFE328CF16CC88EA777FCEB80B85F10481DF58286651DA31E886CB60
      APIs
      • PtInRect.USER32(00000050,?), ref: 10011AD9
      • PtInRect.USER32(00000060,?), ref: 10011AE9
      • PtInRect.USER32(00000050,?), ref: 10011AFB
      • CallWindowProcA.USER32(?,?,00000202,?,?), ref: 10011B37
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$CallProcWindow
      • String ID:
      • API String ID: 2854435161-0
      • Opcode ID: 59ffc7ff1c5213b1cf39a1a4bbb19d144ce8416fa73da0f37271d160e36c8f56
      • Instruction ID: 8a3aa6fa90d41ed69226067b3e75a7c91dc2c122c79226572cad67fafd763433
      • Opcode Fuzzy Hash: 59ffc7ff1c5213b1cf39a1a4bbb19d144ce8416fa73da0f37271d160e36c8f56
      • Instruction Fuzzy Hash: C6014C75605725AFE328CB56DCC8EABBBFCEB84B81B10481EF54286211D731E9858B61
      APIs
      • PtInRect.USER32(00000050,?), ref: 10011A49
      • PtInRect.USER32(00000060,?), ref: 10011A59
      • PtInRect.USER32(00000050,?), ref: 10011A6B
      • CallWindowProcA.USER32(?,?,00000201,?,?), ref: 10011AAA
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Rect$CallProcWindow
      • String ID:
      • API String ID: 2854435161-0
      • Opcode ID: 81c6700b62b5b93b1d102745a9a0f424a562618402be3bbb7fec3a059a690f7a
      • Instruction ID: e73e578019d50ab50198203406a73d3f958aba72b0e288fd38bf24a79029c17e
      • Opcode Fuzzy Hash: 81c6700b62b5b93b1d102745a9a0f424a562618402be3bbb7fec3a059a690f7a
      • Instruction Fuzzy Hash: B7018CB5201715AFE324CF56CC88EABBBFCEF84B81F10080DF58286111C631E984CB61
      APIs
      • GetClientRect.USER32(?), ref: 1000772F
      • GetPropA.USER32(?,1002C050), ref: 1000773E
      • SelectObject.GDI32(?,?), ref: 10007783
      • PatBlt.GDI32(?,00F00021,?,?,?,00F00021), ref: 100077A3
        • Part of subcall function 1000B0C0: CreateSolidBrush.GDI32(?), ref: 1000B0C9
        • Part of subcall function 1000B0C0: SelectObject.GDI32(?,00000000), ref: 1000B0DD
        • Part of subcall function 1000B0C0: PatBlt.GDI32(?,?,00000000,?,10007767,00F00021), ref: 1000B0FB
        • Part of subcall function 1000B0C0: SelectObject.GDI32(?,00000000), ref: 1000B103
        • Part of subcall function 1000B0C0: DeleteObject.GDI32(00000000), ref: 1000B106
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Object$Select$BrushClientCreateDeletePropRectSolid
      • String ID:
      • API String ID: 3435410480-0
      • Opcode ID: ee39c86b8713ff7bd0879a4eba1016b9c2dcf60cedc71159b2e0360e7d2bf52b
      • Instruction ID: 0ce474bad31ea1b146f6a7476c3485cc4b4618f4c22a3676eee4e6d7add3520a
      • Opcode Fuzzy Hash: ee39c86b8713ff7bd0879a4eba1016b9c2dcf60cedc71159b2e0360e7d2bf52b
      • Instruction Fuzzy Hash: 570117BA604211EFE204DB58CC84DABB7ACEFC8250F508A0DFA5983211D630ED45CBA2
      APIs
      • KillTimer.USER32(?,00006622,00000000,?,10008828,?,?,?), ref: 10015C04
      • KillTimer.USER32(?,00006623), ref: 10015C0F
      • KillTimer.USER32(?,00006624), ref: 10015C1A
      • CallWindowProcA.USER32(?,?,?,?,?), ref: 10015C60
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: KillTimer$CallProcWindow
      • String ID:
      • API String ID: 4157066807-0
      • Opcode ID: 73276a6097d022647674bceacd34be44969d3857d0e8de3a6d1c863b984271ce
      • Instruction ID: 7c6a0bc5b88cb8bece1b2373cc4b17ef2a87975b470b42242de656e3c344c917
      • Opcode Fuzzy Hash: 73276a6097d022647674bceacd34be44969d3857d0e8de3a6d1c863b984271ce
      • Instruction Fuzzy Hash: 3901E975204B05EBE224DB6AC890F9BB3E9EF98700F14890DF5599F290C676E8818B50
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 1000E4C5
      • SendMessageA.USER32(?,00006A30,00000000,00000000), ref: 1000E4DB
      • CallWindowProcA.USER32(?,?,?,?,?), ref: 1000E4F5
      • CallWindowProcA.USER32(?,?,?,?,?), ref: 1000E512
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: CallProcWindow$MessagePropSend
      • String ID:
      • API String ID: 3197700573-0
      • Opcode ID: 16cd9c1c8a4f09862bd2c9aa2b2deed388164335538f6a85cc36725207bd56c1
      • Instruction ID: 451063f49a3e527fd8d608dc22c3f8f1e55c4af648b6bbb05c8928ea7c27e05f
      • Opcode Fuzzy Hash: 16cd9c1c8a4f09862bd2c9aa2b2deed388164335538f6a85cc36725207bd56c1
      • Instruction Fuzzy Hash: EA014B7A201621EBE204DF54DC88EABB7ADEFD9761F20840DF60593241C721ED06CBB5
      APIs
      • IsWindowVisible.USER32 ref: 10014AE1
      • SendMessageA.USER32(?,000000E9,00000000), ref: 10014AF1
      • IsWindowVisible.USER32(?), ref: 10014B15
      • SendMessageA.USER32(?,000000E9,00000000), ref: 10014B25
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: MessageSendVisibleWindow
      • String ID:
      • API String ID: 3984873885-0
      • Opcode ID: 5673385011df388f717717f68ae525e54092af11df8779ffd9ee95a29302be15
      • Instruction ID: fc90fe054d96e1b13d9ec6b26fe80a5f78d3395466cc4f4aa367405a843ec8f6
      • Opcode Fuzzy Hash: 5673385011df388f717717f68ae525e54092af11df8779ffd9ee95a29302be15
      • Instruction Fuzzy Hash: 0D014F79104A12DFE660DB64CC84FE373E8EB18300F018919F6A6C7660C770E845CB64
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 1001BDFC
      • SendMessageA.USER32(?,00006A31,00000000,00000000), ref: 1001BE12
      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00002237,?,?,1001BB2D,?,?,10025F3F,?,?), ref: 1001BE30
      • InvalidateRect.USER32(?,00000000,00000001,?,?,1001BB2D,?,?,10025F3F,?,?), ref: 1001BE3B
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: InvalidateMessagePropRectSendWindow
      • String ID:
      • API String ID: 1683571725-0
      • Opcode ID: f1fa45ef511af30ddd497535aa07129b0897fb5ddec85c8cb697c59cca0d390d
      • Instruction ID: 61bc7c0cfe7dd8b66f4080b3c9d4250a00e71bb5cd075d56d4ab3ddb2b0c9d6c
      • Opcode Fuzzy Hash: f1fa45ef511af30ddd497535aa07129b0897fb5ddec85c8cb697c59cca0d390d
      • Instruction Fuzzy Hash: FBF0E535342A21FBF6515758AC89FCE37A59F85B10F200001F700EA1D0CBE49A834B55
      APIs
      • GetCursorPos.USER32(?), ref: 100205FB
      • ScreenToClient.USER32(?,?), ref: 1002060A
      • PtInRect.USER32(00000034,?,?), ref: 1002061E
      • CallWindowProcA.USER32(?,?,00000201,?,?), ref: 1002064D
        • Part of subcall function 100201A0: GetWindowRect.USER32(?,00000020), ref: 100201C0
        • Part of subcall function 100201A0: OffsetRect.USER32(00000020,00000000,?), ref: 100201D2
        • Part of subcall function 100201A0: CreateCompatibleDC.GDI32(00000000), ref: 100201D9
        • Part of subcall function 100201A0: CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 100201EA
        • Part of subcall function 100201A0: SelectObject.GDI32(00000000,00000000), ref: 100201FC
        • Part of subcall function 100201A0: SelectObject.GDI32(00000000,?), ref: 1002020B
        • Part of subcall function 100201A0: PatBlt.GDI32(00000000,00000000,00000000,?,?,00F00021), ref: 1002021F
        • Part of subcall function 100201A0: IsWindowEnabled.USER32(?), ref: 1002024C
        • Part of subcall function 100201A0: IsWindowEnabled.USER32(?), ref: 1002028A
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Window$Rect$CompatibleCreateEnabledObjectSelect$BitmapCallClientCursorOffsetProcScreen
      • String ID:
      • API String ID: 3882218468-0
      • Opcode ID: afb86ea5bd93d0f3c5f6897db7f249f6baaa89d0f154500c220c73288da3c33b
      • Instruction ID: 9c0e68a1bfba51fb30c42bce227b29f8990f29df3688151d92ec8c3378a25188
      • Opcode Fuzzy Hash: afb86ea5bd93d0f3c5f6897db7f249f6baaa89d0f154500c220c73288da3c33b
      • Instruction Fuzzy Hash: C8F019B9210311AFE714DB54CD89D67B3E9FB88B00F50890DF58683650DB70F919CBA1
      APIs
      • GetCursorPos.USER32(?), ref: 1002069B
      • ScreenToClient.USER32(?,?), ref: 100206AA
      • PtInRect.USER32(00000034,?,?), ref: 100206BE
      • CallWindowProcA.USER32(?,?,00000203,?,?), ref: 100206ED
        • Part of subcall function 100201A0: GetWindowRect.USER32(?,00000020), ref: 100201C0
        • Part of subcall function 100201A0: OffsetRect.USER32(00000020,00000000,?), ref: 100201D2
        • Part of subcall function 100201A0: CreateCompatibleDC.GDI32(00000000), ref: 100201D9
        • Part of subcall function 100201A0: CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 100201EA
        • Part of subcall function 100201A0: SelectObject.GDI32(00000000,00000000), ref: 100201FC
        • Part of subcall function 100201A0: SelectObject.GDI32(00000000,?), ref: 1002020B
        • Part of subcall function 100201A0: PatBlt.GDI32(00000000,00000000,00000000,?,?,00F00021), ref: 1002021F
        • Part of subcall function 100201A0: IsWindowEnabled.USER32(?), ref: 1002024C
        • Part of subcall function 100201A0: IsWindowEnabled.USER32(?), ref: 1002028A
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: Window$Rect$CompatibleCreateEnabledObjectSelect$BitmapCallClientCursorOffsetProcScreen
      • String ID:
      • API String ID: 3882218468-0
      • Opcode ID: e5acc8b09ba55b0c849634dbc04fec6fda9d79dfec1a49745e8be55ffeea7e36
      • Instruction ID: 3f66a2042e15db7492eec8571bc4eccf41e5f2ab532cfb3c276876021694c1e2
      • Opcode Fuzzy Hash: e5acc8b09ba55b0c849634dbc04fec6fda9d79dfec1a49745e8be55ffeea7e36
      • Instruction Fuzzy Hash: AAF019B9200311AFE204DB54DD89D67B3EDFB88B00F10890DF58683650DB70F909CBA1
      APIs
      • GetPropA.USER32(?,1002C03C), ref: 1001C753
      • LockWindowUpdate.USER32(?,?,10025F1F,?,?), ref: 1001C76F
      • GetPropA.USER32(?,1002C03C), ref: 1001C781
      • LockWindowUpdate.USER32(00000000), ref: 1001C79E
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: LockPropUpdateWindow
      • String ID:
      • API String ID: 165959620-0
      • Opcode ID: 21e405a72cf705807934c4471f6505aaf612a935a217802134ff392a136f5abf
      • Instruction ID: 7a3979f4e55717f4f8ab17c69277cc3bf6940b2a43d5fdf8dbe088e1ab8e3198
      • Opcode Fuzzy Hash: 21e405a72cf705807934c4471f6505aaf612a935a217802134ff392a136f5abf
      • Instruction Fuzzy Hash: 1EF01738206625DBEB98DB21CC88FAA37E8EF40B91F168498F1099B1A1C770D881CF51
      APIs
      • ShowWindow.USER32(?,?,00000000,?,76945440,1002584E,00000000), ref: 10024747
      • ShowWindow.USER32(?,?), ref: 10024751
      • ShowWindow.USER32(?,?), ref: 1002475B
      • ShowWindow.USER32(?,?), ref: 10024765
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: ShowWindow
      • String ID:
      • API String ID: 1268545403-0
      • Opcode ID: 3295a3fcf0ae12c1fcbb8f7e5f53fbdeca41f72dae6878fcabe25103e68869c8
      • Instruction ID: fbebdeaf8877d8e39abbbfefd4f084f7c7d7f891781dffc730fc7a01b7582861
      • Opcode Fuzzy Hash: 3295a3fcf0ae12c1fcbb8f7e5f53fbdeca41f72dae6878fcabe25103e68869c8
      • Instruction Fuzzy Hash: 28E092B6201750ABD224DAAACCC8D97F7ECFBCE711B50491EB259832008A75E801C774
      APIs
      • GetModuleHandleA.KERNEL32(1002C484,1002C48C,00000000,?,?,1001928B), ref: 1001A715
      • GetProcAddress.KERNEL32(00000000), ref: 1001A71E
      • GetModuleHandleA.KERNEL32(1002C484,1002C468,?,?,1001928B), ref: 1001A72C
      • GetProcAddress.KERNEL32(00000000), ref: 1001A72F
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID:
      • API String ID: 1646373207-0
      • Opcode ID: b978585602eefc31c83160de33f8556ed3312a0566cad042a39d1910bad30d93
      • Instruction ID: e5961c9c5a536ee549249fec62f5ee9ffd92b965adf733a9a8c24a5aa6594063
      • Opcode Fuzzy Hash: b978585602eefc31c83160de33f8556ed3312a0566cad042a39d1910bad30d93
      • Instruction Fuzzy Hash: 58D05B766012186FD610FBF9AC98CA7F79CDD95551391452AF344D3111C7709C018BB0
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2543975993.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
      • Associated: 00000000.00000002.2543975993.0000000010030000.00000040.00001000.00020000.00000000.sdmp
      • Associated: 00000000.00000002.2543975993.0000000010038000.00000040.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd
      Similarity
      • API ID: ClassCursorLoadRegister
      • String ID: 0
      • API String ID: 1693014935-4108050209
      • Opcode ID: 28f346c1f4dfbe2856f6f1ab5a9c9bdac0e0dbbb8d7eea49bca441095fb31d7d
      • Instruction ID: 197b4fdf75a9891b34d05670b40042e82415c0f2dfe413ea69ca17455c6e27b2
      • Opcode Fuzzy Hash: 28f346c1f4dfbe2856f6f1ab5a9c9bdac0e0dbbb8d7eea49bca441095fb31d7d
      • Instruction Fuzzy Hash: F501FBB44193619BE300CF18D45464BFFE4EF88754F804A1EF48596260D7B596498BCA